Introducing VPC Lattice – Simplify Networking for Service-to-Service Communication (Preview)

Overseas Selection
re:Invent
Amazon EC2
Overseas Selection gathers high-quality technical content about Amazon Web Services from around the world. "AWS" as used in this content is an abbreviation of "Amazon Web Services" and is not displayed as a trademark on this website.
{"value":"Modern applications are built using modular and distributed components. Each component is a service that implements its own subset of functionalities. To make these services communicate with each other, you need a way to let them discover where they are, authorize access, and route traffic. When troubleshooting issues, you need to keep communication configurations under control so that you can quickly understand what is happening at the application, service, and network levels. This can take a lot of your time.\n\nToday, we are making available in preview [Amazon VPC Lattice](https://aws.amazon.com/vpc/lattice/), a new capability of [Amazon Virtual Private Cloud (Amazon VPC)](https://aws.amazon.com/vpc/) that gives you a consistent way to connect, secure, and monitor communication between your services. With VPC Lattice, you can define policies for traffic management, network access, and monitoring so you can connect applications in a simple and consistent way across AWS compute services (instances, containers, and serverless functions). VPC Lattice automatically handles network connectivity between VPCs and accounts and network address translation between IPv4, IPv6, and overlapping IP addresses. VPC Lattice integrates with [AWS Identity and Access Management (IAM)](https://aws.amazon.com/iam/) to give you the same authentication and authorization capabilities you are familiar with when interacting with AWS services today, but for your own service-to-service communication. With VPC Lattice, you have common controls to route traffic based on request characteristics and weighted routing for blue/green and canary-style deployments. For example, VPC Lattice allows you to mix and match compute types for a given service, which helps you modernize a monolith application architecture to microservices.\n\nVPC Lattice is designed to be noninvasive, allowing teams across your organization to incrementally opt in over time. 
In this way, you are able to deliver applications faster by focusing on your application logic, while VPC Lattice handles service-to-service networking, security, and monitoring requirements.\n\n**++How Amazon VPC Lattice Works++**\n\nWith VPC Lattice, you create a logical application layer network, called a **service network**, that connects clients and services across different VPCs and accounts, abstracting network complexity. A service network is a logical boundary that is used to automatically implement service discovery and connectivity as well as apply access and observability policies to a collection of services. It offers inter-application connectivity over HTTP/HTTPS and gRPC protocols within a VPC.\n\nOnce a VPC has been enabled for a service network, clients in the VPC will automatically be able to discover the services in the service network through DNS and will direct all inter-application traffic through VPC Lattice. You can use [AWS Resource Access Manager (RAM)](https://aws.amazon.com/ram/) to control which accounts, VPCs, and applications can establish communication via VPC Lattice.\n\nA service is an independently deployable unit of software that delivers a specific task or function. In VPC Lattice, a **service** is a logical component that can live in any VPC or account and can run on a mixture of compute types (virtual machines, containers, and serverless functions). A service configuration consists of:\n\n- One or two **listeners** that define the port and protocol that the service is expecting traffic on. Supported protocols are HTTP/1.1, HTTP/2, and gRPC, including HTTPS for TLS-enabled services.\n- Listeners have **rules** that consist of a **priority**, which specifies the order in which rules should be processed, one or more **conditions** that define when to apply the rule, and **actions** that forward traffic to target groups. 
Each listener has a **default rule** that takes effect when no additional rules are configured, or no conditions are met.\n- A **target group** is a collection of **targets**, or compute resources, that are running a specific workload you are trying to route toward. Targets can be [Amazon Elastic Compute Cloud (Amazon EC2)](https://aws.amazon.com/ec2/) instances, IP addresses, and Lambda functions. For [Kubernetes](https://kubernetes.io/) workloads, VPC Lattice can target services and pods via the **AWS Gateway Controller for Kubernetes**. To have access to the AWS Gateway Controller for Kubernetes, you can [join the preview](https://pages.awscloud.com/AmazonVPCLattice-Preview.html).\n\n![image.png](https://dev-media.amazoncloud.cn/06bd0e30372542b6aa72e2376fcd13bb_image.png)\n\nTo configure service access controls, you can use **access policies**. An access policy is an IAM resource policy that can be associated with a service network and individual services. With access policies, you can use the “PARC” (principal, action, resource, and condition) model to enforce context-specific access controls for services. For example, you can use an access policy to define which services can access a service you own. If you use [AWS Organizations](https://aws.amazon.com/organizations/), you can limit access to a service network to a specific organization.\n\nVPC Lattice also provides a **service directory**, a centralized view of the services that you own or have been shared with you via AWS RAM.\n\n**++Using Amazon VPC Lattice++**\n\nWe expect that people with different roles will use VPC Lattice. 
For example:\n\n- The **service network administrator** can:\n  - Create and manage a service network.\n  - Define access and monitoring for the service network.\n  - Associate clients and services.\n  - Share the service network with other AWS accounts.\n\n- The **service owner** can:\n  - Create and manage a service, including access and monitoring.\n  - Define routing, for example, configuring listeners and rules that point to the target groups where the service is running.\n  - Associate a service with service networks.\n\nLet’s see how this works in practice. In this quick walkthrough, I am covering both roles.\n\n**++Creating Two Backend Services++**\n\nThere is nothing specific to VPC Lattice in this section. I am just creating a couple of services, one running on Amazon EC2 and one on AWS Lambda, that I’ll use later when I configure networking with VPC Lattice.\n\nIn an [Amazon Linux](https://aws.amazon.com/amazon-linux-2/) EC2 instance, I create a web app that replies “Hello from the instance” to HTTP requests. To allow access to the instance from clients coming via VPC Lattice, I add an inbound rule to the security group to allow TCP traffic on port 8080 from the VPC Lattice [AWS-managed prefix list](https://docs.aws.amazon.com/vpc/latest/userguide/working-with-aws-managed-prefix-lists.html).\n\nHere’s the ```app.py``` file. I am using [Python](https://www.python.org/) and [Flask](https://flask.palletsprojects.com/) for this app, but you don’t need to know them to follow along with the post.\n\nPython\n\n```python\nfrom flask import Flask\n\napp = Flask(__name__)\n\n# Root path: a plain greeting, which also serves the target group health check\n@app.route('/')\ndef index():\n    return 'Hello from the instance'\n\n# Any single path segment (for example /to-instance) is echoed back in the reply\n@app.route('/<path>')\ndef somePath(path):\n    return 'Hello from the instance at path \"{}\"'.format(path)\n\n# Bind to all interfaces so traffic arriving via VPC Lattice on port 8080 is accepted\nif __name__ == '__main__':\n    app.run(host='0.0.0.0', port=8080)\n```\n\nHere’s the ```requirements.txt``` file with the Python dependencies. 
There’s only one line because the only module I need is ```flask```:\n\n```\nflask\n```\n\nI install the dependencies:\n\n```\npip3 install -r requirements.txt\n```\n\nThen, I start the web app using the nohup command to keep it running in case I log out of the instance:\n\n```\nnohup flask run --host=0.0.0.0 --port 8080 &\n```\n\nOn the EC2 instance, the web service is now listening for HTTP traffic on port 8080.\n\nIn the Lambda console, I create a simple function using the [Node.js 18.x runtime](https://aws.amazon.com/blogs/compute/node-js-18-x-runtime-now-available-in-aws-lambda/) that replies “Hello from the function” to all invocations.\n\nJavaScript\n\n```javascript\n// Lambda handler invoked through VPC Lattice; the body is JSON-encoded,\n// which is why the curl output later shows the greeting in quotes\nexports.handler = async (event) => {\n  const response = {\n    statusCode: 200,\n    body: JSON.stringify('Hello from the function'),\n  };\n  return response;\n};\n```\n\nThe two services are now both ready. Let’s use VPC Lattice to configure networking.\n\n**++Creating VPC Lattice Target Groups++**\n\nI start by creating two target groups, one for the EC2 instance and one for the Lambda function. In the VPC console, there is a new **VPC Lattice** section in the navigation pane. There, I choose **Target groups** and then **Create target group**.\n\nFor the first target group, I choose the **Instances** target type and enter a name.\n\n![image.png](https://dev-media.amazoncloud.cn/8276adaca9404a248040c2c67aea77bf_image.png)\n\nI choose the protocol (**HTTP**) and port (**8080**) used by the web app running on the instance. I select the VPC where the instance is running and the protocol version (**HTTP1**).\n\n![image.png](https://dev-media.amazoncloud.cn/362a7df67ab04cc6b603b2e83b92fb59_image.png)\n\nNow I can configure the health check that will be used to test the target status. In this case, I use the default values proposed by the console.\n\n![image.png](https://dev-media.amazoncloud.cn/c3034b147100490c8babf7980d529cb9_image.png)\n\nIn the next step, I can register the targets. 
I select the instance on which the web app is running from the list and choose to include it.\n\n![image.png](https://dev-media.amazoncloud.cn/6dc4e3bffa164bc2be1f99982e7cd2c7_image.png)\n\nI review the selected targets (one instance in this case) and choose **Submit**.\n\nIn a similar way, I create a target group for the Lambda function. This time, I select the function from the list. I can choose which [function version](https://docs.aws.amazon.com/lambda/latest/dg/configuration-versions.html) or [function alias](https://docs.aws.amazon.com/lambda/latest/dg/configuration-aliases.html) to use. For simplicity, I use the ```$LATEST``` version.\n\n![image.png](https://dev-media.amazoncloud.cn/a6a71814be5244eba797d252c749b697_image.png)\n\n**++Creating VPC Lattice Services++**\n\nNow that the target groups are ready, I choose **Services** in the navigation pane and then **Create service**. I enter a name and a description.\n\n![image.png](https://dev-media.amazoncloud.cn/306242eca28e4e389312eaf54d5546fc_image.png)\n\nNow, I can choose the authentication type. If I choose **None**, the service network does not authenticate or authorize client access, and the **auth policy**, if present, is not used. I select **AWS IAM** and then, from the **Apply policy template** dropdown, the template that allows both authenticated and unauthenticated access.\n\n![image.png](https://dev-media.amazoncloud.cn/db2d6ed23ca04886b865964b01d251aa_image.png)\n\nIn the **Monitoring** section, I turn on **Access logs**. As the destination for the access logs, I use an [Amazon CloudWatch](https://aws.amazon.com/cloudwatch/) Log group that I created before. 
I also have the option to use an [Amazon Simple Storage Service (Amazon S3)](https://aws.amazon.com/s3/) bucket or an [Amazon Kinesis Data Firehose](https://aws.amazon.com/kinesis/data-firehose/) delivery stream.\n\n![image.png](https://dev-media.amazoncloud.cn/adf172925a4844be9aba00c3c031c9ef_image.png)\n\nIn the next step, I define routing for the service. I choose **Add listener**. For the protocol, I configure the service to listen using **HTTPS**. In the default action, I choose to send two-thirds (**Weight** ```20```) of the requests to the instance target group and one-third (**Weight** ```10```) to the function target group.\n\n![image.png](https://dev-media.amazoncloud.cn/8bbfba871dde493484574b8a07e63073_image.png)\n\nThen, I add two additional rules. The first rule (**Priority** ```10```) sends all requests where the path is ```/to-instance``` to the instance target group.\n\n![image.png](https://dev-media.amazoncloud.cn/6c390c09546b4c0ba48c407962aad25f_image.png)\n\nThe second rule (**Priority** ```20```) sends all requests where the path is ```/to-function``` to the function target group.\n\n![image.png](https://dev-media.amazoncloud.cn/ac7a9cd6029548cabc8d60941b1ee1c8_image.png)\n\nIn the next step, I am asked to associate the service with one or more service networks. I didn’t create a service network yet, so I skip this step for now and choose **Next**. I review the configuration and create the service.\n\n**++Creating VPC Lattice Service Networks++**\n\nNow, I create the service network so that I can associate the service and the VPCs I want to use. I choose **Service network** from the navigation pane and then **Create service network**. 
I enter a name and a description for the service network.\n\n![image.png](https://dev-media.amazoncloud.cn/4fcd24f33f244ded88dc98143ec921df_image.png)\n\nIn the **Associate services** section, I select the service I just created.\n\n![image.png](https://dev-media.amazoncloud.cn/6413c5878fc1469f9dd43ef951155be8_image.png)\n\nIn the **VPC associations** section, I select the VPC used by the instance where the web app runs. This can help in the future because it allows the web app to call other services associated with the service network.\n\n![image.png](https://dev-media.amazoncloud.cn/bc5cd8a3b79046eaad13d1d68f92db20_image.png)\n\nThen, I select a second VPC where I have another EC2 instance that I want to use to run some tests.\n\n![image.png](https://dev-media.amazoncloud.cn/4b2caa0e3f254de293a041f8fbe62e8e_image.png)\n\nFor simplicity, in the **Access** section, I select the **None** auth type.\n\n![image.png](https://dev-media.amazoncloud.cn/136791d93cf548aea3f5a94b1d8f68d7_image.png)\n\nIn the **Monitoring** section, I choose to send the access logs for the whole service network to an S3 bucket.\n\n![image.png](https://dev-media.amazoncloud.cn/41b90fe1416843499625db100829f9e4_image.png)\n\nI review the summary of the configuration and create the service network. After a few seconds, all service and VPC associations are active, and I can start using the service.\n\nI write down the domain name of the service from the list of service associations.\n\n![image.png](https://dev-media.amazoncloud.cn/b66c7d833e5d468c8cb89429061fd1d9_image.png)\n\n**++Testing Access to the Service Using VPC Lattice++**\n\nI look at the **Routing** tab of the service to find a nice recap of how the listener is handling routing towards the different target groups.\n\n![image.png](https://dev-media.amazoncloud.cn/245563370fca4c0ba877d1478985011c_image.png)\n\nThen, I log into the EC2 instance in my second VPC and use curl to call the service domain name. 
As expected, I get about two-thirds of the responses from the instance and one-third from the function.\n\n```\ncurl https://my-service-03e92ee54968d87ca.7d67968.vpc-lattice-svcs.us-west-2.on.aws\nHello from the instance\n\ncurl https://my-service-03e92ee54968d87ca.7d67968.vpc-lattice-svcs.us-west-2.on.aws\nHello from the instance\n\ncurl https://my-service-03e92ee54968d87ca.7d67968.vpc-lattice-svcs.us-west-2.on.aws\n\"Hello from the function\"\n```\n\nWhen I call the ```/to-instance``` and ```/to-function``` paths, the additional rules forward the requests to the instance and the function, respectively.\n\n```\ncurl https://my-service-03e92ee54968d87ca.7d67968.vpc-lattice-svcs.us-west-2.on.aws/to-instance\nHello from the instance \"to-instance\" path\n\ncurl https://my-service-03e92ee54968d87ca.7d67968.vpc-lattice-svcs.us-west-2.on.aws/to-function\n\"Hello from the function\"\n```\n\nI can now review access to my service using the access log subscriptions I configured before.\n\nFor the service, I look in the CloudWatch Log group. There, I find a log stream containing detailed access information about the service.\n\n![image.png](https://dev-media.amazoncloud.cn/ca27742bf49c4812851c6f2974ff2880_image.png)\n\nThe access log for all services associated with the service network is in the S3 bucket. I have only one service for now, but more are coming.\n\n![image.png](https://dev-media.amazoncloud.cn/56a1bed8d50b4d80bdf7853224b4a776_image.png)\n\n**++Available in Preview++**\n\n[Amazon VPC Lattice](https://aws.amazon.com/vpc/lattice/) is available [in preview](https://pages.awscloud.com/AmazonVPCLattice-Preview.html) in the US West (Oregon) [Region](https://aws.amazon.com/about-aws/global-infrastructure/regions_az/).\n\nVPC Lattice provides deployment consistency across AWS compute types so that you can connect your services across instances, containers, and serverless functions. 
You can use VPC Lattice to apply granular and rich traffic controls, such as policy-based routing and weighted targets to support blue/green and canary-style deployments.\n\nVPC Lattice allows monitoring and troubleshooting service-to-service communication with detailed access logs and metrics that capture request type, volume of traffic, error rates, response time, and more. In this blog post, I only scratched the surface of what you can do with VPC Lattice.\n\n[Simplify the way you connect, secure, and monitor service-to-service communication with Amazon VPC Lattice.](https://aws.amazon.com/vpc/lattice/)\n\n![6465c675a51d44aca59965f281504693_image3.png](https://dev-media.amazoncloud.cn/b8d2862a78344a009c0c9e2876d1b45a_6465c675a51d44aca59965f281504693_image%283%29.png)\n\n### **[Danilo Poccia](https://aws.amazon.com/blogs/aws/author/danilop/)**\n\nDanilo works with startups and companies of any size to support their innovation. In his role as Chief Evangelist (EMEA) at Amazon Web Services, he leverages his experience to help people bring their ideas to life, focusing on serverless architectures and event-driven programming, and on the technical and business impact of machine learning and edge computing. He is the author of AWS Lambda in Action from Manning.","render":"<p>Modern applications are built using modular and distributed components. Each component is a service that implements its own subset of functionalities. To make these services communicate with each other, you need a way to let them discover where they are, authorize access, and route traffic. When troubleshooting issues, you need to keep communication configurations under control so that you can quickly understand what is happening at the application, service, and network levels. 
This can take a lot of your time.</p>\n<p>Today, we are making available in preview <a href=\"https://aws.amazon.com/vpc/lattice/\" target=\"_blank\">Amazon VPC Lattice</a>, a new capability of <a href=\"https://aws.amazon.com/vpc/\" target=\"_blank\">Amazon Virtual Private Cloud (Amazon VPC)</a> that gives you a consistent way to connect, secure, and monitor communication between your services. With VPC Lattice, you can define policies for traffic management, network access, and monitoring so you can connect applications in a simple and consistent way across AWS compute services (instances, containers, and serverless functions). VPC Lattice automatically handles network connectivity between VPCs and accounts and network address translation between IPv4, IPv6, and overlapping IP addresses. VPC Lattice integrates with <a href=\"https://aws.amazon.com/iam/\" target=\"_blank\">AWS Identity and Access Management (IAM)</a> to give you the same authentication and authorization capabilities you are familiar with when interacting with AWS services today, but for your own service-to-service communication. With VPC Lattice, you have common controls to route traffic based on request characteristics and weighted routing for blue/green and canary-style deployments. For example, VPC Lattice allows you to mix and match compute types for a given service, which helps you modernize a monolith application architecture to microservices.</p>\n<p>VPC Lattice is designed to be noninvasive, allowing teams across your organization to incrementally opt in over time. 
In this way, you are able to deliver applications faster by focusing on your application logic, while VPC Lattice handles service-to-service networking, security, and monitoring requirements.</p>\n<p><strong><ins>How Amazon VPC Lattice Works</ins></strong></p>\n<p>With VPC Lattice, you create a logical application layer network, called a <strong>service network</strong>, that connects clients and services across different VPCs and accounts, abstracting network complexity. A service network is a logical boundary that is used to automatically implement service discovery and connectivity as well as apply access and observability policies to a collection of services. It offers inter-application connectivity over HTTP/HTTPS and gRPC protocols within a VPC.</p>\n<p>Once a VPC has been enabled for a service network, clients in the VPC will automatically be able to discover the services in the service network through DNS and will direct all inter-application traffic through VPC Lattice. You can use <a href=\"https://aws.amazon.com/ram/\" target=\"_blank\">AWS Resource Access Manager (RAM)</a> to control which accounts, VPCs, and applications can establish communication via VPC Lattice.</p>\n<p>A service is an independently deployable unit of software that delivers a specific task or function. In VPC Lattice, a <strong>service</strong> is a logical component that can live in any VPC or account and can run on a mixture of compute types (virtual machines, containers, and serverless functions). A service configuration consists of:</p>\n<ul>\n<li>One or two <strong>listeners</strong> that define the port and protocol that the service is expecting traffic on. 
Supported protocols are HTTP/1.1, HTTP/2, and gRPC, including HTTPS for TLS-enabled services.</li>\n<li>Listeners have <strong>rules</strong> that consist of a <strong>priority</strong>, which specifies the order in which rules should be processed, one or more <strong>conditions</strong> that define when to apply the rule, and <strong>actions</strong> that forward traffic to target groups. Each listener has a <strong>default rule</strong> that takes effect when no additional rules are configured, or no conditions are met.</li>\n<li>A <strong>target group</strong> is a collection of <strong>targets</strong>, or compute resources, that are running a specific workload you are trying to route toward. Targets can be <a href=\"https://aws.amazon.com/ec2/\" target=\"_blank\">Amazon Elastic Compute Cloud (Amazon EC2)</a> instances, IP addresses, and Lambda functions. For <a href=\"https://kubernetes.io/\" target=\"_blank\">Kubernetes </a>workloads, VPC Lattice can target services and pods via the <strong>AWS Gateway Controller for Kubernetes</strong>. To have access to the AWS Gateway Controller for Kubernetes, you can <a href=\"https://pages.awscloud.com/AmazonVPCLattice-Preview.html\" target=\"_blank\">join the preview.</a></li>\n</ul>\n<p><img src=\"https://dev-media.amazoncloud.cn/06bd0e30372542b6aa72e2376fcd13bb_image.png\" alt=\"image.png\" /></p>\n<p>To configure service access controls, you can use <strong>access policies</strong>. An access policy is an IAM resource policy that can be associated with a service network and individual services. With access policies, you can use the “PARC” (principal, action, resource, and condition) model to enforce context-specific access controls for services. For example, you can use an access policy to define which services can access a service you own. 
If you use <a href=\"https://aws.amazon.com/organizations/\" target=\"_blank\">AWS Organizations</a>, you can limit access to a service network to a specific organization.</p>\n<p>VPC Lattice also provides a <strong>service directory</strong>, a centralized view of the services that you own or have been shared with you via AWS RAM.</p>\n<p><strong><ins>Using Amazon VPC Lattice</ins></strong></p>\n<p>We expect people with different roles can use VPC Lattice. For example:</p>\n<ul>\n<li>\n<p>The <strong>service network administrator</strong> can:</p>\n</li>\n<li>\n<p>Create and manage a service network.</p>\n</li>\n<li>\n<p>Define access and monitoring for the service network.</p>\n</li>\n<li>\n<p>Associate client and services.</p>\n</li>\n<li>\n<p>Share the service network with other AWS accounts.</p>\n</li>\n<li>\n<p>The <strong>service owner</strong> can:</p>\n</li>\n<li>\n<p>Create and manage a service, including access and monitoring.</p>\n</li>\n<li>\n<p>Define routing, for example, configuring listeners and rules that point to the target groups where the service is running.</p>\n</li>\n<li>\n<p>Associate a service to service networks.</p>\n</li>\n</ul>\n<p>Let’s see how this works in practice. In this quick walkthrough, I am covering both roles.</p>\n<p><strong><ins>Creating Two Backend Services</ins></strong></p>\n<p>There is nothing specific to VPC Lattice in this section. I am just creating a couple of services, one running on Amazon EC2 and one on AWS Lambda, that I’ll use later when I configure networking with VPC Lattice.</p>\n<p>In an <a href=\"https://aws.amazon.com/amazon-linux-2/\" target=\"_blank\">Amazon Linux</a> EC2 instance, I create a web app that replies “Hello from the instance” to HTTP requests. 
To allow access to the instance from clients coming via VPC Lattice, I add an inbound rule to the security group to allow TCP traffic on port 8080 from the VPC Lattice <a href=\"https://docs.aws.amazon.com/vpc/latest/userguide/working-with-aws-managed-prefix-lists.html\" target=\"_blank\">AWS-managed prefix list.</a></p>\n<p>Here’s the <code>app.py</code> file. I am using <a href=\"https://www.python.org/\" target=\"_blank\">Python</a> and <a href=\"https://flask.palletsprojects.com/\" target=\"_blank\">Flask</a> for this app, but you don’t need to know them to follow along with the post.</p>\n<p>Python</p>\n<pre><code class=\"lang-\">from flask import Flask\n\napp = Flask(__name__)\n\n@app.route('/')\ndef index():\n return 'Hello from the instance'\n\n@app.route('/&lt;path&gt;')\ndef somePath(path):\n return 'Hello from the instance at path &quot;{}&quot;'.format(path)\n\napp.run(host='0.0.0.0', port=8080)\n</code></pre>\n<p>Here’s the <code>requirements.txt</code> file with the Python dependencies. 
There’s only one line because the only module I need is <code>flask</code>:</p>\n<pre><code class=\"lang-\">flask\n</code></pre>\n<p>I install the dependencies:</p>\n<pre><code class=\"lang-\">pip3 install -r requirements.txt\n</code></pre>\n<p>Then, I start the web app using the nohup command to keep it running in case I log out of the instance:</p>\n<pre><code class=\"lang-\">nohup flask run --host=0.0.0.0 --port 8080 &amp;\n</code></pre>\n<p>On the EC2 instance, the web service is now listening to HTTP traffic on port 8080.</p>\n<p>In the Lambda console, I create a simple function using the <a href=\"https://aws.amazon.com/blogs/compute/node-js-18-x-runtime-now-available-in-aws-lambda/\" target=\"_blank\">Node.js 18.x runtime</a> that replies “Hello from the function” to all invocations.</p>\n<p>JavaScript</p>\n<pre><code class=\"lang-\">exports.handler = async (event) =&gt; {\n const response = {\n statusCode: 200,\n body: JSON.stringify('Hello from the function'),\n };\n return response;\n};\n</code></pre>\n<p>The two services are now both ready. Let’s use VPC Lattice to configure networking.</p>\n<p><strong><ins>Creating VPC Lattice Target Groups</ins></strong></p>\n<p>I start by creating two target groups, one for the EC2 instance and one for the Lambda function. In the VPC console, there is a new <strong>VPC Lattice</strong> section in the navigation pane. There, I choose <strong>Target groups</strong> and then <strong>Create target group</strong>.</p>\n<p>For the first target group, I choose the <strong>Instances</strong> target type and enter a name.</p>\n<p><img src=\"https://dev-media.amazoncloud.cn/8276adaca9404a248040c2c67aea77bf_image.png\" alt=\"image.png\" /></p>\n<p>I choose the protocol (<strong>HTTP</strong>) and port (<strong>8080</strong>) used by the web app running on the instance. 
I select the VPC where the instance is running and the protocol version (<strong>HTTP1</strong>).</p>\n<p><img src=\"https://dev-media.amazoncloud.cn/362a7df67ab04cc6b603b2e83b92fb59_image.png\" alt=\"image.png\" /></p>\n<p>Now I can configure the health check that will be used to test the target status. In this case, I use the default values proposed by the console.</p>\n<p><img src=\"https://dev-media.amazoncloud.cn/c3034b147100490c8babf7980d529cb9_image.png\" alt=\"image.png\" /></p>\n<p>In the next step, I can register the targets. I select the instance on which the web app is running from the list and choose to include it.</p>\n<p><img src=\"https://dev-media.amazoncloud.cn/6dc4e3bffa164bc2be1f99982e7cd2c7_image.png\" alt=\"image.png\" /></p>\n<p>I review the selected targets (one instance in this case) and choose <strong>Submit</strong>.</p>\n<p>In a similar way, I create a target group for the Lambda function. This time, I select the function from the list. I can choose which <a href=\"https://docs.aws.amazon.com/lambda/latest/dg/configuration-versions.html\" target=\"_blank\">function version</a> or <a href=\"https://docs.aws.amazon.com/lambda/latest/dg/configuration-aliases.html\" target=\"_blank\">function alias</a> to use. For simplicity, I use the <code>$LATEST</code> version.</p>\n<p><img src=\"https://dev-media.amazoncloud.cn/a6a71814be5244eba797d252c749b697_image.png\" alt=\"image.png\" /></p>\n<p><strong><ins>Creating VPC Lattice Services</ins></strong></p>\n<p>Now that the target groups are ready, I choose <strong>Services</strong> in the navigation pane and then <strong>Create service</strong>. I enter a name and a description.</p>\n<p><img src=\"https://dev-media.amazoncloud.cn/306242eca28e4e389312eaf54d5546fc_image.png\" alt=\"image.png\" /></p>\n<p>Now, I can choose the authentication type. 
If I choose <strong>None</strong>, the service network does not authenticate or authorize client access, and the <strong>auth policy</strong>, if present, is not used. I select** AWS IAM** and then, from the <strong>Apply policy template</strong> dropdown, the template that allows both authenticated and unauthenticated access.</p>\n<p><img src=\"https://dev-media.amazoncloud.cn/db2d6ed23ca04886b865964b01d251aa_image.png\" alt=\"image.png\" /></p>\n<p>In the <strong>Monitoring</strong> section, I turn on <strong>Access logs</strong>. As the destination for the access logs, I use an <a href=\"https://aws.amazon.com/cloudwatch/\" target=\"_blank\">Amazon CloudWatch</a> Log group that I created before. I also have the option to use an <a href=\"https://aws.amazon.com/s3/\" target=\"_blank\">Amazon Simple Storage Service (Amazon S3)</a> bucket or a <a href=\"https://aws.amazon.com/kinesis/data-firehose/\" target=\"_blank\">Amazon Kinesis Data Firehose</a> delivery stream.</p>\n<p><img src=\"https://dev-media.amazoncloud.cn/adf172925a4844be9aba00c3c031c9ef_image.png\" alt=\"image.png\" /></p>\n<p>In the next step, I define routing for the service. I choose <strong>Add listener</strong>. For the protocol, I configure the service to listen using <strong>HTTPS</strong>. In the default action, I choose to send two-thirds (<strong>Weight</strong> <code>20</code>) of the requests to the instance target group and one-third (<strong>Weight</strong> <code>10</code>) to the function target group.</p>\n<p><img src=\"https://dev-media.amazoncloud.cn/8bbfba871dde493484574b8a07e63073_image.png\" alt=\"image.png\" /></p>\n<p>Then, I add two additional rules. 
The first rule (<strong>Priority</strong> <code>10</code>) sends all requests where the path is <code>/to-instance</code> to the instance target group.</p>\n<p><img src=\"https://dev-media.amazoncloud.cn/6c390c09546b4c0ba48c407962aad25f_image.png\" alt=\"image.png\" /></p>\n<p>The second rule <strong>(Priority</strong> <code>20</code>) sends all traffic where the path is /to-function to the function target group.</p>\n<p><img src=\"https://dev-media.amazoncloud.cn/ac7a9cd6029548cabc8d60941b1ee1c8_image.png\" alt=\"image.png\" /></p>\n<p>In the next step, I am asked to associate the service with one or more service networks. I didn’t create a service network yet, so I skip this step for now and choose <strong>Next</strong>. I review the configuration and create the service.</p>\n<p><strong><ins>Creating VPC Lattice Service Networks</ins></strong></p>\n<p>Now, I create the service network so that I can associate the service and the VPCs I want to use. I choose <strong>Service network</strong> from the navigation pane and then <strong>Create service network</strong>. I enter a name and a description for the service network.</p>\n<p><img src=\"https://dev-media.amazoncloud.cn/4fcd24f33f244ded88dc98143ec921df_image.png\" alt=\"image.png\" /></p>\n<p>In the <strong>Associate services</strong>, I select the service I just created.</p>\n<p><img src=\"https://dev-media.amazoncloud.cn/6413c5878fc1469f9dd43ef951155be8_image.png\" alt=\"image.png\" /></p>\n<p>In the <strong>VPC associations</strong>, I select the VPC used by the instance where the web app runs. 
This can help in the future because it allows the web app to call other services associated with the service network.</p>\n<p><img src=\"https://dev-media.amazoncloud.cn/bc5cd8a3b79046eaad13d1d68f92db20_image.png\" alt=\"image.png\" /></p>\n<p>Then, I select a second VPC where I have another EC2 instance that I want to use to run some tests.</p>\n<p><img src=\"https://dev-media.amazoncloud.cn/4b2caa0e3f254de293a041f8fbe62e8e_image.png\" alt=\"image.png\" /></p>\n<p>For simplicity, in the <strong>Access</strong> section, I select the <strong>None</strong> auth type.</p>\n<p><img src=\"https://dev-media.amazoncloud.cn/136791d93cf548aea3f5a94b1d8f68d7_image.png\" alt=\"image.png\" /></p>\n<p>In the <strong>Monitoring</strong> section, I choose to send the access logs for the whole service network to an S3 bucket.</p>\n<p><img src=\"https://dev-media.amazoncloud.cn/41b90fe1416843499625db100829f9e4_image.png\" alt=\"image.png\" /></p>\n<p>I review the summary of the configuration and create the service network. After a few seconds all service and VPC associations are active, and I can start using the service.</p>\n<p>I write down the domain name of the service from the list of service associations.</p>\n<p><img src=\"https://dev-media.amazoncloud.cn/b66c7d833e5d468c8cb89429061fd1d9_image.png\" alt=\"image.png\" /></p>\n<p><strong><ins>Testing Access to the Service Using VPC Lattice</ins></strong></p>\n<p>I look at the <strong>Routing</strong> tab of the service to find a nice recap of how the listener is handling routing towards the different target groups.</p>\n<p><img src=\"https://dev-media.amazoncloud.cn/245563370fca4c0ba877d1478985011c_image.png\" alt=\"image.png\" /></p>\n<p>Then, I log into the EC2 instance in my second VPC and use curl to call the service domain name. 
As expected, I get about two-thirds of the responses from the instance and one-third from the function.</p>\n<pre><code class=\"lang-\">curl https://my-service-03e92ee54968d87ca.7d67968.vpc-lattice-svcs.us-west-2.on.aws\nHello from the instance\n\ncurl https://my-service-03e92ee54968d87ca.7d67968.vpc-lattice-svcs.us-west-2.on.aws\nHello from the instance\n\ncurl https://my-service-03e92ee54968d87ca.7d67968.vpc-lattice-svcs.us-west-2.on.aws\n&quot;Hello from the function&quot;\n</code></pre>\n<p>When I call the <code>/to-instance</code> and <code>/to-function</code> paths, the additional rules forward the requests to the instance and the function, respectively.</p>\n<pre><code class=\"lang-\">curl https://my-service-03e92ee54968d87ca.7d67968.vpc-lattice-svcs.us-west-2.on.aws/to-instance\nHello from the instance “to-instance” path\n</code></pre>\n<pre><code class=\"lang-\">curl https://my-service-03e92ee54968d87ca.7d67968.vpc-lattice-svcs.us-west-2.on.aws/to-function\n&quot;Hello from the function&quot;\n</code></pre>\n<p>I can now review access to my service using the access log subscriptions I configured before.</p>\n<p>For the service, I look in the CloudWatch Log group. There, I find a log stream containing detailed access information about the service.</p>\n<p><img src=\"https://dev-media.amazoncloud.cn/ca27742bf49c4812851c6f2974ff2880_image.png\" alt=\"image.png\" /></p>\n<p>The access log for all services associated with the service network is on the S3 bucket. 
I have only one service for now, but more are coming.</p>\n<p><img src=\"https://dev-media.amazoncloud.cn/56a1bed8d50b4d80bdf7853224b4a776_image.png\" alt=\"image.png\" /></p>\n<p><strong><ins>Available in Preview</ins></strong></p>\n<p><a href=\"https://aws.amazon.com/vpc/lattice/\" target=\"_blank\">Amazon VPC Lattice</a> is available <a href=\"https://pages.awscloud.com/AmazonVPCLattice-Preview.html\" target=\"_blank\">in preview</a> in the US West (Oregon) <a href=\"https://aws.amazon.com/about-aws/global-infrastructure/regions_az/\" target=\"_blank\">Region</a>.</p>\n<p>VPC Lattice provides deployment consistency across AWS compute types so that you can connect your services across instances, containers, and serverless functions. You can use VPC Lattice to apply granular and rich traffic controls, such as policy-based routing and weighted targets to support blue/green and canary-style deployments.</p>\n<p>VPC Lattice allows monitoring and troubleshooting service-to-service communication with detailed access logs and metrics that capture request type, volume of traffic, error rates, response time, and more. In this blog post, I only scratched the surface of what you can do with VPC Lattice.</p>\n<p><a href=\"https://aws.amazon.com/vpc/lattice/\" target=\"_blank\">Simplify the way you connect, secure, and monitor service-to-service communication with Amazon VPC Lattice.</a></p>\n<p><img src=\"https://dev-media.amazoncloud.cn/b8d2862a78344a009c0c9e2876d1b45a_6465c675a51d44aca59965f281504693_image%283%29.png\" alt=\"6465c675a51d44aca59965f281504693_image3.png\" /></p>\n<h3><a id=\"Danilo_Pocciahttpsawsamazoncomblogsawsauthordanilop_240\"></a><strong><a href=\"https://aws.amazon.com/blogs/aws/author/danilop/\" target=\"_blank\">Danilo Poccia</a></strong></h3>\n<p>Danilo works with startups and companies of any size to support their innovation. 
In his role as Chief Evangelist (EMEA) at Amazon Web Services, he leverages his experience to help people bring their ideas to life, focusing on serverless architectures and event-driven programming, and on the technical and business impact of machine learning and edge computing. He is the author of AWS Lambda in Action from Manning.</p>\n"}
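Added example (not code from the post or from AWS): a small Python model of the listener configured in the walkthrough, with the two path rules at priorities 10 and 20 and the weighted default action of 20/10, to check that a request matched by a rule never enters the weighted split and that the split sends two-thirds of the remaining requests to the instance. The target-group names and the request sample are constructed.

```python
"""Model of the VPC Lattice listener from the walkthrough (added example).
Priorities, paths and weights are the post's values; target-group names and
the sample requests are constructed for illustration."""
import random
from collections import Counter

# Rules are evaluated lowest priority number first; the default action is
# used only when no rule matches the request path.
RULES = [
    {"priority": 10, "path": "/to-instance", "target": "instance"},
    {"priority": 20, "path": "/to-function", "target": "function"},
]
# Weights are relative, not percentages: 20 and 10 give a 2:1 split.
DEFAULT_ACTION = [("instance", 20), ("function", 10)]


def expected_share(target):
    """Fraction of unmatched requests the default action sends to `target`."""
    weights = dict(DEFAULT_ACTION)
    return weights[target] / sum(weights.values())


def route(path, rng=random):
    """Return the target group that handles a request for `path`."""
    for rule in sorted(RULES, key=lambda r: r["priority"]):
        if path == rule["path"]:
            return rule["target"]
    # No rule matched: weighted forward across the default action's targets.
    targets, weights = zip(*DEFAULT_ACTION)
    return rng.choices(targets, weights=weights, k=1)[0]


def traffic_split(paths, seed=0):
    """Count requests per target group, using a seeded RNG for repeatability."""
    rng = random.Random(seed)
    return Counter(route(p, rng) for p in paths)


if __name__ == "__main__":
    # Constructed sample: 3000 requests to the root plus one per rule path.
    sample = ["/"] * 3000 + ["/to-instance", "/to-function"]
    print(traffic_split(sample))
```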