diff --git a/patterns/vpc-lattice/cross-cluster-pod-communication/README.md b/patterns/vpc-lattice/cross-cluster-pod-communication/README.md index f6d4c60f23..e596b912aa 100644 --- a/patterns/vpc-lattice/cross-cluster-pod-communication/README.md +++ b/patterns/vpc-lattice/cross-cluster-pod-communication/README.md @@ -3,6 +3,8 @@ This pattern showcases secure multi-cluster communication between two EKS clusters in different VPCs using VPC Lattice with IAM authorization. It illustrates service discovery and highlights how VPC Lattice facilitates communication between services in EKS clusters with overlapping CIDRs, eliminating the need for networking constructs like private NAT Gateways and Transit Gateways. +> You can also find more informations in the [associated blog post](https://aws.amazon.com/blogs/containers/secure-cross-cluster-communication-in-eks-with-vpc-lattice-and-pod-identity-iam-session-tags/) + ## Scenario With this solution we showcase how to configure Amazon VPC Lattice using the AWS Gateway API Controller in order to manage Amazon VPC Lattice resources through native Kubernetes Gateway API objects. This pattern deploys two distinct VPCs each having it's own EKS cluster, which contain an application that will be used to demonstrate cross-cluster communication. 
@@ -11,6 +13,33 @@ The cross-cluster communication will be established through Amazon VPC Lattice, ![vpc-lattice-pattern-environment.png](https://raw.githubusercontent.com/aws-ia/terraform-aws-eks-blueprints/main/patterns/vpc-lattice/cross-cluster-pod-communication/assets/vpc-lattice-pattern-cross-cluster.png) +1. HttpRoute Configuration + - Defines service exposure through VPC Lattice Gateway API + - Specifies routing rules, paths, and backend services +2. Kyverno Policy Implementation + - Injects Envoy SigV4 proxy sidecar + - Automatically signs AWS API requests with AWS credentials + - Ensures secure authentication for service-to-service communication +3. AWS Private Certificate Authority (PCA) + - Issues and manages private certificates + - Validates custom domain names within VPC Lattice + - Enables TLS encryption for internal communications +4. IAM Authentication Policy + - Defines fine-grained access control rules + - Specifies which principals can access which services + - Implements least-privilege security model +5. ExternalDNS Integration + - Monitors Gateway API Controller's DNSEndpoint resources + - Automatically creates and updates DNS records + - Maintains service discovery through Route 53 +6. App1 → App2 Communication Flow + - Routes through VPC Lattice service network + - Authenticated via IAM policies + - Encrypted using TLS certificates from Private CA +7. App2 → App1 Communication Flow + - Utilizes bi-directional VPC Lattice connectivity + - Follows same security and authentication patterns + - Maintains consistent service mesh principles ## Deploy 
diff --git a/patterns/vpc-lattice/cross-cluster-pod-communication/assets/vpc-lattice-pattern-cross-cluster.png b/patterns/vpc-lattice/cross-cluster-pod-communication/assets/vpc-lattice-pattern-cross-cluster.png index b0bc642476..13a31455c1 100644 Binary files a/patterns/vpc-lattice/cross-cluster-pod-communication/assets/vpc-lattice-pattern-cross-cluster.png and b/patterns/vpc-lattice/cross-cluster-pod-communication/assets/vpc-lattice-pattern-cross-cluster.png differ
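Review bot: In the first README hunk, the added blockquote reads "more informations"; "information" is uncountable, so this should be "You can also find more information in the [associated blog post](...)". While touching that paragraph, the pre-existing "each having it's own EKS cluster" in the context line should be "its own" (possessive, no apostrophe).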
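Review bot: In the second README hunk, item 2 ("Injects Envoy SigV4 proxy sidecar" / "Automatically signs AWS API requests with AWS credentials") describes what is being signed imprecisely: the sidecar SigV4-signs the application's outbound HTTP requests to the VPC Lattice service so that the IAM auth policy in item 4 can evaluate the caller's identity, which is not the same thing as signing AWS API calls. Suggest "Signs outbound requests to VPC Lattice services with SigV4 using the pod's IAM credentials, so the service's IAM auth policy can authorize the caller". Also add a blank line between the last list item ("- Maintains consistent service mesh principles") and the unchanged "## Deploy" heading so the list terminates cleanly in rendered Markdown, and consider replacing the vague "Maintains consistent service mesh principles" in item 7 with the concrete statement that the reverse path is governed by the same HttpRoute, TLS and IAM policy constructs listed in items 1 to 4.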