Virtual gateways - AWS App Mesh

Virtual gateways

A virtual gateway allows resources that are outside of your mesh to communicate to resources that are inside of your mesh. The virtual gateway represents an Envoy proxy running in an Amazon ECS service, in a Kubernetes service, or on an Amazon EC2 instance. Unlike a virtual node, which represents Envoy running with an application, a virtual gateway represents Envoy deployed by itself.

External resources must be able to resolve a DNS name to an IP address assigned to the service or instance that runs Envoy. Envoy can then access all of the App Mesh configuration for resources that are inside of the mesh. To complete an end-to-end walkthrough, see Configuring Ingress Gateway.

Creating a virtual gateway

To create a virtual gateway using the AWS Management Console

To create a virtual gateway using the AWS CLI version 1.18.116 or higher, see the AWS CLI reference for the create-virtual-gateway command.

  1. Open the App Mesh console at https://console.aws.amazon.com/appmesh/.

  2. Choose the mesh that you want to create the virtual gateway in. All of the meshes that you own and that have been shared with you are listed.

  3. Choose Virtual gateways in the left navigation.

  4. Choose Create virtual gateway.

  5. For Virtual gateway name, enter a name for your virtual gateway.

  6. (Optional, but recommended) Configure Client policy defaults.

    1. (Optional) Select Enforce TLS if you want the gateway to only communicate with virtual services using Transport Layer Security (TLS).

    2. (Optional) For Ports, specify one or more ports that you want to enforce TLS communication with virtual services on.

    3. For Certificate discovery method, select one of the following options. The certificate that you specify must already exist and meet specific requirements. For more information, see Certificate requirements.

      • AWS Certificate Manager Private Certificate Authority hosting – Select one or more existing Certificates.

      • Local file hosting – Specify the path to the Certificate chain file on the file system where the Envoy is deployed.

    4. Specify a Port and Protocol for the Listener. Each virtual gateway can have only one port and protocol specified. If you need the virtual gateway to route traffic over multiple ports and protocols, then you must create a virtual gateway for each port or prototol.

  7. (Optional) To configure logging, selected Logging. Enter the HTTP access logs path that you want Envoy to use. We recommend the /dev/stdout path so that you can use Docker log drivers to export your Envoy logs to a service such as Amazon CloudWatch Logs.

    Note

    Logs must still be ingested by an agent in your application and sent to a destination. This file path only instructs Envoy where to send the logs.

  8. Configure the Listener.

    1. Select a Protocol and specify the Port that Envoy will listen for traffic on. The http listener permits connection transition to websockets.

    2. (Optional) Enable connection pool

      Connection pooling limits the number of connections that an Envoy can concurrently establish with all the hosts in the upstream cluster. It is intended to protect your local application from being overwhelmed with connections and lets you adjust traffic shaping for the needs of your applications.

      You can configure destination-side connection pool settings for a virtual gateway listener. App Mesh sets the client-side connection pool settings to infinite by default, simplifying mesh configuration.

      Note

      The connectionPool and portMapping protocols must be the same. If your listener protocol is grpc or http2, specify maxRequests only. If your listener protocol is http, you can specify both maxConnections and maxPendingRequests.

      • For Maximum connections, specify the maximum number of outbound connections.

      • For Maximum requests, specify maximum number of parallel requests that can occur to the upstream cluster.

      • (Optional) For Maximum pending requests, specify the number of overflowing requests after Maximum connections that an Envoy will queue. The default value is 2147483647.

    3. (Optional) If you want to configure a health check for your listener, then select Enable health check.

      A health check policy is optional, but if you specify any values for a health policy, then you must specify values for Healthy threshold, Health check interval, Health check protocol, Timeout period, and Unhealthy threshold.

      • For Health check protocol, choose a protocol. If you select grpc, then your service must conform to the GRPC Health Checking Protocol.

      • For Health check port, specify the port that the health check should run on.

      • For Healthy threshold, specify the number of consecutive successful health checks that must occur before declaring the listener healthy.

      • For Health check interval, specify the time period in milliseconds between each health check execution.

      • For Path, specify the destination path for the health check request. This value is only used if the Health check protocol is http or http2. The value is ignored for other protocols.

      • For Timeout period, specify the amount of time to wait when receiving a response from the health check, in milliseconds.

      • For Unhealthy threshold, specify the number of consecutive failed health checks that must occur before declaring the listener unhealthy.

    4. (Optional) If you want to specify whether virtual nodes communicate with this virtual gateway using TLS, then select Enable TLS termination.

      • For Mode, select the mode you want TLS to be configured for on the listener.

      • For Certificate method, select one of the following options. The certificate must meet specific requirements. For more information, see Certificate requirements.

        • AWS Certificate Manager hosting – Select an existing Certificate.

        • Local file hosting – Specify the path to the Certificate chain and Private key files on the file system where Envoy is deployed.

  9. Choose Create virtual gateway to finish.

Deploy virtual gateway

Deploy an Amazon ECS or Kubernetes service that contains only the Envoy container. You can also deploy the Envoy container on an Amazon EC2 instance. For more information see Getting started with App Mesh and Amazon ECS or Tutorial: Configure App Mesh integration with Kubernetes. You need to set the APPMESH_RESOURCE_ARN environment variable to mesh/mesh-name/virtualGateway/virtual-gateway-name and you must not specify proxy configuration so that the proxy's traffic doesn't get redirected to itself. By default, App Mesh uses the name of the resource you specified in APPMESH_RESOURCE_ARN when Envoy is referring to itself in metrics and traces. You can override this behavior by setting the APPMESH_RESOURCE_CLUSTER environment variable with your own name.

We recommend that you deploy multiple instances of the container and set up a Network Load Balancer to load balance traffic to the instances. The service discovery name of the load balancer is the name that you want external services to use to access resources that are in the mesh, such as myapp.example.com. For more information see Creating a Network Load Balancer (Amazon ECS), Creating an External Load Balancer (Kubernetes), or Tutorial: Increase the availability of your application on Amazon EC2.

Enable proxy authorization for Envoy. For more information, see Envoy Proxy authorization.

Deleting a virtual gateway

To delete a virtual gateway using the AWS CLI version 1.18.116 or higher, see the AWS CLI reference for the delete-virtual-gateway command.

To delete a virtual gateway using the AWS Management Console

  1. Open the App Mesh console at https://console.aws.amazon.com/appmesh/.

  2. Choose the mesh that you want to delete a virtual gateway from. All of the meshes that you own and that have been shared with you are listed.

  3. Choose Virtual gateways in the left navigation.

  4. Choose the virtual gateway that you want to delete and select Delete. You cannot delete a virtual gateway if it has any associated gateway routes. You must delete any associated gateway routes first. You can only delete a virtual gateway where your account is listed as Resource owner.

  5. In the confirmation box, type delete and then select Delete.