Amazon VPC Lattice L2 Construct #502
Labels: bar-raiser/assigned, l2-request (request for new L2 construct), management/tracking, status/approved (Ready for implementation)
Comments
mrgrain added the status/final-comment-period (Pending final approval) label and removed the status/proposed (Newly proposed RFC) label on Oct 19, 2023.
mrgrain added the status/approved (Ready for implementation) label and removed the status/final-comment-period (Pending final approval) label on Oct 27, 2023.
mergify bot pushed a commit that referenced this issue on Oct 27, 2023:
This is a request for comments about L2 Constructs for vpclattice. See #502 for additional details. APIs are signed off by @TheRealAmazonKendra --- _By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license_
Closing this ticket as it is not a core library concern and we do not have bandwidth to collaborate on implementation. We believe the functionality is beneficial, but does not intersect with the core framework and should be vended and maintained separately.
Description
This RFC proposes a new L2 module for CDK to support AWS VPC Lattice.
This RFC supersedes #501.
Roles
Workflow
status/proposed
status/review
api-approved (applied to pull request)
status/final-comments-period
status/approved
status/planning
status/implementing
status/done
PUBLIC ISSUES
USER STORIES
As Any User I would like to:
As a Service Owner I would like to:
As a Service Consumer I would like to:
As a Platform/Network Admin I would like to:
README
VpcLattice Construct
VPC associations
When you associate a VPC with a service network, all the targets within that VPC become able to act as clients and communicate with the other services associated with that same service network.
You can optionally make use of Security Groups to control the access of the VPC association, allowing some traffic segmentation before the traffic arrives at the Service Network.
Basic Use
Creating a new service network association for a VPC:
Security Groups can optionally be supplied to the association
Defining a service network
Service networks can have an Auth Policy assigned to them. This can either be active (when the attribute `authType` is set to `AWS_IAM`) or inactive (when the attribute `authType` is set to `None`). Note that Auth policies can also be assigned to Services (detailed below).
Example Auth Policy that is active
Example Auth Policy that is inactive.
`authType` is `None` by default.
Defining a service
Creates a service. A service is any software application that can run on instances, containers, or serverless functions within an account or virtual private cloud (VPC).
We can add a listener to the service that will either forward to a target group or return a fixed response.
Services can have an Auth Policy assigned to them. This can either be active (when the attribute `authType` is set to `AWS_IAM`) or inactive (when the attribute `authType` is set to `None`). Note that Auth policies can also be assigned to Service networks.
Example Auth Policy that is active
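The policy snippets that followed the "Example Auth Policy" headings in this section and the service network section were not captured on this page. As an added example that is neither the RFC's nor the construct's own code, the following plain TypeScript models the behaviour those sections and the later Auth policies section describe: with `authType` inactive the policy is never consulted, with `AWS_IAM` a request is admitted only if some statement (principal, action, resource, conditions) allows it, and an explicit Deny always wins. The `evaluate` and `scenarios` names, the placeholder account, role and service ARNs, and the exact condition-key names (`vpc-lattice-svcs:SourceVpc`, `vpc-lattice-svcs:RequestMethod`) are assumptions made for the example.

```typescript
// Added example, not the RFC's or the construct's code: a plain-TypeScript model of how a
// VPC Lattice auth policy is consulted once authType is AWS_IAM, and of why an inactive
// authType (None) means the policy plays no part. Types, evaluate() and the ARNs are assumptions.

type AuthType = "NONE" | "AWS_IAM";
type OneOrMany = string | string[];

// Subset of the IAM policy grammar used by VPC Lattice auth policies (StringEquals only).
interface Statement {
  Effect: "Allow" | "Deny";
  Principal: "*" | { AWS: OneOrMany };
  Action: OneOrMany;
  Resource: OneOrMany;
  Condition?: { StringEquals?: Record<string, OneOrMany> };
}
interface AuthPolicy { Version: "2012-10-17"; Statement: Statement[]; }

interface LatticeRequest {
  principalArn: string | undefined; // undefined models an unsigned (anonymous) request
  action: string;
  resourceArn: string;
  context: Record<string, string>;  // values the condition keys are evaluated against
}

const asList = (v: OneOrMany): string[] => (Array.isArray(v) ? v : [v]);

// IAM-style wildcard: '*' matches any run of characters, everything else is literal.
function globMatch(pattern: string, value: string): boolean {
  const parts = pattern.split("*").map(p => p.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp("^" + parts.join(".*") + "$").test(value);
}

function principalMatches(p: Statement["Principal"], principalArn: string | undefined): boolean {
  if (p === "*") return true;                   // '*' also admits unsigned requests
  if (principalArn === undefined) return false; // unsigned requests match no named principal
  return asList(p.AWS).some(a => globMatch(a, principalArn));
}

function conditionMatches(c: Statement["Condition"], ctx: Record<string, string>): boolean {
  const eq = c?.StringEquals ?? {};
  return Object.entries(eq).every(([key, allowed]) => {
    const actual = ctx[key];
    return actual !== undefined && asList(allowed).includes(actual);
  });
}

function statementApplies(s: Statement, r: LatticeRequest): boolean {
  return principalMatches(s.Principal, r.principalArn)
    && asList(s.Action).some(a => globMatch(a, r.action))
    && asList(s.Resource).some(res => globMatch(res, r.resourceArn))
    && conditionMatches(s.Condition, r.context);
}

// IAM evaluation order: an explicit Deny beats any Allow; with no matching Allow the result
// is an implicit Deny. With authType NONE the policy is never consulted (inactive, as in the README).
function evaluate(authType: AuthType, policy: AuthPolicy | undefined, r: LatticeRequest): "ALLOW" | "DENY" {
  if (authType === "NONE") return "ALLOW";
  const applicable = (policy?.Statement ?? []).filter(s => statementApplies(s, r));
  if (applicable.some(s => s.Effect === "Deny")) return "DENY";
  return applicable.some(s => s.Effect === "Allow") ? "ALLOW" : "DENY";
}

// Constructed sample: account id, role name and service id are placeholders.
const SERVICE_ARN = "arn:aws:vpc-lattice:us-east-1:111122223333:service/svc-EXAMPLE0123456789";
const CALLER = "arn:aws:iam::111122223333:role/OrderServiceRole";
const samplePolicy: AuthPolicy = {
  Version: "2012-10-17",
  Statement: [
    // Allow one role to invoke the service, but only from one known VPC.
    { Effect: "Allow", Principal: { AWS: CALLER }, Action: "vpc-lattice-svcs:Invoke", Resource: SERVICE_ARN,
      Condition: { StringEquals: { "vpc-lattice-svcs:SourceVpc": "vpc-EXAMPLE1" } } },
    // Deny DELETE to everyone, whatever the Allow above says.
    { Effect: "Deny", Principal: "*", Action: "vpc-lattice-svcs:Invoke", Resource: SERVICE_ARN,
      Condition: { StringEquals: { "vpc-lattice-svcs:RequestMethod": "DELETE" } } },
  ],
};

function scenarios(): Record<string, "ALLOW" | "DENY"> {
  const req = (principalArn: string | undefined, method: string, vpc: string): LatticeRequest => ({
    principalArn, action: "vpc-lattice-svcs:Invoke", resourceArn: SERVICE_ARN,
    context: { "vpc-lattice-svcs:SourceVpc": vpc, "vpc-lattice-svcs:RequestMethod": method },
  });
  return {
    inactiveNoPolicy: evaluate("NONE", undefined, req(undefined, "GET", "vpc-OTHER")),     // anyone in an associated VPC
    activeNoPolicy: evaluate("AWS_IAM", undefined, req(CALLER, "GET", "vpc-EXAMPLE1")),    // nothing allows: implicit deny
    activeAllowed: evaluate("AWS_IAM", samplePolicy, req(CALLER, "GET", "vpc-EXAMPLE1")),
    activeWrongVpc: evaluate("AWS_IAM", samplePolicy, req(CALLER, "GET", "vpc-OTHER")),
    activeUnsigned: evaluate("AWS_IAM", samplePolicy, req(undefined, "GET", "vpc-EXAMPLE1")),
    activeExplicitDeny: evaluate("AWS_IAM", samplePolicy, req(CALLER, "DELETE", "vpc-EXAMPLE1")),
  };
}

console.log(scenarios());
```

The first two scenarios are the ones worth keeping in mind when choosing `authType`: with the default inactive setting every client in an associated VPC reaches the service regardless of the policy, while switching to `AWS_IAM` without attaching a policy denies everything until an Allow statement exists.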
Defining a listener
Creates a listener for a service; we must add one or more listeners to the service. On the listener we can select either a default action that returns a fixed response, or a default target group that forwards the traffic to the relevant target groups.
It's possible to route traffic to targets based on conditions in the incoming HTTP request.
We can add targets as above, which automates the creation of the target group and the action, but we can also specify both explicitly if we want more control, by creating the target group and action using
we can define listener rules
and then we can add the action:
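The construct snippets for the listener, its rules and the action were not captured on this page. As an added example that is neither the RFC's nor the construct's own code, the following plain TypeScript models the routing semantics this section describes: a listener has a default action (fixed response or forward to a target group) and a set of prioritised rules whose HTTP match conditions (path, method, headers) select a different action. The `Listener`, `Rule`, `Condition` and `route` names are assumptions, as is the check that rule priorities on one listener must be unique.

```typescript
// Added example, not the RFC's or the construct's code: a plain-TypeScript model of how a
// VPC Lattice listener picks an action (prioritised rules with HTTP match conditions, then
// the default action). Names such as Listener, Rule, Condition and route() are assumptions.

type Action =
  | { kind: "forward"; targetGroup: string }
  | { kind: "fixed-response"; statusCode: number };

// Match conditions on the incoming HTTP request; every field that is set must match.
interface Condition {
  pathExact?: string;
  pathPrefix?: string;
  method?: string;
  headers?: Record<string, string>; // header names are compared case-insensitively
}

interface Rule { name: string; priority: number; condition: Condition; action: Action; }

interface Listener { port: number; protocol: "HTTP" | "HTTPS"; defaultAction: Action; rules: Rule[]; }

interface HttpRequest { method: string; path: string; headers: Record<string, string>; }

function headerValue(r: HttpRequest, name: string): string | undefined {
  const hit = Object.entries(r.headers).find(([k]) => k.toLowerCase() === name.toLowerCase());
  return hit ? hit[1] : undefined;
}

function matches(c: Condition, r: HttpRequest): boolean {
  if (c.pathExact !== undefined && r.path !== c.pathExact) return false;
  if (c.pathPrefix !== undefined && !r.path.startsWith(c.pathPrefix)) return false;
  if (c.method !== undefined && r.method.toUpperCase() !== c.method.toUpperCase()) return false;
  for (const [name, want] of Object.entries(c.headers ?? {})) {
    if (headerValue(r, name) !== want) return false;
  }
  return true;
}

// Assumption: each rule on a listener needs a distinct priority, so duplicates are rejected up front.
function validate(l: Listener): void {
  const seen = new Set<number>();
  for (const rule of l.rules) {
    if (seen.has(rule.priority)) throw new Error(`duplicate priority ${rule.priority} on rule ${rule.name}`);
    seen.add(rule.priority);
  }
}

// Lower priority number is evaluated first; the first matching rule wins, otherwise the
// listener's default action applies.
function route(l: Listener, r: HttpRequest): Action {
  validate(l);
  const ordered = [...l.rules].sort((a, b) => a.priority - b.priority);
  for (const rule of ordered) {
    if (matches(rule.condition, r)) return rule.action;
  }
  return l.defaultAction;
}

// Constructed sample listener: the default action is a fixed 404 rather than a forward,
// so a request that matches no rule never reaches a target group.
const sampleListener: Listener = {
  port: 443,
  protocol: "HTTPS",
  defaultAction: { kind: "fixed-response", statusCode: 404 },
  rules: [
    { name: "block-admin-delete", priority: 5,
      condition: { pathPrefix: "/admin", method: "DELETE" },
      action: { kind: "fixed-response", statusCode: 403 } },
    { name: "api-v2", priority: 10,
      condition: { pathPrefix: "/api", headers: { "x-api-version": "v2" } },
      action: { kind: "forward", targetGroup: "tg-api-v2" } },
    { name: "api-default", priority: 20,
      condition: { pathPrefix: "/api" },
      action: { kind: "forward", targetGroup: "tg-api-v1" } },
  ],
};

function describeAction(a: Action): string {
  return a.kind === "forward" ? `forward:${a.targetGroup}` : `fixed:${a.statusCode}`;
}

function demo(): Record<string, string> {
  const req = (method: string, path: string, headers: Record<string, string> = {}): HttpRequest =>
    ({ method, path, headers });
  return {
    v2: describeAction(route(sampleListener, req("GET", "/api/orders", { "X-Api-Version": "v2" }))),
    v1: describeAction(route(sampleListener, req("GET", "/api/orders"))),
    adminDelete: describeAction(route(sampleListener, req("DELETE", "/admin/users/1"))),
    adminGet: describeAction(route(sampleListener, req("GET", "/admin/users/1"))),
  };
}

console.log(demo());
```

Two points the sample is built around: the most specific rule gets the lowest priority number so it is tried first, and the default action is a fixed response, which keeps unmatched paths from being forwarded to whichever target group happened to be registered as the default.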
Defining Service Network
Creates a service network. A service network is a logical boundary for a collection of services. You can associate services and VPCs with a service network.
Adding a VPC Lattice Service to Service Network
Associate a VPC to Service Network
Target Groups
A Target Group is a collection of targets, or compute resources that run your application or service. Targets in VPC Lattice can be EC2 instances, IP addresses, Lambda functions, Application Load Balancers, or Kubernetes Pods.
Auth policies
Auth policies are attached to services or service networks to control whether a specified principal has access to a group of services or to a specific service. You can attach one auth policy to each service network or service that you want to control access to. Since Auth policies must be associated with a service or service network, we cannot create a standalone resource for them (this differs from IAM policies, which can be standalone). Instead we must use an `addAuthPolicy` method on the Service or Service Network. This method references the service or service network ID, `this.serviceId` or `this.serviceNetworkId`. The function takes in the `policy` parameter, which defines the actions, resources, principals and conditions, like an IAM policy.
Public FAQ
What are we launching today?
Amazon VPC Lattice AWS CDK L2 Construct
Why should I use this construct?
This CDK L2 Construct can be used to deploy resources from Amazon VPC Lattice. VPC Lattice is a fully managed application networking service that you use to connect, secure, and monitor all your services across multiple accounts and virtual private clouds (VPCs).
This construct handles all the different resources you can use with VPC Lattice: Service Network, Service, Listeners, Listener Rules, Target Groups (and targets), and Associations (Service or VPC). You have the freedom to create the combination of resources you need, so in multi-AWS Account environments you can make use of the module as many times as needed (different providers) to create your application network architecture.
You can check common Amazon VPC Lattice Reference Architectures to understand the different use cases you can build with the AWS service.
Internal FAQ
Why are we doing this?
Why should we not do this?
What is the technical solution (design) of this feature?
Is this a breaking change?
What are the drawbacks of this solution?
Ticking the box below indicates that the public API of this RFC has been signed-off by the API bar raiser (the `api-approved` label was applied to the RFC pull request).