AWS VPC Lattice: Private Connectivity Evolved
PrivateLink in AWS/Azure and Private Service Connect in GCP enable third parties to access private web service applications without the traffic traversing the public Internet. Several of Konekti's clients take advantage of such services to offer SaaS applications as well as private API connectivity. In classic AWS fashion, the company has further developed a service that builds on its PrivateLink offering. AWS named the service VPC Lattice and released it as generally available in March 2023.
PrivateLink: A Solid Foundation
Before delving into VPC Lattice, let's examine what's required for a business to offer a web-based service via PrivateLink (for simplicity's sake, we'll refer to the company offering the service as the producer and the entities consuming the service as the consumers). The producer must establish a Network Load Balancer and associated target group(s). Aspects such as routing, service discovery and authentication are the responsibility of the producer. Through the producer-side PrivateLink service and consumer-side PrivateLink endpoints, the producer and consumer are linked yet decoupled at the network layer. The IP address ranges used by producer and consumer do not have to be coordinated (i.e., IP address overlap is not a concern).
What if AWS could simplify application networking even further, especially for complex multi-account and multi-VPC architectures? AWS apparently saw opportunities for simplification and developed VPC Lattice around lifting certain burdens from the producer. Enter VPC Lattice, the next evolution of private connectivity in the AWS cloud.
VPC Lattice: Private Connectivity Simplified
VPC Lattice takes the idea of managed application hosting a step further. It's a fully managed application networking service that simplifies secure east-west communication (between services) within a single VPC or across multiple VPCs in one or more accounts. Here's how it builds on PrivateLink:
- Unified Connectivity: Instead of managing individual PrivateLink connections, VPC Lattice provides a single, unified fabric for service communication.
- Zero-Trust Security: Like PrivateLink, VPC Lattice enforces a zero-trust approach. Every request must be authenticated and authorized with granular permission policies, regardless of location within the network.
- Reduced Complexity: VPC Lattice minimizes the need for manual network configuration, such as routing tables, VPC peering, and Transit Gateways. This streamlines management and reduces the risk of errors.
- Focus on Development: By handling the underlying network complexities, VPC Lattice frees developers to focus on building and deploying applications.
In mid-2023, Konekti led a VPC Lattice proof-of-concept effort on behalf of one of its large clients. Through this exercise we were able to understand this service better, with two main takeaways:
- VPC Lattice completely removes the need for a network infrastructure team to build out and maintain producer/consumer connectivity. A load balancer is even optional.
- IAM integration is a powerful addition over the PrivateLink offering. Producers have extremely granular abilities to dictate what resources can communicate with the producer (e.g., restrictions based on tags).
- VPC Lattice excels at developer-driven environments by minimizing the need to have a detailed understanding of cloud networking constructs.
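The tag-based restriction described in the second takeaway, as an added example that is not from the original post or from Konekti: a VPC Lattice auth policy (the IAM-style policy the producer attaches to a service whose auth type is AWS_IAM) that permits invocation only by principals carrying the tag team=payments, only from the producer's own AWS Organization, and only for GET and POST requests. The organization ID and tag values are placeholders; the policy is scoped by the service it is attached to, so the resource is left as "*".

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowTaggedConsumersFromOrg",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "vpc-lattice-svcs:Invoke",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalTag/team": "payments",
          "aws:PrincipalOrgID": "o-EXAMPLEORGID",
          "vpc-lattice-svcs:RequestMethod": ["GET", "POST"]
        }
      }
    }
  ]
}
```

Because the only statement is a conditional Allow, every request that is unsigned, comes from an untagged role, or uses another HTTP method is implicitly denied; the policy is attached with `aws vpc-lattice put-auth-policy` after the service's auth type is set to AWS_IAM.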
Conclusion
AWS VPC Lattice represents a significant leap forward in simplifying and securing application networking. The service builds upon the strong foundation of PrivateLink, offering a more centralized and automated approach for complex deployments. By reducing management overhead and enforcing zero-trust security, VPC Lattice empowers developers to focus on building innovative applications while maintaining a robust and secure network.
At Konekti, our detailed analysis of this service has convinced us that it is an impressive tool for building and scaling microservice software architectures. VPC Lattice doesn't replace PrivateLink, which still remains essential for secure connectivity to specific AWS services, but some use cases will be a better fit for VPC Lattice.