Amazon App Mesh Documentation

App Mesh is designed to run services by providing visibility and network traffic controls for services. App Mesh separates the logic needed for monitoring and controlling communications into a proxy that runs next to services. This reduces the need to coordinate across teams or update application code to change how monitoring data is collected or traffic is routed. This allows you to pinpoint the exact location of errors and reroute network traffic when there are failures or when code changes need to be deployed.

You can use App Mesh with Amazon Fargate, Amazon ECS, Amazon EKS, Amazon EC2, and Kubernetes on EC2 to better run services at scale. 

App Mesh uses the open source Envoy proxy to manage traffic into and out of a service’s containers. App Mesh configures this proxy to handle the service’s application communications. 

App Mesh is compatible with Amazon CloudWatch* and Amazon X-Ray* as well as several Amazon Web Services partner and open source tools.

App Mesh lets you configure services to connect to each other instead of requiring code within the application or using a load balancer. When each service starts, its proxies connect to App Mesh and receive configuration data about the locations of other services in the mesh. You can use controls in App Mesh to update traffic routing between services with minimal changes to your application code. 

The proxies are designed to load balance traffic from clients in the mesh, and add and remove load balancing endpoints based on health checks and service registration. These capabilities help to deploy new versions of your services and tune applications to be resilient to failures.

Mutual TLS (mTLS) enables transport layer authentication, which provides service-to-service identity verification for the application components running in and outside service meshes. It allows customers to extend the security perimeter to the applications running in Amazon App Mesh by provisioning certificates from Amazon Certificate Manager Private Certificate Authority or a customer-managed Certificate Authority (CA) to workloads in the service mesh, and is designed to enforce authentication for client applications connecting to services.

For containerized workloads running on Amazon ECS, EKS, Fargate, or Kubernetes, you include the provided App Mesh proxy as part of the task or pod definition for each microservice and configure the services’ application container to communicate with the proxy. When the service starts, the proxy is designed to check in with and is configured by App Mesh.

Amazon App Mesh is a managed service. App Mesh allows you to manage services communications without needing to install or manage application-level infrastructure for communications management.

For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see https://docs.amazonaws.cn/en_us/. This additional information does not form part of the Documentation for purposes of the Sinnet Customer Agreement for Amazon Web Services (Beijing Region), Western Cloud Data Customer Agreement for Amazon Web Services (Ningxia Region) or other agreement between you and Sinnet or NWCD governing your use of services of Amazon Web Services China Regions.