Docs
Launch GraphOS Studio

Securely communicate with subgraphs on your AWS VPC

Configure AWS VPC Lattice to communicate with your Cloud Dedicated router


Cloud is currently in invite-only preview. Don't hesitate to get in touch if you'd like to request access or have any questions or feedback.

Cloud uses AWS VPC Lattice to send traffic to your running in an AWS VPC without exposing them to the internet. With Lattice, you can define services and share them with the Apollo AWS organization.

You can provision AWS VPC Lattice with the Apollo Terraform module. Refer to the module's README for more information.

AWS Virtual Private Cloud
Apollo Cloud
Requests
AWS VPC
Lattice
Service
Subgraph 1
Subgraph 2
Subgraph 3
Cloud
Dedicated
Clients
AWS RAM
Resource
Share

NOTE

  • You can only use Lattice for in the same AWS region as your . If you need to run subgraphs in different AWS regions or run your workloads in a region not yet supported by Cloud , please let us know.
  • Using AWS VPC Lattice incurs costs outside of your Cloud spend. Refer to the Lattice pricing page to learn more.

Create and share an AWS VPC Lattice service

To allow Cloud to send traffic to your , you must:

  1. Create one or more AWS VPC Lattice target groups.
  2. Create one or more AWS VPC Lattice services.
  3. Share the service(s) with the Apollo AWS Organization.
  4. Provide the service(s) routing information in your Apollo Organization configuration page.

This guide offers step-by-step instructions for each stage.

NOTE

The AWS Console interface may differ slightly from the screenshots in this guide.

Step 1. Create AWS VPC Lattice target groups

A Lattice target group is a collection of targets, or compute resources, that run your application or service. You must set these up so your Lattice services can route requests accurately. Check out the AWS documentation to learn more.

  1. In the AWS Console for your region of choice, go to the VPC service page:
  1. In the menu on the left, scroll down and open Target groups in the VPC Lattice section.

    AWS VPC service page left menu
  2. Click Create target group on the top right.

    AWS VPC service page
  3. In the Basic configuration section, set the properties that match your resources.

    AWS VPC service page
  4. (Optional) If you use a target type with health checks, ensure you configure your health checks correctly, or Lattice will not be able to send traffic to your .

    AWS VPC service page
  5. Register the targets based on your chosen target type.

    AWS VPC service page
  6. Review your targets to make sure all information is correct.

    AWS VPC service page
  7. Click Create target group at the bottom right corner of the page.

    AWS VPC service page

Congratulations! You've created an AWS VPC Lattice target group. Repeat this process for each resource you want to share with Cloud .

Step 2. Create an AWS VPC Lattice service

  1. In the AWS Console for your region, go to the VPC service page:
  1. In the menu on the left, scroll down and open Services in the VPC Lattice section.

    AWS VPC service page left menu
  2. Click Create service in the top right.

    AWS VPC service page
  3. In the Identifiers section, give the name, description, and tags of your choice for the service.

    AWS VPC service page
  4. In the Custom domain configuration section, leave the Specify a custom domain configuration checkbox unselected.

    AWS VPC service page
  5. In the Service access section, select the AWS IAM authentication type and paste the following authorization policy. This policy ensures that only the AWS Organization for Cloud can send traffic to your .

    {
    "Version": "2012-10-17",
    "Statement": [
    {
    "Effect": "Allow",
    "Principal": "*",
    "Action": "vpc-lattice-svcs:Invoke",
    "Resource": "*",
    "Condition": {
    "ForAnyValue:StringLike": {
    "aws:PrincipalOrgPaths": "o-9vaxczew6u/*/ou-leyb-l9pccq2t/ou-leyb-fvqz35yo/*"
    }
    }
    }
    ]
    }
    AWS VPC service page
  6. (Optional) For extra security, you can audit all the traffic coming to your by enabling access logs in the Monitoring section.

  7. Once you've configured the service, click Next on the bottom right of the page.

    AWS VPC service page
  8. Define routing information to your target groups. Set the protocol to HTTPS and the port to 443.

    NOTE

    For security reasons, we require you to use HTTPS for your listener. This enforces encryption in transit of the traffic between your and your Lattice listener.

    AWS VPC service page
  9. If you have multiple target groups, add a rule for each .

    AWS VPC service page
  10. Click Next at the bottom right of the page once you've configured your listener.

    AWS VPC service page
  11. Do NOT select a VPC Lattice service network. Your will integrate with a service network managed by Apollo. Instead, click the Next button at the bottom right of the page.

    AWS VPC service page
  12. Ensure the information you've entered is correct, then click Create VPC Lattice service at the bottom right of the page.

    AWS VPC service page

Congratulations! You've now created a Lattice service for your .

Step 3. Share the AWS VPC Lattice service with Cloud Dedicated

  1. In the AWS Console for your region of choice, go to the Resource Access Manager service page:
  1. In the menu on the left, click Resource shares in the Shared by me section.

    AWS VPC service page left menu
  2. Click Create resource share in the top right corner.

    AWS VPC shared resources page
  3. In the Resource share name section, enter a name for your resource share.

    AWS VPC shared resources page
  4. In the Resources section, select the resource type VPC Lattice Services.

    AWS VPC shared resources page
  5. Select all the Lattice services that contain your .

    AWS VPC shared resources page
  6. (Optional) Set tags for your resource share.

    AWS VPC shared resources page
  7. Click the Next button at the bottom right corner of the page.

    AWS VPC shared resources page
  8. Verify that the managed permissions give access to associate the Lattice services with a service network (vpc-lattice:CreateServiceNetworkServiceAssociation and vpc-lattice:GetService). Then click the Next button at the bottom right of the page.

    AWS VPC shared resources page
  9. In the Principals section, select Allow sharing with anyone with a principal type of AWS account, enter the following value for the account ID: 282421723282, then click the Add button.

    AWS VPC shared resources page
  10. Confirm that 282421723282 is the only selected principal for this resource share, then click the Next button on the bottom right corner.

    AWS VPC shared resources page
  11. Confirm that all the information is correct, then click Create resource share at the bottom right of the page.

    AWS VPC shared resources page

Congratulations! You've now shared your Lattice services with Cloud .

The last step is associating your resource share with the Apollo Organization account.

NOTE

  • You have 12 hours to associate your resource share—otherwise, AWS Resource Access Manager will fail to process the invitation, and you will have to restart this step.
  • For security purposes, we recommend you continue to the next step immediately after creating the resource share. If you see that the resource share was Accepted or Failed in the AWS console and you did not follow step 4 of this guide, follow the steps to remove access to private subgraphs and restart this step.

Step 4. Associate your resource share with your Apollo Organization

  1. In the AWS Console for your region of choice, go to the Resource Access Manager service page:
  1. In the menu on the left, click Resource shares in the Shared by me section.

    AWS VPC service page left menu
  2. Click the resource share you created in the previous step.

    AWS VPC resource share page
  3. Copy the ARN for the resource share.

    AWS VPC resource share page

Setup from this point differs based on whether this is your first private subgraph or if you're adding this service to an existing graph.

Setup for new private subgraphs

  1. Go to GraphOS Studio.

  2. Click the Create New Graph tab at the top right of the screen.

  3. Follow Studio's onboarding steps to create a with a new .

    Onboarding a new private supergraph
  4. When prompted to Provide your GraphQL API endpoint, select My endpoint is not directly accessible at the bottom of the page.

    Select private subgraph option
  5. Choose the backend provider you want to use for your and the region where your subgraph should be provisioned.

    NOTE

    All connected to a must be in the same region.
    Choosing a backend Cloud Provider
  6. Paste the ARN of the resource share you created and copied from your AWS Console, then click Link my Resource and Next to continue.

    Linking a Lattice resource
  7. From the dropdown menu, select the Lattice service that you would like to connect to your . A default path of /api/graphql is automatically added to the URL. You can change this path if you want to.

    Selecting a private Lattice service
  8. Add a Service Name to describe your Lattice service. This name will be used to identify your Lattice service in .

    Adding a Service Name
  9. Paste the for this in the Schema . You can also upload a schema file by clicking the Upload Schema button.

    Adding a private schema
  1. Update the ID and the name of the that you want to add this to. An ID and name are automatically generated based on your organization's name, but you can change both as needed.

    Configuring a private supergraph
  2. To finish, click Create GraphOS Router.

    Pressing the Create GraphOS Router button

Congratulations! You've now created a with a .

Setup for existing graphs

  1. Go to the you want to connect in GraphOS Studio.

  2. From the left sidebar, open the Subgraphs tab of your .

  3. Click Add a Subgraph on the right of the page.

    Clicking the Add a Subgraph button
  4. In the modal, select the Private option, then select the AWS service you want to add from the dropdown menu. A default path of /api/graphql is automatically added to the URL. You can change this path if you like.

    Selecting a private service from existing services
  5. Add a Service Name to describe your Lattice service. This name will be used to identify your Lattice service in .

    Adding a Service Name
  6. Paste the for this in the Schema . You can also upload a schema file by clicking the Upload Schema button.

    Adding a private schema
  1. To finish, click Add Subgraph.

Congratulations! You've now added a to your .

Further restrict access to private subgraphs

Once you configure an AWS VPC Lattice service to accept traffic from the Apollo AWS Organization, it is protected by multiple security layers:

  • The AWS VPC Lattice service network only allows traffic with a valid signature and over HTTPS.
  • The Lattice service's configured authorization policy ensures traffic only comes from Apollo's AWS accounts. (This is the authorization policy you configured in step 6 when creating your Lattice service.)
  • Apollo provisioning compares in a 's configuration against the list of known in its Apollo account. It refuses to create or update cloud routers with unknown private subgraphs.
  • only have permission to invoke listed in their configuration.

You can further restrict access to your by configuring additional conditions in your service's authorization policy. Specifically, you can add conditions to restrict traffic based on your organization's Apollo account ID or your 's .

Update Lattice service authorization policy

To update a Lattice service's authorization policy with additional restrictions, you first need the Apollo account ID and/or graph ref to which you want to restrict access.

Obtain account ID and graph ref

  • Contact Apollo to obtain your account ID. Specify you would like the account ID needed to update your Lattice service's authorization policy.

    NOTE

    The Apollo account ID you specify in your authorization policy is not the Apollo organization ID you can find in .

  • You can find your 's in your Apollo account:

    • Log in to GraphOS Studio.
    • Click on a on the Graphs page. The will be at the top of the page—click it to copy.

If you want to provide access to multiple Apollo accounts or , you can specify multiple account IDs and when updating your policy.

Update policy

If you are using the Apollo Terraform module, you can set the apollo_account_ids and apollo_graph_refs variables to update your authorization policy. Provide one or more Apollo account IDs or :

apollo_account_ids = ["my_account_id", "another_account_id"]
apollo_graph_refs = ["my-graph@my-variant", "another-graph@my-variant"]

If you aren't using the Apollo Terraform module, follow these steps:

  1. In the AWS Console for your region of choice, go to the VPC service page:
  1. In the menu on the left, scroll down and open Services in the VPC Lattice section.

    AWS VPC service page left menu
  2. Click the name of the Lattice service whose authorization policy you want to configure.

    AWS VPC service page
  3. In the Service access section, update your authorization policy. You can use the following as an examplemake sure to replace the account ID and with your own.

    {
    "Version": "2012-10-17",
    "Statement": [
    {
    "Effect": "Allow",
    "Principal": "*",
    "Action": "vpc-lattice-svcs:Invoke",
    "Resource": "*",
    "Condition": {
    "ForAnyValue:StringLike": {
    "aws:PrincipalOrgPaths": "o-9vaxczew6u/*/ou-leyb-l9pccq2t/ou-leyb-fvqz35yo/*"
    },
    // Restrict traffic based on Apollo account IDs or graphRefs
    "StringEquals": {
    "aws:PrincipalTag/Apollo:accountId": "my_account_id_xezf34",
    "aws:PrincipalTag/Apollo:graphRef": "my-graph@my-variant"
    }
    }
    }
    ]
    }

If there are multiple which should have access to the , use a comma-separated string of for aws:PrincipalTag/Apollo:graphRef. For example:

"aws:PrincipalTag/Apollo:graphRef": "my-graph@my-variant, my-graph@another-variant, another-graph@another-variant"

Similarly, you can use a comma-separated string of account IDs for aws:PrincipalTag/Apollo:accountId:

"aws:PrincipalTag/Apollo:accountId": "my_account_id_xezf34, "my_account_id_dehs56"

Remove access to private subgraphs

To remove Cloud access to , you need to remove both resource shares and service network associations. Keep in mind that any existing that sends traffic to your private subgraphs will stop working once you remove access.

Remove resource shares

  1. In the AWS Console for your region of choice, go to the Resource Access Manager service page:
  1. In the menu on the left, click Resource shares in the Shared by me section.

    AWS VPC service page left menu
  2. Select the resource share(s) associated with Cloud and click the Delete button in the top right corner.

    AWS VPC resource share page
  3. Click Delete in the popup modal.

    AWS VPC resource share page

Remove service network associations

  1. In the AWS Console for your region of choice, go to the VPC service page:
  1. In the menu on the left, scroll down and open Services in the VPC Lattice section.

    AWS VPC service page left menu
  2. Click the name of the Lattice service you want to disconnect.

    AWS VPC service page
  3. In the Service network associations, select the graphos-cloud service name.

    AWS VPC service page
  4. Click the Actions button in the top right of that section, and click Delete network associations.

    AWS VPC service page
  5. Follow the confirmation instructions and click Delete.

    AWS VPC service page

Deleting the network association can take a few seconds. Once the network association is deleted, Cloud cannot contact your anymore.

AWS VPC Lattice monitoring

To validate that traffic is flowing to your , you can use the metrics and access logs emitted by AWS VPC Lattice:

  1. In the AWS Console for your region of choice, go to the VPC service page.

  2. In the menu on the left, scroll down and open Services in the VPC Lattice section.

    AWS VPC service page left menu
  3. Click on the name of the Lattice service used by the in question.

    AWS VPC Lattice service
  4. Click on the Monitoring tab.

From there, you can configure and enable access logs for your AWS VPC Lattice service. You can also navigate to the Metrics tab to get a quick overview if traffic is flowing to your .

AWS VPC Lattice access logsAWS VPC Lattice metrics

You can also use Amazon CloudWatch metrics emitted by AWS VPC Lattice to set up dashboards and alarms to understand the health of your .

Frequently asked questions

How does Cloud Dedicated prevent other users from accessing my private subgraphs?

When you associate a resource share for the first time, Cloud will scan the Lattice services contained in the resource share to retrieve their ARNs and domain names.

When you add a to one of your , Cloud will check that the domain for that subgraph matches one of the Lattice services you have associated with your Apollo Organization.

As a second line of defense, use AWS IAM permissions and SigV4 to only allow traffic to the in the same Apollo organization.

I want to use AWS VPC Lattice within my own organization. Can I still use Lattice for private subgraphs?

Yes. Cloud will associate your Lattice services with its own service network, and you can associate a Lattice service with multiple service networks. You can also create multiple Lattice target groups or Lattice services for the same load balancer, IP addresses, Lambda functions, or other resources supported by Lattice target groups.

Tips and troubleshooting

See the troubleshooting guide for tips and common errors.

Previous
Custom domains
Next
AWS Lattice troubleshooting
Edit on GitHubEditForumsDiscord

© 2024 Apollo Graph Inc.

Privacy Policy

Company