How to Establish External Connections to VPC Lattice?

adil
4 min readNov 5, 2023

Part 1: How to use VPC Lattice in AWS?

Establishing an external connection to a VPC Lattice installation is challenging. Because the services are located in the VPC Lattice’s link-local address range (169.254.171.0/24).

Photo by Sean Stratton on Unsplash

I set up an environment similar to what I did in Part 1.

I have 2 VPCs; Email-VPC and Payment-VPC
Each VPC has two subnets: 1 Private Subnet and 1 Public Subnet.

In this article, unlike Part 1, the Email server and Payment server are located in Private subnets.

But I have bastion servers that I can access via SSH. I access the servers through bastion servers.

For simplicity’s sake, I’ve already set up VPC Lattice.

A few screenshots from my setup

EC2 Instances

Routing table for Email-Private-Subnet:

Service associations in VPC Lattice:

The configuration for Email-svc:

Let’s try to access the services:

The Payment server and Email server can access each other.

Let’s enable external connection to the VPC Lattice service network

We will need an Nginx instance on EC2 and an Application Load Balancer.

The Application Load Balancer will forward the requests to the Nginx server, and the Nginx server will forward the requests to the correct VPC Lattice service.

(P.S.: Best practice is to run the Nginx on ECS)

I created an Nginx VPC:

I created two public and one private subnet in Nginx VPC:

I created an Nginx Bastion and an Nginx Private instance:

I installed an Nginx server on the Nginx-Private instance. This server will act as a reverse proxy.

I added this Nginx reverse proxy config:

server {
listen 80;
server_name _;

location / {
return 200 "Hello from nginx!";
}

location /payment/ {
proxy_pass http://169.254.171.0/;
proxy_http_version 1.1;
proxy_set_header Host "payment-svc-0e8ad10f028e52c3e.7d67968.vpc-lattice-svcs.eu-west-1.on.aws";
}

location /email/ {
proxy_pass http://169.254.171.0/;
proxy_http_version 1.1;
proxy_set_header Host "email-svc-009a34f72d46af938.7d67968.vpc-lattice-svcs.eu-west-1.on.aws";
}
}

I added Nginx-Private to the existing VPC Lattice Service Network (More details in Part 1):

A target group for Nginx in the VPC Lattice:

Let’s test the connection to other services from the Nginx-Private instance:

Let’s create a public application load balancer and route the requests to the Nginx-Private instance:

Target group for the application load balancer:

Let’s test the connection from my local computer:

Bastion instances do not affect this chain of connections. They were created to access instances on the private subnets.

I stopped them and tried to access the endpoints again:

Test:

--

--