Networking

Service Networking with Amazon VPC Lattice - Simplifying Microservice Communication

Simplify cross-VPC and cross-account microservice communication with L7 service networking that requires no Envoy proxies. Learn about IAM authentication and when to choose VPC Lattice over App Mesh.

約 4 分で読めます

Service Network Architecture

VPC Lattice provides application-layer (L7) service networking that simplifies service-to-service communication across multiple VPCs and accounts. A service network is a logical boundary that groups related services together. When you associate a VPC with a service network, resources within that VPC can access all services in the service network. Each service is assigned an auto-generated DNS name, enabling cross-VPC communication without configuring VPC peering or Transit Gateway. RAM (Resource Access Manager) lets you share service networks and services with other accounts.

Routing and Authentication

Services are configured with listeners (HTTP or HTTPS), and listener rules define routing based on request path, headers, and methods. Target groups can include EC2 instances, IP addresses, ECS tasks, Lambda functions, and ALBs, providing a unified way to handle different compute types. Weighted routing splits traffic across multiple target groups, enabling canary releases and blue/green deployments. IAM authentication policies applied to service networks or services control access based on the caller's IAM role. Requests are authenticated using SigV4 signatures, ensuring only policy-authorized services can communicate.

Choosing Between VPC Lattice and App Mesh

VPC Lattice and App Mesh both manage service-to-service communication, but they differ in target layer and operational model. VPC Lattice provides L7 service networking as an AWS-managed service, eliminating the need to deploy or manage Envoy proxies. App Mesh is an Envoy-based service mesh that offers fine-grained control over circuit breakers and retry policies, but comes with sidecar proxy operational overhead. VPC Lattice excels at cross-VPC and cross-account service communication, making it ideal for environments where microservices are distributed across multiple VPCs and accounts. App Mesh is better suited for fine-grained traffic control within a single VPC (canary deployments, traffic shifting). You can also use both together, with Lattice handling inter-VPC communication and App Mesh managing intra-VPC communication. To learn service mesh concepts from fundamentals to advanced topics, books (Amazon) offer a systematic approach.

VPC Lattice Pricing

VPC Lattice pricing consists of three components: hourly service charges, request counts, and data processing volume. Each service costs approximately $0.025/hour, requests are approximately $0.10 per million, and data processing is approximately $0.025 per GB. Compared to ALB, the per-request cost is lower, but in environments with many services, the hourly service charges add up. VPC associations to service networks are free, and accessing services from multiple VPCs incurs no additional network charges. Output access logs to S3 to analyze traffic patterns and consider consolidating low-usage services to optimize costs.

Summary

VPC Lattice simplifies network configuration for microservice communication and provides IAM-based authentication for service-to-service access control. It delivers cross-VPC and cross-account communication through service networks without Envoy proxies, significantly reducing operational overhead compared to App Mesh. L7 routing rules enable traffic control based on paths and headers, and access logs provide traffic pattern analysis.

Related Services

Amazon VPCBuild a logically isolated virtual network on AWSAmazon ECSA container orchestration service for easily running and managing containerized applicationsAWS LambdaA serverless compute service that runs code without server management

Related Articles

Zero Trust Network Access - VPN-Free Secure Access with AWS Verified AccessLearn about VPN-less zero trust access with AWS Verified Access. Covers identity provider integration, device trust, policy-based access control, and comparison with traditional VPNs.Private Connectivity with AWS PrivateLink - VPC Endpoints and Endpoint ServicesConnect to AWS services privately without traversing the internet. Learn about free Gateway Endpoints and building Endpoint Services.Container Orchestration - Optimizing Kubernetes Operations with Amazon EKSLearn about managed Kubernetes operations with Amazon EKS.

More on This Topic

Building a Service Mesh with AWS App Mesh - Controlling and Observing Microservice CommunicationLearn how to declaratively configure canary deployments, retry policies, and mTLS encryption using Envoy sidecars, and visualize service dependencies with X-Ray integration.Service Discovery with AWS Cloud Map - Dynamic Name Resolution for MicroservicesDynamically discover microservice endpoints using DNS-based and API-based approaches. Learn how to automate service registration and deregistration through integration with ECS and EKS.How CloudFront's 600+ PoPs Work - Anycast Routing and the Cache HierarchyLearn how CloudFront routes user requests to the nearest PoP using Anycast, the two-tier structure of edge locations and regional edge caches, and the design factors that determine cache hit rates.Dedicated Connection Design - Achieving Stable Private Network Connectivity with Direct ConnectLearn about dedicated connection design with AWS Direct Connect, including choosing between dedicated and hosted connections, redundancy configurations, and achieving stable private network connectivity through VPC integration.Building Dedicated Connections with AWS Direct Connect - Redundancy Design and Traffic ControlDesign redundant dedicated connections and connect to VPCs across multiple regions with Direct Connect Gateway. This article also covers bandwidth aggregation with LAG and MACsec encryption.Elastic IP Address Management and Design - Static IP Usage and Cost OptimizationLearn about Elastic IP allocation, EC2 association, cost implications of unused EIPs, and alternative approaches to consider.Why ELB Has Three Types - The Design Rationale Behind ALB, NLB, and CLBExplore why ALB, NLB, and CLB (Classic) coexist rather than being unified into a single service, examining OSI model layers, performance characteristics, and historical context.Global Network Optimization with AWS Global Accelerator - Low-Latency Delivery and FailoverLearn how to route traffic onto the AWS global network using Anycast IPs, design endpoint groups, and achieve failover through health checks.

Similar Articles and Services

Amazon VPC LatticeAn application networking service that simplifies service-to-service connectivity, security, and monitoringAWS App MeshA service mesh that controls and monitors communication between microservicesBuilding a Service Mesh with AWS App Mesh - Controlling and Observing Microservice CommunicationLearn how to declaratively configure canary deployments, retry policies, and mTLS encryption using Envoy sidecars, and visualize service dependencies with X-Ray integration.Multi-Account Design for Amazon VPC Lattice - RAM Sharing and Service Network Configuration PatternsLearn how to design VPC Lattice for multi-account environments, including RAM sharing strategies, service network partitioning, and hierarchical Auth Policy design.AWS Zero Trust Networking - Perimeterless Security with Verified Access and PrivateLinkLearn how AWS Verified Access, PrivateLink, and VPC Lattice implement zero trust networking, with a comparison of design differences from Azure Private Link.