Application Service Discovery with VPC Lattice on Amazon EKS

This repository contains examples for VPC Lattice implementation on Amazon EKS.

Amazon VPC Lattice is an application layer networking service that gives you a consistent way to connect, secure, and monitor service-to-service communication without any prior networking expertise.

The resources in this repository deploys The AWS Gateway API Controller and this controller is an implementation of the Kubernetes Gateway API. The controller then integrates VPC Lattice with the Kubernetes Gateway API. The controller watches for the creation of Gateway API resources such as gateways and routes and provisions corresponding Amazon VPC Lattice objects. This enables users to configure VPC Lattice Service Networks using Kubernetes APIs, without needing to write custom code or manage sidecar proxies.

Prerequisites

• A Kubernetes Cluster
• AWS IAM Permissions for creating and attaching IAM Roles
• Installation of required tools:
  • AWS CLI
  • kubectl
  • Terraform
  • eksctl

Installation

If you don't have an Amazon EKS cluster, you can use the Terraform code in cluster folder to deploy one. This Terraform code creates the following resources:

• A VPC with three private and three public subnets,
• An Amazon EKS Cluster with Kubernetes version set to 1.29 and a Managed Node Group with one instance,
• Some EKS and Custom Addons such as Karpenter and External Secrets Operator,
• Required IAM Roles for Addons and the AWS Gateway API Controller.

You can update the Terraform codes according to your requirements and environment.

Installation of EKS Cluster

terraform init
terraform plan
terraform apply --auto-approve

PS:

• These resources are not Free Tier eligible.
• You need to configure AWS Authentication for Terraform with either Environment Variables or AWS CLI named profiles.

You can connect to your cluster using this command:

aws eks --region <region> update-kubeconfig --name <cluster_name>

You need to change region and cluster_name parameters.

Installation of example application

You can find the Kubernetes manifests for an e-commerce application that consists of seven microservices in the example-application folder. Kustomize can be used to deploy the entire application stack.

kubectl apply -k example-application/

The service object of the UI service creates a Network Load Balancer.

Installation of the AWS Gateway API Controller

When you want to install the AWS Gateway API Controller and configure the Security Group access you can run ./vpc-lattice/.installation.sh.

The script has one function called install.

• Install function configures the Security Group authorisation and installs the required AWS Gateway API Controller Helm Chart to the Kubernetes cluster.

kubectl get deployment -n gateway-api-controller
NAME                                                  READY   UP-TO-DATE   AVAILABLE   AGE
gateway-api-controller-aws-gateway-controller-chart   2/2     2            2           24s

VPC Lattice Configuration

In the vpc-lattice folder you can find the resources for the controller. First you need to install the Gateway Class and the Gateway.

kubectl apply -f vpc-lattice/controller/gatewayclass.yaml
kubectl apply -f vpc-lattice/controller/gateway.yaml

kubectl get gateway -n checkout
NAME                CLASS                ADDRESS   PROGRAMMED   AGE
eks-cluster         amazon-vpc-lattice             True         29s

Wait until the status is Reconciled (this could take about five minutes).

kubectl wait --for=condition=Programmed gateway/eks-cluster -n checkout

There is also a v2 of the Checkout microservice with a minor change. The definitions for the v2 Checkout service are in applicationv2. In this example, we will route the traffic with VPC Lattice between v1 and v2 of the Checkout service.

kubectl apply -k vpc-lattice/applicationv2/
kubectl rollout status deployment/checkout -n checkoutv2

Now it's time to actually deploy the HTTPRoute resource.

apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: checkoutroute
  namespace: checkout
spec:
  parentRefs:
  - name: eks-cluster
    sectionName: http 
  rules:
  - backendRefs:  
    - name: checkout
      namespace: checkout
      kind: Service
      port: 80
      weight: 25
    - name: checkout
      namespace: checkoutv2
      kind: Service
      port: 80
      weight: 75

As you can see, the Checkout Route Manifest distributes 75% traffic to checkoutv2 and remaining 25% traffic to checkout. There is also a Target Group Policy manifest that defines the Target Group behaviour.

kubectl apply -f vpc-lattice/controller/checkout-route.yaml
kubectl apply -f vpc-lattice/controller/target-group-policy.yaml

This creation of the associated resources may take 2-3 minutes, you can run the following command to wait for it to complete:

kubectl wait --for=jsonpath='{.status.parents[-1:].conditions[-1:].reason}'=ResolvedRefs httproute/checkoutroute -n checkout

Once completed, you will find the HTTPRoute's DNS name from HTTPRoute status.

kubectl describe httproute checkoutroute -n checkout

You can see the DNS name with this command:

kubectl get httproute checkoutroute -n checkout -o json | jq -r '.metadata.annotations["application-networking.k8s.aws/lattice-assigned-domain-name"]'

Finally you need to update the ConfigMap of the UI service to update the DNS name for the Checkout service.

apiVersion: v1
kind: ConfigMap
metadata:
  name: ui
  namespace: ui
data:
  ENDPOINTS_CHECKOUT: http://<NEW DNS ADDRESS FOR THE CHECKOUT SERVICE>
...

After restarting the UI service deployment, you should be able to see the updated version of the Checkout service.

kubectl rollout restart deployment/ui -n ui