Amazon VPC Lattice
An application networking service that provides unified management of service-to-service communication across VPCs and accounts, with built-in authentication, authorization, and traffic control
Overview
Amazon VPC Lattice is an application networking service that simplifies service-to-service communication across VPCs and accounts. It provides a consistent way to connect, secure, and monitor communication between services regardless of their compute type (EC2, ECS, EKS, Lambda) or account location. Built-in authentication via IAM, authorization policies, and traffic management capabilities eliminate the need for custom service mesh infrastructure.
Service Networks and Service Design
VPC Lattice organizes connectivity through two key concepts: service networks and services. A service network is a logical boundary that groups services that need to communicate with each other. Services registered to the same service network can discover and communicate with each other automatically. A service represents an application component with one or more target groups (EC2 instances, IP addresses, Lambda functions, or ALBs). Listener rules on services define how incoming requests are routed to target groups based on path, headers, or method. VPCs associate with service networks to gain access to all services within that network. This model decouples network connectivity from VPC topology - services in different VPCs and accounts communicate through the service network without VPC peering or Transit Gateway.
Authentication, Authorization, and Zero-Trust Networking
VPC Lattice implements zero-trust networking principles with built-in IAM authentication and authorization. Auth policies on service networks and individual services define which principals can invoke which services. Requests are authenticated using SigV4 signing, with the caller's IAM identity verified before traffic reaches the target. This eliminates the need for application-level authentication between services. Authorization policies use IAM policy language to express fine-grained access rules such as 'service A in account 123 can invoke POST /orders on service B.' Combined with service network-level policies, you can implement defense in depth with both network-level and service-level access controls. For services that need to accept unauthenticated traffic (e.g., public APIs behind CloudFront), auth policies can be configured to allow anonymous access on specific paths.
Traffic Management and Migration from Existing Architectures
VPC Lattice provides weighted routing for gradual traffic shifting between target groups, enabling blue-green deployments and canary releases at the network layer. Header-based routing enables A/B testing by directing traffic based on custom headers. Health checks automatically remove unhealthy targets from rotation. For migration from existing architectures, VPC Lattice can coexist with existing load balancers and service meshes. A common migration pattern registers existing ALBs as VPC Lattice targets, enabling gradual adoption without disrupting current traffic flows. Services can be migrated one at a time from direct VPC peering or Transit Gateway connectivity to VPC Lattice, with the service network providing a consistent access layer regardless of the underlying connectivity method. Access logs provide detailed request-level visibility including caller identity, latency, and response codes for operational monitoring.