

# Manage traffic flow with a VPC Lattice target group
<a name="ec2-auto-scaling-vpc-lattice"></a>

You can use Amazon VPC Lattice to manage the flow of traffic and API calls between your applications and services that run on separate resources, such as Auto Scaling groups or Lambda functions. VPC Lattice is an application networking service that lets you connect, secure, and monitor all your services across multiple accounts and virtual private clouds (VPCs). To learn more about VPC Lattice, see [What is VPC Lattice?](https://docs.aws.amazon.com/vpc-lattice/latest/ug/)

To get started with VPC Lattice, first create the necessary VPC Lattice resources that enable resources in a VPC associated with a service network to connect to each other. These resources include the services, listeners, listener rules, and target groups. 

To associate an Auto Scaling group to a VPC Lattice service, create a target group for the service that routes requests to instances registered by instance ID, and add a listener to the service that sends requests to the target group. Then, attach the target group to your Auto Scaling group. Amazon EC2 Auto Scaling automatically registers the EC2 instances as targets with the target group. Later, when Amazon EC2 Auto Scaling needs to terminate an instance, it automatically deregisters the instance from the target group before termination.

After you attach the target group, it's the entry point for all incoming requests to your Auto Scaling group. As the example in the following diagram shows, incoming requests can then be routed to the appropriate target group using listener rules specified for a VPC Lattice service.

![VPC Lattice routes traffic to registered targets in two Auto Scaling groups using path-based routing.](http://docs.aws.amazon.com/autoscaling/ec2/userguide/images/vpc-lattice-diagram-auto-scaling-groups.png)


When traffic is routed through VPC Lattice to your Auto Scaling group, VPC Lattice balances requests among the instances in the group using round robin load balancing. VPC Lattice can also monitor the health of its registered instances and route traffic only to healthy instances.

To keep your instances available for incoming requests, you can optionally add VPC Lattice health checks to your Auto Scaling group. This way, if one of the EC2 instances fails, your Auto Scaling group automatically launches a new instance to replace it. The behavior of the VPC Lattice health checks is similar to the behavior of the Elastic Load Balancing health checks. The default health checks for an Auto Scaling group are EC2 health checks only.

To learn more about VPC Lattice, see [Simplify Service-to-Service Connectivity, Security, and Monitoring with Amazon VPC Lattice – Now Generally Available](https://aws.amazon.com/blogs/aws/simplify-service-to-service-connectivity-security-and-monitoring-with-amazon-vpc-lattice-now-generally-available/) on the AWS Blog.

**Topics**
+ [Prepare to attach a target group](getting-started-vpc-lattice.md)
+ [Attach a VPC Lattice target group](attach-vpc-lattice-target-group-asg.md)
+ [Verify the attachment status](verify-target-group-attachment-status.md)

# Prepare to attach a VPC Lattice target group to your Auto Scaling group
<a name="getting-started-vpc-lattice"></a>

Before you attach a VPC Lattice target group to your Auto Scaling group, you must complete the following prerequisites:
+ You must have already created a VPC Lattice service network, service, listener, and target group. For more information, see the following topics in the *VPC Lattice User Guide*:
  + [Service networks](https://docs.aws.amazon.com/vpc-lattice/latest/ug/service-networks.html)
  + [Services](https://docs.aws.amazon.com/vpc-lattice/latest/ug/services.html)
  + [Listeners](https://docs.aws.amazon.com/vpc-lattice/latest/ug/listeners.html)
  + [Target groups](https://docs.aws.amazon.com/vpc-lattice/latest/ug/target-groups.html)
+ The target group must be in the same AWS account, VPC, and Region as your Auto Scaling group. 
+ The target group must specify a target type of `instance`. You can't specify a target type of `ip` when using an Auto Scaling group.
+ You must have sufficient IAM permissions to attach the target group to the Auto Scaling group. The following example policy shows the minimum required permissions that are necessary to attach and detach target groups.

------
#### [ JSON ]


  ```
  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Effect": "Allow",
              "Action": [
                  "autoscaling:AttachTrafficSources",
                  "autoscaling:DetachTrafficSources",
                  "autoscaling:DescribeTrafficSources",
                  "vpc-lattice:RegisterTargets",
                  "vpc-lattice:DeregisterTargets"
              ],
              "Resource": "*"
          }
      ]
  }
  ```

------
+ If the launch template for your Auto Scaling group does not contain the correct settings for VPC Lattice, such as a compatible security group, you must update the launch template. Existing instances are not updated with the new settings when the launch template is modified. To update existing instances, you can start an instance refresh to replace the instances. For more information, see [Use an instance refresh to update instances in an Auto Scaling group](asg-instance-refresh.md).
+ Before enabling the VPC Lattice health checks on your Auto Scaling group, you can configure an application-based health check to verify that your application is responding as expected. For more information, see [Health checks for your target groups](https://docs.aws.amazon.com/vpc-lattice/latest/ug/target-group-health-checks.html) in the *VPC Lattice User Guide*.
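The account, Region, VPC and target-type prerequisites above can be checked from a script before you attempt the attach. The following is an added example, not code from the Amazon EC2 Auto Scaling documentation: it reads the `describe-auto-scaling-groups`, `describe-subnets` and `vpc-lattice get-target-group` responses and reports every prerequisite that is not met. The ARNs, subnet IDs and VPC ID in the sample data are constructed placeholders, and the `main` block assumes a configured AWS CLI.

```python
import json
import subprocess

# Constructed sample responses: same shape as the real CLI output, placeholder values.
SAMPLE_ASG = {
    "AutoScalingGroupARN": "arn:aws:autoscaling:us-east-1:123456789012:autoScalingGroup:uuid:autoScalingGroupName/my-asg",
    "VPCZoneIdentifier": "subnet-5ea0c127,subnet-6194ea3b",
}
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-5ea0c127", "VpcId": "vpc-0a1b2c3dEXAMPLE"},
    {"SubnetId": "subnet-6194ea3b", "VpcId": "vpc-0a1b2c3dEXAMPLE"},
]
SAMPLE_TARGET_GROUP = {
    "arn": "arn:aws:vpc-lattice:us-east-1:123456789012:targetgroup/tg-0e2f2665eEXAMPLE",
    "type": "INSTANCE",
    "config": {"vpcIdentifier": "vpc-0a1b2c3dEXAMPLE", "port": 80, "protocol": "HTTP"},
}


def parse_arn(arn):
    """Return the partition, service, region, account and resource fields of an ARN."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    return dict(zip(("partition", "service", "region", "account", "resource"), parts[1:]))


def check_prerequisites(asg, subnets, target_group):
    """Return the prerequisite violations for attaching target_group to asg (empty list: ready).
    asg: one AutoScalingGroups entry; subnets: Subnets for asg's VPCZoneIdentifier; target_group: get-target-group."""
    problems = []
    tg, group = parse_arn(target_group["arn"]), parse_arn(asg["AutoScalingGroupARN"])
    # The API reports the target type in upper case (INSTANCE, IP, ...); the console shows it in lower case.
    if target_group["type"].upper() != "INSTANCE":
        problems.append(f"target type is {target_group['type']!r}; only 'instance' works with an Auto Scaling group")
    if (tg["region"], tg["account"]) != (group["region"], group["account"]):
        problems.append("target group and Auto Scaling group must be in the same account and Region")
    tg_vpc = target_group["config"]["vpcIdentifier"]
    vpc_of = {s["SubnetId"]: s["VpcId"] for s in subnets}
    for subnet_id in asg["VPCZoneIdentifier"].split(","):
        if subnet_id not in vpc_of:
            problems.append(f"{subnet_id} was not described; cannot confirm its VPC")
        elif vpc_of[subnet_id] != tg_vpc:
            problems.append(f"{subnet_id} is in {vpc_of[subnet_id]} but the target group is in {tg_vpc}")
    return problems


def aws(*args):
    """Run one AWS CLI command and parse its JSON output (assumes a configured CLI with describe permissions)."""
    proc = subprocess.run(["aws", *args, "--output", "json"], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    TG_ARN = "arn:aws:vpc-lattice:region:account-id:targetgroup/tg-0e2f2665eEXAMPLE"  # replace with your ARN
    asg = aws("autoscaling", "describe-auto-scaling-groups", "--auto-scaling-group-names", "my-asg")["AutoScalingGroups"][0]
    subnets = aws("ec2", "describe-subnets", "--subnet-ids", *asg["VPCZoneIdentifier"].split(","))["Subnets"]
    for problem in check_prerequisites(asg, subnets, aws("vpc-lattice", "get-target-group", "--target-group-identifier", TG_ARN)):
        print("NOT READY:", problem)
```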

## Security groups: Inbound and outbound rules
<a name="vpc-lattice-security-groups"></a>

Security groups act as a firewall for associated EC2 instances, controlling both inbound and outbound traffic at the instance level. 

**Note**  
Network configuration is sufficiently complex that we strongly recommend that you create a new security group for use with VPC Lattice. It also makes it easier for Support to help you if you need to contact them. The following sections are based on the assumption that you follow this recommendation.   
To learn more about creating security groups for VPC Lattice that you can use with your Auto Scaling group, see [Control traffic using security groups](https://docs.aws.amazon.com/vpc-lattice/latest/ug/security-groups.html) in the *VPC Lattice User Guide*. To troubleshoot issues with traffic flow, consult the *VPC Lattice User Guide* for further information.

For information about how to create a security group, see [Create a security group](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/creating-security-group.html) in the *Amazon EC2 User Guide* and use the following table to determine what options to select.


| Option | Value | 
| --- | --- | 
| Name  | A name that's easy for you to remember. | 
| Description | A description to help you identify the security group. | 
| VPC | The same VPC as the Auto Scaling group. | 

### Inbound rules
<a name="vpc-lattice-inbound-rules"></a>

When you create a security group, it has no inbound rules. No inbound traffic originating from clients within a VPC Lattice service network to your instance is allowed until you add inbound rules to the security group.

To allow clients within a VPC Lattice service network to connect to instances in your Auto Scaling group, the security group for your Auto Scaling group must be set up correctly. In this case, give it an inbound rule that allows traffic from the AWS managed prefix list for VPC Lattice (referenced by its name) instead of from a specific IP address. The VPC Lattice prefix list is the set of IP address ranges, in CIDR notation, that VPC Lattice uses. For more information, see [Work with AWS-managed prefix lists](https://docs.aws.amazon.com/vpc/latest/userguide/working-with-aws-managed-prefix-lists.html) in the *Amazon VPC User Guide*.

For information about how to add rules to a security group, see [Configure security group rules](https://docs.aws.amazon.com/vpc/latest/userguide/working-with-security-group-rules.html) in the *Amazon VPC User Guide* and use the following table to determine what options to select.


| Option | Value | 
| --- | --- | 
| HTTP rule | Type: HTTP; Source: com.amazonaws.*region*.vpc-lattice | 
| HTTPS rule | Type: HTTPS; Source: com.amazonaws.*region*.vpc-lattice | 

The security group is stateful: when it allows a request from a client within the VPC Lattice service network to reach an instance in your Auto Scaling group, the response to that client is automatically allowed back out.
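The HTTP and HTTPS rules in the table can be created and audited from the AWS CLI once the prefix list name is resolved to its ID. The following added example, not part of the original documentation, builds the `--ip-permissions` for those rules from the prefix list ID, and flags existing rules on those ports that admit a CIDR range instead of the prefix list. The security group ID, prefix list ID and sample rules are constructed placeholders; the `main` block assumes a configured AWS CLI.

```python
import json
import subprocess

LATTICE_PORTS = (80, 443)  # the HTTP and HTTPS rules from the table; use your target port if it differs
SAMPLE_SG = {  # constructed: port 80 is scoped to the prefix list, port 443 is open to the world
    "GroupId": "sg-0123456789EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [], "Ipv6Ranges": [],
         "PrefixListIds": [{"PrefixListId": "pl-0123EXAMPLE"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [], "PrefixListIds": []},
    ],
}


def lattice_ingress_permissions(prefix_list_id, ports=LATTICE_PORTS):
    """IpPermissions for authorize-security-group-ingress: TCP on each port, from the Lattice prefix list only."""
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
             "PrefixListIds": [{"PrefixListId": prefix_list_id, "Description": "VPC Lattice service network"}]}
            for port in ports]


def audit_ingress(security_group, prefix_list_id, ports=LATTICE_PORTS):
    """Audit one describe-security-groups entry: CIDR rules on the Lattice ports, and ports the prefix list does not cover."""
    findings, covered = [], set()
    for perm in security_group.get("IpPermissions", []):
        proto, lo, hi = perm.get("IpProtocol"), perm.get("FromPort", 0), perm.get("ToPort", 65535)
        hit = [p for p in ports if proto == "-1" or (proto == "tcp" and lo <= p <= hi)]
        if not hit:
            continue
        if any(pl.get("PrefixListId") == prefix_list_id for pl in perm.get("PrefixListIds", [])):
            covered.update(hit)
        for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            findings.append(f"ports {hit} accept traffic from {cidr}; restrict to prefix list {prefix_list_id}")
    missing = [p for p in ports if p not in covered]
    findings += [f"port {p} has no rule from prefix list {prefix_list_id}" for p in missing]
    return {"findings": findings, "missing_ports": missing}


def aws(*args):
    """Run one AWS CLI command and parse its JSON output (assumes a configured CLI)."""
    proc = subprocess.run(["aws", *args, "--output", "json"], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    region, sg_id = "us-east-1", "sg-0123456789EXAMPLE"  # replace with your Region and security group
    name = f"com.amazonaws.{region}.vpc-lattice"  # the prefix list name from the table above
    pl_id = aws("ec2", "describe-managed-prefix-lists", "--region", region, "--filters",
                f"Name=prefix-list-name,Values={name}")["PrefixLists"][0]["PrefixListId"]
    sg = aws("ec2", "describe-security-groups", "--region", region, "--group-ids", sg_id)["SecurityGroups"][0]
    report = audit_ingress(sg, pl_id)
    for finding in report["findings"]:
        print("FINDING:", finding)
    if report["missing_ports"]:  # add only the rules that are missing; existing ones would be rejected as duplicates
        aws("ec2", "authorize-security-group-ingress", "--region", region, "--group-id", sg_id,
            "--ip-permissions", json.dumps(lattice_ingress_permissions(pl_id, report["missing_ports"])))
```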

### Outbound rules
<a name="vpc-lattice-outbound-rules"></a>

By default, a security group includes an outbound rule that allows all outbound traffic. You can optionally remove this default rule and add an outbound rule to accommodate specific security needs. 

## Limitations
<a name="vpc-lattice-target-group-limitations"></a>
+ [Mixed instances groups](ec2-auto-scaling-mixed-instances-groups.md) are supported. Note, however, that if you attach a VPC Lattice target group to an Auto Scaling group that has a mixed instances policy, the load balancing algorithm distributes load evenly across all available instances and assumes that they are similar enough to handle equal loads.

# Attach a VPC Lattice target group to your Auto Scaling group
<a name="attach-vpc-lattice-target-group-asg"></a>

This topic describes how to attach a VPC Lattice target group to an Auto Scaling group. It also describes how to turn on VPC Lattice health checks to let Amazon EC2 Auto Scaling replace instances that VPC Lattice reports as unhealthy. 

By default, Amazon EC2 Auto Scaling only replaces instances that are unhealthy or unreachable based on Amazon EC2 health checks. If you turn on VPC Lattice health checks, Amazon EC2 Auto Scaling can replace a running instance if any of the VPC Lattice target groups you attach to the Auto Scaling group report it as unhealthy. For more information, see [Health checks for instances in an Auto Scaling group](ec2-auto-scaling-health-checks.md).

**Important**  
Before you continue, complete all [prerequisites](getting-started-vpc-lattice.md) in the previous section.

## Attach a VPC Lattice target group
<a name="attach-vpc-lattice-target-group"></a>

You can attach one or more target groups to an Auto Scaling group when you create or update the group.

------
#### [ Console ]

Follow the steps in this section to use the console to:
+ Attach a VPC Lattice target group to an Auto Scaling group
+ Turn on the health checks for VPC Lattice

**To attach a VPC Lattice target group to a new Auto Scaling group**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/), and choose **Auto Scaling Groups** from the navigation pane.

1. On the navigation bar at the top of the screen, choose the AWS Region that you created your target group in.

1. Choose **Create Auto Scaling group**.

1. In steps 1 and 2, choose your desired options and proceed to **Step 3: Configure advanced options**.

1. For **VPC Lattice integration options**, choose **Attach to VPC Lattice service**.

1. Under **Choose VPC Lattice target group**, choose your target group.

1. (Optional) For **Health checks**, **Additional health check types**, select **Turn on VPC Lattice health checks**.

1. (Optional) For **Health check grace period**, enter the amount of time, in seconds. This amount of time is how long Amazon EC2 Auto Scaling needs to wait before checking the health status of an instance after it enters the `InService` state. For more information, see [Set the health check grace period for an Auto Scaling group](health-check-grace-period.md). 

1. Proceed to create the Auto Scaling group. Your instances will be automatically registered to the VPC Lattice target group after the Auto Scaling group has been created. 

**To attach a VPC Lattice target group to an existing Auto Scaling group**

Use the following procedure to attach a target group for a service to an existing Auto Scaling group. 

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/), and choose **Auto Scaling Groups** from the navigation pane.

1. Select the check box next to your Auto Scaling group.

   A split pane opens at the bottom of the page.

1. On the **Details** tab, choose **VPC Lattice integration options**, **Edit**.

1. Under **VPC Lattice integration options**, choose **Attach to VPC Lattice service**.

1. Under **Choose VPC Lattice target group**, choose your target group.

1. Choose **Update**.

When you finish attaching the target group, you can optionally turn on the health checks that use it.

**To turn on the VPC Lattice health checks**

1. On the **Details** tab, choose **Health checks**, **Edit**.

1. For **Health checks**, **Additional health check types**, select **Turn on VPC Lattice health checks**.

1. For **Health check grace period**, enter the amount of time, in seconds. This amount of time is how long Amazon EC2 Auto Scaling needs to wait before checking the health status of an instance after it enters the `InService` state. For more information, see [Set the health check grace period for an Auto Scaling group](health-check-grace-period.md). 

1. Choose **Update**.

------
#### [ AWS CLI ]

Follow the steps in this section to use the AWS CLI to:
+ Attach a VPC Lattice target group to an Auto Scaling group
+ Turn on the health checks for VPC Lattice

**To attach a VPC Lattice target group to an Auto Scaling group**

Use the following [create-auto-scaling-group](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/autoscaling/create-auto-scaling-group.html) command to create an Auto Scaling group and simultaneously attach a VPC Lattice target group by specifying its Amazon Resource Name (ARN). 

Replace the sample values for `--auto-scaling-group-name`, `--vpc-zone-identifier`, `--min-size`, and `--max-size`. For the `--launch-template` option, replace `my-launch-template` and `1` with the name and version of the launch template that you created for instances registered to a VPC Lattice target group. For the `--traffic-sources` option, replace the sample ARN with the ARN of your VPC Lattice target group. 

```
aws autoscaling create-auto-scaling-group --auto-scaling-group-name my-asg \
  --launch-template LaunchTemplateName=my-launch-template,Version='1' \
  --vpc-zone-identifier "subnet-5ea0c127,subnet-6194ea3b,subnet-c934b782" \
  --min-size 1 --max-size 5 \
  --traffic-sources "Identifier=arn:aws:vpc-lattice:region:account-id:targetgroup/tg-0e2f2665eEXAMPLE"
```

Use the following [attach-traffic-sources](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/autoscaling/attach-traffic-sources.html) command to attach a VPC Lattice target group to an Auto Scaling group after it's already created.

```
aws autoscaling attach-traffic-sources --auto-scaling-group-name my-asg \
  --traffic-sources "Identifier=arn:aws:vpc-lattice:region:account-id:targetgroup/tg-0e2f2665eEXAMPLE"
```

**To turn on the health checks for VPC Lattice**

If you have configured an application-based health check for your **VPC Lattice** target group, you can turn on these health checks. Use the [create-auto-scaling-group](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/autoscaling/create-auto-scaling-group.html) or [update-auto-scaling-group](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/autoscaling/update-auto-scaling-group.html) command with the `--health-check-type` option and a value of `VPC_LATTICE`. To specify the grace period for the health checks performed by your Auto Scaling group, include the `--health-check-grace-period` option and provide its value in seconds.

```
--health-check-type "VPC_LATTICE" --health-check-grace-period 60
```

------

## Detach a VPC Lattice target group
<a name="detach-vpc-lattice-target-group"></a>

If you no longer need to use VPC Lattice, use the following procedure to detach the target group from your Auto Scaling group.

------
#### [ Console ]

Follow the steps in this section to use the console to:
+ Detach a VPC Lattice target group from an Auto Scaling group
+ Turn off the health checks for VPC Lattice

**To detach a VPC Lattice target group from an Auto Scaling group**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/), and choose **Auto Scaling Groups** from the navigation pane.

1. Select the check box next to an existing group.

   A split pane opens at the bottom of the page.

1. On the **Details** tab, choose **VPC Lattice integration options**, **Edit**.

1. Under **VPC Lattice integration options**, choose the delete (X) icon next to the target group.

1. Choose **Update**.

When you finish detaching the target group, you can turn off the VPC Lattice health checks.

**To turn off the VPC Lattice health checks**

1. On the **Details** tab, choose **Health checks**, **Edit**.

1. For **Health checks**, **Additional health check types**, deselect **Turn on VPC Lattice health checks**.

1. Choose **Update**.

------
#### [ AWS CLI ]

Follow the steps in this section to use the AWS CLI to:
+ Detach a VPC Lattice target group from an Auto Scaling group
+ Turn off the health checks for VPC Lattice

Use the [detach-traffic-sources](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/autoscaling/detach-traffic-sources.html) command to detach a target group from your Auto Scaling group when you no longer need it. 

```
aws autoscaling detach-traffic-sources --auto-scaling-group-name my-asg \
  --traffic-sources "Identifier=arn:aws:vpc-lattice:region:account-id:targetgroup/tg-0e2f2665eEXAMPLE"
```

To update the health checks on an Auto Scaling group so that it no longer uses VPC Lattice health checks, use the [update-auto-scaling-group](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/autoscaling/update-auto-scaling-group.html) command. Include the `--health-check-type` option and a value of `EC2`.

```
aws autoscaling update-auto-scaling-group --auto-scaling-group-name my-asg \
  --health-check-type "EC2"
```

------

# Verify the attachment status of your VPC Lattice target group
<a name="verify-target-group-attachment-status"></a>

After you attach a VPC Lattice target group to an Auto Scaling group, it enters the `Adding` state while registering the instances in the group. When all instances in the group are registered, it enters the `Added` state. After at least one registered instance passes the health checks, it enters the `InService` state. When the target group is in the `InService` state, Amazon EC2 Auto Scaling can terminate and replace any instances that are reported as unhealthy. If no registered instances pass the health checks (for example, due to a misconfigured health check), the target group doesn't enter the `InService` state, and Amazon EC2 Auto Scaling doesn't terminate and replace the instances.

When you detach a target group for a service, it enters the `Removing` state while deregistering the instances in the group. The instances remain running after they deregister. By default, connection draining (deregistration delay) is enabled. If connection draining is enabled, VPC Lattice waits for in-flight requests to complete or for the maximum timeout to expire (whichever comes first) before it deregisters the instances. 

You can verify the attachment status by using the AWS Command Line Interface (AWS CLI) or AWS SDKs. You cannot verify the attachment status from the console.

**To use the AWS CLI to verify the attachment status**  
The following [describe-traffic-sources](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/autoscaling/describe-traffic-sources.html) command returns the attachment status of all traffic sources for the specified Auto Scaling group.

```
aws autoscaling describe-traffic-sources --auto-scaling-group-name my-asg
```

The example returns the ARN of the VPC Lattice target group that's attached to the Auto Scaling group, along with the attachment status of the target group in the `State` element.

```
{
    "TrafficSources": [
        {
            "Identifier": "arn:aws:vpc-lattice:region:account-id:targetgroup/tg-0e2f2665eEXAMPLE",
            "State": "InService",
            "Type": "vpc-lattice"
        }
    ]
}
```
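The state transitions described above can be polled from a deployment script instead of read by hand. The following is an added example, not part of the original documentation: it reads the `State` element from `describe-traffic-sources` until the attachment reports `InService`, and explains a stall in the `Adding` or `Added` state, which is the symptom of the misconfigured health check case noted above. The sample response reuses the output shown above; the live fetch assumes a configured AWS CLI.

```python
import json
import subprocess
import time

# Constructed sample mirroring the describe-traffic-sources output above.
SAMPLE_RESPONSE = {"TrafficSources": [{"Identifier": "arn:aws:vpc-lattice:region:account-id:targetgroup/tg-0e2f2665eEXAMPLE",
                                       "State": "InService", "Type": "vpc-lattice"}]}
TG_ARN = SAMPLE_RESPONSE["TrafficSources"][0]["Identifier"]


def attachment_state(response, target_group_arn):
    """State of one VPC Lattice traffic source in a describe-traffic-sources response, or None if it is not attached."""
    for src in response.get("TrafficSources", []):
        if src.get("Type") == "vpc-lattice" and src.get("Identifier") == target_group_arn:
            return src.get("State")
    return None


def stuck_hint(state):
    """Likely cause when the attachment stops short of InService (see the state descriptions above)."""
    if state == "Added":
        return "all instances registered but none passed the health checks; check the target group health check configuration"
    if state == "Adding":
        return "instances are still registering; confirm the Auto Scaling group has InService instances"
    return ""


def describe_traffic_sources(asg_name):
    """Live fetch via the AWS CLI (assumes a configured CLI with autoscaling:DescribeTrafficSources)."""
    proc = subprocess.run(["aws", "autoscaling", "describe-traffic-sources", "--auto-scaling-group-name", asg_name,
                           "--output", "json"], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def wait_for_in_service(asg_name, target_group_arn, timeout_s=600, interval_s=15, fetch=describe_traffic_sources):
    """Poll until the attachment is InService; raise TimeoutError with a hint if it never gets there."""
    deadline = time.monotonic() + timeout_s
    state = attachment_state(fetch(asg_name), target_group_arn)
    while state != "InService":
        if state is None:
            raise RuntimeError(f"{target_group_arn} is not attached to {asg_name}")
        if time.monotonic() >= deadline:
            raise TimeoutError(f"state is {state!r} after {timeout_s}s: {stuck_hint(state)}")
        time.sleep(interval_s)
        state = attachment_state(fetch(asg_name), target_group_arn)
    return state


if __name__ == "__main__":
    print(wait_for_in_service("my-asg", TG_ARN))  # replace my-asg and TG_ARN with your own values
```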