Package software.amazon.awscdk.services.appmesh


package software.amazon.awscdk.services.appmesh

AWS App Mesh Construct Library

AWS App Mesh is a service mesh based on the Envoy proxy that makes it easy to monitor and control microservices. App Mesh standardizes how your microservices communicate, giving you end-to-end visibility and helping to ensure high-availability for your applications.

App Mesh gives you consistent visibility and network traffic controls for every microservice in an application.

App Mesh supports microservice applications that use service discovery naming for their components. To use App Mesh, you must have an existing application running on AWS Fargate, Amazon ECS, Amazon EKS, Kubernetes on AWS, or Amazon EC2.

For further information on AWS App Mesh, visit the AWS App Mesh Documentation.

Create the App and Stack

 App app = new App();
 Stack stack = new Stack(app, "stack");
 

Creating the Mesh

A service mesh is a logical boundary for network traffic between the services that reside within it.

After you create your service mesh, you can create virtual services, virtual nodes, virtual routers, and routes to distribute traffic between the applications in your mesh.

The following example creates the AppMesh service mesh with the default egress filter of DROP_ALL. See the AWS CloudFormation EgressFilter resource for more info on egress filters.

 Mesh mesh = Mesh.Builder.create(this, "AppMesh")
         .meshName("myAwsMesh")
         .build();
 

The mesh can instead be created with the ALLOW_ALL egress filter by providing the egressFilter property.

 Mesh mesh = Mesh.Builder.create(this, "AppMesh")
         .meshName("myAwsMesh")
         .egressFilter(MeshFilterType.ALLOW_ALL)
         .build();
 

A mesh with an IP preference can be created by providing the property serviceDiscovery that specifes an ipPreference.

 Mesh mesh = Mesh.Builder.create(this, "AppMesh")
         .meshName("myAwsMesh")
         .serviceDiscovery(MeshServiceDiscovery.builder()
                 .ipPreference(IpPreference.IPV4_ONLY)
                 .build())
         .build();
 

Adding VirtualRouters

A mesh uses virtual routers as logical units to route requests to virtual nodes.

Virtual routers handle traffic for one or more virtual services within your mesh. After you create a virtual router, you can create and associate routes to your virtual router that direct incoming requests to different virtual nodes.

 Mesh mesh;
 
 VirtualRouter router = mesh.addVirtualRouter("router", VirtualRouterBaseProps.builder()
         .listeners(List.of(VirtualRouterListener.http(8080)))
         .build());
 

Note that creating the router using the addVirtualRouter() method places it in the same stack as the mesh (which might be different from the current stack). The router can also be created using the VirtualRouter constructor (passing in the mesh) instead of calling the addVirtualRouter() method. This is particularly useful when splitting your resources between many stacks: for example, defining the mesh itself as part of an infrastructure stack, but defining the other resources, such as routers, in the application stack:

 Stack infraStack;
 Stack appStack;
 
 
 Mesh mesh = Mesh.Builder.create(infraStack, "AppMesh")
         .meshName("myAwsMesh")
         .egressFilter(MeshFilterType.ALLOW_ALL)
         .build();
 
 // the VirtualRouter will belong to 'appStack',
 // even though the Mesh belongs to 'infraStack'
 VirtualRouter router = VirtualRouter.Builder.create(appStack, "router")
         .mesh(mesh) // notice that mesh is a required property when creating a router with the 'new' statement
         .listeners(List.of(VirtualRouterListener.http(8081)))
         .build();
 

The same is true for other add*() methods in the App Mesh construct library.

The VirtualRouterListener class lets you define protocol-specific listeners. The http(), http2(), grpc() and tcp() methods create listeners for the named protocols. They accept a single parameter that defines the port to on which requests will be matched. The port parameter defaults to 8080 if omitted.

Adding a VirtualService

A virtual service is an abstraction of a real service that is provided by a virtual node directly, or indirectly by means of a virtual router. Dependent services call your virtual service by its virtualServiceName, and those requests are routed to the virtual node or virtual router specified as the provider for the virtual service.

We recommend that you use the service discovery name of the real service that you're targeting (such as my-service.default.svc.cluster.local).

When creating a virtual service:

  • If you want the virtual service to spread traffic across multiple virtual nodes, specify a virtual router.
  • If you want the virtual service to reach a virtual node directly, without a virtual router, specify a virtual node.

Adding a virtual router as the provider:

 VirtualRouter router;
 
 
 VirtualService.Builder.create(this, "virtual-service")
         .virtualServiceName("my-service.default.svc.cluster.local") // optional
         .virtualServiceProvider(VirtualServiceProvider.virtualRouter(router))
         .build();
 

Adding a virtual node as the provider:

 VirtualNode node;
 
 
 VirtualService.Builder.create(this, "virtual-service")
         .virtualServiceName("my-service.default.svc.cluster.local") // optional
         .virtualServiceProvider(VirtualServiceProvider.virtualNode(node))
         .build();
 

Adding a VirtualNode

A virtual node acts as a logical pointer to a particular task group, such as an Amazon ECS service or a Kubernetes deployment.

When you create a virtual node, accept inbound traffic by specifying a listener. Outbound traffic that your virtual node expects to send should be specified as a back end.

The response metadata for your new virtual node contains the Amazon Resource Name (ARN) that is associated with the virtual node. Set this value (either the full ARN or the truncated resource name) as the APPMESH_VIRTUAL_NODE_NAME environment variable for your task group's Envoy proxy container in your task definition or pod spec. For example, the value could be mesh/default/virtualNode/simpleapp. This is then mapped to the node.id and node.cluster Envoy parameters.

Note If you require your Envoy stats or tracing to use a different name, you can override the node.cluster value that is set by APPMESH_VIRTUAL_NODE_NAME with the APPMESH_VIRTUAL_NODE_CLUSTER environment variable.

 Mesh mesh;
 Vpc vpc = new Vpc(this, "vpc");
 PrivateDnsNamespace namespace = PrivateDnsNamespace.Builder.create(this, "test-namespace")
         .vpc(vpc)
         .name("domain.local")
         .build();
 Service service = namespace.createService("Svc");
 VirtualNode node = mesh.addVirtualNode("virtual-node", VirtualNodeBaseProps.builder()
         .serviceDiscovery(ServiceDiscovery.cloudMap(service))
         .listeners(List.of(VirtualNodeListener.http(HttpVirtualNodeListenerOptions.builder()
                 .port(8081)
                 .healthCheck(HealthCheck.http(HttpHealthCheckOptions.builder()
                         .healthyThreshold(3)
                         .interval(Duration.seconds(5)) // minimum
                         .path("/health-check-path")
                         .timeout(Duration.seconds(2)) // minimum
                         .unhealthyThreshold(2)
                         .build()))
                 .build())))
         .accessLog(AccessLog.fromFilePath("/dev/stdout"))
         .build());
 

Create a VirtualNode with the constructor and add tags.

 Mesh mesh;
 Service service;
 
 
 VirtualNode node = VirtualNode.Builder.create(this, "node")
         .mesh(mesh)
         .serviceDiscovery(ServiceDiscovery.cloudMap(service))
         .listeners(List.of(VirtualNodeListener.http(HttpVirtualNodeListenerOptions.builder()
                 .port(8080)
                 .healthCheck(HealthCheck.http(HttpHealthCheckOptions.builder()
                         .healthyThreshold(3)
                         .interval(Duration.seconds(5))
                         .path("/ping")
                         .timeout(Duration.seconds(2))
                         .unhealthyThreshold(2)
                         .build()))
                 .timeout(HttpTimeout.builder()
                         .idle(Duration.seconds(5))
                         .build())
                 .build())))
         .backendDefaults(BackendDefaults.builder()
                 .tlsClientPolicy(TlsClientPolicy.builder()
                         .validation(TlsValidation.builder()
                                 .trust(TlsValidationTrust.file("/keys/local_cert_chain.pem"))
                                 .build())
                         .build())
                 .build())
         .accessLog(AccessLog.fromFilePath("/dev/stdout"))
         .build();
 
 Tags.of(node).add("Environment", "Dev");
 

Create a VirtualNode with the customized access logging format.

 Mesh mesh;
 Service service;
 
 VirtualNode node = VirtualNode.Builder.create(this, "node")
         .mesh(mesh)
         .serviceDiscovery(ServiceDiscovery.cloudMap(service))
         .listeners(List.of(VirtualNodeListener.http(HttpVirtualNodeListenerOptions.builder()
                 .port(8080)
                 .healthCheck(HealthCheck.http(HttpHealthCheckOptions.builder()
                         .healthyThreshold(3)
                         .interval(Duration.seconds(5))
                         .path("/ping")
                         .timeout(Duration.seconds(2))
                         .unhealthyThreshold(2)
                         .build()))
                 .timeout(HttpTimeout.builder()
                         .idle(Duration.seconds(5))
                         .build())
                 .build())))
         .backendDefaults(BackendDefaults.builder()
                 .tlsClientPolicy(TlsClientPolicy.builder()
                         .validation(TlsValidation.builder()
                                 .trust(TlsValidationTrust.file("/keys/local_cert_chain.pem"))
                                 .build())
                         .build())
                 .build())
         .accessLog(AccessLog.fromFilePath("/dev/stdout", LoggingFormat.fromJson(Map.of("testKey1", "testValue1", "testKey2", "testValue2"))))
         .build();
 

By using a key-value pair indexed signature, you can specify json key pairs to customize the log entry pattern. You can also use text format as below. You can only specify one of these 2 formats.

   accessLog: appmesh.AccessLog.fromFilePath('/dev/stdout', appmesh.LoggingFormat.fromText('test_pattern')),
 

For what values and operators you can use for these two formats, please visit the latest envoy documentation. (https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage) Create a VirtualNode with the constructor and add backend virtual service.

 Mesh mesh;
 VirtualRouter router;
 Service service;
 
 
 VirtualNode node = VirtualNode.Builder.create(this, "node")
         .mesh(mesh)
         .serviceDiscovery(ServiceDiscovery.cloudMap(service))
         .listeners(List.of(VirtualNodeListener.http(HttpVirtualNodeListenerOptions.builder()
                 .port(8080)
                 .healthCheck(HealthCheck.http(HttpHealthCheckOptions.builder()
                         .healthyThreshold(3)
                         .interval(Duration.seconds(5))
                         .path("/ping")
                         .timeout(Duration.seconds(2))
                         .unhealthyThreshold(2)
                         .build()))
                 .timeout(HttpTimeout.builder()
                         .idle(Duration.seconds(5))
                         .build())
                 .build())))
         .accessLog(AccessLog.fromFilePath("/dev/stdout"))
         .build();
 
 VirtualService virtualService = VirtualService.Builder.create(this, "service-1")
         .virtualServiceProvider(VirtualServiceProvider.virtualRouter(router))
         .virtualServiceName("service1.domain.local")
         .build();
 
 node.addBackend(Backend.virtualService(virtualService));
 

The listeners property can be left blank and added later with the node.addListener() method. The serviceDiscovery property must be specified when specifying a listener.

The backends property can be added with node.addBackend(). In the example, we define a virtual service and add it to the virtual node to allow egress traffic to other nodes.

The backendDefaults property is added to the node while creating the virtual node. These are the virtual node's default settings for all backends.

The VirtualNode.addBackend() method is especially useful if you want to create a circular traffic flow by having a Virtual Service as a backend whose provider is that same Virtual Node:

 Mesh mesh;
 
 
 VirtualNode node = VirtualNode.Builder.create(this, "node")
         .mesh(mesh)
         .serviceDiscovery(ServiceDiscovery.dns("node"))
         .build();
 
 VirtualService virtualService = VirtualService.Builder.create(this, "service-1")
         .virtualServiceProvider(VirtualServiceProvider.virtualNode(node))
         .virtualServiceName("service1.domain.local")
         .build();
 
 node.addBackend(Backend.virtualService(virtualService));
 

Adding TLS to a listener

The tls property specifies TLS configuration when creating a listener for a virtual node or a virtual gateway. Provide the TLS certificate to the proxy in one of the following ways:

  • A certificate from AWS Certificate Manager (ACM).
  • A customer-provided certificate (specify a certificateChain path file and a privateKey file path).
  • A certificate provided by a Secrets Discovery Service (SDS) endpoint over local Unix Domain Socket (specify its secretName).

 // A Virtual Node with listener TLS from an ACM provided certificate
 Certificate cert;
 Mesh mesh;
 
 
 VirtualNode node = VirtualNode.Builder.create(this, "node")
         .mesh(mesh)
         .serviceDiscovery(ServiceDiscovery.dns("node"))
         .listeners(List.of(VirtualNodeListener.grpc(GrpcVirtualNodeListenerOptions.builder()
                 .port(80)
                 .tls(ListenerTlsOptions.builder()
                         .mode(TlsMode.STRICT)
                         .certificate(TlsCertificate.acm(cert))
                         .build())
                 .build())))
         .build();
 
 // A Virtual Gateway with listener TLS from a customer provided file certificate
 VirtualGateway gateway = VirtualGateway.Builder.create(this, "gateway")
         .mesh(mesh)
         .listeners(List.of(VirtualGatewayListener.grpc(GrpcGatewayListenerOptions.builder()
                 .port(8080)
                 .tls(ListenerTlsOptions.builder()
                         .mode(TlsMode.STRICT)
                         .certificate(TlsCertificate.file("path/to/certChain", "path/to/privateKey"))
                         .build())
                 .build())))
         .virtualGatewayName("gateway")
         .build();
 
 // A Virtual Gateway with listener TLS from a SDS provided certificate
 VirtualGateway gateway2 = VirtualGateway.Builder.create(this, "gateway2")
         .mesh(mesh)
         .listeners(List.of(VirtualGatewayListener.http2(Http2GatewayListenerOptions.builder()
                 .port(8080)
                 .tls(ListenerTlsOptions.builder()
                         .mode(TlsMode.STRICT)
                         .certificate(TlsCertificate.sds("secrete_certificate"))
                         .build())
                 .build())))
         .virtualGatewayName("gateway2")
         .build();
 

Adding mutual TLS authentication

Mutual TLS authentication is an optional component of TLS that offers two-way peer authentication. To enable mutual TLS authentication, add the mutualTlsCertificate property to TLS client policy and/or the mutualTlsValidation property to your TLS listener.

tls.mutualTlsValidation and tlsClientPolicy.mutualTlsCertificate can be sourced from either:

  • A customer-provided certificate (specify a certificateChain path file and a privateKey file path).
  • A certificate provided by a Secrets Discovery Service (SDS) endpoint over local Unix Domain Socket (specify its secretName).

Note Currently, a certificate from AWS Certificate Manager (ACM) cannot be used for mutual TLS authentication.

 Mesh mesh;
 
 
 VirtualNode node1 = VirtualNode.Builder.create(this, "node1")
         .mesh(mesh)
         .serviceDiscovery(ServiceDiscovery.dns("node"))
         .listeners(List.of(VirtualNodeListener.grpc(GrpcVirtualNodeListenerOptions.builder()
                 .port(80)
                 .tls(ListenerTlsOptions.builder()
                         .mode(TlsMode.STRICT)
                         .certificate(TlsCertificate.file("path/to/certChain", "path/to/privateKey"))
                         // Validate a file client certificates to enable mutual TLS authentication when a client provides a certificate.
                         .mutualTlsValidation(MutualTlsValidation.builder()
                                 .trust(TlsValidationTrust.file("path-to-certificate"))
                                 .build())
                         .build())
                 .build())))
         .build();
 
 String certificateAuthorityArn = "arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012";
 VirtualNode node2 = VirtualNode.Builder.create(this, "node2")
         .mesh(mesh)
         .serviceDiscovery(ServiceDiscovery.dns("node2"))
         .backendDefaults(BackendDefaults.builder()
                 .tlsClientPolicy(TlsClientPolicy.builder()
                         .ports(List.of(8080, 8081))
                         .validation(TlsValidation.builder()
                                 .subjectAlternativeNames(SubjectAlternativeNames.matchingExactly("mesh-endpoint.apps.local"))
                                 .trust(TlsValidationTrust.acm(List.of(CertificateAuthority.fromCertificateAuthorityArn(this, "certificate", certificateAuthorityArn))))
                                 .build())
                         // Provide a SDS client certificate when a server requests it and enable mutual TLS authentication.
                         .mutualTlsCertificate(TlsCertificate.sds("secret_certificate"))
                         .build())
                 .build())
         .build();
 

Adding outlier detection to a Virtual Node listener

The outlierDetection property adds outlier detection to a Virtual Node listener. The properties baseEjectionDuration, interval, maxEjectionPercent, and maxServerErrors are required.

 Mesh mesh;
 // Cloud Map service discovery is currently required for host ejection by outlier detection
 Vpc vpc = new Vpc(this, "vpc");
 PrivateDnsNamespace namespace = PrivateDnsNamespace.Builder.create(this, "test-namespace")
         .vpc(vpc)
         .name("domain.local")
         .build();
 Service service = namespace.createService("Svc");
 VirtualNode node = mesh.addVirtualNode("virtual-node", VirtualNodeBaseProps.builder()
         .serviceDiscovery(ServiceDiscovery.cloudMap(service))
         .listeners(List.of(VirtualNodeListener.http(HttpVirtualNodeListenerOptions.builder()
                 .outlierDetection(OutlierDetection.builder()
                         .baseEjectionDuration(Duration.seconds(10))
                         .interval(Duration.seconds(30))
                         .maxEjectionPercent(50)
                         .maxServerErrors(5)
                         .build())
                 .build())))
         .build());
 

Adding a connection pool to a listener

The connectionPool property can be added to a Virtual Node listener or Virtual Gateway listener to add a request connection pool. Each listener protocol type has its own connection pool properties.

 // A Virtual Node with a gRPC listener with a connection pool set
 Mesh mesh;
 
 VirtualNode node = VirtualNode.Builder.create(this, "node")
         .mesh(mesh)
         // DNS service discovery can optionally specify the DNS response type as either LOAD_BALANCER or ENDPOINTS.
         // LOAD_BALANCER means that the DNS resolver returns a loadbalanced set of endpoints,
         // whereas ENDPOINTS means that the DNS resolver is returning all the endpoints.
         // By default, the response type is assumed to be LOAD_BALANCER
         .serviceDiscovery(ServiceDiscovery.dns("node", DnsResponseType.ENDPOINTS))
         .listeners(List.of(VirtualNodeListener.http(HttpVirtualNodeListenerOptions.builder()
                 .port(80)
                 .connectionPool(HttpConnectionPool.builder()
                         .maxConnections(100)
                         .maxPendingRequests(10)
                         .build())
                 .build())))
         .build();
 
 // A Virtual Gateway with a gRPC listener with a connection pool set
 VirtualGateway gateway = VirtualGateway.Builder.create(this, "gateway")
         .mesh(mesh)
         .listeners(List.of(VirtualGatewayListener.grpc(GrpcGatewayListenerOptions.builder()
                 .port(8080)
                 .connectionPool(GrpcConnectionPool.builder()
                         .maxRequests(10)
                         .build())
                 .build())))
         .virtualGatewayName("gateway")
         .build();
 

Adding an IP Preference to a Virtual Node

An ipPreference can be specified as part of a Virtual Node's service discovery. An IP preference defines how clients for this Virtual Node will interact with it.

There a four different IP preferences available to use which each specify what IP versions this Virtual Node will use and prefer.

  • IPv4_ONLY - Only use IPv4. For CloudMap service discovery, only IPv4 addresses returned from CloudMap will be used. For DNS service discovery, Envoy's DNS resolver will only resolve DNS queries for IPv4.
  • IPv4_PREFERRED - Prefer IPv4 and fall back to IPv6. For CloudMap service discovery, an IPv4 address will be used if returned from CloudMap. Otherwise, an IPv6 address will be used if available. For DNS service discovery, Envoy's DNS resolver will first attempt to resolve DNS queries using IPv4 and fall back to IPv6.
  • IPv6_ONLY - Only use IPv6. For CloudMap service discovery, only IPv6 addresses returned from CloudMap will be used. For DNS service discovery, Envoy's DNS resolver will only resolve DNS queries for IPv6.
  • IPv6_PREFERRED - Prefer IPv6 and fall back to IPv4. For CloudMap service discovery, an IPv6 address will be used if returned from CloudMap. Otherwise, an IPv4 address will be used if available. For DNS service discovery, Envoy's DNS resolver will first attempt to resolve DNS queries using IPv6 and fall back to IPv4.

 Mesh mesh = Mesh.Builder.create(this, "mesh")
         .meshName("mesh-with-preference")
         .build();
 
 // Virtual Node with DNS service discovery and an IP preference
 VirtualNode dnsNode = VirtualNode.Builder.create(this, "dns-node")
         .mesh(mesh)
         .serviceDiscovery(ServiceDiscovery.dns("test", DnsResponseType.LOAD_BALANCER, IpPreference.IPV4_ONLY))
         .build();
 
 // Virtual Node with CloudMap service discovery and an IP preference
 Vpc vpc = new Vpc(this, "vpc");
 PrivateDnsNamespace namespace = PrivateDnsNamespace.Builder.create(this, "test-namespace")
         .vpc(vpc)
         .name("domain.local")
         .build();
 Service service = namespace.createService("Svc");
 
 Map<String, String> instanceAttribute = Map.of();
 instanceAttribute.getTestKey() = "testValue";
 
 VirtualNode cloudmapNode = VirtualNode.Builder.create(this, "cloudmap-node")
         .mesh(mesh)
         .serviceDiscovery(ServiceDiscovery.cloudMap(service, instanceAttribute, IpPreference.IPV4_ONLY))
         .build();
 

Adding a Route

A route matches requests with an associated virtual router and distributes traffic to its associated virtual nodes. The route distributes matching requests to one or more target virtual nodes with relative weighting.

The RouteSpec class lets you define protocol-specific route specifications. The tcp(), http(), http2(), and grpc() methods create a specification for the named protocols.

For HTTP-based routes, the match field can match on path (prefix, exact, or regex), HTTP method, scheme, HTTP headers, and query parameters. By default, HTTP-based routes match all requests.

For gRPC-based routes, the match field can match on service name, method name, and metadata. When specifying the method name, the service name must also be specified.

For example, here's how to add an HTTP route that matches based on a prefix of the URL path:

 VirtualRouter router;
 VirtualNode node;
 
 
 router.addRoute("route-http", RouteBaseProps.builder()
         .routeSpec(RouteSpec.http(HttpRouteSpecOptions.builder()
                 .weightedTargets(List.of(WeightedTarget.builder()
                         .virtualNode(node)
                         .build()))
                 .match(HttpRouteMatch.builder()
                         // Path that is passed to this method must start with '/'.
                         .path(HttpRoutePathMatch.startsWith("/path-to-app"))
                         .build())
                 .build()))
         .build());
 

Add an HTTP2 route that matches based on exact path, method, scheme, headers, and query parameters:

 VirtualRouter router;
 VirtualNode node;
 
 
 router.addRoute("route-http2", RouteBaseProps.builder()
         .routeSpec(RouteSpec.http2(HttpRouteSpecOptions.builder()
                 .weightedTargets(List.of(WeightedTarget.builder()
                         .virtualNode(node)
                         .build()))
                 .match(HttpRouteMatch.builder()
                         .path(HttpRoutePathMatch.exactly("/exact"))
                         .method(HttpRouteMethod.POST)
                         .protocol(HttpRouteProtocol.HTTPS)
                         .headers(List.of(HeaderMatch.valueIs("Content-Type", "application/json"), HeaderMatch.valueIsNot("Content-Type", "application/json")))
                         .queryParameters(List.of(QueryParameterMatch.valueIs("query-field", "value")))
                         .build())
                 .build()))
         .build());
 

Add a single route with two targets and split traffic 50/50:

 VirtualRouter router;
 VirtualNode node;
 
 
 router.addRoute("route-http", RouteBaseProps.builder()
         .routeSpec(RouteSpec.http(HttpRouteSpecOptions.builder()
                 .weightedTargets(List.of(WeightedTarget.builder()
                         .virtualNode(node)
                         .weight(50)
                         .build(), WeightedTarget.builder()
                         .virtualNode(node)
                         .weight(50)
                         .build()))
                 .match(HttpRouteMatch.builder()
                         .path(HttpRoutePathMatch.startsWith("/path-to-app"))
                         .build())
                 .build()))
         .build());
 

Add an http2 route with retries:

 VirtualRouter router;
 VirtualNode node;
 
 
 router.addRoute("route-http2-retry", RouteBaseProps.builder()
         .routeSpec(RouteSpec.http2(HttpRouteSpecOptions.builder()
                 .weightedTargets(List.of(WeightedTarget.builder().virtualNode(node).build()))
                 .retryPolicy(HttpRetryPolicy.builder()
                         // Retry if the connection failed
                         .tcpRetryEvents(List.of(TcpRetryEvent.CONNECTION_ERROR))
                         // Retry if HTTP responds with a gateway error (502, 503, 504)
                         .httpRetryEvents(List.of(HttpRetryEvent.GATEWAY_ERROR))
                         // Retry five times
                         .retryAttempts(5)
                         // Use a 1 second timeout per retry
                         .retryTimeout(Duration.seconds(1))
                         .build())
                 .build()))
         .build());
 

Add a gRPC route with retries:

 VirtualRouter router;
 VirtualNode node;
 
 
 router.addRoute("route-grpc-retry", RouteBaseProps.builder()
         .routeSpec(RouteSpec.grpc(GrpcRouteSpecOptions.builder()
                 .weightedTargets(List.of(WeightedTarget.builder().virtualNode(node).build()))
                 .match(GrpcRouteMatch.builder().serviceName("servicename").build())
                 .retryPolicy(GrpcRetryPolicy.builder()
                         .tcpRetryEvents(List.of(TcpRetryEvent.CONNECTION_ERROR))
                         .httpRetryEvents(List.of(HttpRetryEvent.GATEWAY_ERROR))
                         // Retry if gRPC responds that the request was cancelled, a resource
                         // was exhausted, or if the service is unavailable
                         .grpcRetryEvents(List.of(GrpcRetryEvent.CANCELLED, GrpcRetryEvent.RESOURCE_EXHAUSTED, GrpcRetryEvent.UNAVAILABLE))
                         .retryAttempts(5)
                         .retryTimeout(Duration.seconds(1))
                         .build())
                 .build()))
         .build());
 

Add an gRPC route that matches based on method name and metadata:

 VirtualRouter router;
 VirtualNode node;
 
 
 router.addRoute("route-grpc-retry", RouteBaseProps.builder()
         .routeSpec(RouteSpec.grpc(GrpcRouteSpecOptions.builder()
                 .weightedTargets(List.of(WeightedTarget.builder().virtualNode(node).build()))
                 .match(GrpcRouteMatch.builder()
                         // When method name is specified, service name must be also specified.
                         .methodName("methodname")
                         .serviceName("servicename")
                         .metadata(List.of(HeaderMatch.valueStartsWith("Content-Type", "application/"), HeaderMatch.valueDoesNotStartWith("Content-Type", "text/")))
                         .build())
                 .build()))
         .build());
 

Add a gRPC route that matches based on port:

 VirtualRouter router;
 VirtualNode node;
 
 
 router.addRoute("route-grpc-port", RouteBaseProps.builder()
         .routeSpec(RouteSpec.grpc(GrpcRouteSpecOptions.builder()
                 .weightedTargets(List.of(WeightedTarget.builder()
                         .virtualNode(node)
                         .build()))
                 .match(GrpcRouteMatch.builder()
                         .port(1234)
                         .build())
                 .build()))
         .build());
 

Add a gRPC route with timeout:

 VirtualRouter router;
 VirtualNode node;
 
 
 router.addRoute("route-http", RouteBaseProps.builder()
         .routeSpec(RouteSpec.grpc(GrpcRouteSpecOptions.builder()
                 .weightedTargets(List.of(WeightedTarget.builder()
                         .virtualNode(node)
                         .build()))
                 .match(GrpcRouteMatch.builder()
                         .serviceName("my-service.default.svc.cluster.local")
                         .build())
                 .timeout(GrpcTimeout.builder()
                         .idle(Duration.seconds(2))
                         .perRequest(Duration.seconds(1))
                         .build())
                 .build()))
         .build());
 

Adding a Virtual Gateway

A virtual gateway allows resources outside your mesh to communicate with resources inside your mesh. The virtual gateway represents an Envoy proxy running in an Amazon ECS task, in a Kubernetes service, or on an Amazon EC2 instance. Unlike a virtual node, which represents Envoy running with an application, a virtual gateway represents Envoy deployed by itself.

A virtual gateway is similar to a virtual node in that it has a listener that accepts traffic for a particular port and protocol (HTTP, HTTP2, gRPC). Traffic received by the virtual gateway is directed to other services in your mesh using rules defined in gateway routes which can be added to your virtual gateway.

Create a virtual gateway with the constructor:

 Mesh mesh;
 
 String certificateAuthorityArn = "arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012";
 
 VirtualGateway gateway = VirtualGateway.Builder.create(this, "gateway")
         .mesh(mesh)
         .listeners(List.of(VirtualGatewayListener.http(HttpGatewayListenerOptions.builder()
                 .port(443)
                 .healthCheck(HealthCheck.http(HttpHealthCheckOptions.builder()
                         .interval(Duration.seconds(10))
                         .build()))
                 .build())))
         .backendDefaults(BackendDefaults.builder()
                 .tlsClientPolicy(TlsClientPolicy.builder()
                         .ports(List.of(8080, 8081))
                         .validation(TlsValidation.builder()
                                 .trust(TlsValidationTrust.acm(List.of(CertificateAuthority.fromCertificateAuthorityArn(this, "certificate", certificateAuthorityArn))))
                                 .build())
                         .build())
                 .build())
         .accessLog(AccessLog.fromFilePath("/dev/stdout"))
         .virtualGatewayName("virtualGateway")
         .build();
 

Add a virtual gateway directly to the mesh:

 Mesh mesh;
 
 
 VirtualGateway gateway = mesh.addVirtualGateway("gateway", VirtualGatewayBaseProps.builder()
         .accessLog(AccessLog.fromFilePath("/dev/stdout"))
         .virtualGatewayName("virtualGateway")
         .listeners(List.of(VirtualGatewayListener.http(HttpGatewayListenerOptions.builder()
                 .port(443)
                 .healthCheck(HealthCheck.http(HttpHealthCheckOptions.builder()
                         .interval(Duration.seconds(10))
                         .build()))
                 .build())))
         .build());
 

The listeners field defaults to an HTTP Listener on port 8080 if omitted. A gateway route can be added using the gateway.addGatewayRoute() method.

The backendDefaults property, provided when creating the virtual gateway, specifies the virtual gateway's default settings for all backends.

Adding a Gateway Route

A gateway route is attached to a virtual gateway and routes matching traffic to an existing virtual service.

For HTTP-based gateway routes, the match field can be used to match on path (prefix, exact, or regex), HTTP method, host name, HTTP headers, and query parameters. By default, HTTP-based gateway routes match all requests.

 VirtualGateway gateway;
 VirtualService virtualService;
 
 
 gateway.addGatewayRoute("gateway-route-http", GatewayRouteBaseProps.builder()
         .routeSpec(GatewayRouteSpec.http(HttpGatewayRouteSpecOptions.builder()
                 .routeTarget(virtualService)
                 .match(HttpGatewayRouteMatch.builder()
                         .path(HttpGatewayRoutePathMatch.regex("regex"))
                         .build())
                 .build()))
         .build());
 

For gRPC-based gateway routes, the match field can be used to match on service name, host name, port and metadata.

 VirtualGateway gateway;
 VirtualService virtualService;
 
 
 gateway.addGatewayRoute("gateway-route-grpc", GatewayRouteBaseProps.builder()
         .routeSpec(GatewayRouteSpec.grpc(GrpcGatewayRouteSpecOptions.builder()
                 .routeTarget(virtualService)
                 .match(GrpcGatewayRouteMatch.builder()
                         .hostname(GatewayRouteHostnameMatch.endsWith(".example.com"))
                         .build())
                 .build()))
         .build());
 

For HTTP based gateway routes, App Mesh automatically rewrites the matched prefix path in Gateway Route to “/”. This automatic rewrite configuration can be overwritten in following ways:

 VirtualGateway gateway;
 VirtualService virtualService;
 
 
 gateway.addGatewayRoute("gateway-route-http", GatewayRouteBaseProps.builder()
         .routeSpec(GatewayRouteSpec.http(HttpGatewayRouteSpecOptions.builder()
                 .routeTarget(virtualService)
                 .match(HttpGatewayRouteMatch.builder()
                         // This disables the default rewrite to '/', and retains original path.
                         .path(HttpGatewayRoutePathMatch.startsWith("/path-to-app/", ""))
                         .build())
                 .build()))
         .build());
 
 gateway.addGatewayRoute("gateway-route-http-1", GatewayRouteBaseProps.builder()
         .routeSpec(GatewayRouteSpec.http(HttpGatewayRouteSpecOptions.builder()
                 .routeTarget(virtualService)
                 .match(HttpGatewayRouteMatch.builder()
                         // If the request full path is '/path-to-app/xxxxx', this rewrites the path to '/rewrittenUri/xxxxx'.
                         // Please note both `prefixPathMatch` and `rewriteTo` must start and end with the `/` character.
                         .path(HttpGatewayRoutePathMatch.startsWith("/path-to-app/", "/rewrittenUri/"))
                         .build())
                 .build()))
         .build());
 

If matching other path (exact or regex), only specific rewrite path can be specified. Unlike startsWith() method above, no default rewrite is performed.

 VirtualGateway gateway;
 VirtualService virtualService;
 
 
 gateway.addGatewayRoute("gateway-route-http-2", GatewayRouteBaseProps.builder()
         .routeSpec(GatewayRouteSpec.http(HttpGatewayRouteSpecOptions.builder()
                 .routeTarget(virtualService)
                 .match(HttpGatewayRouteMatch.builder()
                         // This rewrites the path from '/test' to '/rewrittenPath'.
                         .path(HttpGatewayRoutePathMatch.exactly("/test", "/rewrittenPath"))
                         .build())
                 .build()))
         .build());
 

For HTTP/gRPC based routes, App Mesh automatically rewrites the original request received at the Virtual Gateway to the destination Virtual Service name. This default host name rewrite can be configured by specifying the rewrite rule as one of the match property:

 VirtualGateway gateway;
 VirtualService virtualService;
 
 
 gateway.addGatewayRoute("gateway-route-grpc", GatewayRouteBaseProps.builder()
         .routeSpec(GatewayRouteSpec.grpc(GrpcGatewayRouteSpecOptions.builder()
                 .routeTarget(virtualService)
                 .match(GrpcGatewayRouteMatch.builder()
                         .hostname(GatewayRouteHostnameMatch.exactly("example.com"))
                         // This disables the default rewrite to virtual service name and retain original request.
                         .rewriteRequestHostname(false)
                         .build())
                 .build()))
         .build());
 

Importing Resources

Each App Mesh resource class comes with two static methods, from<Resource>Arn and from<Resource>Attributes (where <Resource> is replaced with the resource name, such as VirtualNode) for importing a reference to an existing App Mesh resource. These imported resources can be used with other resources in your mesh as if they were defined directly in your CDK application.

 String arn = "arn:aws:appmesh:us-east-1:123456789012:mesh/testMesh/virtualNode/testNode";
 VirtualNode.fromVirtualNodeArn(this, "importedVirtualNode", arn);
 

 String virtualNodeName = "my-virtual-node";
 VirtualNode.fromVirtualNodeAttributes(this, "imported-virtual-node", VirtualNodeAttributes.builder()
         .mesh(Mesh.fromMeshName(this, "Mesh", "testMesh"))
         .virtualNodeName(virtualNodeName)
         .build());
 

To import a mesh, again there are two static methods, fromMeshArn and fromMeshName.

 String arn = "arn:aws:appmesh:us-east-1:123456789012:mesh/testMesh";
 Mesh.fromMeshArn(this, "imported-mesh", arn);
 

 Mesh.fromMeshName(this, "imported-mesh", "abc");
 

IAM Grants

VirtualNode and VirtualGateway provide grantStreamAggregatedResources methods that grant identities that are running Envoy access to stream generated config from App Mesh.

 Mesh mesh;
 
 VirtualGateway gateway = VirtualGateway.Builder.create(this, "testGateway").mesh(mesh).build();
 User envoyUser = new User(this, "envoyUser");
 
 /**
  * This will grant `grantStreamAggregatedResources` ONLY for this gateway.
  */
 gateway.grantStreamAggregatedResources(envoyUser);
 

Adding Resources to shared meshes

A shared mesh allows resources created by different accounts to communicate with each other in the same mesh:

 // This is the ARN for the mesh from different AWS IAM account ID.
 // Ensure mesh is properly shared with your account. For more details, see: https://github.com/aws/aws-cdk/issues/15404
 String arn = "arn:aws:appmesh:us-east-1:123456789012:mesh/testMesh";
 IMesh sharedMesh = Mesh.fromMeshArn(this, "imported-mesh", arn);
 
 // This VirtualNode resource can communicate with the resources in the mesh from different AWS IAM account ID.
 // This VirtualNode resource can communicate with the resources in the mesh from different AWS IAM account ID.
 VirtualNode.Builder.create(this, "test-node")
         .mesh(sharedMesh)
         .build();