Working with shared meshes
A shared mesh allows resources created by different accounts to communicate with each other in the same mesh.
An AWS Identity and Access Management account can be a mesh resource owner, a mesh consumer, or both. Consumers can create resources in a mesh that is shared with their account. Owners can create resources in any mesh the account owns. A mesh owner can share a mesh with the following types of mesh consumers:
- Specific AWS accounts inside or outside of its organization in AWS Organizations
- An organizational unit inside its organization in AWS Organizations
- Its entire organization in AWS Organizations
For an end-to-end walk through of sharing a mesh, see Cross-account mesh walk through.
Shared mesh permissions
A shared mesh has the following permissions:
- Consumers can list and describe all resources in a mesh that is shared with the account.
- Owners can list and describe all resources in any mesh the account owns.
- Owners and consumers can modify resources in a mesh that the account created, but they cannot modify resources that another account created.
- Consumers can delete any resource in a mesh that the account created.
- Owners can delete any resource in a mesh that any account created.
- Owner's resources can only reference other resources in the same account. For example, a virtual node can only reference AWS Cloud Map or an AWS Certificate Manager certificate that is in the same account as the virtual node's owner.
- Owners and consumers can connect an Envoy proxy to App Mesh as a virtual node that the account owns.
- Owners can create virtual gateways and virtual gateway routes.
Prerequisites for sharing meshes
The following prerequisites must be met in order to share a mesh:
- You must own the mesh in your AWS account. You cannot share a mesh that has been shared with you.
- To share a mesh with your organization or an organizational unit in AWS Organizations, you must enable sharing with AWS Organizations. For more information, see Enable Sharing with AWS Organizations in the AWS RAM User Guide.
- Your services must be deployed in an Amazon VPC that has shared connectivity across the accounts that include the mesh resources that you want to communicate with each other. One way to share network connectivity is to deploy all of the services that you want to use in your mesh to a shared subnet. For more information and limitations, see Sharing a Subnet.
- Services must be discoverable through DNS or AWS Cloud Map. For more information about service discovery, see Virtual nodes.
Related services
Mesh sharing integrates with AWS Resource Access Manager (AWS RAM). AWS RAM is a service that enables you to share your AWS resources with any AWS account or through AWS Organizations. With AWS RAM, you share resources that you own by creating a resource share. A resource share specifies the resources to share, and the consumers with whom to share them. Consumers can be individual AWS accounts, organizational units, or an entire organization in AWS Organizations.
For more information about AWS RAM, see the AWS RAM User Guide.
Sharing a mesh
Sharing a mesh enables mesh resources created by different accounts to communicate with each other in the same mesh. You can only share a mesh that you own. To share a mesh, you must add it to a resource share. A resource share is an AWS RAM resource that lets you share your resources across AWS accounts. A resource share specifies the resources to share, and the consumers with whom they are shared. When you share a mesh using the App Mesh console, you add it to an existing resource share. To add the mesh to a new resource share, you must first create the resource share using the AWS RAM console.
If you are part of an organization in AWS Organizations and sharing within your organization is enabled, consumers in your organization can be automatically granted access to the shared mesh. Otherwise, consumers receive an invitation to join the resource share and are granted access to the shared mesh after accepting the invitation.
You can share a mesh that you own using the AWS RAM console or the AWS CLI.
To share a mesh that you own using the AWS RAM console
See Creating a Resource Share in the AWS RAM User Guide. When selecting a resource type, select Meshes, and then select the mesh you want to share. If no meshes are listed, then you need to create a mesh first. For more information, see Creating a service mesh.
To share a mesh that you own using the AWS CLI
Use the create-resource-share command. For the --resource-arns option, specify the ARN of the mesh that you want to share.
Unsharing a shared mesh
When you unshare a mesh, App Mesh disables further access to the mesh by former consumers of the mesh but does not delete the resources created by the consumers. Once the mesh is unshared, only the mesh owner can access and delete the resources. App Mesh prevents the account that owned resources in the mesh, and any other accounts with resources in the mesh, from receiving any configuration information after the mesh is unshared. Only the owner of the mesh can unshare it.
To unshare a shared mesh that you own, you must remove it from the resource share. You can do this using the AWS RAM console or the AWS CLI.
To unshare a shared mesh that you own using the AWS RAM console
See Updating a Resource Share in the AWS RAM User Guide.
To unshare a shared mesh that you own using the AWS CLI
Use the disassociate-resource-share command.
Identifying a shared mesh
Owners and consumers can identify shared meshes and mesh resources using the App Mesh console and the AWS CLI.
To identify a shared mesh using the App Mesh console
- Open the App Mesh console at https://console.aws.amazon.com/appmesh/.
- From the left navigation, select Meshes. The account ID of the mesh owner for each mesh is listed in the Mesh owner column.
- From the left navigation, select Virtual services, Virtual routers, or Virtual nodes. You see the account ID for the Mesh owner and Resource owner for each of the resources.
To identify a shared mesh using the AWS CLI
Use the aws appmesh list-resource command (where resource is the resource type), such as aws appmesh list-meshes. The command returns the meshes that you own and the meshes that are shared with you. The meshOwner property shows the AWS account ID of the mesh owner, and the resourceOwner property shows the AWS account ID of the resource owner. Any command run against any mesh resource returns these properties.
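To turn the meshOwner and resourceOwner properties into an access inventory, here is an added example (not from the App Mesh documentation) that applies the shared-mesh permission rules above to CLI-shaped output; the account IDs, mesh names and JSON samples are constructed, and in practice you would feed it the real output of the list commands.

```python
import json

MY_ACCOUNT = "111111111111"  # constructed caller account ID (assumption)

# Constructed sample in the shape of `aws appmesh list-meshes --output json`.
LIST_MESHES_OUTPUT = """{"meshes": [
  {"arn": "arn:aws:appmesh:us-west-2:111111111111:mesh/payments",
   "meshName": "payments", "meshOwner": "111111111111", "resourceOwner": "111111111111"},
  {"arn": "arn:aws:appmesh:us-west-2:222222222222:mesh/shared-platform",
   "meshName": "shared-platform", "meshOwner": "222222222222", "resourceOwner": "222222222222"}
]}"""

# Constructed sample in the shape of `aws appmesh list-virtual-nodes --mesh-name payments --output json`.
LIST_VIRTUAL_NODES_OUTPUT = """{"virtualNodes": [
  {"arn": "arn:aws:appmesh:us-west-2:111111111111:mesh/payments/virtualNode/api",
   "meshName": "payments", "meshOwner": "111111111111", "resourceOwner": "111111111111",
   "virtualNodeName": "api"},
  {"arn": "arn:aws:appmesh:us-west-2:111111111111:mesh/payments/virtualNode/ledger",
   "meshName": "payments", "meshOwner": "111111111111", "resourceOwner": "333333333333",
   "virtualNodeName": "ledger"}
]}"""


def mesh_roles(list_meshes_json, my_account):
    """Map each mesh name to the caller's role: 'owner' if meshOwner is the caller,
    otherwise 'consumer' (the mesh is shared with the caller through AWS RAM)."""
    roles = {}
    for mesh in json.loads(list_meshes_json)["meshes"]:
        roles[mesh["meshName"]] = "owner" if mesh["meshOwner"] == my_account else "consumer"
    return roles


def resource_access(list_json, key, my_account):
    """Apply the shared-mesh permission rules to each resource in a list-* response:
    only the creating account (resourceOwner) can modify; the creator and the mesh
    owner can delete. cross_account flags resources that a non-owner account created."""
    report = []
    for res in json.loads(list_json)[key]:
        is_mesh_owner = res["meshOwner"] == my_account
        is_creator = res["resourceOwner"] == my_account
        report.append({
            "mesh": res["meshName"],
            "name": res["arn"].rsplit("/", 1)[-1],  # resource name is the last ARN segment
            "created_by": res["resourceOwner"],
            "can_modify": is_creator,
            "can_delete": is_creator or is_mesh_owner,
            "cross_account": res["resourceOwner"] != res["meshOwner"],
        })
    return report
```

Run against a mesh you own, the cross_account rows are the consumer-created resources that would remain in the mesh (and become deletable only by you) after an unshare.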
Billing and metering
There are no charges for sharing a mesh.
Instance quotas
All quotas for a mesh also apply to shared meshes, regardless of who created resources in the mesh. Only a mesh owner can request quota increases. For more information, see App Mesh service quotas. The AWS Resource Access Manager service also has quotas. For more information, see Service Quotas.