2. Simplify Modernization of your monolithic application using VPC Lattice Networking
Sanket Nasre, Sr. Migration SA at AWS
06/15/2023
https://www.linkedin.com/in/sanket-nasre-58813b23/
3. Agenda
• Monoliths and Microservices in a nutshell
• “Breaking the Bad” Monoliths
• Developer’s Conundrum with Network and Application Portion
• VPC Lattice Basics and Security
• Lattice… in the context of Microservices
• Reference architectures for placing Microservices with Lattice
• App Dependency
• Blue/Green Deployment with VPC Lattice
• Path/Host based Routing with VPC Lattice
5. “Breaking the Bad” Monoliths
• Business capability
• Sub-domain
• Transactions
• Service per team pattern
• Strangler fig pattern
• Branch by abstraction pattern
6. Give service teams their own sandbox
Network and permission boundaries with VPCs and accounts
[Diagram: VPC 1 hosting Microservice 1 and Microservice 2; VPC 2 hosting Microservice 3 and Microservice 4. Each VPC (and the account that owns it) is a separate network and permission boundary for its team.]
10. Amazon VPC Lattice concepts
SERVICE-AWARE NETWORKING
Service directory
• Centralized registry of services
Service network
• Logical boundary defined across VPCs and accounts
• Apply common access and observability policy
Auth policies
• Declarative policies for access, observability, and traffic management
• Applied at the service level or at the service network level
Service
• Unit of application
• Extends across all compute resources: instances, containers, serverless
[Diagram: Service A on Amazon EKS and Service B on Amazon EC2, each in its own Amazon VPC, and Service C on Lambda, all registered in the service directory and reachable through the service network.]
11. VPC Lattice Security
Service and VPC association: services and VPCs are associated with a service network. If a VPC or a specific service is not associated with the service network, clients in that VPC cannot reach the service at all. This is the first, coarsest control.
Network layer controls: network-level protections for the service network. Use Network ACLs on the client subnets, or attach a security group (SG) to the VPC-to-service-network association, to restrict which clients in the VPC may send traffic into the service network.
VPC Lattice auth policy: an IAM-style auth policy can be applied to service networks and to individual services. The service network policy is typically owned by the network or cloud administrator and implements coarse-grained authorization (for example, only signed requests from principals in the organization); service owners attach finer-grained policies to their own services. When both exist, a request must be allowed by both.
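The third control on the slide is easiest to reason about with a small evaluator. The block below is an added example, not code from the deck or from AWS: it models how VPC Lattice evaluates a service network auth policy and a service auth policy separately, requires both to allow a request, and lets an explicit Deny in either layer win. The policy documents, ARNs, VPC ID and organization ID are constructed; the condition keys (aws:PrincipalType, aws:PrincipalOrgID, vpc-lattice-svcs:SourceVpc, vpc-lattice-svcs:RequestPath, vpc-lattice-svcs:RequestMethod) are the real ones. Both example policies use Resource "*", so resource matching is not modelled.

```python
"""Added example (not from the deck): minimal two-layer VPC Lattice auth
policy evaluator. Both the service network policy and the service policy
are evaluated; a request is authorized only if both return Allow, and an
explicit Deny anywhere wins. All identifiers are constructed."""
import fnmatch

# Coarse-grained policy a network/cloud admin attaches to the service
# network: any SigV4-signed caller from one AWS Organization, never anonymous.
SERVICE_NETWORK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "vpc-lattice-svcs:Invoke",
        "Resource": "*",
        "Condition": {
            "StringNotEqualsIgnoreCase": {"aws:PrincipalType": "anonymous"},
            "StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"},  # constructed
        },
    }],
}

# Fine-grained policy the service owner attaches to the service itself:
# one consumer role, only from one consumer VPC, and never the /admin paths.
SERVICE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/consumer-role"},
            "Action": "vpc-lattice-svcs:Invoke",
            "Resource": "*",
            "Condition": {"StringEquals": {"vpc-lattice-svcs:SourceVpc": "vpc-0consumer0000000"}},
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "vpc-lattice-svcs:Invoke",
            "Resource": "*",
            "Condition": {"StringLike": {"vpc-lattice-svcs:RequestPath": "/admin/*"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller_arn):
    if principal == "*":
        return True  # "*" also matches anonymous (unsigned) callers
    arns = _as_list(principal.get("AWS", []))
    return caller_arn is not None and any(fnmatch.fnmatchcase(caller_arn, a) for a in arns)


def _conditions_match(conditions, ctx):
    # Every condition block must hold. A missing key fails the positive
    # operators and satisfies the negative one, as in IAM.
    for operator, pairs in conditions.items():
        for key, expected in pairs.items():
            expected, actual = _as_list(expected), ctx.get(key)
            if operator == "StringEquals":
                ok = actual is not None and actual in expected
            elif operator == "StringLike":
                ok = actual is not None and any(fnmatch.fnmatchcase(actual, e) for e in expected)
            elif operator == "StringNotEqualsIgnoreCase":
                ok = actual is None or actual.lower() not in [e.lower() for e in expected]
            else:
                raise ValueError(f"operator {operator} is not modelled here")
            if not ok:
                return False
    return True


def evaluate_policy(policy, request):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one policy document."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt.get("Principal", "*"), request["principal"]):
            continue
        if not any(fnmatch.fnmatchcase(request["action"], a) for a in _as_list(stmt["Action"])):
            continue
        if not _conditions_match(stmt.get("Condition", {}), request["context"]):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny short-circuits everything else
        decision = "Allow"
    return decision


def is_authorized(sn_policy, svc_policy, request):
    """Both layers must return Allow for the request to reach the target."""
    return all(evaluate_policy(p, request) == "Allow" for p in (sn_policy, svc_policy))


def make_request(caller_arn, org_id, source_vpc, method, path):
    """Model the request context VPC Lattice exposes to auth policies.
    caller_arn=None represents an unsigned (anonymous) request."""
    ctx = {
        "aws:PrincipalType": "AssumedRole" if caller_arn else "anonymous",
        "vpc-lattice-svcs:SourceVpc": source_vpc,
        "vpc-lattice-svcs:RequestMethod": method,
        "vpc-lattice-svcs:RequestPath": path,
    }
    if org_id:
        ctx["aws:PrincipalOrgID"] = org_id
    return {"principal": caller_arn, "action": "vpc-lattice-svcs:Invoke", "context": ctx}
```

Policies like these are attached with `aws vpc-lattice put-auth-policy --resource-identifier <service-network-or-service-id> --policy file://policy.json`, and they are only evaluated when the service network or service has auth type AWS_IAM (for example `aws vpc-lattice update-service-network --service-network-identifier <id> --auth-type AWS_IAM`). With auth type NONE nothing in this layer runs and only the association and security group layers above apply, which is why the anonymous case in the evaluator matters: a `"Principal": "*"` Allow without the PrincipalType condition would admit unsigned requests.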
12. Lattice… in the context of Microservices
[Diagram: a Consumer VPC in Account A, holding the consumer/user, is attached to a VPC Lattice service network through a VPC association. Microservices running in a Service VPC in Account B are published as Lattice services and attached to the same service network through service associations. The service network is shared across the two accounts with AWS Resource Access Manager.]
13. Centralized Service Network Account
Service directory:
  Service name   Owner
  Auth           Account B
  Write          Account A
[Diagram: a dedicated Service Network Account owns the VPC Lattice service network and its service network policy. Provider Account A and Provider Account B each publish one service (Write and Auth; one runs on an Auto Scaling group of instances in private subnets, the other on AWS Lambda) through a service association, each with its own service policy. The Consumer Account's VPC, holding a consumer EC2 instance in a private subnet and resolving service names through the VPC resolver, is attached through a VPC association.]
14. Centralized Multiple Service Networks
Service directory for Service Network 1:
  Service name   Owner
  Write          Account A
Service directory for Service Network 2:
  Service name   Owner
  Auth           Account B
  Write          Account A
[Diagram: the Service Network Account owns two VPC Lattice service networks, each with its own service network policy and service directory. Provider Account A (Write service on an Auto Scaling group of instances in private subnets) and Provider Account B (Auth service on AWS Lambda) attach their services, each with a service policy, through service associations. Consumer Account A attaches VPC A (consumer EC2, VPC resolver) to Service Network 1 and VPC B (a Lambda function reaching the VPC through an ENI in a private subnet, VPC resolver) to Service Network 2 through VPC associations, so each consumer VPC sees only the services in its own network.]
15. Distributed Service Networks
Service directory for Provider Account A's service network:
  Service name   Owner
  Write          Account A
Service directory for Provider Account B's service network:
  Service name   Owner
  Auth           Account B
[Diagram: no central account. Provider Account A owns a VPC Lattice service network, its service network policy and the Write service (Auto Scaling group of instances in private subnets); Provider Account B owns a second service network, its policy and the Auth service (AWS Lambda). Consumer Account A attaches VPC A (consumer EC2, VPC resolver) to Account A's network and VPC B (Lambda through an ENI in a private subnet, VPC resolver) to Account B's network through VPC associations.]
16. Application Dependency
Service directory:
  Service name   Owner
  Billing        Account B
  Parking        Account A
  Inventory      Account C
[Diagram: the Service Network Account owns the VPC Lattice service network and its service network policy. Provider Account A (Parking service), Provider Account B (Billing service) and Provider Account C (Inventory service), running on Auto Scaling groups of instances in private subnets and on AWS Lambda, each attach their service through a service association with its own service policy. A provider VPC whose service depends on another service carries a VPC association as well as a service association, so it can consume through the same service network it publishes to.]
17. Blue/Green Deployment (Same AWS Account)
[Diagram: the Consumer VPC (VPC 1) is attached to the Amazon VPC Lattice service network through a VPC association; the consumer/user resolves service names through Route 53 and sends traffic to the Lattice link-local address range (169.254.171.0/24). Service 1: Billing in VPC 2, Service 2: Parking in VPC 3 and Service 3: Parking++ in VPC 4 are attached through service associations, each in its own subnet.]
Amazon VPC Lattice policy: Parking and Parking++ are the blue and green versions of the same service. The listener's weighted forward action sends 90% of requests to the Parking target group and 10% to the Parking++ target group, so the green version takes a small share of live traffic before the weights are shifted; the consumer keeps calling one service name throughout.
18. Path/Host based routing (Same AWS Account)
[Diagram: same layout as the previous slide, with Service 1: Billing in VPC 2, Service 2: Parking in VPC 3 and Service 3: Inventory in VPC 4 attached through service associations, and the Consumer VPC (VPC 1) attached through a VPC association, reaching the service network via Route 53 and the Lattice link-local address.]
Path-based routing: listener rules match on the request path, e.g. /api/parking is forwarded to Parking and /api/inventory to Inventory.
Host-based routing: each service carries its own custom domain name, parking.hotel.com and inventory.hotel.com, with a Route 53 record pointing at the Lattice-generated DNS name, so the hostname the consumer resolves selects the service.
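The two routing slides above (blue/green weights and path/host based routing) share one mechanism, so a single added example covers both. The block below is not code from the deck or from AWS: it builds listener rules in the shape VPC Lattice uses (priority, httpMatch.pathMatch, forward action with weighted targetGroups) and evaluates them the way the service does, lowest priority number first, first match wins, default action otherwise, and a relative-weight pick across the target groups. Host selection is modelled as a table from custom domain name to service, standing in for the Route 53 records. The hostnames come from the slide; the target group identifiers, the 90/10 split and the choice to put the /api/parking and /api/inventory rules on the Billing service's listener are constructed assumptions.

```python
"""Added example (not from the deck): how VPC Lattice listener rules route
the Billing/Parking/Inventory services from the last two slides. Target
group identifiers and the rule layout are constructed for illustration."""
import random

# Constructed target group identifiers (not real AWS resources).
TG_BILLING, TG_PARKING, TG_PARKING_PP, TG_INVENTORY = (
    "tg-billing", "tg-parking", "tg-parkingpp", "tg-inventory")

# Host-based routing: each service has a custom domain name whose Route 53
# record points at the Lattice-generated DNS name, so the name the consumer
# resolves picks the service. Modelled here as a lookup table.
SERVICE_BY_HOST = {
    "billing.hotel.com": "billing",
    "parking.hotel.com": "parking",
    "inventory.hotel.com": "inventory",
}


def forward(*target_groups):
    """Forward action in the shape VPC Lattice rules use; weights are relative."""
    return {"forward": {"targetGroups": [
        {"targetGroupIdentifier": tg, "weight": w} for tg, w in target_groups]}}


def path_rule(priority, prefix, action):
    """Listener rule with a case-insensitive path prefix match."""
    return {"priority": priority,
            "match": {"httpMatch": {"pathMatch": {
                "match": {"prefix": prefix}, "caseSensitive": False}}},
            "action": action}


LISTENERS = {
    # Slide 18 (assumed layout): the Billing service's listener fans out by path.
    "billing": {"rules": [path_rule(10, "/api/parking", forward((TG_PARKING, 100))),
                          path_rule(20, "/api/inventory", forward((TG_INVENTORY, 100)))],
                "defaultAction": forward((TG_BILLING, 100))},
    # Slide 17: blue/green, 90% to Parking (blue), 10% to Parking++ (green).
    "parking": {"rules": [],
                "defaultAction": forward((TG_PARKING, 90), (TG_PARKING_PP, 10))},
    "inventory": {"rules": [], "defaultAction": forward((TG_INVENTORY, 100))},
}


def match_rule(rule, path):
    pm = rule["match"]["httpMatch"]["pathMatch"]
    prefix = pm["match"]["prefix"]
    if not pm.get("caseSensitive", True):
        path, prefix = path.lower(), prefix.lower()
    return path.startswith(prefix)


def select_action(listener, path):
    """Rules are evaluated in ascending priority; first match wins, else default."""
    for rule in sorted(listener["rules"], key=lambda r: r["priority"]):
        if match_rule(rule, path):
            return rule["action"]
    return listener["defaultAction"]


def pick_target(action, rng=random.random):
    """Weighted choice over the action's target groups; rng returns [0, 1)."""
    tgs = action["forward"]["targetGroups"]
    point = rng() * sum(t["weight"] for t in tgs)
    acc = 0
    for t in tgs:
        acc += t["weight"]
        if point < acc:
            return t["targetGroupIdentifier"]
    return tgs[-1]["targetGroupIdentifier"]


def route(host, path, rng=random.random):
    """Return (service, target group) for a request, or None if no service
    owns the host (the custom domain would not resolve to Lattice at all)."""
    service = SERVICE_BY_HOST.get(host.lower())
    if service is None:
        return None
    return service, pick_target(select_action(LISTENERS[service], path), rng)


def observed_split(host, path, draws=10000, seed=7):
    """Fraction of requests each target group received over `draws` calls."""
    rng = random.Random(seed).random
    counts = {}
    for _ in range(draws):
        _, tg = route(host, path, rng)
        counts[tg] = counts.get(tg, 0) + 1
    return {tg: n / draws for tg, n in counts.items()}
```

Shifting the blue/green split is a change to the weights on that one rule (or default action), not to DNS or to the consumer, which is the operational point of the slide; `observed_split` is the check to run against a stage before moving the weights towards 100% green.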