

# Service networks in VPC Lattice
<a name="service-networks"></a>

A *service network* is a logical boundary for a collection of services and resource configurations. Services and resource configurations associated with the network can be authorized for discovery, connectivity, accessibility, and observability. To make requests to services and resource configurations in the network, your service or client must be in a VPC that is connected to the service network either through an association or through a VPC endpoint.

The following diagram shows the key components of a typical service network within Amazon VPC Lattice. Check marks on the arrows indicate that the services and the VPC are associated with the service network. Clients in the VPC associated with the service network can communicate with both services through the service network. 

![\[A service network with two services and a resource configuration.\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/images/service-network.png)


You can associate one or more services and resource configurations with multiple service networks. You can also connect multiple VPCs to one service network. A VPC can be connected to only one service network through an association. To connect a VPC to multiple service networks, use VPC endpoints of type service network. For more information about VPC endpoints of type service network, see [What is AWS PrivateLink?](https://docs.aws.amazon.com/vpc/latest/privatelink/what-is-privatelink.html) in the *AWS PrivateLink user guide*.

In the following diagram, the arrows represent the associations between services and service networks, as well as the associations between VPCs and service networks. Multiple services are associated with multiple service networks, and multiple VPCs are associated with each service network. Each VPC has exactly one association to a service network. VPC 3 and VPC 4, however, each connect to two service networks: VPC 3 connects to service network 1 through a VPC endpoint, and VPC 4 connects to service network 2 through a VPC endpoint.

![\[A service network with associated services, resource configurations, and VPCs.\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/images/service-network-vpc-associations.png)


For more information, see [Quotas for Amazon VPC Lattice](quotas.md).

**Topics**
+ [Create a service network](create-service-network.md)
+ [Manage associations](service-network-associations.md)
+ [Edit access settings](service-network-access.md)
+ [Edit monitoring details](service-network-monitoring.md)
+ [Manage tags](service-network-tags.md)
+ [Delete a service network](delete-service-network.md)

# Create a VPC Lattice service network
<a name="create-service-network"></a>

Use the console to create a service network and optionally configure it with services, associations, access settings, and access logs.

**To create a service network using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **VPC Lattice**, choose **Service networks**.

1. Choose **Create service network**.

1. For **Identifiers**, enter a name, an optional description, and optional tags. The name must be between 3 and 63 characters. You can use lowercase letters, numbers, and hyphens. The name must begin and end with a letter or number. Do not use consecutive hyphens. The description can have up to 256 characters. To add a tag, choose **Add new tag** and specify a tag key and tag value.

1. (Optional) To associate a service, choose the service from **Service associations**, **Services**. The list includes services that are in your account and any services that are shared with you from a different account. If there aren't any services in the list, you can create a service by choosing **Create an Amazon VPC Lattice service**.

   Alternatively, to associate a service after you've created the service network, see [Manage service network service associations](service-network-associations.md#service-network-service-associations).

1. (Optional) To associate a resource configuration, choose the resource configuration from **Resource configuration associations**, **Resource configuration**. The list includes resource configurations that are in your account and any resource configurations that are shared with you from a different account. If there aren't any resource configurations in the list, you can create a resource configuration by choosing **Create an Amazon VPC Lattice resource configuration**.

   Alternatively, to associate a resource configuration after you've created the service network, see [Manage service network resource associations](service-network-associations.md#service-network-resource-config-associations).

1. (Optional) To associate a VPC, choose **Add VPC association**. Select the VPC to associate from **VPC**, and select up to five security groups from **Security groups**. To create a security group, choose **Create new security group**.

   Alternatively, you can skip this step and connect a VPC to the service network using a VPC endpoint (powered by AWS PrivateLink). For more information, see [Access service networks](https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-access-service-networks.html) in the *AWS PrivateLink user guide*.

1. When you create a service network, you must decide whether you intend to share it with other accounts. This selection is immutable; you cannot change it after you create the service network. If you allow sharing, the service network can be shared with other accounts through AWS Resource Access Manager (AWS RAM). For more information, see [Share your service network](sharing.md).

1. For **Network access**, you can leave the default auth type, **None**, if every client in the connected VPCs should be able to reach the services in this service network without authentication. With **None**, VPC Lattice does not evaluate an auth policy at the network level; access is limited only by VPC connectivity and security groups (a service-level auth policy, if one exists, still applies). To apply an [auth policy](auth-policies.md) to control access to your services, choose **AWS IAM** and do one of the following for **Auth policy**:
   + Enter a policy in the input field. For example policies that you can copy and paste, choose **Policy examples**.
   + Choose **Apply policy template** and select the **Allow authenticated and unauthenticated access** template. This template allows any client, including a client from another account, to access the service either by signing the request with AWS Signature Version 4 (authenticated) or anonymously (unauthenticated).
   + Choose **Apply policy template** and select the **Allow only authenticated access** template. This template allows any client, including a client from another account, to access the service only by signing the request (authenticated).

1. (Optional) To turn on [access logs](monitoring-access-logs.md), select the **Access logs** toggle switch and specify a destination for your access logs as follows:
   + Select **CloudWatch Log group** and choose a CloudWatch Log group. To create a log group, choose **Create a log group in CloudWatch**.
   + Select **S3 bucket** and enter the S3 bucket path, including any prefix. To search your S3 buckets, choose **Browse S3**.
   + Select **Kinesis Data Firehose delivery stream** and choose a delivery stream. To create a delivery stream, choose **Create a delivery stream in Kinesis**.

1. (Optional) To [share your service network](sharing.md) with other accounts, choose the AWS RAM resource shares from **Resource shares**. To create a resource share, choose **Create a resource share in RAM console**.

1. Review your configuration in the **Summary** section, and then choose **Create service network**.

**To create a service network using the AWS CLI**  
Use the [create-service-network](https://docs.aws.amazon.com/cli/latest/reference/vpc-lattice/create-service-network.html) command. This command creates only the basic service network; the default auth type is `NONE`, so pass `--auth-type AWS_IAM` if you intend to attach an auth policy. To create a fully functional service network, you must also use the commands that create [service associations](service-network-associations.md#service-network-service-associations), [VPC associations](service-network-associations.md#service-network-vpc-associations), and [access settings](service-network-access.md).
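The end-to-end sequence the CLI paragraph above describes, as an added example that is not code from the AWS documentation. It builds the ordered list of API calls (the SDK equivalents of `create-service-network`, `put-auth-policy`, the association commands, and `create-access-log-subscription`) with AWS IAM auth and security groups set from the start, validates the name against the rules in the console step, and runs the plan through a boto3 `vpc-lattice` client. Operation and parameter names are those of the VPC Lattice API; the VPC, security group, service, and log group identifiers are placeholders, and boto3 plus AWS credentials are assumed only when the file is run directly.

```python
"""Provision a VPC Lattice service network that is usable and locked down from
the start: AWS IAM auth type, an auth policy, service and VPC associations with
security groups, and an access log subscription.

Added example, not code from the AWS documentation. Operation and parameter
names are those of the VPC Lattice API as exposed by boto3.client("vpc-lattice");
all resource identifiers and ARNs below are placeholders.
"""
import re
from typing import Any, Dict, List, Tuple

Step = Tuple[str, Dict[str, Any]]

# Placeholder that execute_plan() replaces with the id returned by create_service_network.
SN_ID = "$SERVICE_NETWORK_ID"

# Minimal "allow only authenticated access" policy used as the default policy body.
AUTHENTICATED_ONLY_POLICY = (
    '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":"*",'
    '"Action":"vpc-lattice-svcs:Invoke","Resource":"*",'
    '"Condition":{"StringNotEqualsIgnoreCase":{"aws:PrincipalType":"anonymous"}}}]}'
)


def validate_service_network_name(name: str) -> bool:
    """Naming rules from the console step: 3-63 chars, lowercase letters, digits
    and hyphens, alphanumeric at both ends, no consecutive hyphens."""
    if not 3 <= len(name) <= 63 or "--" in name:
        return False
    return re.fullmatch(r"[a-z0-9][a-z0-9-]*[a-z0-9]", name) is not None


def provisioning_plan(
    name: str,
    vpc_id: str,
    security_group_ids: List[str],
    service_ids: List[str],
    log_destination_arn: str,
    auth_policy_json: str = AUTHENTICATED_ONLY_POLICY,
    shareable: bool = False,
) -> List[Step]:
    """Return the ordered API calls. An empty security group list is refused so the
    VPC association never admits every host in the VPC as a client by accident."""
    if not validate_service_network_name(name):
        raise ValueError(f"invalid service network name: {name!r}")
    if not security_group_ids:
        raise ValueError("associate the VPC with at least one security group")

    plan: List[Step] = [
        # authType defaults to NONE; AWS_IAM makes the auth policy enforceable.
        # sharingConfig is the immutable "share with other accounts" decision.
        ("create_service_network",
         {"name": name, "authType": "AWS_IAM", "sharingConfig": {"enabled": shareable}}),
        ("put_auth_policy", {"resourceIdentifier": SN_ID, "policy": auth_policy_json}),
    ]
    for service_id in service_ids:
        plan.append(("create_service_network_service_association",
                     {"serviceNetworkIdentifier": SN_ID, "serviceIdentifier": service_id}))
    plan.append(("create_service_network_vpc_association",
                 {"serviceNetworkIdentifier": SN_ID, "vpcIdentifier": vpc_id,
                  "securityGroupIds": list(security_group_ids)}))
    plan.append(("create_access_log_subscription",
                 {"resourceIdentifier": SN_ID, "destinationArn": log_destination_arn}))
    return plan


def execute_plan(plan: List[Step], client: Any) -> str:
    """Run the plan against a vpc-lattice client, resolving SN_ID from the first
    response. Needs AWS credentials; not called on import. Returns the new id."""
    service_network_id = ""
    for operation, params in plan:
        resolved = {k: (service_network_id if v == SN_ID else v) for k, v in params.items()}
        response = getattr(client, operation)(**resolved)
        if operation == "create_service_network":
            service_network_id = response["id"]
    return service_network_id


if __name__ == "__main__":
    import boto3  # assumed installed; replace the placeholder identifiers first

    steps = provisioning_plan(
        name="payments-prod",
        vpc_id="vpc-0123456789abcdef0",
        security_group_ids=["sg-0123456789abcdef0"],
        service_ids=["svc-0123456789abcdef0"],
        log_destination_arn="arn:aws:logs:us-east-1:111122223333:log-group:/lattice/payments-prod",
    )
    print(execute_plan(steps, boto3.client("vpc-lattice")))
```

Associations and access log subscriptions are created asynchronously; after `execute_plan` returns, check the VPC association status with `get-service-network-vpc-association` before sending client traffic.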

# Manage the associations for a VPC Lattice service network
<a name="service-network-associations"></a>

When you associate a service or a resource configuration with a service network, clients in the VPCs connected to that service network can make requests to it. When you connect a VPC to a service network, every resource in that VPC (instances, containers, functions, and so on) can act as a client of the services and resource configurations in the service network, subject to the security groups on the VPC association and to any auth policy.

The private DNS enabled property of a service network resource association overrides the private DNS enabled property of the service network endpoint and of the service network VPC association.

If a service network owner creates a service network resource association and doesn't enable private DNS, VPC Lattice won't provision private hosted zones for that resource configuration in any VPC connected to the service network, even if private DNS is enabled on the service network endpoint or on the service network VPC association.

**Topics**
+ [Manage service network service associations](#service-network-service-associations)
+ [Manage service network resource associations](#service-network-resource-config-associations)
+ [Manage service network VPC associations](#service-network-vpc-associations)
+ [Manage service network VPC endpoint associations](#service-network-vpc-endpoint-associations)

## Manage service network service associations
<a name="service-network-service-associations"></a>

You can associate services that reside in your account or services that are shared with you from different accounts. This is an optional step while creating a service network. However, a service network is not fully functional until you associate a service. Service owners can associate their services to a service network if their account has the required access. For more information, see [Identity-based policy examples for VPC Lattice](security_iam_id-based-policies.md#security_iam_id-based-policy-examples).

When you delete a service association, clients in the VPCs connected to the service network can no longer reach that service through the service network.

**To manage service associations using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **VPC Lattice**, choose **Service networks**.

1. Select the name of the service network to open its details page.

1. Choose the **Service associations** tab.

1. To create an association, do the following:

   1. Choose **Create associations**.

   1. Select a service from **Services**. To create a service, choose **Create an Amazon VPC Lattice service**.

   1. (Optional) To add a tag, expand **Service association tags**, choose **Add new tag**, and enter a tag key and tag value.

   1. Choose **Save changes**.

1. To delete an association, select the check box for the association and then choose **Actions**, **Delete service associations**. When prompted for confirmation, enter **confirm** and then choose **Delete**.

**To create a service association using the AWS CLI**  
Use the [create-service-network-service-association](https://docs.aws.amazon.com/cli/latest/reference/vpc-lattice/create-service-network-service-association.html) command.

**To delete a service association using the AWS CLI**  
Use the [delete-service-network-service-association](https://docs.aws.amazon.com/cli/latest/reference/vpc-lattice/delete-service-network-service-association.html) command.

## Manage service network resource associations
<a name="service-network-resource-config-associations"></a>

A resource configuration is a logical object that represents either a single resource or a group of resources. You can associate resource configurations that reside in your account or resource configurations that are shared with you from different accounts. This is an optional step while creating a service network. Resource configuration owners can associate their resource configurations to a service network if their account has the required access. For more information, see [Identity-based policy examples for VPC Lattice](https://docs.aws.amazon.com/vpc-lattice/latest/ug/security_iam_id-based-policies.html#security_iam_id-based-policy-examples).

### Manage associations between service networks and resource configurations
<a name="service-network-resource-config-association-manage"></a>

You can create or delete the association between the service network and resource configuration.

**To manage resource configuration associations using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **VPC Lattice**, choose **Service networks**.

1. Select the name of the service network to open its details page.

1. Choose the **Resource configuration associations** tab.

1. To create an association, do the following:

   1. Choose **Create associations**.

   1. For **Resource configurations**, select a resource configuration.

   1. For **DNS name**, select **Private DNS enabled** to allow VPC Lattice to provision a private hosted zone for your resource configuration associations based on the domain name of the resource configuration.

   1. (Optional) To add a tag, expand **Service association tags**, choose **Add new tag**, and enter a tag key and tag value.

   1. Choose **Save changes**.

1. To delete an association, select the check box for the association and then choose **Actions**, **Delete**. When prompted for confirmation, enter **confirm** and then choose **Delete**.

**To create a resource configuration association using the AWS CLI**  
Use the [create-service-network-resource-association](https://docs.aws.amazon.com/cli/latest/reference/vpc-lattice/create-service-network-resource-association.html) command.

**To delete a resource configuration association using the AWS CLI**  
Use the [delete-service-network-resource-association](https://docs.aws.amazon.com/cli/latest/reference/vpc-lattice/delete-service-network-resource-association.html) command.

## Manage service network VPC associations
<a name="service-network-vpc-associations"></a>

Clients in a VPC that is associated with a service network can send requests to the services, and to the resources described by resource configurations, that are associated with that service network. Traffic that enters the VPC over a VPC peering connection or a transit gateway is not accepted through a VPC association; such traffic can reach the service network only through a VPC endpoint of type service network.

Associating a VPC is an optional step when you create a service network. Network owners can associate VPCs to a service network if their account has the required access. For more information, see [Identity-based policy examples for VPC Lattice](security_iam_id-based-policies.md#security_iam_id-based-policy-examples).

When you create a VPC association, you can specify a private DNS preference for resource configurations. This preference allows VPC Lattice to provision private hosted zones in the VPC on the resource consumer's behalf. For more information, see [Custom domain names for resource providers](resource-configuration.md#custom-domain-name-resource-providers).

When you delete a VPC association, clients in that VPC can no longer connect to services or resource configurations in the service network through the association.

**To manage VPC associations using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **VPC Lattice**, choose **Service networks**.

1. Select the name of the service network to open its details page.

1. Choose the **VPC associations** tab.

1. To create a VPC association, do the following:

   1. Choose **Create VPC associations**.

   1. Choose **Add VPC association**.

   1. Select a VPC from **VPC** and select up to five security groups from **Security groups**. To create a security group, choose **Create new security group**.

   1. (Optional) To allow VPC Lattice to provision a private hosted zone based on the domain name of a resource configuration, for **DNS name**, select **Enable DNS name** and do the following:

      1. For **Private DNS preference**, select a preference.

         If you choose **All domains**, VPC Lattice provisions a private hosted zone for any custom domain name for a resource configuration.

      1. (Optional) If you choose **Verified and specified domains** or **Specified domains**, enter a comma separated list of domains that you want VPC Lattice to provision hosted zones for. VPC Lattice only provisions a hosted zone if it matches your private domains list. You can use wildcard matching.

   1. (Optional) To add a tag, expand **VPC association tags**, choose **Add new tag**, and enter a tag key and tag value.

   1. Choose **Save changes**.

1. To edit the security groups for an association, select the check box for the association and then choose **Actions**, **Edit security groups**. Add and remove security groups as needed.

1. To delete an association, select the check box for the association and then choose **Actions**, **Delete VPC associations**. When prompted for confirmation, enter **confirm** and then choose **Delete**.

**To create a VPC association using the AWS CLI**  
Use the [create-service-network-vpc-association](https://docs.aws.amazon.com/cli/latest/reference/vpc-lattice/create-service-network-vpc-association.html) command.

**To update the security groups for a VPC association using the AWS CLI**  
Use the [update-service-network-vpc-association](https://docs.aws.amazon.com/cli/latest/reference/vpc-lattice/update-service-network-vpc-association.html) command.

**To delete a VPC association using the AWS CLI**  
Use the [delete-service-network-vpc-association](https://docs.aws.amazon.com/cli/latest/reference/vpc-lattice/delete-service-network-vpc-association.html) command.

## Manage service network VPC endpoint associations
<a name="service-network-vpc-endpoint-associations"></a>

Clients can send requests to services and resources specified in resource configurations over a VPC endpoint (powered by AWS PrivateLink) in their VPC. A VPC endpoint of type *service network* connects a VPC to a service network. Client traffic that comes from outside the VPC over a VPC peering connection, Transit Gateway, Direct Connect, or VPN can use the VPC endpoint to reach services and resource configurations. With VPC endpoints, you can connect a VPC to multiple service networks. When you create a VPC endpoint in a VPC, IP addresses from the VPC (and not IP addresses from the [managed prefix list](security-groups.md#managed-prefix-list)) are used to establish connectivity to the service network.

When you create a VPC endpoint of type service network, you can specify a private DNS preference for resource configurations. This preference allows VPC Lattice to provision private hosted zones in the VPC on the resource consumer's behalf. For more information, see [Custom domain names for resource providers](resource-configuration.md#custom-domain-name-resource-providers).

**To manage VPC endpoint associations using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **VPC Lattice**, choose **Service networks**.

1. Select the name of the service network to open its details page.

1. Choose the **Endpoint associations** tab to view the VPC endpoints connected to your service network.

1. Select the Endpoint ID of the VPC endpoint to open its details page. Then modify or delete the VPC endpoint association.

**To create a new VPC endpoint association using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **VPC Lattice**, choose **Endpoints**.

1. Choose **Create endpoints**.

1. For **Type**, choose **Service networks**.

1. Select the service network you want to connect to your VPC.

1. Select the VPC, subnets and security groups.

1. (Optional) To enable private DNS, choose **Enable private DNS**.

1. (Optional) To add a tag, expand **VPC association tags**, choose **Add new tag**, and enter a tag key and tag value.

1. Choose **Create endpoint**.

To learn more about using VPC endpoints to connect to service networks, see [Access service networks](https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-access-service-networks.html) in the *AWS PrivateLink user guide*.

# Edit access settings for a VPC Lattice service network
<a name="service-network-access"></a>

Access settings enable you to configure and manage client access to a service network. Access settings include the *auth type* and *auth policies*. Auth policies help you authenticate and authorize traffic flowing to services within VPC Lattice. Access settings of the service network do not apply to the resource configurations associated with the service network.

You can apply auth policies at the service network level, the service level, or both. Typically, auth policies are applied by the network owners or cloud administrators. They can implement coarse-grained authorization, for example, allowing authenticated calls from within the organization, or allowing anonymous GET requests that match a certain condition. At the service level, service owners can apply fine-grained controls, which can be more restrictive. For more information, see [Control access to VPC Lattice services using auth policies](auth-policies.md).

**To add or update access policies using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **VPC Lattice**, choose **Service networks**.

1. Select the name of the service network to open its details page.

1. Choose the **Access** tab to check the current access settings.

1. To update the access settings, choose **Edit access settings**.

1. If every client in the connected VPCs should be able to reach the services in this service network without authentication, choose **None** for **Auth type**. With **None**, VPC Lattice does not evaluate an auth policy at the network level; access is limited only by VPC connectivity and security groups (a service-level auth policy, if one exists, still applies).

1. To apply an auth policy (a resource-based policy attached to the service network), choose **AWS IAM** for **Auth type** and do one of the following for **Auth policy**:
   + Enter a policy in the input field. For example policies that you can copy and paste, choose **Policy examples**.
   + Choose **Apply policy template** and select the **Allow authenticated and unauthenticated access** template. This template allows any client, including a client from another account, to access the service either by signing the request with AWS Signature Version 4 (authenticated) or anonymously (unauthenticated).
   + Choose **Apply policy template** and select the **Allow only authenticated access** template. This template allows any client, including a client from another account, to access the service only by signing the request (authenticated).

1. Choose **Save changes**.

**To add or update an access policy using the AWS CLI**  
Use the [put-auth-policy](https://docs.aws.amazon.com/cli/latest/reference/vpc-lattice/put-auth-policy.html) command.
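Both the **Network access** step when creating a service network and the procedure above offer the same two policy templates. The following added example (not code from the AWS documentation) builds those two policy bodies as documented for VPC Lattice auth policies, audits a candidate policy for what the templates leave open (anonymous callers, and signed requests from any AWS account), and applies it with the SDK equivalents of `update-service-network` and `put-auth-policy` through a boto3 `vpc-lattice` client. The organization ID, the service network ID, and the audit rules are assumptions of the example; boto3 and AWS credentials are needed only when the file is run directly.

```python
"""Build the two console auth policy templates, audit a candidate policy, and
apply it to a service network.

Added example, not code from the AWS documentation. The two policy bodies follow
the "Allow authenticated and unauthenticated access" and "Allow only
authenticated access" templates documented for VPC Lattice auth policies; the
audit rules and the organization and service network IDs are assumptions.
"""
import json
from typing import Any, Dict, List, Optional, Set

INVOKE = "vpc-lattice-svcs:Invoke"


def open_policy() -> Dict[str, Any]:
    """'Allow authenticated and unauthenticated access': any caller, signed or not."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Principal": "*",
                           "Action": INVOKE, "Resource": "*"}]}


def authenticated_only_policy(org_id: Optional[str] = None) -> Dict[str, Any]:
    """'Allow only authenticated access', optionally pinned to one organization so
    that a signed request from an arbitrary AWS account is not enough."""
    condition: Dict[str, Any] = {
        "StringNotEqualsIgnoreCase": {"aws:PrincipalType": "anonymous"}}
    if org_id:
        condition["StringEquals"] = {"aws:PrincipalOrgID": org_id}
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Principal": "*",
                           "Action": INVOKE, "Resource": "*",
                           "Condition": condition}]}


def _condition_keys(condition: Dict[str, Any]) -> Set[str]:
    # IAM condition keys are case-insensitive; normalise before comparing.
    return {key.lower() for block in condition.values() for key in block}


def _allows_anonymous(statement: Dict[str, Any]) -> bool:
    """True unless the statement carries the aws:PrincipalType != anonymous guard."""
    for operator, block in statement.get("Condition", {}).items():
        if operator.lower() == "stringnotequalsignorecase":
            for key, value in block.items():
                if key.lower() == "aws:principaltype" and str(value).lower() == "anonymous":
                    return False
    return True


def audit_policy(policy: Dict[str, Any]) -> List[str]:
    """Findings for Allow statements whose Principal is '*' (the template shape)."""
    findings: List[str] = []
    for index, statement in enumerate(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        if statement.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        if _allows_anonymous(statement):
            findings.append(f"statement {index}: Principal '*' without an aws:PrincipalType "
                            "!= anonymous condition lets unauthenticated clients invoke")
        keys = _condition_keys(statement.get("Condition", {}))
        if not keys & {"aws:principalorgid", "aws:principalaccount", "aws:principalarn"}:
            findings.append(f"statement {index}: no organization or account restriction, "
                            "a signed request from any AWS account is accepted")
    return findings


def apply_policy(service_network_id: str, policy: Dict[str, Any], client: Any) -> None:
    """Switch the auth type to AWS_IAM (the policy is enforced only then) and attach
    the policy. client is boto3.client("vpc-lattice"); needs AWS credentials."""
    client.update_service_network(serviceNetworkIdentifier=service_network_id,
                                  authType="AWS_IAM")
    client.put_auth_policy(resourceIdentifier=service_network_id,
                           policy=json.dumps(policy))


if __name__ == "__main__":
    import boto3  # assumed installed; replace the placeholder IDs first

    candidate = authenticated_only_policy(org_id="o-exampleorgid")
    problems = audit_policy(candidate)
    if problems:
        raise SystemExit("\n".join(problems))
    apply_policy("sn-0123456789abcdef0", candidate, boto3.client("vpc-lattice"))
```

Run the audit against any policy you paste into the console input field as well: the "authenticated only" template passes the anonymous check but still accepts signed requests from every AWS account until you add an `aws:PrincipalOrgID` or `aws:PrincipalAccount` condition.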

# Edit monitoring details for a VPC Lattice service network
<a name="service-network-monitoring"></a>

VPC Lattice generates metrics and logs for every request and response, making it more efficient to monitor and troubleshoot applications.

You can enable access logs and specify the destination resource for your logs. VPC Lattice can send logs to the following resources: CloudWatch Log groups, Firehose delivery streams, and S3 buckets.

**To enable access logs or update a log destination using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **VPC Lattice**, choose **Service networks**.

1. Select the name of the service network to open its details page. 

1. Choose the **Monitoring** tab. Check **Access logs** to see whether access logs are enabled.

1. To enable or disable access logs, choose **Edit access logs**, and then turn the **Access logs** toggle switch on or off.

1. When you enable access logs, you must select the type of delivery destination, and then create or choose the destination for the access logs. You can also change the delivery destination at any time. For example:
   + Select **CloudWatch Log group** and choose a CloudWatch Log group. To create a log group, choose **Create a log group in CloudWatch**.
   + Select **S3 bucket** and enter the S3 bucket path, including any prefix. To search your S3 buckets, choose **Browse S3**.
   + Select **Kinesis Data Firehose delivery stream** and choose a delivery stream. To create a delivery stream, choose **Create a delivery stream in Kinesis**.

1. Choose **Save changes**.

**To enable access logs using the AWS CLI**  
Use the [create-access-log-subscription](https://docs.aws.amazon.com/cli/latest/reference/vpc-lattice/create-access-log-subscription.html) command.

**To update the log destination using the AWS CLI**  
Use the [update-access-log-subscription](https://docs.aws.amazon.com/cli/latest/reference/vpc-lattice/update-access-log-subscription.html) command.

**To disable access logs using the AWS CLI**  
Use the [delete-access-log-subscription](https://docs.aws.amazon.com/cli/latest/reference/vpc-lattice/delete-access-log-subscription.html) command.
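Once access logs are flowing, the first thing worth running over them is a check for auth denials and unsigned callers, since those are the signals that a network auth policy is either being probed or is missing. The following added example (not code from the AWS documentation) parses JSON access log entries and summarises them. The field names (`resolvedUser`, `authDeniedReason`, `sourceVpcArn`, `responseCode`, `requestPath`) follow the VPC Lattice JSON access log format as described on the access logs page and should be checked against its field reference; the marker values treated as "unsigned" and the alert threshold are assumptions, and the log lines, principals, and ARNs are constructed for the example.

```python
"""Summarise VPC Lattice access log entries: denials per principal and per
source VPC, unsigned callers, and alerts worth a look.

Added example, not code from the AWS documentation. Field names follow the
VPC Lattice JSON access log format as documented on the access logs page;
verify them against the field reference. The sample lines are constructed.
"""
import json
from collections import Counter
from typing import Any, Dict, Iterable, List

# Values of resolvedUser treated as "request was not signed" (assumption).
UNSIGNED_MARKERS = {"unknown", "anonymous", "-", ""}
# Values of authDeniedReason that mean "not denied".
NOT_DENIED = {"null", "none", "-", ""}

# Constructed placeholders used in the sample log below.
CHECKOUT = "arn:aws:sts::111122223333:assumed-role/checkout-task/i-0a1b2c3d"
PROBE = "arn:aws:sts::444455556666:assumed-role/unknown-role/session"
VPC_A = "arn:aws:ec2:us-east-1:111122223333:vpc/vpc-0aaaaaaaaaaaaaaaa"
VPC_B = "arn:aws:ec2:us-east-1:444455556666:vpc/vpc-0bbbbbbbbbbbbbbbb"


def _line(**fields: Any) -> str:
    return json.dumps(fields)


# Constructed sample: three allowed requests from the checkout role, three denials
# from one foreign role, one unsigned denial, and one malformed line.
SAMPLE_LOG_LINES = [
    _line(startTime="2024-05-01T10:00:00.000Z", requestMethod="GET", requestPath="/v1/balances",
          responseCode=200, resolvedUser=CHECKOUT, authDeniedReason="null", sourceVpcArn=VPC_A),
    _line(startTime="2024-05-01T10:00:01.000Z", requestMethod="GET", requestPath="/v1/balances",
          responseCode=200, resolvedUser=CHECKOUT, authDeniedReason="null", sourceVpcArn=VPC_A),
    _line(startTime="2024-05-01T10:00:02.000Z", requestMethod="POST", requestPath="/v1/transfers",
          responseCode=403, resolvedUser=PROBE, authDeniedReason="Network", sourceVpcArn=VPC_B),
    _line(startTime="2024-05-01T10:00:03.000Z", requestMethod="GET", requestPath="/v1/admin",
          responseCode=403, resolvedUser=PROBE, authDeniedReason="Network", sourceVpcArn=VPC_B),
    _line(startTime="2024-05-01T10:00:04.000Z", requestMethod="GET", requestPath="/v1/balances",
          responseCode=403, resolvedUser=PROBE, authDeniedReason="Service", sourceVpcArn=VPC_B),
    _line(startTime="2024-05-01T10:00:05.000Z", requestMethod="GET", requestPath="/v1/balances",
          responseCode=403, resolvedUser="Unknown", authDeniedReason="Network", sourceVpcArn=VPC_B),
    _line(startTime="2024-05-01T10:00:06.000Z", requestMethod="GET", requestPath="/healthz",
          responseCode=200, resolvedUser=CHECKOUT, authDeniedReason="null", sourceVpcArn=VPC_A),
    "this line is not JSON",
]


def parse_access_log(lines: Iterable[str]) -> List[Dict[str, Any]]:
    """Return one event per well-formed JSON object line; skip anything else."""
    events = []
    for raw in lines:
        try:
            event = json.loads(raw)
        except ValueError:
            continue
        if isinstance(event, dict):
            events.append(event)
    return events


def is_denied(event: Dict[str, Any]) -> bool:
    return str(event.get("authDeniedReason", "null")).lower() not in NOT_DENIED


def is_unsigned(event: Dict[str, Any]) -> bool:
    return str(event.get("resolvedUser", "")).lower() in UNSIGNED_MARKERS


def summarize(events: List[Dict[str, Any]], deny_threshold: int = 3) -> Dict[str, Any]:
    """Count denials per principal and per source VPC, count unsigned requests per
    source VPC, and raise alerts for repeated denials and any unsigned traffic."""
    denied_by_principal: Counter = Counter()
    denied_by_vpc: Counter = Counter()
    unsigned_by_vpc: Counter = Counter()
    for event in events:
        if is_denied(event):
            denied_by_principal[event.get("resolvedUser", "?")] += 1
            denied_by_vpc[event.get("sourceVpcArn", "?")] += 1
        if is_unsigned(event):
            unsigned_by_vpc[event.get("sourceVpcArn", "?")] += 1

    alerts = [f"{principal} denied {count} times: possible probing or a misconfigured client"
              for principal, count in denied_by_principal.items() if count >= deny_threshold]
    alerts += [f"{count} unsigned request(s) from {vpc}: confirm the auth policy rejects anonymous callers"
               for vpc, count in unsigned_by_vpc.items()]
    return {"events": len(events),
            "denied_by_principal": dict(denied_by_principal),
            "denied_by_vpc": dict(denied_by_vpc),
            "unsigned_by_vpc": dict(unsigned_by_vpc),
            "alerts": alerts}


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG_LINES
    print(json.dumps(summarize(parse_access_log(source)), indent=2))
```

Point the script at a file exported from the CloudWatch log group or S3 prefix you configured above; a denial count that climbs for one principal across several paths is the pattern to look for, and any unsigned request that was *not* denied means the auth type is still **None** or the policy allows anonymous access.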

# Manage tags for a VPC Lattice service network
<a name="service-network-tags"></a>

Tags help you to categorize your service network in different ways, for example, by purpose, owner, or environment.

You can add multiple tags to each service network. Tag keys must be unique for each service network. If you add a tag with a key that is already associated with the service network, it updates the value of that tag. You can use letters, numbers, and spaces (in UTF-8), and the following special characters: + - = . _ : / @. Do not use leading or trailing spaces. Tag keys and values are case sensitive.

**To add or delete tags using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **VPC Lattice**, choose **Service networks**.

1. Select the name of the service network to open its details page.

1. Choose the **Tags** tab.

1. To add a tag, choose **Add tags** and enter the tag key and tag value. To add another tag, choose **Add new tag**. When you are finished adding tags, choose **Save changes**.

1. To delete a tag, select the check box for the tag and choose **Delete**. When prompted for confirmation, enter **confirm** and then choose **Delete**.

**To add or delete tags using the AWS CLI**  
Use the [tag-resource](https://docs.aws.amazon.com/cli/latest/reference/vpc-lattice/tag-resource.html) and [untag-resource](https://docs.aws.amazon.com/cli/latest/reference/vpc-lattice/untag-resource.html) commands.

# Delete a VPC Lattice service network
<a name="delete-service-network"></a>

Before you can delete a service network, you must first delete all associations that the service network might have with any service, resource configuration, VPC, or VPC endpoint. When you delete a service network, we also delete all resources related to the service network, such as the resource policy, auth policy, and access log subscriptions.

**To delete a service network using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **VPC Lattice**, choose **Service networks**.

1. Select the check box for the service network, and then choose **Actions**, **Delete service network**.

1. When prompted for confirmation, enter **confirm**, and then choose **Delete**.

**To delete a service network using the AWS CLI**  
Use the [delete-service-network](https://docs.aws.amazon.com/cli/latest/reference/vpc-lattice/delete-service-network.html) command.