AWS App Mesh vs Amazon VPC Lattice

February 22, 2024

Introduction

Service-to-service networking is vital for modern applications, as it enables seamless collaboration, improved scalability, and secure data transmission. It relies on various protocols, infrastructure components, and security measures to ensure effective communication and data consistency. It is one of the core tenets of microservices architectures.

In this blog post, we will:

  • Cover an overview of AWS App Mesh and Amazon VPC Lattice
  • Examine the difficulty with service-to-service communication
  • Compare the merits of AWS App Mesh and Amazon VPC Lattice

Amazon VPC Lattice

A picture showing the various components of Amazon VPC Lattice
Amazon VPC Lattice is a new networking construct that provides consistent routing and service discovery for applications running on Amazon EC2, ECS, and Fargate. It's a highly available and scalable way to connect your applications to the internet and to each other (source)
Amazon VPC Lattice is an application networking service that simplifies service-to-service communication by providing common controls for network access, traffic management, and monitoring.

Key features and benefits of VPC Lattice include:

  • Service network: VPC Lattice creates a logical application layer network, called a service network, which simplifies the process of connecting applications across different compute types.
  • Simplified connectivity: VPC Lattice enables seamless connectivity between compute services, such as instances, containers, and serverless applications, across different VPCs and AWS accounts. It accomplishes this through the service network, the logical application layer network described above. The service network is built and operates in a way that eliminates the need for layer 3 routing and IP address management when connecting services: it doesn't deploy any ENIs and uses none of the client VPC's IP addresses. Instead it uses link-local addresses, which is how it can connect services in VPCs with overlapping CIDRs.
  • Improved security: VPC Lattice implements security-in-depth at three layers to strengthen application security. The first is the explicit association of a VPC or service with a service network. The second is the use of security groups and NACLs. The third is the definition of auth policies for service networks and for individual services. Coarse-grained auth policies at the service network level and fine-grained auth policies at the service level give both service owners and service network owners the ability to implement security-in-depth.
  • Scalability: VPC Lattice is a fully managed service and automatically scales to handle increased utilization with minimal user involvement. You do, however, have to pay attention to the service quotas, as nothing scales to infinity by default.
  • Flexible deployment: VPC Lattice allows developers to deploy flexibly, focusing on application logic while the service handles service-to-service networking, security, and monitoring requirements.
  • Traffic management: VPC Lattice provides a policy-based approach for traffic management, enabling granular and rich traffic controls, such as request-level routing and weighted targets to support blue/green and canary-style deployments.
  • Monitoring: VPC Lattice enables monitoring and troubleshooting service-to-service communication with detailed access logs and metrics that capture request and response data. It sends data related to your target groups and services to Amazon CloudWatch where it can be processed into readable and near real-time metrics. Access logs can be used to analyze and audit all service-to-service communications in the network.
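The two auth-policy layers described above, as an added example that is not part of this post or of AWS's own code: a simplified Python model of how a coarse-grained service network policy and a fine-grained service policy combine. It assumes placeholder ARNs, account and org IDs, models only StringEquals/StringLike conditions, and shows why a `Principal: "*"` statement still needs a condition such as aws:PrincipalOrgID: an anonymous (unsigned) request matches the principal but carries no identity keys, so it is denied.

```python
import fnmatch
# Constructed sample policies: org ID, account ID, role name and service ARN are placeholders.
SERVICE_ARN = "arn:aws:vpc-lattice:us-east-1:111111111111:service/svc-EXAMPLE"
SERVICE_NETWORK_POLICY = {"Version": "2012-10-17", "Statement": [{  # coarse-grained, network owner
    "Effect": "Allow", "Principal": "*", "Action": "vpc-lattice-svcs:Invoke", "Resource": "*",
    "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorg"}}}]}
SERVICE_POLICY = {"Version": "2012-10-17", "Statement": [{  # fine-grained, service owner
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:role/checkout-task"},
    "Action": "vpc-lattice-svcs:Invoke", "Resource": SERVICE_ARN,
    "Condition": {"StringEquals": {"vpc-lattice-svcs:RequestMethod": "GET"},
                  "StringLike": {"vpc-lattice-svcs:RequestPath": "/orders/*"}}}]}

_as_list = lambda v: v if isinstance(v, list) else [v]  # policy fields may be scalar or list

def _conditions_hold(cond, ctx):
    for op, pairs in cond.items():
        if op not in ("StringEquals", "StringLike"):
            raise ValueError(f"condition operator {op} is not modelled here")
        for key, want in pairs.items():
            have = ctx["keys"].get(key)  # a key absent from the request context never matches
            if have is None or not any(have == p if op == "StringEquals" else fnmatch.fnmatchcase(have, p)
                                       for p in _as_list(want)):
                return False
    return True

def evaluate(policy, ctx):
    # Per policy: an applicable Deny wins, otherwise Allow if any Allow statement applies.
    # Principal "*" also matches anonymous (unsigned) callers, so the org condition does the gating.
    outcome = "ImplicitDeny"
    for s in policy["Statement"]:
        applies = (ctx["action"] in _as_list(s["Action"])
                   and any(fnmatch.fnmatchcase(ctx["resource"], r) for r in _as_list(s["Resource"]))
                   and (s["Principal"] == "*" or ctx["principal"] in _as_list(s["Principal"].get("AWS", [])))
                   and _conditions_hold(s.get("Condition", {}), ctx))
        if applies and s["Effect"] == "Deny":
            return "Deny"
        outcome = "Allow" if applies else outcome
    return outcome

def authorize(ctx):
    # Both layers apply: the request must be allowed by the service network AND the service policy
    return all(evaluate(p, ctx) == "Allow" for p in (SERVICE_NETWORK_POLICY, SERVICE_POLICY))

def request(principal, method, path, org="o-exampleorg"):
    # Identity-derived keys such as aws:PrincipalOrgID exist only for SigV4-signed (authenticated) calls
    keys = {"vpc-lattice-svcs:RequestMethod": method, "vpc-lattice-svcs:RequestPath": path}
    if principal is not None:
        keys["aws:PrincipalOrgID"] = org
    return {"principal": principal, "action": "vpc-lattice-svcs:Invoke", "resource": SERVICE_ARN, "keys": keys}
```

The real service additionally requires the service's auth type to be AWS_IAM and the caller to sign requests with SigV4; the model above only reproduces the evaluation order, not the signing.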

AWS App Mesh

A picture showing the various components of AWS App Mesh
AWS App Mesh provides application-level networking so your services can communicate across multiple types of compute infrastructure. (source)

AWS App Mesh is a service mesh that makes it easier to run services by providing consistent visibility and network traffic controls and helping you deliver secure services. App Mesh removes the need to update application code to change how monitoring data is collected or traffic is routed between services. App Mesh configures each service to export monitoring data and implements consistent communications control logic across your application.

Key features and benefits of AWS App Mesh include:

  1. End-to-end Visibility: App Mesh gives users end-to-end visibility into their applications, which helps them maintain high availability.
  2. Service Discovery: App Mesh integrates with AWS Cloud Map, which provides service discovery for microservices.
  3. Load Balancing: App Mesh maintains load balancing for microservices, ensuring optimal resource utilization.
  4. Traffic Control: App Mesh provides traffic control capabilities, such as policy-based routing and weighted targets to support blue/green and canary-style deployments.
  5. Monitoring and Troubleshooting: App Mesh integrates with various logging, monitoring, and tracing technologies, such as Amazon CloudWatch, Prometheus, AWS X-Ray, and Datadog, to simplify the observability experience.
  6. Compatibility: App Mesh is compatible with various forms of computing infrastructure, including Amazon EC2, Amazon ECS, Amazon EKS, and AWS Fargate, as well as on-premises applications through AWS Outposts.
  7. Open Source Proxy: App Mesh uses the open source Envoy proxy, which is deployed alongside the microservice container, allowing for consistent visibility and network traffic control.

Challenges with service-to-service communications

It is crucial for services to discover and communicate with one another in a secure, reliable, and predictable way. Service-to-service and application networking can face several problems, including:

  1. Service Discovery: Service discovery is a challenge in microservice architectures, as it requires identifying the location of services and their endpoints. This is especially difficult in dynamic environments where services are frequently added or removed.
  2. Traffic Management: Managing traffic between services can be challenging, especially in microservices architectures, where there are many services communicating with each other. Traffic management requires sophisticated routing capabilities to optimize the flow of data between services and ensure secure communication.
  3. Security Risks: Implementing security between services, managing service-to-service authentication and authorization, and ensuring resilience in the face of failures or network issues are significant challenges in application networking.
  4. Complexity: Application networking can be complex, especially in microservices architectures with many services communicating with each other. Each service may have its own technology stack, libraries, and frameworks, making it challenging to ensure consistent communication between services. Sophisticated routing capabilities are sometimes required to optimize the flow of data between services and keep that communication secure.
  5. Observability: Observability can be a challenge in service-to-service communication, as it requires monitoring the flow and context of communication between services in a distributed environment. This includes tracking metrics, collecting logs, and implementing tracing to understand the flow of requests through the system.

Comparing App Mesh and VPC Lattice

AWS App Mesh shines as a comprehensive service mesh solution, granting you extensive control over traffic routing, observability, and security. However, its implementation requires deploying Envoy sidecar proxies alongside application instances, which adds complexity and demands a steeper learning curve. Despite this hurdle, App Mesh excels in its adaptability, working seamlessly across Kubernetes, ECS, and EC2 environments. Additionally, its client-side features, including granular traffic shifting, retries, and timeouts, give developers unparalleled control over application behavior. So, while App Mesh might require a bit more effort to get started, its flexibility and power make it a compelling choice for those seeking comprehensive service mesh capabilities across microservices architectures.

In contrast to App Mesh's service mesh focus, Amazon VPC Lattice takes a simpler approach, prioritizing the streamlining of service discovery, connectivity, and security across multiple VPCs and accounts. It supports multiple compute platforms as targets: IPv4 or IPv6 addresses of Elastic Network Interfaces (ENIs), EC2 instances, ECS via an Application Load Balancer, EKS via the AWS Gateway API Controller, and AWS Lambda. By ditching the complexities of sidecar proxies, Lattice has a lighter footprint and a smoother deployment, which is ideal for beginners. However, this focus does come with limitations. While Lattice integrates seamlessly with EKS, its support for other platforms like ECS and EC2 is more restricted. Additionally, its traffic routing and authorization features operate on the server side, which simplifies client applications but sacrifices some of the granular control offered by App Mesh's client-side capabilities. Ultimately, Lattice shines for its ease of use and streamlined approach, making it a compelling choice for those prioritizing straightforward application networking across VPCs, especially for projects in their early stages or for teams new to these complexities.

The table below summarizes the differences between both services:

Feature            AWS App Mesh                                    Amazon VPC Lattice
Type               Service Mesh                                    Application Networking
Sidecar Proxies    Required                                        Not required
Orchestration      Kubernetes, ECS, EC2                            Primarily EKS
Compute Support    Kubernetes, ECS, EC2                            EC2, ECS, Lambda, EKS, IP
Traffic Control    Client-side (retries, timeouts)                 Server-side
Learning Curve     Steeper                                         Lower
Complexity         Higher                                          Lower
Best for           Advanced features, multi-orchestrator in        Ease of use, EKS focus
                   containerized environments

Amazon VPC Lattice and AWS App Mesh can be used together in a single architecture. Amazon VPC Lattice is designed to simplify networking for service-to-service communication across different VPCs and AWS accounts, providing common controls for network connectivity and application layer routing between services.

On the other hand, AWS App Mesh provides service mesh capabilities for microservices, supporting complex microservices architectures, traffic controls, and integration with other AWS services.

By using both services together, organizations can benefit from the simplified networking between multiple VPCs and AWS accounts provided by VPC Lattice, as well as the advanced traffic controls and monitoring capabilities offered by App Mesh, creating a comprehensive and flexible architecture for managing service-to-service communication in a distributed application environment.

Conclusion

Modern applications thrive on seamless service-to-service communication, but navigating the complexities of network quality, security, observability, and latency can be challenging.

For microservice architects seeking in-depth control and flexibility, AWS App Mesh presents a full-fledged service mesh, offering granular traffic routing, robust observability, and comprehensive security. While requiring sidecar proxies and a steeper learning curve, App Mesh's adaptability across platforms and client-side features like retries and timeouts empower developers with unparalleled control.

For application networking requirements across multiple VPCs and AWS accounts, Amazon VPC Lattice simplifies service discovery, connectivity, security, and monitoring. Ditching sidecar proxies promotes smoother deployment and a lower learning curve, but comes with limitations such as server-side-only features and, compared to App Mesh, restricted platform support for containerized applications.

Ultimately, the "right" tool depends on your specific needs. These services can complement each other beautifully. VPC Lattice can handle your basic networking, while App Mesh takes the reins for fine-grained traffic control and monitoring within your microservices. By combining these powerful tools, you can build a comprehensive and flexible architecture for managing service-to-service communication in a distributed application environment.

Remember, understanding your specific needs and weighing the pros and cons of each option is key to choosing the optimal tool for your unique application landscape.

References

https://aws.amazon.com/blogs/compute/learning-aws-app-mesh/

https://docs.aws.amazon.com/app-mesh/latest/userguide/what-is-app-mesh.html

https://www.youtube.com/watch?v=tUh26i8uY9Q

https://aws.amazon.com/what-is/service-mesh/

Tables from: https://www.htmltables.io/
