Brief Summary
This AWS Cloud Infrastructure Day segment features Tomsky, a principal solutions architect, discussing and demonstrating application networking with Amazon VPC Lattice. He explains how it simplifies connecting applications, enhances security through IAM integration, and provides better auditability compared to traditional networking methods. The demo covers setting up a service network, target groups, and connecting a client VPC, showcasing the ease of use and benefits of VPC Lattice.
- Highlights innovation in AWS networking, including custom hardware and optical failover.
- Introduces Amazon VPC Lattice for simplified application connectivity and enhanced security.
- Demonstrates the setup and benefits of VPC Lattice, including IAM integration and improved auditability.
Introduction
Fiona McCann and Art introduce Tomsky, a principal solutions architect specialising in networking, to discuss AWS cloud infrastructure. Tomsky mentions the innovations in AWS networking, including building custom chips, hypervisors, and network equipment. This end-to-end control allows for capabilities like adding multiple layers of encryption and optical failover, which significantly reduces packet loss during fiber cuts.
Fiber Optic Innovation
Tomsky introduces a "fiber tree" prop to illustrate the components used in forwarding network traffic. He highlights innovations such as termite-resistant coatings for fibres used in Australia and hollow core fiber, in which light travels through an air-filled core and so moves closer to the speed of light in a vacuum than it does through the solid glass of traditional fiber optics. This lowers latency on the link.
Introduction to Application Networking
Tomsky transitions to the software side of networking, focusing on application networking and demonstrating Amazon VPC Lattice. He explains that application networking simplifies connecting different applications. The demonstration includes whiteboarding and a console demo to illustrate the concepts.
Traditional Networking vs. Application Networking
Tomsky uses a whiteboard to illustrate a simple VPC environment with EC2 instances. He explains that traditional networking involves creating logical connections between VPCs, which can be overly permissive. Application networking, specifically with Amazon VPC Lattice, allows for more granular control, making the network more aware of the applications it transports. This approach simplifies connectivity and enhances security by limiting access to specific applications.
Setting Up Service Network and Target Group
Tomsky explains the initial steps in setting up application networking with VPC Lattice, which involves creating a service network and a target group. The service network acts as a container for applications, while the target group tracks the EC2 instances or containers associated with an application. He then transitions to the AWS console to demonstrate these steps.
Creating a Service with VPC Lattice
Tomsky demonstrates creating a service within VPC Lattice, highlighting features such as custom domain support and IAM integration for controlling access to applications. He explains that IAM integration allows customers to use existing roles and policies to manage connectivity, enhancing security. Logging is also encouraged for auditing and tracking network activity.
Associating Service with Service Network
Tomsky continues the demo by configuring a listener on port 443 (HTTPS) and associating it with the target group and service network. This association enables the service network to connect to the application in VPC2 without additional networking constructs like peering or transit gateways. He emphasises that this simplifies the network architecture and reduces the number of components required.
Connecting Client VPC to Service Network
Tomsky demonstrates the final step: connecting the client VPC to the service network. He creates a VPC association, selecting the client VPC and specifying the security group. This allows the client VPC to access the service. He also addresses a question about migrating from traditional architectures to service networks, noting that it can be done incrementally on an application-by-application basis.
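The steps above (service network, target group, service with IAM auth and logging, HTTPS listener, and the two associations) as one AWS CLI v2 script. This is an added example, not code from the session or from AWS; every VPC, instance, security group, role and log group identifier is a placeholder to be replaced, and the IAM auth policy is a minimal allow-list written for illustration. With the default `DRY_RUN=1` the script only prints the commands it would issue; set `DRY_RUN=0` to run them against an account.

```shell
#!/usr/bin/env bash
# Added example: provision the VPC Lattice demo topology with the AWS CLI.
# All identifiers are placeholders (constructed for this example).
set -eu

SERVICE_VPC_ID="${SERVICE_VPC_ID:-vpc-0PLACEHOLDER2}"      # VPC2, where the application runs
CLIENT_VPC_ID="${CLIENT_VPC_ID:-vpc-0PLACEHOLDER1}"        # client VPC that will call it
TARGET_INSTANCE_ID="${TARGET_INSTANCE_ID:-i-0PLACEHOLDER}" # EC2 instance serving the app
CLIENT_SG_ID="${CLIENT_SG_ID:-sg-0PLACEHOLDER}"            # security group for the VPC association
CLIENT_ROLE_ARN="${CLIENT_ROLE_ARN:-arn:aws:iam::111122223333:role/ClientAppRole}"
LOG_GROUP_ARN="${LOG_GROUP_ARN:-arn:aws:logs:us-east-1:111122223333:log-group:/lattice/demo}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the aws commands only; 0 = execute them

# run: execute an aws command, or in dry-run mode print it to stderr and
# return a fake id on stdout so the id-capturing steps still work.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'DRY RUN: aws %s\n' "$*" >&2
    printf 'dry-run-id\n'
  else
    aws "$@"
  fi
}

# auth_policy_json ROLE_ARN: auth policy attached to the service so that only
# the given principal may invoke it. With --auth-type AWS_IAM the service
# denies by default; this policy is the explicit allow-list.
auth_policy_json() {
  cat <<EOF
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"$1"},"Action":"vpc-lattice-svcs:Invoke","Resource":"*"}]}
EOF
}

provision() {
  local sn tg svc
  # 1. Service network: the container for the applications being exposed.
  sn=$(run vpc-lattice create-service-network --name demo-service-network \
        --auth-type AWS_IAM --query id --output text)
  # 2. Target group tracking the EC2 instance(s) behind the application.
  tg=$(run vpc-lattice create-target-group --name demo-app-tg --type INSTANCE \
        --config "vpcIdentifier=$SERVICE_VPC_ID,port=443,protocol=HTTPS" \
        --query id --output text)
  run vpc-lattice register-targets --target-group-identifier "$tg" \
        --targets "id=$TARGET_INSTANCE_ID,port=443" >/dev/null
  # 3. Service with IAM auth, plus the allow-list policy for the client role.
  svc=$(run vpc-lattice create-service --name demo-app --auth-type AWS_IAM \
        --query id --output text)
  run vpc-lattice put-auth-policy --resource-identifier "$svc" \
        --policy "$(auth_policy_json "$CLIENT_ROLE_ARN")" >/dev/null
  # 4. HTTPS listener on 443 forwarding to the target group.
  run vpc-lattice create-listener --service-identifier "$svc" --name https \
        --protocol HTTPS --port 443 \
        --default-action "forward={targetGroups=[{targetGroupIdentifier=$tg,weight=100}]}" >/dev/null
  # 5. Access logs to CloudWatch Logs for auditing who reached the service.
  run vpc-lattice create-access-log-subscription --resource-identifier "$svc" \
        --destination-arn "$LOG_GROUP_ARN" >/dev/null
  # 6. Service -> service network, so the network knows about the application.
  run vpc-lattice create-service-network-service-association \
        --service-network-identifier "$sn" --service-identifier "$svc" >/dev/null
  # 7. Client VPC -> service network; no peering or transit gateway needed.
  run vpc-lattice create-service-network-vpc-association \
        --service-network-identifier "$sn" --vpc-identifier "$CLIENT_VPC_ID" \
        --security-group-ids "$CLIENT_SG_ID" >/dev/null
}

provision
```

The order matters only where an id from one call feeds the next (service network and target group before listener and associations). Clients calling a service with `AWS_IAM` auth must SigV4-sign their requests with the allowed role, so the policy is what turns "any instance in the client VPC" into "this workload identity"; the access log subscription is what gives the network team the per-request audit trail the session refers to.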
Testing the Connection and Additional Features
Tomsky tests the connection to the service using curl, showing the information reflected back by the application, including IP addresses and connection details. He highlights that VPC Lattice supports both IPv4 and IPv6. He also answers questions about using existing Application Load Balancers (ALBs) as target groups and the service network's ability to span multiple accounts. He notes that the service network provides a consolidated view of all exposed applications, making auditing easier for network administrators.
Conclusion
Tomsky encourages viewers to try out VPC Lattice, highlighting its simplicity and flexibility. He notes that it can be used with various compute options, from EC2 instances to Kubernetes deployments and Lambda functions.