The aws:vpclattice/targetGroup:TargetGroup resource, part of the Pulumi AWS provider, defines a VPC Lattice target group that specifies where service traffic should be routed: EC2 instances, IP addresses, Application Load Balancers, or Lambda functions. This guide focuses on three capabilities: target type selection, health check configuration for IP targets, and protocol settings.
Target groups reference VPCs for non-Lambda types and require separate target registration to attach actual compute resources. The examples are intentionally small. Combine them with target registration and service associations for complete routing configurations.
Route traffic to EC2 instances
Instance-type target groups send service requests to EC2 instances running in your VPC.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.vpclattice.TargetGroup("example", {
name: "example",
type: "INSTANCE",
config: {
vpcIdentifier: exampleAwsVpc.id,
port: 443,
protocol: "HTTPS",
},
});
import pulumi
import pulumi_aws as aws
example = aws.vpclattice.TargetGroup("example",
name="example",
type="INSTANCE",
config={
"vpc_identifier": example_aws_vpc["id"],
"port": 443,
"protocol": "HTTPS",
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/vpclattice"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := vpclattice.NewTargetGroup(ctx, "example", &vpclattice.TargetGroupArgs{
Name: pulumi.String("example"),
Type: pulumi.String("INSTANCE"),
Config: &vpclattice.TargetGroupConfigArgs{
VpcIdentifier: pulumi.Any(exampleAwsVpc.Id),
Port: pulumi.Int(443),
Protocol: pulumi.String("HTTPS"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.VpcLattice.TargetGroup("example", new()
{
Name = "example",
Type = "INSTANCE",
Config = new Aws.VpcLattice.Inputs.TargetGroupConfigArgs
{
VpcIdentifier = exampleAwsVpc.Id,
Port = 443,
Protocol = "HTTPS",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.vpclattice.TargetGroup;
import com.pulumi.aws.vpclattice.TargetGroupArgs;
import com.pulumi.aws.vpclattice.inputs.TargetGroupConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new TargetGroup("example", TargetGroupArgs.builder()
.name("example")
.type("INSTANCE")
.config(TargetGroupConfigArgs.builder()
.vpcIdentifier(exampleAwsVpc.id())
.port(443)
.protocol("HTTPS")
.build())
.build());
}
}
resources:
example:
type: aws:vpclattice:TargetGroup
properties:
name: example
type: INSTANCE
config:
vpcIdentifier: ${exampleAwsVpc.id}
port: 443
protocol: HTTPS
The type property determines what kind of targets this group accepts. For INSTANCE targets, the config block specifies the VPC, port, and protocol. VPC Lattice routes traffic to registered EC2 instances on the specified port.
Monitor target health with custom checks
IP-based target groups route to specific IP addresses and verify targets are responding before sending traffic.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.vpclattice.TargetGroup("example", {
name: "example",
type: "IP",
config: {
vpcIdentifier: exampleAwsVpc.id,
ipAddressType: "IPV4",
port: 443,
protocol: "HTTPS",
protocolVersion: "HTTP1",
healthCheck: {
enabled: true,
healthCheckIntervalSeconds: 20,
healthCheckTimeoutSeconds: 10,
healthyThresholdCount: 7,
unhealthyThresholdCount: 3,
matcher: {
value: "200-299",
},
path: "/instance",
port: 80,
protocol: "HTTP",
protocolVersion: "HTTP1",
},
},
});
import pulumi
import pulumi_aws as aws
example = aws.vpclattice.TargetGroup("example",
name="example",
type="IP",
config={
"vpc_identifier": example_aws_vpc["id"],
"ip_address_type": "IPV4",
"port": 443,
"protocol": "HTTPS",
"protocol_version": "HTTP1",
"health_check": {
"enabled": True,
"health_check_interval_seconds": 20,
"health_check_timeout_seconds": 10,
"healthy_threshold_count": 7,
"unhealthy_threshold_count": 3,
"matcher": {
"value": "200-299",
},
"path": "/instance",
"port": 80,
"protocol": "HTTP",
"protocol_version": "HTTP1",
},
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/vpclattice"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := vpclattice.NewTargetGroup(ctx, "example", &vpclattice.TargetGroupArgs{
Name: pulumi.String("example"),
Type: pulumi.String("IP"),
Config: &vpclattice.TargetGroupConfigArgs{
VpcIdentifier: pulumi.Any(exampleAwsVpc.Id),
IpAddressType: pulumi.String("IPV4"),
Port: pulumi.Int(443),
Protocol: pulumi.String("HTTPS"),
ProtocolVersion: pulumi.String("HTTP1"),
HealthCheck: &vpclattice.TargetGroupConfigHealthCheckArgs{
Enabled: pulumi.Bool(true),
HealthCheckIntervalSeconds: pulumi.Int(20),
HealthCheckTimeoutSeconds: pulumi.Int(10),
HealthyThresholdCount: pulumi.Int(7),
UnhealthyThresholdCount: pulumi.Int(3),
Matcher: &vpclattice.TargetGroupConfigHealthCheckMatcherArgs{
Value: pulumi.String("200-299"),
},
Path: pulumi.String("/instance"),
Port: pulumi.Int(80),
Protocol: pulumi.String("HTTP"),
ProtocolVersion: pulumi.String("HTTP1"),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.VpcLattice.TargetGroup("example", new()
{
Name = "example",
Type = "IP",
Config = new Aws.VpcLattice.Inputs.TargetGroupConfigArgs
{
VpcIdentifier = exampleAwsVpc.Id,
IpAddressType = "IPV4",
Port = 443,
Protocol = "HTTPS",
ProtocolVersion = "HTTP1",
HealthCheck = new Aws.VpcLattice.Inputs.TargetGroupConfigHealthCheckArgs
{
Enabled = true,
HealthCheckIntervalSeconds = 20,
HealthCheckTimeoutSeconds = 10,
HealthyThresholdCount = 7,
UnhealthyThresholdCount = 3,
Matcher = new Aws.VpcLattice.Inputs.TargetGroupConfigHealthCheckMatcherArgs
{
Value = "200-299",
},
Path = "/instance",
Port = 80,
Protocol = "HTTP",
ProtocolVersion = "HTTP1",
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.vpclattice.TargetGroup;
import com.pulumi.aws.vpclattice.TargetGroupArgs;
import com.pulumi.aws.vpclattice.inputs.TargetGroupConfigArgs;
import com.pulumi.aws.vpclattice.inputs.TargetGroupConfigHealthCheckArgs;
import com.pulumi.aws.vpclattice.inputs.TargetGroupConfigHealthCheckMatcherArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new TargetGroup("example", TargetGroupArgs.builder()
.name("example")
.type("IP")
.config(TargetGroupConfigArgs.builder()
.vpcIdentifier(exampleAwsVpc.id())
.ipAddressType("IPV4")
.port(443)
.protocol("HTTPS")
.protocolVersion("HTTP1")
.healthCheck(TargetGroupConfigHealthCheckArgs.builder()
.enabled(true)
.healthCheckIntervalSeconds(20)
.healthCheckTimeoutSeconds(10)
.healthyThresholdCount(7)
.unhealthyThresholdCount(3)
.matcher(TargetGroupConfigHealthCheckMatcherArgs.builder()
.value("200-299")
.build())
.path("/instance")
.port(80)
.protocol("HTTP")
.protocolVersion("HTTP1")
.build())
.build())
.build());
}
}
resources:
example:
type: aws:vpclattice:TargetGroup
properties:
name: example
type: IP
config:
vpcIdentifier: ${exampleAwsVpc.id}
ipAddressType: IPV4
port: 443
protocol: HTTPS
protocolVersion: HTTP1
healthCheck:
enabled: true
healthCheckIntervalSeconds: 20
healthCheckTimeoutSeconds: 10
healthyThresholdCount: 7
unhealthyThresholdCount: 3
matcher:
value: 200-299
path: /instance
port: 80
protocol: HTTP
protocolVersion: HTTP1
The healthCheck block defines how VPC Lattice monitors target availability. The enabled property activates health checks; healthCheckIntervalSeconds controls check frequency. The matcher property defines success criteria using HTTP status codes. VPC Lattice removes unhealthy targets from rotation after unhealthyThresholdCount consecutive failures.
Route traffic to Application Load Balancers
ALB-type target groups forward traffic to existing Application Load Balancers, integrating VPC Lattice with load balancer-fronted applications.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.vpclattice.TargetGroup("example", {
name: "example",
type: "ALB",
config: {
vpcIdentifier: exampleAwsVpc.id,
port: 443,
protocol: "HTTPS",
protocolVersion: "HTTP1",
},
});
import pulumi
import pulumi_aws as aws
example = aws.vpclattice.TargetGroup("example",
name="example",
type="ALB",
config={
"vpc_identifier": example_aws_vpc["id"],
"port": 443,
"protocol": "HTTPS",
"protocol_version": "HTTP1",
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/vpclattice"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := vpclattice.NewTargetGroup(ctx, "example", &vpclattice.TargetGroupArgs{
Name: pulumi.String("example"),
Type: pulumi.String("ALB"),
Config: &vpclattice.TargetGroupConfigArgs{
VpcIdentifier: pulumi.Any(exampleAwsVpc.Id),
Port: pulumi.Int(443),
Protocol: pulumi.String("HTTPS"),
ProtocolVersion: pulumi.String("HTTP1"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.VpcLattice.TargetGroup("example", new()
{
Name = "example",
Type = "ALB",
Config = new Aws.VpcLattice.Inputs.TargetGroupConfigArgs
{
VpcIdentifier = exampleAwsVpc.Id,
Port = 443,
Protocol = "HTTPS",
ProtocolVersion = "HTTP1",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.vpclattice.TargetGroup;
import com.pulumi.aws.vpclattice.TargetGroupArgs;
import com.pulumi.aws.vpclattice.inputs.TargetGroupConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new TargetGroup("example", TargetGroupArgs.builder()
.name("example")
.type("ALB")
.config(TargetGroupConfigArgs.builder()
.vpcIdentifier(exampleAwsVpc.id())
.port(443)
.protocol("HTTPS")
.protocolVersion("HTTP1")
.build())
.build());
}
}
resources:
example:
type: aws:vpclattice:TargetGroup
properties:
name: example
type: ALB
config:
vpcIdentifier: ${exampleAwsVpc.id}
port: 443
protocol: HTTPS
protocolVersion: HTTP1
For ALB targets, the config block omits health check configuration because VPC Lattice relies on the ALB’s own health checks. The protocolVersion property specifies HTTP/1.1 or HTTP/2 for communication with the load balancer.
Invoke Lambda functions from service requests
Lambda-type target groups route service requests directly to Lambda functions without managing compute infrastructure.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.vpclattice.TargetGroup("example", {
name: "example",
type: "LAMBDA",
});
import pulumi
import pulumi_aws as aws
example = aws.vpclattice.TargetGroup("example",
name="example",
type="LAMBDA")
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/vpclattice"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := vpclattice.NewTargetGroup(ctx, "example", &vpclattice.TargetGroupArgs{
Name: pulumi.String("example"),
Type: pulumi.String("LAMBDA"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.VpcLattice.TargetGroup("example", new()
{
Name = "example",
Type = "LAMBDA",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.vpclattice.TargetGroup;
import com.pulumi.aws.vpclattice.TargetGroupArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new TargetGroup("example", TargetGroupArgs.builder()
.name("example")
.type("LAMBDA")
.build());
}
}
resources:
example:
type: aws:vpclattice:TargetGroup
properties:
name: example
type: LAMBDA
Lambda target groups require only the type property. The config block is not supported because Lambda functions don’t need VPC, port, or protocol configuration. VPC Lattice invokes the function directly with request data.
Beyond these examples
These snippets focus on specific target group features: target types (INSTANCE, IP, ALB, LAMBDA), health check configuration, and protocol and port settings. They’re intentionally minimal rather than complete routing configurations.
The examples reference pre-existing infrastructure such as VPC identifiers for non-Lambda target groups. They focus on target group configuration rather than target registration or service associations.
To keep things focused, common target group patterns are omitted, including:
- Target registration (attaching actual targets to the group)
- Service associations (connecting target groups to VPC Lattice services)
- Cross-account or cross-VPC routing
- Advanced health check tuning (timeout, interval, threshold combinations)
These omissions are intentional: the goal is to illustrate how each target group type is wired, not provide drop-in routing modules. See the VPC Lattice Target Group resource reference for all available configuration options.
Let's create AWS VPC Lattice Target Groups
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Target Types & Configuration
What target types are available for VPC Lattice target groups?
Four types are supported:
IP (IP addresses), LAMBDA (Lambda functions), INSTANCE (EC2 instances), and ALB (Application Load Balancers).Can I use the config block with Lambda target groups?
No, the
config block is not supported when type is LAMBDA. Lambda target groups only require the name and type properties.What configuration is required for IP, INSTANCE, or ALB target groups?
These types require a
config block with vpcIdentifier, port, and protocol. IP targets also need ipAddressType, while ALB targets cannot include health checks.Health Checks
Can I configure health checks for ALB target groups?
No, the
healthCheck block is not supported when type is ALB. Health checks are only available for IP and INSTANCE target types.How do I configure health checks for my target group?
Add a
healthCheck block within config, specifying parameters like enabled, healthCheckIntervalSeconds, healthCheckTimeoutSeconds, path, port, protocol, and matcher values for success codes.Naming & Immutability
What properties can't I change after creating a target group?
Both
name and type are immutable. Changing either property forces replacement of the entire target group.What are the naming rules for target groups?
Names must use only lowercase letters (a-z), numbers (0-9), and hyphens (-). Hyphens can’t appear at the start, end, or consecutively.
Using a different cloud?
Explore networking guides for other cloud providers: