App Mesh makes it easy to run services by providing consistent visibility and network traffic controls for every service. App Mesh separates the logic needed for monitoring and controlling communications into a proxy that runs next to every service. This removes the need to coordinate across teams or update application code to change how monitoring data is collected or traffic is routed. This allows you to quickly pinpoint the exact location of errors and automatically reroute network traffic when there are failures or when code changes need to be deployed.
You can use App Mesh with Amazon Fargate, Amazon ECS, Amazon EKS, Amazon EC2, and Kubernetes on EC2 to better run services at scale. App Mesh uses Envoy, an open source proxy that is compatible with a wide range of Amazon partner and open source tools for monitoring services.
Open source proxy
App Mesh uses the open source Envoy proxy to manage all traffic into and out of a service’s containers. App Mesh configures this proxy to automatically handle all of the service’s application communications. Envoy has a vibrant ecosystem of community-built integrations that work with App Mesh.
Compatible Amazon services:
Amazon CloudWatch* – monitoring and logging service for complete visibility of resources and applications.
Amazon X-Ray* – tracing service for an end-to-end view of application performance.
Compatible Amazon partner and open source tools:
Datadog, Alcide, HashiCorp, Sysdig, Signalfx, Spotinst, Tetrate, Neuvector, Weaveworks, Twistlock, Wavefront by VMware, Aqua.
Traffic Routing
App Mesh lets you configure services to connect directly to each other instead of requiring code within the application or using a load balancer. When each service starts, its proxies connect to App Mesh and receives configuration data about the locations of other services in the mesh. You can use controls in App Mesh to dynamically update traffic routing between services with no changes to your application code.
Client-side Traffic Policies
The proxies automatically load balance traffic from all clients in the mesh, and add and remove load balancing endpoints based on health checks and service registration. These capabilities make it easier to deploy new versions of your services and help tune applications to be resilient to failures.
Service-to-Service Authentication
Mutual TLS (mTLS) enables transport layer authentication, which provides service-to-service identity verification for the application components running in and outside service meshes. It allows customers to extend the security perimeter to the applications running in Amazon App Mesh by provisioning certificates from Amazon Certificate Manager Private Certificate Authority or a customer-managed Certificate Authority (CA) to workloads in the service mesh, and to enforce automatic authentication for client applications connecting to services.
Container orchestration native user experience
App Mesh works with services managed by Amazon ECS, Amazon EKS, Amazon Fargate, Kubernetes running on EC2. For containerized workloads running on ECS, EKS, Fargate, or Kubernetes, you include the provided App Mesh proxy as part of the task or pod definition for each microservice and configure the services’ application container to communicate directly with the proxy. When the service starts, the proxy automatically checks in with and is configured by App Mesh.
Fully managed
Amazon App Mesh is a managed and highly available service. App Mesh allows you to manage services communications without needing to install or manage application-level infrastructure for communications management.