AWS App Mesh Documentation

App Mesh is designed to run services by providing visibility and network traffic controls for services. App Mesh separates the logic needed for monitoring and controlling communications into a proxy that runs next to services. This helps you reduce the need to coordinate across teams or update application code to change how monitoring data is collected or traffic is routed. This allows you to pinpoint the location of errors and reroute network traffic when there are failures or when code changes need to be deployed.

You can use App Mesh with AWS Fargate, Amazon ECS, Amazon EKS, Amazon EC2, and Kubernetes on EC2 to better run services at scale. App Mesh uses Envoy, an open source proxy that is compatible with AWS partner and open source tools for monitoring services.

Open source proxy

App Mesh uses the open source Envoy proxy to manage traffic into and out of a service’s containers. App Mesh configures this proxy to handle the service’s application communications.  Envoy offers community-built integrations that work with App Mesh.
Compatible AWS services:

Amazon CloudWatch* – monitoring and logging service for visibility of resources and applications.

AWS X-Ray* – tracing service for an end-to-end view of application performance.

Compatible AWS partner and open source tools:

Datadog, Alcide, HashiCorp, Sysdig, Signalfx, Spotinst, Tetrate, Neuvector, Weaveworks, Twistlock, Wavefront by VMware, Aqua.

Traffic Routing

App Mesh lets you configure services to connect to each other instead of requiring code within the application or using a load balancer. When each service starts, its proxies connect to App Mesh and receives configuration data about the locations of other services in the mesh. You can use controls in App Mesh to update traffic routing between services with minimal changes to your application code. 

Client-side Traffic Policies

The proxies are designed to load balance traffic from clients in the mesh, and add and remove load balancing endpoints based on health checks and service registration. These capabilities help to deploy new versions of your services and tune applications to be resilient to failures.

Service-to-Service Authentication

Mutual TLS (mTLS) enables transport layer authentication, which provides service-to-service identity verification for the application components running in and outside service meshes. It allows customers to extend the security perimeter to the applications running in AWS App Mesh by provisioning certificates from AWS Certificate Manager Private Certificate Authority or a customer-managed Certificate Authority (CA) to workloads in the service mesh, and is designed to enforce authentication for client applications connecting to services.

Container orchestration native user experience

App Mesh works with services managed by Amazon ECS, Amazon EKS, AWS Fargate, Kubernetes running on EC2. For containerized workloads running on ECS, EKS, Fargate, or Kubernetes, you include the provided App Mesh proxy as part of the task or pod definition for each microservice and configure the services’ application container to communicate with the proxy. When the service starts, the proxy is designed to check in with and is configured by App Mesh.

Managed Service

AWS App Mesh is a managed service. App Mesh allows you to manage services communications without needing to install or manage application-level infrastructure for communications management.

Additional Information

For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see https://docs.aws.amazon.com/index.html. This additional information does not form part of the Documentation for purposes of the AWS Customer Agreement available at http://aws.amazon.com/agreement, or other agreement between you and AWS governing your use of AWS’s services.