Virtual gateways - AWS App Mesh

Virtual gateways

A virtual gateway allows resources that are outside of your mesh to communicate to resources that are inside of your mesh. The virtual gateway represents an Envoy proxy running in an Amazon ECS service, in a Kubernetes service, or on an Amazon EC2 instance. Unlike a virtual node, which represents Envoy running with an application, a virtual gateway represents Envoy deployed by itself.

External resources must be able to resolve a DNS name to an IP address assigned to the service or instance that runs Envoy. Envoy can then access all of the App Mesh configuration for resources that are inside of the mesh. The configuration for handling the incoming requests at the Virtual Gateway are specified using Gateway Routes.

Important

A virtual gateway with a HTTP or HTTP2 listener rewrites the incoming request's hostname to the Gateway Route target Virtual Service's name, and the matched prefix from the Gateway Route is rewritten to /, by default. For example, if you have configured the Gateway route match prefix to /chapter, and, if the incoming request is /chapter/1, the request would be rewritten to /1. For more details, refer to the Creating a gateway route section from Gateway Routes.

To complete an end-to-end walkthrough, see Configuring Inbound Gateway.

Creating a virtual gateway

To create a virtual gateway using the AWS Management Console

Note

When creating a Virtual Gateway, you must add a namespace selector with a label to identify the list of namespaces to associate Gateway Routes to the created Virtual Gateway.

To create a virtual gateway using the AWS CLI version 1.18.116 or higher, see the AWS CLI reference for the create-virtual-gateway command.

  1. Open the App Mesh console at https://console.aws.amazon.com/appmesh/.

  2. Choose the mesh that you want to create the virtual gateway in. All of the meshes that you own and that have been shared with you are listed.

  3. Choose Virtual gateways in the left navigation.

  4. Choose Create virtual gateway.

  5. For Virtual gateway name, enter a name for your virtual gateway.

  6. (Optional, but recommended) Configure Client policy defaults.

    1. (Optional) Select Enforce TLS if you want the gateway to only communicate with virtual services using Transport Layer Security (TLS).

    2. (Optional) For Ports, specify one or more ports that you want to enforce TLS communication with virtual services on.

    3. For Validation method, select one of the following options. The certificate that you specify must already exist and meet specific requirements. For more information, see Certificate requirements.

      • AWS Certificate Manager Private Certificate Authority hosting – Select one or more existing Certificates.

      • Envoy Secret Discovery Service (SDS) hosting – Enter the name of the secret Envoy will fetch using the Secret Discovery Service.

      • Local file hosting – Specify the path to the Certificate chain file on the file system where Envoy is deployed.

    4. (Optional) Enter a Subject Alternative Name. To add additional SANs, select Add SAN. SANs must be FQDN or URI formatted.

    5. (Optional) Select Provide client certificate and one of the options below to provide a client certificate when a server requests it and enable mutual TLS authentication. To learn more about mutual TLS, see the App Mesh Mutual TLS Authentication docs.

      • Envoy Secret Discovery Service (SDS) hosting – Enter the name of the secret Envoy will fetch using the Secret Discovery Service.

      • Local file hosting – Specify the path to the Certificate chain file, as well as the Private key, on the file system where Envoy is deployed. For a complete, end-to-end walk through of deploying a mesh with a sample application using encryption with local files, see Configuring TLS with File Provided TLS Certificates on GitHub.

    6. Specify a Port and Protocol for the Listener. Each virtual gateway can have only one port and protocol specified. If you need the virtual gateway to route traffic over multiple ports and protocols, then you must create a virtual gateway for each port or prototol.

  7. (Optional) To configure logging, selected Logging. Enter the HTTP access logs path that you want Envoy to use. We recommend the /dev/stdout path so that you can use Docker log drivers to export your Envoy logs to a service such as Amazon CloudWatch Logs.

    Note

    Logs must still be ingested by an agent in your application and sent to a destination. This file path only instructs Envoy where to send the logs.

  8. Configure the Listener.

    1. Select a Protocol and specify the Port that Envoy will listen for traffic on. The http listener permits connection transition to websockets.

    2. (Optional) Enable connection pool

      Connection pooling limits the number of connections that an Envoy can concurrently establish with all the hosts in the upstream cluster. It is intended to protect your local application from being overwhelmed with connections and lets you adjust traffic shaping for the needs of your applications.

      You can configure destination-side connection pool settings for a virtual gateway listener. App Mesh sets the client-side connection pool settings to infinite by default, simplifying mesh configuration.

      Note

      The connectionPool and portMapping protocols must be the same. If your listener protocol is grpc or http2, specify maxRequests only. If your listener protocol is http, you can specify both maxConnections and maxPendingRequests.

      • For Maximum connections, specify the maximum number of outbound connections.

      • For Maximum requests, specify maximum number of parallel requests that can occur to the upstream cluster.

      • (Optional) For Maximum pending requests, specify the number of overflowing requests after Maximum connections that an Envoy will queue. The default value is 2147483647.

    3. (Optional) If you want to configure a health check for your listener, then select Enable health check.

      A health check policy is optional, but if you specify any values for a health policy, then you must specify values for Healthy threshold, Health check interval, Health check protocol, Timeout period, and Unhealthy threshold.

      • For Health check protocol, choose a protocol. If you select grpc, then your service must conform to the GRPC Health Checking Protocol.

      • For Health check port, specify the port that the health check should run on.

      • For Healthy threshold, specify the number of consecutive successful health checks that must occur before declaring the listener healthy.

      • For Health check interval, specify the time period in milliseconds between each health check execution.

      • For Path, specify the destination path for the health check request. This value is only used if the Health check protocol is http or http2. The value is ignored for other protocols.

      • For Timeout period, specify the amount of time to wait when receiving a response from the health check, in milliseconds.

      • For Unhealthy threshold, specify the number of consecutive failed health checks that must occur before declaring the listener unhealthy.

    4. (Optional) If you want to specify whether virtual nodes communicate with this virtual gateway using TLS, then select Enable TLS termination.

      • For Mode, select the mode you want TLS to be configured for on the listener.

      • For Certificate method, select one of the following options. The certificate must meet specific requirements. For more information, see Certificate requirements.

        • AWS Certificate Manager hosting – Select an existing Certificate.

        • Envoy Secret Discovery Service (SDS) hosting – Enter the name of the secret Envoy will fetch using the Secret Discovery Service.

        • Local file hosting – Specify the path to the Certificate chain and Private key files on the file system where Envoy is deployed.

      • (Optional) Select Require client certificate and one of the options below to enable mutual TLS authentication if the client provides a certificate. To learn more about mutual TLS, see the App Mesh Mutual TLS Authentication docs.

        • Envoy Secret Discovery Service (SDS) hosting – Enter the name of the secret Envoy will fetch using the Secret Discovery Service.

        • Local file hosting – Specify the path to the Certificate chain file on the file system where Envoy is deployed.

      • (Optional) Enter a Subject Alternative Name. To add additional SANs, select Add SAN. SANs must be FQDN or URI formatted.

  9. Choose Create virtual gateway to finish.

Deploy virtual gateway

Deploy an Amazon ECS or Kubernetes service that contains only the Envoy container. You can also deploy the Envoy container on an Amazon EC2 instance. For more information, see Getting started with App Mesh and Amazon EC2. For more information on how to deploy on Amazon ECS see Getting started with App Mesh and Amazon ECS or Getting started with AWS App Mesh and Kubernetes to deploy to Kubernetes. You need to set the APPMESH_RESOURCE_ARN environment variable to mesh/mesh-name/virtualGateway/virtual-gateway-name and you must not specify proxy configuration so that the proxy's traffic doesn't get redirected to itself. By default, App Mesh uses the name of the resource you specified in APPMESH_RESOURCE_ARN when Envoy is referring to itself in metrics and traces. You can override this behavior by setting the APPMESH_RESOURCE_CLUSTER environment variable with your own name.

We recommend that you deploy multiple instances of the container and set up a Network Load Balancer to load balance traffic to the instances. The service discovery name of the load balancer is the name that you want external services to use to access resources that are in the mesh, such as myapp.example.com. For more information see Creating a Network Load Balancer (Amazon ECS), Creating an External Load Balancer (Kubernetes), or Tutorial: Increase the availability of your application on Amazon EC2. You can also find more examples and walkthroughs in our App Mesh examples.

Enable proxy authorization for Envoy. For more information, see Envoy Proxy authorization.

Deleting a virtual gateway

To delete a virtual gateway using the AWS CLI version 1.18.116 or higher, see the AWS CLI reference for the delete-virtual-gateway command.

To delete a virtual gateway using the AWS Management Console

  1. Open the App Mesh console at https://console.aws.amazon.com/appmesh/.

  2. Choose the mesh that you want to delete a virtual gateway from. All of the meshes that you own and that have been shared with you are listed.

  3. Choose Virtual gateways in the left navigation.

  4. Choose the virtual gateway that you want to delete and select Delete. You cannot delete a virtual gateway if it has any associated gateway routes. You must delete any associated gateway routes first. You can only delete a virtual gateway where your account is listed as Resource owner.

  5. In the confirmation box, type delete and then select Delete.