The aws:vpclattice/targetGroup:TargetGroup resource, part of the Pulumi AWS provider, defines VPC Lattice target groups that specify where service traffic should be routed: EC2 instances, IP addresses, Application Load Balancers, or Lambda functions. This guide focuses on three capabilities: target type selection, health check configuration, and protocol settings.
Target groups for instances, IPs, and ALBs require a VPC. Lambda target groups do not. Actual targets are registered separately via TargetGroupAttachment resources. The examples are intentionally small. Combine them with your own VPC infrastructure and target registration logic.
Route traffic to EC2 instances
Instance-based target groups send requests to EC2 instances running in your VPC.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.vpclattice.TargetGroup("example", {
name: "example",
type: "INSTANCE",
config: {
vpcIdentifier: exampleAwsVpc.id,
port: 443,
protocol: "HTTPS",
},
});
import pulumi
import pulumi_aws as aws
example = aws.vpclattice.TargetGroup("example",
name="example",
type="INSTANCE",
config={
"vpc_identifier": example_aws_vpc["id"],
"port": 443,
"protocol": "HTTPS",
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/vpclattice"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := vpclattice.NewTargetGroup(ctx, "example", &vpclattice.TargetGroupArgs{
Name: pulumi.String("example"),
Type: pulumi.String("INSTANCE"),
Config: &vpclattice.TargetGroupConfigArgs{
VpcIdentifier: pulumi.Any(exampleAwsVpc.Id),
Port: pulumi.Int(443),
Protocol: pulumi.String("HTTPS"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.VpcLattice.TargetGroup("example", new()
{
Name = "example",
Type = "INSTANCE",
Config = new Aws.VpcLattice.Inputs.TargetGroupConfigArgs
{
VpcIdentifier = exampleAwsVpc.Id,
Port = 443,
Protocol = "HTTPS",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.vpclattice.TargetGroup;
import com.pulumi.aws.vpclattice.TargetGroupArgs;
import com.pulumi.aws.vpclattice.inputs.TargetGroupConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new TargetGroup("example", TargetGroupArgs.builder()
.name("example")
.type("INSTANCE")
.config(TargetGroupConfigArgs.builder()
.vpcIdentifier(exampleAwsVpc.id())
.port(443)
.protocol("HTTPS")
.build())
.build());
}
}
resources:
example:
type: aws:vpclattice:TargetGroup
properties:
name: example
type: INSTANCE
config:
vpcIdentifier: ${exampleAwsVpc.id}
port: 443
protocol: HTTPS
The type property determines what kind of targets this group accepts. The config block specifies the VPC, port, and protocol. VPC Lattice routes traffic to registered instances on the specified port using the chosen protocol.
Monitor target health with custom checks
Production deployments probe targets at regular intervals to detect failures and remove unhealthy instances from rotation.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.vpclattice.TargetGroup("example", {
name: "example",
type: "IP",
config: {
vpcIdentifier: exampleAwsVpc.id,
ipAddressType: "IPV4",
port: 443,
protocol: "HTTPS",
protocolVersion: "HTTP1",
healthCheck: {
enabled: true,
healthCheckIntervalSeconds: 20,
healthCheckTimeoutSeconds: 10,
healthyThresholdCount: 7,
unhealthyThresholdCount: 3,
matcher: {
value: "200-299",
},
path: "/instance",
port: 80,
protocol: "HTTP",
protocolVersion: "HTTP1",
},
},
});
import pulumi
import pulumi_aws as aws
example = aws.vpclattice.TargetGroup("example",
name="example",
type="IP",
config={
"vpc_identifier": example_aws_vpc["id"],
"ip_address_type": "IPV4",
"port": 443,
"protocol": "HTTPS",
"protocol_version": "HTTP1",
"health_check": {
"enabled": True,
"health_check_interval_seconds": 20,
"health_check_timeout_seconds": 10,
"healthy_threshold_count": 7,
"unhealthy_threshold_count": 3,
"matcher": {
"value": "200-299",
},
"path": "/instance",
"port": 80,
"protocol": "HTTP",
"protocol_version": "HTTP1",
},
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/vpclattice"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := vpclattice.NewTargetGroup(ctx, "example", &vpclattice.TargetGroupArgs{
Name: pulumi.String("example"),
Type: pulumi.String("IP"),
Config: &vpclattice.TargetGroupConfigArgs{
VpcIdentifier: pulumi.Any(exampleAwsVpc.Id),
IpAddressType: pulumi.String("IPV4"),
Port: pulumi.Int(443),
Protocol: pulumi.String("HTTPS"),
ProtocolVersion: pulumi.String("HTTP1"),
HealthCheck: &vpclattice.TargetGroupConfigHealthCheckArgs{
Enabled: pulumi.Bool(true),
HealthCheckIntervalSeconds: pulumi.Int(20),
HealthCheckTimeoutSeconds: pulumi.Int(10),
HealthyThresholdCount: pulumi.Int(7),
UnhealthyThresholdCount: pulumi.Int(3),
Matcher: &vpclattice.TargetGroupConfigHealthCheckMatcherArgs{
Value: pulumi.String("200-299"),
},
Path: pulumi.String("/instance"),
Port: pulumi.Int(80),
Protocol: pulumi.String("HTTP"),
ProtocolVersion: pulumi.String("HTTP1"),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.VpcLattice.TargetGroup("example", new()
{
Name = "example",
Type = "IP",
Config = new Aws.VpcLattice.Inputs.TargetGroupConfigArgs
{
VpcIdentifier = exampleAwsVpc.Id,
IpAddressType = "IPV4",
Port = 443,
Protocol = "HTTPS",
ProtocolVersion = "HTTP1",
HealthCheck = new Aws.VpcLattice.Inputs.TargetGroupConfigHealthCheckArgs
{
Enabled = true,
HealthCheckIntervalSeconds = 20,
HealthCheckTimeoutSeconds = 10,
HealthyThresholdCount = 7,
UnhealthyThresholdCount = 3,
Matcher = new Aws.VpcLattice.Inputs.TargetGroupConfigHealthCheckMatcherArgs
{
Value = "200-299",
},
Path = "/instance",
Port = 80,
Protocol = "HTTP",
ProtocolVersion = "HTTP1",
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.vpclattice.TargetGroup;
import com.pulumi.aws.vpclattice.TargetGroupArgs;
import com.pulumi.aws.vpclattice.inputs.TargetGroupConfigArgs;
import com.pulumi.aws.vpclattice.inputs.TargetGroupConfigHealthCheckArgs;
import com.pulumi.aws.vpclattice.inputs.TargetGroupConfigHealthCheckMatcherArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new TargetGroup("example", TargetGroupArgs.builder()
.name("example")
.type("IP")
.config(TargetGroupConfigArgs.builder()
.vpcIdentifier(exampleAwsVpc.id())
.ipAddressType("IPV4")
.port(443)
.protocol("HTTPS")
.protocolVersion("HTTP1")
.healthCheck(TargetGroupConfigHealthCheckArgs.builder()
.enabled(true)
.healthCheckIntervalSeconds(20)
.healthCheckTimeoutSeconds(10)
.healthyThresholdCount(7)
.unhealthyThresholdCount(3)
.matcher(TargetGroupConfigHealthCheckMatcherArgs.builder()
.value("200-299")
.build())
.path("/instance")
.port(80)
.protocol("HTTP")
.protocolVersion("HTTP1")
.build())
.build())
.build());
}
}
resources:
example:
type: aws:vpclattice:TargetGroup
properties:
name: example
type: IP
config:
vpcIdentifier: ${exampleAwsVpc.id}
ipAddressType: IPV4
port: 443
protocol: HTTPS
protocolVersion: HTTP1
healthCheck:
enabled: true
healthCheckIntervalSeconds: 20
healthCheckTimeoutSeconds: 10
healthyThresholdCount: 7
unhealthyThresholdCount: 3
matcher:
value: 200-299
path: /instance
port: 80
protocol: HTTP
protocolVersion: HTTP1
When healthCheck.enabled is true, VPC Lattice sends requests to the specified path at healthCheckIntervalSeconds intervals. The matcher.value defines success codes. After healthyThresholdCount consecutive successes, a target enters rotation; after unhealthyThresholdCount failures, it’s removed.
Route traffic to Application Load Balancers
ALB target groups connect VPC Lattice services to existing load balancer infrastructure.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.vpclattice.TargetGroup("example", {
name: "example",
type: "ALB",
config: {
vpcIdentifier: exampleAwsVpc.id,
port: 443,
protocol: "HTTPS",
protocolVersion: "HTTP1",
},
});
import pulumi
import pulumi_aws as aws
example = aws.vpclattice.TargetGroup("example",
name="example",
type="ALB",
config={
"vpc_identifier": example_aws_vpc["id"],
"port": 443,
"protocol": "HTTPS",
"protocol_version": "HTTP1",
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/vpclattice"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := vpclattice.NewTargetGroup(ctx, "example", &vpclattice.TargetGroupArgs{
Name: pulumi.String("example"),
Type: pulumi.String("ALB"),
Config: &vpclattice.TargetGroupConfigArgs{
VpcIdentifier: pulumi.Any(exampleAwsVpc.Id),
Port: pulumi.Int(443),
Protocol: pulumi.String("HTTPS"),
ProtocolVersion: pulumi.String("HTTP1"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.VpcLattice.TargetGroup("example", new()
{
Name = "example",
Type = "ALB",
Config = new Aws.VpcLattice.Inputs.TargetGroupConfigArgs
{
VpcIdentifier = exampleAwsVpc.Id,
Port = 443,
Protocol = "HTTPS",
ProtocolVersion = "HTTP1",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.vpclattice.TargetGroup;
import com.pulumi.aws.vpclattice.TargetGroupArgs;
import com.pulumi.aws.vpclattice.inputs.TargetGroupConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new TargetGroup("example", TargetGroupArgs.builder()
.name("example")
.type("ALB")
.config(TargetGroupConfigArgs.builder()
.vpcIdentifier(exampleAwsVpc.id())
.port(443)
.protocol("HTTPS")
.protocolVersion("HTTP1")
.build())
.build());
}
}
resources:
example:
type: aws:vpclattice:TargetGroup
properties:
name: example
type: ALB
config:
vpcIdentifier: ${exampleAwsVpc.id}
port: 443
protocol: HTTPS
protocolVersion: HTTP1
Setting type to ALB routes traffic to an Application Load Balancer instead of individual instances. Health checks are not supported for ALB target groups; the ALB’s own health checks determine target availability. The protocolVersion property controls HTTP version negotiation.
Invoke Lambda functions from services
Lambda target groups route service requests to serverless functions without requiring VPC configuration.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.vpclattice.TargetGroup("example", {
name: "example",
type: "LAMBDA",
});
import pulumi
import pulumi_aws as aws
example = aws.vpclattice.TargetGroup("example",
name="example",
type="LAMBDA")
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/vpclattice"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := vpclattice.NewTargetGroup(ctx, "example", &vpclattice.TargetGroupArgs{
Name: pulumi.String("example"),
Type: pulumi.String("LAMBDA"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.VpcLattice.TargetGroup("example", new()
{
Name = "example",
Type = "LAMBDA",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.vpclattice.TargetGroup;
import com.pulumi.aws.vpclattice.TargetGroupArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new TargetGroup("example", TargetGroupArgs.builder()
.name("example")
.type("LAMBDA")
.build());
}
}
resources:
example:
type: aws:vpclattice:TargetGroup
properties:
name: example
type: LAMBDA
Lambda target groups require only the name and type properties. The config block is not supported; Lambda functions don’t need port or protocol configuration. VPC Lattice invokes the function with the request payload and returns the response.
Beyond these examples
These snippets focus on specific target group features: target types (instances, IPs, ALBs, Lambda), health check configuration, and protocol and port settings. They’re intentionally minimal rather than full service deployments.
The examples may reference pre-existing infrastructure such as VPCs for instance, IP, and ALB target groups. They focus on configuring the target group rather than provisioning the surrounding infrastructure.
To keep things focused, common target group patterns are omitted, including:
- Target registration (aws.vpclattice.TargetGroupAttachment)
- Service network associations
- Cross-account target groups
- IP address type selection (ipAddressType)
These omissions are intentional: the goal is to illustrate how each target group feature is wired, not provide drop-in service modules. See the VPC Lattice TargetGroup resource reference for all available configuration options.
Let's create AWS VPC Lattice Target Groups
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Target Types & Configuration
What target types are available for VPC Lattice target groups?
VPC Lattice supports four target types:
IP, LAMBDA, INSTANCE, and ALB. Each type has different configuration requirements.Why can't I add health checks to my ALB target group?
The
healthCheck block isn’t supported when type is ALB. Health checks must be omitted for ALB target groups.Why can't I configure a Lambda target group with the config block?
The
config block isn’t supported when type is LAMBDA. Lambda target groups only require the name and type properties.Which target types require the config block?
The
config block is required for IP, INSTANCE, and ALB types to specify VPC, port, and protocol settings. It’s not supported for LAMBDA type.Health Checks
How do I configure health checks for my target group?
Add a
healthCheck block within config with settings like enabled, healthCheckIntervalSeconds, healthCheckTimeoutSeconds, path, protocol, and matcher. Health checks are supported for IP and INSTANCE types only.Naming & Immutability
What are the naming rules and can I change the name after creation?
Names must use a-z, 0-9, and hyphens only. Hyphens can’t appear at the start, end, or consecutively. The
name property is immutable—changing it forces resource replacement.Can I change the target type after creation?
No, the
type property is immutable. Changing it forces resource replacement, so choose carefully during initial creation.Using a different cloud?
Explore networking guides for other cloud providers: