App Mesh interface VPC endpoints (AWS PrivateLink) - AWS App Mesh

App Mesh interface VPC endpoints (AWS PrivateLink)

You can improve the security posture of your Amazon VPC by configuring App Mesh to use an interface VPC endpoint. Interface endpoints are powered by AWS PrivateLink, a technology that enables you to privately access App Mesh APIs by using private IP addresses. PrivateLink restricts all network traffic between your Amazon VPC and App Mesh to the Amazon network.

You're not required to configure PrivateLink, but we recommend it. For more information about PrivateLink and interface VPC endpoints, see Accessing Services Through AWS PrivateLink.

Considerations for App Mesh interface VPC endpoints

Before you set up interface VPC endpoints for App Mesh, be aware of the following considerations:

  • If your Amazon VPC doesn't have an internet gateway and your tasks use the awslogs log driver to send log information to CloudWatch Logs, you must create an interface VPC endpoint for CloudWatch Logs. For more information, see Using CloudWatch Logs with Interface VPC Endpoints in the Amazon CloudWatch Logs User Guide.

  • VPC endpoints don't support AWS cross-Region requests. Ensure that you create your endpoint in the same Region where you plan to issue your API calls to App Mesh.

  • VPC endpoints only support Amazon-provided DNS through Amazon RouteĀ 53. If you want to use your own DNS, you can use conditional DNS forwarding. For more information, see DHCP Options Sets in the Amazon VPC User Guide.

  • The security group attached to the VPC endpoint must allow incoming connections on port 443 from the private subnet of the Amazon VPC.


    Controlling access to App Mesh by attaching an endpoint policy to the VPC endpoint (for example, using the service name com.amazonaws.Region.appmesh-envoy-management) isn't supported for Envoy connection.

For additional considerations and limitations, see Interface Endpoint Availability Zone Considerations and Interface Endpoint Properties and Limitations.

Create the interface VPC endpoint for App Mesh

To create the interface VPC endpoint for the App Mesh service, use the Creating an Interface Endpoint procedure in the Amazon VPC User Guide. Specify com.amazonaws.Region.appmesh-envoy-management for the service name for your Envoy proxy to connect to the App Mesh's public Envoy management service and com.amazonaws.Region.appmesh for mesh operations.


Region represents the Region identifier for an AWS Region supported by App Mesh, such as us-east-2 for the US East (Ohio) Region.

Though you can define an interface VPC endpoint for App Mesh in any Region where App Mesh is supported, you may not be able to define an endpoint for all Availability Zones in each Region. To find out which Availability Zones are supported with interface VPC endpoints in a Region, use the describe-vpc-endpoint-services command or use the AWS Management Console. For example, the following commands return the availability zones to which you can deploy an App Mesh interface VPC endpoints within the US East (Ohio) Region:

aws --region us-east-2 ec2 describe-vpc-endpoint-services --query 'ServiceDetails[?ServiceName==``].AvailabilityZones[]'
aws --region us-east-2 ec2 describe-vpc-endpoint-services --query 'ServiceDetails[?ServiceName==``].AvailabilityZones[]'