Simplify Modernization of your monolithic application using VPC Lattice Networking
Sanket Nasre, Sr. Migration SA at AWS
06/15/2023
https://www.linkedin.com/in/sanket-nasre-58813b23/
Agenda
• Monoliths and Microservices in a nutshell
• “Breaking the Bad” Monoliths
• Developer’s Conundrum with Network and Application Portion
• VPC Lattice Basics and Security
• Lattice… in the context of Microservices
• Reference architectures for placing Microservices with Lattice
• App Dependency
• Blue/Green Deployment with VPC Lattice
• Path/Host based Routing with VPC Lattice
Basic Concepts and Definitions
[Diagram: Monolith, Miniservices and Microservices drawn as a spectrum, with the annotations “Completely independent” and “?”.]
“Breaking the Bad” Monoliths
• Business capability
• Sub-domain
• Transactions
• Service per team pattern
• Strangler fig pattern
• Branch by abstraction pattern
Give service teams their own sandbox
Network and permission boundaries with VPCs and accounts
[Diagram: VPC 1 containing Microservice 1 and Microservice 2; VPC 2 containing Microservice 3 and Microservice 4.]
Network and Application Layer Complexity
[Diagram: a Monolith and Microservices spread across AWS Account 1, AWS Account 2 and AWS Account n, reached by a Consumer EC2 instance through a mix of Transit Gateway, VPC Peering, Internet Gateway, VPC PrivateLink, API Gateway, NLB and ALB. The network layer handles routing; the application layer handles routing, health checks and load balancing.]
How do we make it simpler for developers to deploy and connect microservices with zero trust?
Bridging the gap between admins and developers
Amazon VPC Lattice concepts
Service-aware networking
Service directory
• Centralized registry of services
Service network
• Defines a logical boundary across VPCs and accounts
• Applies a common access and observability policy
Auth policies
• Declarative policies for access, observability, and traffic management
• Applied at the service, gateway, or the application network level
Service
• Unit of application
• Extends across all compute resources: instances, containers, serverless
[Diagram: Service A, Service B and Service C hosted across two Amazon VPCs on Amazon EKS, Amazon EC2 and Lambda.]
VPC Lattice Security
Service and VPC Association
Services and VPCs are associated with a service network. If a VPC or a specific service is not associated with the service network, clients in that VPC will not have access to the service.
Network Layer Controls
Network-level security protections for the service network. Use Network ACLs, or place a Security Group (SG) on the VPC-to-service-network association.
VPC Lattice Auth Policy
A VPC Lattice auth policy can be applied on service networks and on individual services. It is typically operated by the network or cloud administrator, who implements coarse-grained authorization.
[Diagram: security group SG-123 on the VPC-to-service-network associations.]
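The three controls above stack: association decides whether a service is reachable at all, the SG or NACL decides which network traffic is admitted, and the auth policy decides who may invoke. As an added example (not from the deck), here is a weak auth policy beside a scoped one, with a simplified evaluator that shows why an associated VPC alone is not authorization; the policy shape is IAM's, the condition keys are from the vpc-lattice-svcs namespace, every identifier is constructed, and it assumes the service network's auth type is AWS_IAM (with auth type NONE no policy is evaluated).

```python
from fnmatch import fnmatchcase

# Constructed identifiers for this example (not from the deck).
SERVICE_ARN = "arn:aws:vpc-lattice:us-east-1:111111111111:service/svc-EXAMPLE"
CONSUMER_ACCOUNT = "222222222222"
CONSUMER_VPC = "vpc-0aaaaaaaaaaaaaaaa"
INVOKE = "vpc-lattice-svcs:Invoke"
# Weak policy: an unconditional "*" principal also admits anonymous (unsigned)
# callers from any VPC that happens to be associated with the service network.
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": INVOKE, "Resource": "*"}]}

# Coarse-grained policy for the service network: signed callers only, from the
# consumer account, and only when the request arrives through the consumer VPC.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": INVOKE, "Resource": SERVICE_ARN,
     "Condition": {
         "StringNotEqualsIgnoreCase": {"aws:PrincipalType": "anonymous"},
         "StringEquals": {"aws:PrincipalAccount": CONSUMER_ACCOUNT,
                          "vpc-lattice-svcs:SourceVpc": CONSUMER_VPC}}}]}

def _conditions_hold(cond, ctx):
    """Only the two operators used above; a missing key fails StringEquals."""
    for key, want in cond.get("StringEquals", {}).items():
        if ctx.get(key) != want:
            return False
    for key, bad in cond.get("StringNotEqualsIgnoreCase", {}).items():
        if str(ctx.get(key, "")).lower() == bad.lower():
            return False
    return True

def evaluate(policy, action, resource, ctx):
    """Simplified IAM-style evaluation: an explicit Deny wins, otherwise a
    matching Allow is required (only the "*" principal form is modelled)."""
    decision = "Deny"
    for st in policy["Statement"]:
        if st["Principal"] != "*" or not fnmatchcase(action, st["Action"]):
            continue
        if not fnmatchcase(resource, st["Resource"]) or not _conditions_hold(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

# Two callers: an unsigned request from a peer VPC, and a SigV4-signed request
# from a role in the consumer account, entering through the consumer VPC.
ANONYMOUS = {"aws:PrincipalType": "Anonymous", "vpc-lattice-svcs:SourceVpc": "vpc-0bbbbbbbbbbbbbbbb"}
SIGNED = {"aws:PrincipalType": "AssumedRole", "aws:PrincipalAccount": CONSUMER_ACCOUNT,
          "vpc-lattice-svcs:SourceVpc": CONSUMER_VPC}
```

Under OPEN_POLICY both callers get "Allow"; under SCOPED_POLICY the anonymous caller, a signed caller from another VPC, and any action other than Invoke all get "Deny".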
Lattice… in the context of Microservices
[Diagram: a Consumer/User in a Consumer VPC reaches Services (Microservices) in a Service VPC through a Service Network; the Consumer VPC is attached by a VPC Association, each Service by a Service Association, and the service network is shared between Account A and Account B through Resource Access Manager.]
Centralized Service Network Account
Service Directory
  Service Name   Owner
  Auth           Account B
  Write          Account A
[Diagram: a dedicated Service Network Account owns the VPC Lattice Service Network and its Service Network Policy. Provider Account A and Provider Account B publish the Write Service and the Auth Service (backed by an Auto Scaling group of instances and by AWS Lambda), each under its own Service Policy and attached by a Service Association. The Consumer Account's VPC is attached by a VPC Association, and its Consumer EC2 instances in private subnets reach the services through the VPC Resolver.]
Centralized Multiple Service Networks
Service Directory (VPC Lattice Service Network 1)
  Service Name   Owner
  Write          Account A
Service Directory (VPC Lattice Service Network 2)
  Service Name   Owner
  Auth           Account B
  Write          Account A
[Diagram: the Service Network Account owns two service networks, each with its own Service Network Policy. Provider Account A and Provider Account B attach the Write Service and the Auth Service (an Auto Scaling group of instances and AWS Lambda) by Service Associations, each under a Service Policy. Consumer Account A attaches VPC A to Service Network 1 and VPC B to Service Network 2 by VPC Associations; Consumer EC2 instances in private subnets reach the services through each VPC's Resolver and ENI.]
Distributed Service Networks
Service Directory (first service network)
  Service Name   Owner
  Write          Account A
Service Directory (second service network)
  Service Name   Owner
  Auth           Account B
[Diagram: no central Service Network Account; the VPC Lattice Service Networks and their Service Network Policies are distributed across the provider accounts. Provider Account A publishes the Write Service and Provider Account B the Auth Service (an Auto Scaling group of instances and AWS Lambda), each attached by a Service Association. Consumer Account A attaches VPC A to one service network and VPC B to the other by VPC Associations; Consumer EC2 instances in private subnets reach the services through each VPC's Resolver and ENI.]
Application Dependency
Service Directory
  Service Name   Owner
  Billing        Account B
  Parking        Account A
  Inventory      Account C
[Diagram: a Service Network Account owns the VPC Lattice Service Network and Service Network Policy. Provider Account A, Provider Account B and Provider Account C publish the Parking Service, Billing Service and Inventory Service (an Auto Scaling group of instances and AWS Lambda) under their own Service Policies and Service Associations. The providers' VPCs, with private subnets, are themselves attached by VPC Associations, which is what lets one service call another: the application dependency.]
Blue/Green Deployment (Same AWS Account)
Amazon VPC Lattice policy: Parking++ and Parking are blue or green, with 90% to Parking and 10% to Parking++
[Diagram: a Consumer/User in the Consumer VPC (VPC 1) resolves the service name through Route 53 and calls it over the Amazon VPC Lattice link-local address; the Amazon VPC Lattice service network forwards 90% of requests to Service 2: Parking (VPC 2) and 10% to Service 3: Parking++ (VPC 3), while Service 1: Billing lives in VPC 4. Each VPC is attached by a VPC association and each service by a service association; the services run in subnets.]
Path/Host based routing (Same AWS Account)
[Diagram: a Consumer/User in the Consumer VPC (VPC 1) resolves service names through Route 53 and calls them over the Amazon VPC Lattice link-local address through the Amazon VPC Lattice service network. Service 1: Billing (VPC 4), Service 2: Parking (VPC 2) and Service 3: Inventory (VPC 3) are attached by service associations, and each VPC by a VPC association.]
Routes: /api/parking on parking.hotel.com; /api/inventory on Inventory.hotel.com
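The listener rules behind the two routing slides, as an added example that is not part of the deck: the 90/10 weighted forward for Parking and Parking++, and the /api/parking and /api/inventory prefix rules, written in the match/action shape of VPC Lattice's CreateRule API (an assumption to check against the API reference) with a small local router. Host selection stands in for the per-service custom domain names resolved through DNS, since Lattice rules match on path, method and headers rather than host; the target-group identifiers are constructed.

```python
import random
# Constructed target-group identifiers for this example (not from the deck).
TG = {"parking": "tg-parking-EXAMPLE", "parking_plus": "tg-parking-plus-EXAMPLE",
      "inventory": "tg-inventory-EXAMPLE", "billing": "tg-billing-EXAMPLE"}

def weighted_forward(*pairs):
    """Forward action with weights: each weight is 0..999 and the traffic share
    is weight / sum of weights, so (90, 10) gives the slide's 90%/10% split."""
    tgs = [{"targetGroupIdentifier": tg, "weight": w} for tg, w in pairs]
    if any(not 0 <= t["weight"] <= 999 for t in tgs) or sum(t["weight"] for t in tgs) == 0:
        raise ValueError("weights must be 0..999 and not all zero")
    return {"forward": {"targetGroups": tgs}}

def path_rule(prefix, action, priority):
    """Listener rule: the lower priority number is evaluated first."""
    return {"priority": priority, "action": action,
            "match": {"httpMatch": {"pathMatch": {"match": {"prefix": prefix}}}}}

# Custom domain name -> rules of the service reached through that name.
SERVICES = {
    "parking.hotel.com": [path_rule("/api/parking",  # blue/green policy from the slide
        weighted_forward((TG["parking"], 90), (TG["parking_plus"], 10)), 10)],
    "inventory.hotel.com": [path_rule("/api/inventory",
        weighted_forward((TG["inventory"], 100)), 10)],
}

def choose_target(action, rng=random.random):
    """Pick one target group in proportion to its weight (rng returns [0, 1))."""
    tgs = action["forward"]["targetGroups"]
    r = rng() * sum(t["weight"] for t in tgs)
    for t in tgs:
        r -= t["weight"]
        if r < 0:
            return t["targetGroupIdentifier"]
    return tgs[-1]["targetGroupIdentifier"]

def route(host, path, rng=random.random):
    """Host -> service (DNS), then first matching prefix rule -> target group; None if nothing matches."""
    for rule in sorted(SERVICES.get(host.lower(), []), key=lambda r: r["priority"]):
        if path.startswith(rule["match"]["httpMatch"]["pathMatch"]["match"]["prefix"]):
            return choose_target(rule["action"], rng)
    return None

def share(action, samples=10000, seed=1):
    """Empirical split of a weighted action over `samples` draws (seeded, so repeatable)."""
    rng, counts = random.Random(seed).random, {}
    for _ in range(samples):
        tg = choose_target(action, rng)
        counts[tg] = counts.get(tg, 0) + 1
    return {tg: n / samples for tg, n in counts.items()}
```

share(SERVICES["parking.hotel.com"][0]["action"]) lands within a fraction of a percent of the 90/10 split the slide describes, and a request for /api/inventory on parking.hotel.com matches no rule.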
Thank you!
Sanket Nasre
Sr. Migration SA
AWS Industries
https://www.linkedin.com/in/sanket-nasre-58813b23/
