Skip to content

Share Kubernetes Gateway (VPC Lattice Service Network) between different AWS accounts

AWS Resource Access Manager (AWS RAM) helps you share your resources across AWS Accounts, within your AWS Organization or Organizational Units (OUs). RAM supports 2 types of VPC Lattice resource sharing: VPC Lattice services and service networks.

Let's build an example where Account A (sharer account) shares its service network with Account B (sharee account), and Account B can access all Kubernetes services (VPC Lattice Target Groups) and Kubernetes HTTPRoutes(VPC Lattice services) within this sharer account's service network.

Create a VPC Lattice Resources

In Account A, set up a cluster with the Controller and an example application installed. You can follow the Getting Started guide up to the "Single Cluster" section.

Share the VPC Lattice Service Network

Now that we have a VPC Lattice service network and service in Account A , share this service network to Account B.

  1. Retrieve the my-hotel service network Identifier:

    aws vpc-lattice list-service-networks --query "items[?name=="\'my-hotel\'"].id" | jq -r '.[]'

  2. Share the my-hotel service network, using the identifier retrieved in the previous step.

    1. Open the AWS RAM console in Account A and create a resource share.
      Resource Shares
    2. Select VPC Lattice service network resource sharing type.
      Resource Shares
    3. Select the my-hotel service network identifier retrieved in the previous step.
      Resource Shares
    4. Associate AWS Managed Permissions.
      Resource Shares
    5. Set Account B as principal.
      Resource Shares
    6. Review and create the resource share.
      Resource Shares
  3. Open the Account B's AWS RAM console and accept Account A's service network sharing invitation in the "Shared with me" section.

    Resource Shares

  4. Switch back to Account A, retrieve the service network ID.

    SERVICE_NETWORK_ID=$(aws vpc-lattice list-service-networks --query "items[?name=="\'my-hotel\'"].id" | jq -r '.[]')
  5. Switch to Account B and verify that my-hotel service network resource is available in Account B (referring to the SERVICE_NETWORK_ID retrived in the previous step).

  6. Now choose an Amazon VPC in Account B to attach to the my-hotel service network.

    aws vpc-lattice create-service-network-vpc-association --service-network-identifier $SERVICE_NETWORK_ID --vpc-identifier $VPC_ID


    VPC Lattice is a regional service, therefore the VPC must be in the same AWS Region of the service network you created in Account A.

Test cross-account connectivity

You can verify that the parking and review microservices - in Account A - can be consumed from resources in the assocuated VPC in Account B.

  1. To simplify, let's create and connect to a Cloud9 environment in the VPC you previously attached to the my-hotel service network.

  2. In Account A, retrieve the VPC Lattice services urls.

    ratesFQDN=$(aws vpc-lattice list-services --query "items[?name=="\'rates-default\'"].dnsEntry" | jq -r '.[].domainName')
    inventoryFQDN=$(aws vpc-lattice list-services --query "items[?name=="\'inventory-default\'"].dnsEntry" | jq -r '.[].domainName')
    echo "$ratesFQDN \n$inventoryFQDN"

  3. In the Cloud9 instance in Account B, install curl in the instance and curl parking and rates microservices:

    sudo apt-get install curl
    curl $ratesFQDN/parking $ratesFQDN/review


To avoid additional charges, remove the demo infrastructure from your AWS Accounts.

  1. Delete the service network Association you created in Account B. In Account A:

    SERVICE_NETWORK_ASSOCIATION_IDENTIFIER=$(aws vpc-lattice list-service-network-vpc-associations --vpc-id $VPC_ID --query "items[?serviceNetworkName=="\'my-hotel\'"].id" | jq -r '.[]')
    aws vpc-lattice delete-service-network-vpc-association  --service-network-vpc-association-identifier $SERVICE_NETWORK_ASSOCIATION_IDENTIFIER

    Ensure the service network Association is deleted:

    aws vpc-lattice list-service-network-vpc-associations --vpc-id $VPC_ID

  2. Delete the service network RAM share resource in AWS RAM Console.

  3. Follow the cleanup section of the getting Started guide to delete Cluster and service network Resources in Account A.

  4. Delete the Cloud9 Environment in Account B.