Build secure application networks with VPC Lattice, HAQM ECS, and AWS Lambda

Introduction

In this post, we’ll explore how to publish and consume services running on HAQM Elastic Container Service (HAQM ECS) and AWS Lambda, as HAQM VPC Lattice services. For an introduction to HAQM VPC Lattice, please read the documentation here.

One main reason customer experience a lower velocity of innovation, is the complexity they deal with while trying to ensure that their applications can communicate in a simple and secure way. HAQM VPC Lattice is a powerful application networking service that removes this complexity, and gives developers a simpler user experience to share their application and connect with dependencies without having to setup any of the underlying network connectivity across HAQM Virtual Private Clouds (HAQM VPCs), AWS accounts, and even overlapping IP addressing. It handles both application layer load balancing and network connectivity, so that developers can focus on their applications, instead of infrastructure.

Solution overview

Figure 1: High-level solution architecture

While most AWS compute options include native integration with HAQM VPC Lattice, HAQM ECS requires an HAQM Elastic Load Balancing (ELB), either an Application Load Balancer (ALB) or Network Load Balancer (NLB), to frontend HAQM ECS services. For this walkthrough, we use an ALB to connect HAQM ECS service to an HAQM VPC Lattice Service Network. You can also associate a second ALB and listener to an HAQM VPC Lattice service to perform safe HAQM ECS deployments, such as blue/green or canary testing.

In this post, we use a sample retail store application to demonstrate how you can easily connect applications deployed on HAQM ECS and AWS Lambda using HAQM VPC Lattice, but you could also integrate services with other types of AWS compute. Original source code of this application can be found at this repository.

Figure 2: Application overview

The application has three main components:

1. Retail Storefront serves the HTML user interface (UI) and aggregates calls to the backend Application Programming Interfaces (APIs) for the internet-based users.
2. Checkout service provides an API for storing customer data during the checkout process.
3. Orders service provides an API for storing order information.

Retail storefront application is running on HAQM ECS and is exposed to internet users via public ALB. Checkout service is running on HAQM ECS, and Orders service is running on AWS Lambda. Both are published as HAQM VPC Lattice services and accessible with in the HAQM VPC Lattice service network.

All of these services utilize HTTPS and custom domain names to communicate with each other. So, Secure Sockets Layer (SSL) Certificates issued to custom domain name, are installed on HAQM VPC Lattice service listeners, public, and private ALB resources. Note: when exposing HTTPS HAQM ECS services via HAQM VPC Lattice, you have to use same SSL Certificate on both private ALB and HAQM VPC Lattice listener. Refer HTTPS listeners for VPC Lattice services for more details.

Walkthrough

Prerequisites

You will need the following for this walkthrough:

• AWS Account
• Access to the shell environment. In this post, we use the AWS CloudShell, but you can also use AWS Cloud9 or your own computer
• AWS Command Line Interface (AWS CLI) configured with your AWS Account credentials, instructions here
• GIT command line interface and npm
• Domain Name System (DNS) domain and a wild card SSL certificate(s) imported in AWS Certificate Manager (AWS ACM). We use example.com in this walkthrough.
• Follow the instructions in this documentation to import an SSL certificate in AWS ACM.
• A Route 53 hosted zone for your domain

Step 1: Access the AWS CloudShell and install the prerequisites

• AWS CloudShell is a browser-based shell, you can quickly run scripts with the AWS CLI, The AWS CloudShell icon appears in AWS Regions where it is available.
• Navigate to the Cloud Shell or choose the terminal icon on the right-hand upper portion, as shown in Figure 3.

Figure 3: AWS Console

• Install dependencies

npm install -g -f aws-cdk@2.87.0

• Ensure AWS CLI is configured properly:
  • Access the AWS CloudShell from required region or configure AWS CLI using aws configure for desired AWS_REGION
  • Ensure the role being used from AWS CLI has the permissions required for resources being created by AWS Cloud Development Kit (AWS CDK)

Step 2: Deploy the solution using AWS CDK

• Clone the GitHub code repository – http://github.com/aws-samples/connect-ecs-lambda-workloads-using-amazon-vpc-lattice

git clone http://github.com/aws-samples/connect-ecs-lambda-workloads-using-amazon-vpc-lattice.git

• Navigate to the repository

cd connect-ecs-lambda-workloads-using-amazon-vpc-lattice

• To work with the AWS CDK, you must have an AWS account and credentials and have installed Node.js and the AWS CDK Toolkit. You also need TypeScript itself (version 3.8 or later). If you don’t already have it, then you can install it using npm.

sudo npm install -g typescript

• Install dependencies and build

npm install

• Update the below lines with your own values in ./bin/scripts/env.sh

export AWS_REGION="us-west-2"
export CERT_ARN=<<Your_AWS_ACM_CERTIFICATE_ARN>>
export CUSTOM_DOMAIN_NAME="example.com" #<<Your_DNS_DOMAIN>>
export HOSTZONE_ID=<<Your_Route53_HostedzoneId>>

• Test the build

./bin/scripts/build-stack.sh

• Deploy the application, which takes about 5 minutes to complete.

./bin/scripts/deploy-stack.sh

• Once the deployment has completed successfully, you’ll see output similar to the following:

synthesis time: 12.69s

✨ Deployment time: 284.82s

Outputs:
LatticeEcsLambdaBlogStack.uisvcuiURLCAED6E74 = http://ui.example.com
LatticeEcsLambdaBlogStack.orderslambdastackordersURL085B6DBD = http://orders.example.com
LatticeEcsLambdaBlogStack.checkoutsvccheckoutURL1D72AA08 = http://checkout.example.com

Step 3: Navigate to the AWS Console and review the deployed resources

Retail store frontend service

The following resources are created by the AWS CDK for the store frontend service:

• An HAQM VPC
• Public and private subnets
• Network Address Translation (NAT) gateway
• HAQM ECS cluster
• ALB
• UI HAQM ECS service

Figure 4: Retail Store Frontend overview

When the tasks and services are in the RUNNING state, your HAQM UI HAQM ECS cluster looks like the following examples:

Figure 5: Retail store frontend HAQM ECS service

Checkout service

The following resources are created by the AWS CDK for the checkout service:

• An HAQM VPC
• Public and Private subnets
• NAT gateway
• HAQM ECS cluster
• ALB
• Checkout HAQM ECS service

Figure 6: Checkout service overview

Checkout service is exposed through a private ALB, so that it is reachable only from HAQM VPC Lattice service network.

When the tasks and services are in the RUNNING state, your HAQM Checkout ECS cluster looks like the following example:

Figure 7: Checkout HAQM ECS service

Orders service

Order service is running using AWS Lambda with Python 3.10 runtime:

Figure 8: Orders AWS Lambda function

Step 4: Configure the connectivity between services

• We are running Store front UI and checkout services in separate VPCs. The orders service is running as AWS Lambda. All VPCs have been deployed with Classless Inter-Domain Routing (CIDR) 10.0.0.0/16, which demonstrates HAQM VPC Lattice’s ability to cater for overlapping IP address ranges without needing any networking constructs. For the purpose of this post, all resources were deployed in a single AWS account; however, in practice these could be spread across multiple accounts and shared using AWS Resource Access Manager (AWS RAM).
• HAQM VPC Lattice simplifies service-to-service communications between applications across VPCs without the need for transit gateway or VPC peering.
• Review HAQM VPC Lattice in the AWS Management Console under VPC -> VPC Lattice, where you can see the HAQM VPC Lattice service networks, services, and target groups.

Figure 9: HAQM VPC Lattice service network overview

Figure 10: HAQM VPC Lattice service network console

Figure 11: HAQM VPC Lattice services

Figure 12: HAQM VPC Lattice target groups

• You can find the Retail store frontend endpoint in AWS CloudFormation Console, similar to the following:

Figure 13: AWS CloudFormation stack outputs

http://uisvcuiserviceServiceURL/

• Let’s take a look at this instance of the application just deployed:

Figure 14: Retail store application

This demonstrates UI service is calling the Checkout and Orders services via the HAQM VPC Lattice service network, even though they are running in different VPCs. The following figure gives a visual representation of various constructs involved in HAQM VPC Lattice service configuration.

Figure 15: HAQM VPC Lattice service network overview

Cleaning up

To avoid incurring any additional costs, destroy all the infrastructure that you provisioned in relation to the solution described in this post.

./bin/scripts/destroy-stack.sh

Conclusion

In this post, we showed you how you can utilize HAQM VPC Lattice to connect services running across HAQM ECS and AWS Lambda. We used custom domain names for easy service discovery and SSL certificates to implement end-to-end encryption. You can extend this solution to implement AWS IAM-based authorization policies among the HAQM VPC Lattice services and perform canary- or blue/green-style safe deployments.

Call to action

We encourage you to try this walkthrough to connect services running on HAQM ECS and AWS Lambda using HAQM VPC Lattice. Visit the HAQM VPC Lattice product page, documentation, and pricing page for additional information.