This repository contains an example of how to use VPC Lattice to strangle a legacy application deployed on EC2. More often than not, throughout a startup's journey there is a clear requirement for speed and experimentation. Once feasibility, usage and the MVP are proven, engineering teams pivot to scaling goals. Refactoring the architecture and breaking the monolith into smaller pieces while keeping the risk of downtime low is usually a non-trivial task.

VPC Lattice can be leveraged here: not only does it abstract much of the network complexity away from your application integrations, it also offers routing, which can be used to strangle traffic away from the monolith while keeping the ability to easily revert traffic back if issues start to be observed.

This set of three CloudFormation templates is broken down into an illustrative representation of the legacy system (cfn-legacy-product), the new service running on Lambda (cfn-new-product), and a template that spins up the most important resources for a bare-minimum, functional VPC Lattice setup (cfn-lattice-basic).
## Notes

- This example is built under the premise that a VPC (a traditional one) is already set up.
- For demonstration purposes, the legacy-product template was generated so you can run these templates in your own account and see how it works. In a real-world situation the legacy environment already exists and you only have to feed its details into the parameter section.
- The VPC this was developed in used a 172.x.x.x CIDR range; modify the parameters according to your own VPC configuration.
- This architecture will not work with stateful applications. If your application requires stateful requests, consider using an [ALB](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/sticky-sessions.html) with sticky sessions.
## References

- CloudFormation references
- Strangler pattern: Martin Fowler's original article
- Working with prefix lists
- AWS CloudFormation CLI
## Prerequisites

- AWS CLI installed
- Access to an AWS account
- Credentials configured
- git installed on your environment
## Deployment

- Create a new directory, navigate to it in a terminal and clone the GitHub repository:

  ```bash
  git clone https://github.com/aws-samples/add-the-repo-here
  ```

- Modify the param-legacy-product.json file to match your local environment.

- From the command line, use the AWS CLI to deploy the first CloudFormation template. This template deploys a mock legacy application (plain nginx) on an EC2 instance.

  ```bash
  aws cloudformation deploy --template-file cfn-legacy-product.yaml --stack-name product-legacy --parameter-overrides "$(cat param-legacy-product.json)" --capabilities CAPABILITY_IAM
  ```

- From the command line, use the AWS CLI to deploy the second CloudFormation template. This template deploys a mock new application on Lambda.

  ```bash
  aws cloudformation deploy --template-file cfn-new-product.yaml --stack-name new-product-stack --capabilities CAPABILITY_NAMED_IAM
  ```

- Look at the Outputs of both stacks you have deployed and replace the values in param-lattice.json with the ones displayed in the Outputs section.

- From the command line, use the AWS CLI to deploy the third CloudFormation template. This template sets up the VPC Lattice targets.

  ```bash
  aws cloudformation deploy --template-file cfn-lattice-basic.yaml --stack-name vpc-lattice-stack --parameter-overrides "$(cat param-lattice.json)"
  ```

- Using the output of the third stack, collect the domain URL and request it with curl or the HTTP client of your choice. You should see different responses depending on which URL pattern the request matches.
The same three deployments, with the parameter files read from a `param-input` directory:

```bash
aws cloudformation deploy --template-file cfn-new-product.yaml --stack-name new-product-stack --capabilities CAPABILITY_NAMED_IAM
aws cloudformation deploy --template-file cfn-legacy-product.yaml --stack-name product-legacy --parameter-overrides "$(cat ./param-input/param-legacy-product.json)"
aws cloudformation deploy --template-file cfn-lattice-basic.yaml --stack-name vpc-lattice-stack --parameter-overrides "$(cat ./param-input/param-lattice.json)"
```
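As an added example that is not part of this repository, the script below sequences the three deployments above, prints the stack outputs you are asked to copy into param-lattice.json, and then checks from inside the VPC that different paths are answered by different backends, which is the evidence you want before sending more traffic away from the monolith. The output key `ServiceDomain`, the test paths `/` and `/new`, the `https` scheme and the assumption that the new service's response body does not mention nginx are placeholders and assumptions, not values taken from the templates.

```bash
#!/usr/bin/env bash
# Added example (not part of the aws-samples repository): deploy the three stacks in the
# order the README describes, read the outputs that feed the next step, and then check
# that requests to the Lattice domain land on different backends depending on the path.
set -euo pipefail

LEGACY_STACK=product-legacy
NEW_STACK=new-product-stack
LATTICE_STACK=vpc-lattice-stack
# ASSUMPTION: the output key, scheme and request paths below are placeholders; use the
# names shown in the Outputs section of your stacks and the rules in cfn-lattice-basic.yaml.
DOMAIN_OUTPUT_KEY=ServiceDomain
SCHEME=https
TEST_PATHS="/ /new"

# Emit a stack's outputs as "Key<TAB>Value" lines (one AWS CLI call).
stack_outputs() {
  aws cloudformation describe-stacks --stack-name "$1" \
    --query 'Stacks[0].Outputs[].[OutputKey,OutputValue]' --output text
}

# Pure helper: select one output value from Key<TAB>Value lines on stdin.
# Returns 1 when the key is absent, so a mistyped key stops the script instead of
# silently continuing with an empty value.
output_value() {
  local want="$1" tab k v
  tab=$(printf '\t')
  while IFS="$tab" read -r k v; do
    if [ "$k" = "$want" ]; then
      printf '%s\n' "$v"
      return 0
    fi
  done
  return 1
}

# Pure helper: classify which backend answered, from the response body on stdin.
# The mock legacy service is plain nginx, whose default page names nginx; anything
# else is treated as the new Lambda-backed service (ASSUMPTION about its body).
classify_backend() {
  if grep -qi 'nginx'; then
    echo legacy-nginx
  else
    echo new-lambda
  fi
}

deploy_all() {
  aws cloudformation deploy --template-file cfn-legacy-product.yaml \
    --stack-name "$LEGACY_STACK" \
    --parameter-overrides "$(cat param-legacy-product.json)" --capabilities CAPABILITY_IAM
  aws cloudformation deploy --template-file cfn-new-product.yaml \
    --stack-name "$NEW_STACK" --capabilities CAPABILITY_NAMED_IAM
  # Show the values the README asks you to copy into param-lattice.json, then wait.
  echo "Outputs to copy into param-lattice.json:"
  stack_outputs "$LEGACY_STACK"
  stack_outputs "$NEW_STACK"
  read -r -p "Press Enter once param-lattice.json has been updated... " _unused
  aws cloudformation deploy --template-file cfn-lattice-basic.yaml \
    --stack-name "$LATTICE_STACK" --parameter-overrides "$(cat param-lattice.json)"
}

# Request each test path and report which backend served it. Run this from a host
# inside a VPC associated with the service network; the Lattice domain is not public.
verify_routing() {
  local domain path body
  domain=$(stack_outputs "$LATTICE_STACK" | output_value "$DOMAIN_OUTPUT_KEY")
  for path in $TEST_PATHS; do
    body=$(curl -sS --max-time 10 "${SCHEME}://${domain}${path}")
    printf '%-6s -> %s\n' "$path" "$(printf '%s' "$body" | classify_backend)"
  done
}

case "${1:-}" in
  deploy) deploy_all ;;
  verify) verify_routing ;;
esac
```

Run `./deploy.sh deploy` from the repository root, then `./deploy.sh verify` from an instance in the VPC that is associated with the service network; sourcing the file without an argument only defines the functions. If `verify` reports the same backend for every path, the listener rules did not match what you expected and traffic is still going to one target, which is the point at which to revert rather than widen the rollout.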
## License

This library is licensed under the Apache 2.0 License.
## FAQ

Q: I am not able to reach the service domain from my test environment. Why?

If you are calling the domain from within your VPC, you most likely have to allow inbound traffic from the resource you are calling from. If that resource is an EC2 instance, add an inbound rule referencing its security group to the security group tied to the VPC association within the VPC Lattice service network. Also make sure the prefix list being referenced is the correct one; you can list the AWS-managed prefix lists with the following AWS CLI command:

```bash
aws ec2 describe-managed-prefix-lists --filters Name=owner-id,Values=AWS
```
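The two security-group openings the answer above describes, as an added example that is not part of this repository: one rule lets the test client's security group into the security group of the VPC association (client to service network), and one lets the region's VPC Lattice managed prefix list into the legacy instance's security group (Lattice to target). The prefix list name `com.amazonaws.<region>.vpc-lattice` is the name AWS uses for that list; the default ports (443 for the listener, 80 for nginx) and the `sg-...` IDs in the usage lines are assumptions and placeholders.

```bash
#!/usr/bin/env bash
# Added example (not part of the aws-samples repository): open the two security-group
# paths the FAQ describes, resolving the Lattice prefix list by name instead of by hand.
set -euo pipefail

# Pure helper: the name AWS gives the VPC Lattice managed prefix list in a region.
lattice_prefix_list_name() {
  printf 'com.amazonaws.%s.vpc-lattice\n' "$1"
}

# Pure helper: --ip-permissions shorthand for one TCP port from a source security group
# (client -> service network).
ingress_from_group() {
  printf 'IpProtocol=tcp,FromPort=%s,ToPort=%s,UserIdGroupPairs=[{GroupId=%s}]' "$1" "$1" "$2"
}

# Pure helper: the same shorthand from a managed prefix list (VPC Lattice -> target).
ingress_from_prefix_list() {
  printf 'IpProtocol=tcp,FromPort=%s,ToPort=%s,PrefixListIds=[{PrefixListId=%s}]' "$1" "$1" "$2"
}

# Resolve the region's Lattice prefix list ID by exact name, narrowed to AWS-owned lists
# exactly as the README's describe-managed-prefix-lists command does.
lattice_prefix_list_id() {
  aws ec2 describe-managed-prefix-lists \
    --filters Name=owner-id,Values=AWS "Name=prefix-list-name,Values=$(lattice_prefix_list_name "$1")" \
    --query 'PrefixLists[0].PrefixListId' --output text
}

# 1) Let the test client (e.g. an EC2 instance) reach the service network: reference its
#    security group in the security group attached to the VPC association.
#    ASSUMPTION: the listener port is 443; pass another port if your listener differs.
allow_client_to_service_network() {
  local assoc_sg="$1" client_sg="$2" port="${3:-443}"
  aws ec2 authorize-security-group-ingress --group-id "$assoc_sg" \
    --ip-permissions "$(ingress_from_group "$port" "$client_sg")"
}

# 2) Let VPC Lattice reach the legacy target: allow the region's Lattice prefix list into
#    the instance's security group on the port nginx listens on (ASSUMPTION: 80).
allow_lattice_to_target() {
  local target_sg="$1" region="$2" port="${3:-80}" pl
  pl=$(lattice_prefix_list_id "$region")
  aws ec2 authorize-security-group-ingress --group-id "$target_sg" \
    --ip-permissions "$(ingress_from_prefix_list "$port" "$pl")"
}

# Usage (placeholder IDs, not real ones):
#   allow_client_to_service_network sg-ASSOCIATION sg-CLIENT 443
#   allow_lattice_to_target sg-TARGET us-east-1 80
```

Both rules are scoped to a security group or a managed prefix list rather than to `0.0.0.0/0`, so the target stays reachable only through Lattice and the service network only from the intended clients. `authorize-security-group-ingress` fails with a duplicate-permission error if an identical rule already exists, which is harmless on a re-run.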