AWS/ECS

VPC Lattice

백셀건전지 2023. 9. 22. 17:00
  • VPC Lattice is not a service mesh.
  • It provides simple, secure connectivity between VPCs and across accounts.
  • Unlike Istio or Ambient Mesh, it needs no sidecar proxy or eBPF-style agent on the workload.
  • Works with EC2, EKS, ECS, and serverless (Lambda) compute.
  • Provides traffic and access control.
  • Features
    • Service Discovery
      • Services in the same service network can talk to each other. DNS routes both client-to-service and service-to-service traffic.
      • The Route 53 Resolver sends that traffic to VPC Lattice, which identifies the destination service.
    • Connectivity
      • Client-to-service connectivity is established using the VPC Lattice data plane within the AWS network infrastructure
    • Observability
      • generates metrics and logs for each request and response traversing the service network, to help you monitor and troubleshoot applications
      • VPC Lattice publishes metrics in the service owner's account; access logging is optional and must be turned on
      • Access logs can be delivered to CloudWatch log groups, Kinesis Data Firehose delivery streams, or S3 buckets
    • Security
      • provides a framework for a defense-in-depth strategy at multiple layers of the network
      • The first layer is the service and VPC association: a client can only reach services in a service network that its VPC is associated with
      • The second layer lets you attach security groups to the association between the VPC and the service network, filtering which clients in that VPC may reach the network at all
      • The third and fourth layers are auth policies (IAM resource policies), applied separately at the service network level and at the service level; when both exist, a request must be allowed by both
  • Istio and VPC Lattice can be used together.
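The third and fourth layers above, an auth policy on the service network and a narrower one on the service, as an added example that is not code from the original post or from AWS. The two policy documents are in the JSON shape that `PutAuthPolicy` accepts; the org ID, VPC ID, paths and the whole evaluator are assumptions, the evaluator being a deliberately small model of how the two policies combine (both must allow, an explicit Deny in either wins) and not the IAM engine. The `vpc-lattice-svcs:*` condition keys are the ones VPC Lattice documents for auth policies; check the condition-key reference for your region before relying on them.

```python
import fnmatch
import json

# Assumptions (placeholders, not from the post): the Organization that owns
# all legitimate callers, and the one VPC allowed to reach /admin paths.
ORG_ID = "o-exampleorg123"
ADMIN_VPC = "vpc-0123456789abcdef0"

# Layer 3: service-network auth policy. Principal "*" plus an
# aws:PrincipalOrgID condition means "any signed request from our org";
# unsigned (anonymous) requests carry no principal and fall to implicit deny.
SERVICE_NETWORK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "vpc-lattice-svcs:Invoke",
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}},
    }],
}

# Layer 4: service auth policy, narrower than the network one: GET/POST only,
# and /admin/* reachable only from ADMIN_VPC (explicit Deny for everyone else).
SERVICE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "vpc-lattice-svcs:Invoke",
            "Resource": "*",
            "Condition": {
                "StringEquals": {"aws:PrincipalOrgID": ORG_ID},
                "StringEqualsIgnoreCase": {
                    "vpc-lattice-svcs:RequestMethod": ["GET", "POST"]},
            },
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "vpc-lattice-svcs:Invoke",
            "Resource": "*",
            "Condition": {
                "StringLike": {"vpc-lattice-svcs:RequestPath": "/admin/*"},
                "StringNotEquals": {"vpc-lattice-svcs:SourceVpc": ADMIN_VPC},
            },
        },
    ],
}


def request_context(method, path, source_vpc, org_id=None):
    """Condition-key context for one request (constructed sample input).
    org_id=None models an unsigned request: no principal, no aws:PrincipalOrgID."""
    ctx = {
        "vpc-lattice-svcs:RequestMethod": method,
        "vpc-lattice-svcs:RequestPath": path,
        "vpc-lattice-svcs:SourceVpc": source_vpc,
    }
    if org_id is not None:
        ctx["aws:PrincipalOrgID"] = org_id
    return ctx


def _condition_holds(operator, key, expected, ctx):
    """Minimal model of the IAM string operators used in the policies above."""
    expected = expected if isinstance(expected, list) else [expected]
    actual = ctx.get(key)
    if actual is None:
        # IAM semantics: a missing context key satisfies only negated operators.
        return operator.startswith("StringNot")
    if operator == "StringEquals":
        return actual in expected
    if operator == "StringNotEquals":
        return actual not in expected
    if operator == "StringEqualsIgnoreCase":
        return actual.lower() in [e.lower() for e in expected]
    if operator == "StringLike":
        return any(fnmatch.fnmatchcase(actual, e) for e in expected)
    raise ValueError(f"operator not modelled: {operator}")


def evaluate_policy(policy, ctx):
    """'Deny' if any Deny statement matches, else 'Allow' if any Allow statement
    matches, else 'ImplicitDeny'. Action/Resource matching is omitted because
    every statement here covers vpc-lattice-svcs:Invoke on '*'."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not all(_condition_holds(op, k, v, ctx)
                   for op, pairs in stmt.get("Condition", {}).items()
                   for k, v in pairs.items()):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def authorize(ctx, network_policy=SERVICE_NETWORK_POLICY,
              service_policy=SERVICE_POLICY):
    """A request must be allowed by the service-network policy AND the service
    policy; an explicit Deny in either one wins."""
    return all(evaluate_policy(p, ctx) == "Allow"
               for p in (network_policy, service_policy) if p is not None)


if __name__ == "__main__":
    # Each document is uploaded as a JSON string, e.g. with boto3:
    #   client.put_auth_policy(resourceIdentifier=<sn-or-svc-id>,
    #                          policy=json.dumps(SERVICE_POLICY))
    print(json.dumps(SERVICE_POLICY, indent=2))
    for m, p, vpc, org in [("GET", "/orders", ADMIN_VPC, ORG_ID),
                           ("GET", "/admin/users", "vpc-other", ORG_ID),
                           ("DELETE", "/orders", ADMIN_VPC, ORG_ID),
                           ("GET", "/orders", ADMIN_VPC, None)]:
        print(m, p, vpc, org, "->", authorize(request_context(m, p, vpc, org)))
```

The point of keeping the network policy coarse (org membership only) and the service policy fine-grained (methods, paths, source VPC) is that the network owner and the service owner are often different teams: each controls its own layer, and a request has to pass both. Set `authType` to `AWS_IAM` on the service network and the service, or the auth policy is never consulted.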


Components

  • Service Network
    • A logical boundary for a collection of services
  • Service
    • An independently deployable unit of software that delivers a specific task or function
    • Has listeners whose rules can be configured to route traffic to the targets
    • A service can be associated with multiple service networks
  • Target groups
    • A collection of targets (compute resources) that run your application or service
    • Targets can be EC2 instances, IP addresses, serverless Lambda functions, Application Load Balancers, or Kubernetes Pods
    • Each target group routes requests to one or more of its registered targets
  • Listener
    • A process that checks for connection requests, using the protocol and port that you configure; its default action (and any rules) forwards to target groups
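The four components wired together in the order their dependencies require, as an added example that is not code from the original post. It uses the operation and parameter names of the boto3 `vpc-lattice` client; every identifier is a placeholder, and `FakeLatticeClient` is a constructed stand-in that records calls so the function runs offline (pass `boto3.client("vpc-lattice")` instead to provision for real).

```python
import json


def provision_service(client, *, service_network_name, service_name, vpc_id,
                      security_group_ids, instance_ids, backend_port=8080):
    """Create the components in dependency order and return their ids.

    service network -> service -> target group (+ registered targets)
    -> listener (forwards to the target group) -> associations.
    `client` is boto3.client("vpc-lattice") in real use; parameter names
    follow that API's lowerCamelCase shape.
    """
    # AWS_IAM on both levels: requests must be SigV4-signed and the auth
    # policies (layers 3 and 4) are consulted.
    sn = client.create_service_network(name=service_network_name,
                                       authType="AWS_IAM")
    svc = client.create_service(name=service_name, authType="AWS_IAM")

    # Targets are EC2 instances here; type can also be IP, LAMBDA or ALB.
    tg = client.create_target_group(
        name=f"{service_name}-tg",
        type="INSTANCE",
        config={
            "port": backend_port,
            "protocol": "HTTP",
            "vpcIdentifier": vpc_id,
            "healthCheck": {"enabled": True, "protocol": "HTTP",
                            "path": "/healthz"},
        },
    )
    client.register_targets(
        targetGroupIdentifier=tg["id"],
        targets=[{"id": i, "port": backend_port} for i in instance_ids],
    )

    # HTTPS on 443: VPC Lattice terminates TLS with its own certificate for
    # the service's generated DNS name; a certificateArn is only needed when
    # the service also gets a custom domain.
    listener = client.create_listener(
        name="https-443",
        serviceIdentifier=svc["id"],
        protocol="HTTPS",
        port=443,
        defaultAction={"forward": {"targetGroups": [
            {"targetGroupIdentifier": tg["id"], "weight": 100}]}},
    )

    # Layer 1: the service joins the network, and the client VPC joins it.
    client.create_service_network_service_association(
        serviceIdentifier=svc["id"], serviceNetworkIdentifier=sn["id"])
    # Layer 2: security groups on the VPC association filter which clients
    # in that VPC may reach the network at all.
    client.create_service_network_vpc_association(
        vpcIdentifier=vpc_id, serviceNetworkIdentifier=sn["id"],
        securityGroupIds=list(security_group_ids))

    return {
        "service_network": sn["id"],
        "service": svc["id"],
        "target_group": tg["id"],
        "listener": listener["id"],
        "dns_name": svc.get("dnsEntry", {}).get("domainName"),
    }


class FakeLatticeClient:
    """Constructed offline stand-in: records every call and hands back
    synthetic ids, so the wiring above can be exercised without AWS."""

    def __init__(self):
        self.calls = []
        self._counter = 0

    def __getattr__(self, operation):
        def call(**params):
            self.calls.append((operation, params))
            self._counter += 1
            prefix = {"create_service_network": "sn", "create_service": "svc",
                      "create_target_group": "tg",
                      "create_listener": "listener"}.get(operation)
            response = {"id": f"{prefix}-{self._counter:016x}"} if prefix else {}
            if operation == "create_service":  # fake DNS entry (constructed)
                response["dnsEntry"] = {
                    "domainName": f"{params['name']}-{response['id']}.example.on.aws"}
            return response
        return call


if __name__ == "__main__":
    fake = FakeLatticeClient()
    ids = provision_service(fake, service_network_name="shared-sn",
                            service_name="orders", vpc_id="vpc-0123456789abcdef0",
                            security_group_ids=["sg-0123456789abcdef0"],
                            instance_ids=["i-0aaa", "i-0bbb"])
    print(json.dumps(ids, indent=2))
    for op, params in fake.calls:
        print(op, sorted(params))
```

Order matters because each identifier feeds the next call: the listener cannot exist before the service and target group it references, and neither association is possible until the service network exists. Note that the VPC association is the only place the security groups go; they control who gets into the network, not which service a client may call, which is the job of the auth policies.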