Networking

Building a Service Mesh with AWS App Mesh - Controlling and Observing Microservice Communication

Learn how to declaratively configure canary deployments, retry policies, and mTLS encryption using Envoy sidecars, and visualize service dependencies with X-Ray integration.

約 3 分で読めます

Overview of App Mesh

App Mesh is a service mesh that controls and monitors communication between microservices. It deploys an Envoy proxy as a sidecar alongside each service, routing inter-service traffic through the proxies. Without modifying application code, you can configure traffic weighting, retries, timeouts, and circuit breakers.

Traffic Control and Observability

Virtual routers let you configure traffic weighting for canary deployments, such as routing 10% of traffic to a new version. By gradually adjusting the weights (10% to 25% to 50% to 100%), you can safely migrate traffic. Retry policies allow you to declaratively define settings like retrying up to 3 times on HTTP 503 errors with exponential backoff. Circuit breakers use outlier detection to temporarily remove endpoints from the routing pool when their error rate exceeds a threshold. X-Ray integration enables Envoy proxies to automatically send trace data, visualizing call chains, latency, and error rates between services. CloudWatch metrics let you monitor request counts, latency, and error rates on a per-service basis. If cross-VPC or cross-account service communication is your primary requirement, VPC Lattice is also worth considering since it eliminates the need to operate Envoy.

mTLS and Access Control

App Mesh can encrypt communication between Envoy proxies using mTLS. When you configure certificates issued by ACM Private CA on virtual nodes, mutual authentication occurs during the proxy handshake, preventing impersonation. SDS (Secret Discovery Service) also automates certificate rotation. For access control, you explicitly define which services are allowed as backends for virtual nodes, blocking unintended inter-service communication. Envoy access logs can be sent to CloudWatch Logs to audit which services accessed which endpoints. To deepen your understanding of App Mesh network design, specialized books on Amazon can be helpful.

App Mesh Pricing and Optimization

App Mesh itself incurs no additional charges. Costs depend on the computing resources (CPU and memory) consumed by the Envoy proxies. Since they run as sidecars in ECS tasks or EKS Pods, it is important to properly size the resources allocated to the proxy in your task definition. A typical baseline is 256 MB of memory and 0.25 vCPU per proxy, though services with high traffic volumes may need more. When enabling X-Ray tracing, trace data storage costs apply, so adjust the sampling rate to balance cost and observability.

Summary

App Mesh is a service mesh that controls and monitors microservice communication through Envoy proxies. It enables canary deployments via traffic weighting, retry policies, and circuit breakers through declarative configuration, while encrypting communication with mTLS. X-Ray integration provides distributed tracing, visualizing service dependencies and latency.

Related Services

AWS App MeshA service mesh that controls and monitors communication between microservicesAmazon ECSA container orchestration service for easily running and managing containerized applicationsAmazon EKSA managed service for easily building and operating Kubernetes clusters on AWS

Related Articles

Serverless Container Operations with AWS Fargate - Usage Patterns for ECS and EKSRun serverless containers without managing instances. Learn how to choose between ECS and EKS, and optimize costs through task sizing.Service Discovery - Automating Microservice Connectivity with AWS Cloud MapLearn how to build service discovery with AWS Cloud Map. Covers DNS-based and API-based service detection, ECS/EKS integration, and App Mesh connectivity.Container-Optimized OS - Strengthening Container Host Security and Operations with BottlerocketLearn how to optimize container hosts with AWS Bottlerocket. Covers the minimal OS design, automatic updates, immutable infrastructure, and integration with ECS/EKS.

More on This Topic

Service Discovery with AWS Cloud Map - Dynamic Name Resolution for MicroservicesDynamically discover microservice endpoints using DNS-based and API-based approaches. Learn how to automate service registration and deregistration through integration with ECS and EKS.How CloudFront's 600+ PoPs Work - Anycast Routing and the Cache HierarchyLearn how CloudFront routes user requests to the nearest PoP using Anycast, the two-tier structure of edge locations and regional edge caches, and the design factors that determine cache hit rates.Dedicated Connection Design - Achieving Stable Private Network Connectivity with Direct ConnectLearn about dedicated connection design with AWS Direct Connect, including choosing between dedicated and hosted connections, redundancy configurations, and achieving stable private network connectivity through VPC integration.Building Dedicated Connections with AWS Direct Connect - Redundancy Design and Traffic ControlDesign redundant dedicated connections and connect to VPCs across multiple regions with Direct Connect Gateway. This article also covers bandwidth aggregation with LAG and MACsec encryption.Elastic IP Address Management and Design - Static IP Usage and Cost OptimizationLearn about Elastic IP allocation, EC2 association, cost implications of unused EIPs, and alternative approaches to consider.Why ELB Has Three Types - The Design Rationale Behind ALB, NLB, and CLBExplore why ALB, NLB, and CLB (Classic) coexist rather than being unified into a single service, examining OSI model layers, performance characteristics, and historical context.Global Network Optimization with AWS Global Accelerator - Low-Latency Delivery and FailoverLearn how to route traffic onto the AWS global network using Anycast IPs, design endpoint groups, and achieve failover through health checks.Global Network Acceleration - Low-Latency Delivery with AWS Global Accelerator and CloudFrontRoute traffic onto the AWS global network early using Anycast IPs to direct clients to the nearest edge location. This guide covers ALB/NLB integration and failover design.

Similar Articles and Services

Service Networking with Amazon VPC Lattice - Simplifying Microservice CommunicationSimplify cross-VPC and cross-account microservice communication with L7 service networking that requires no Envoy proxies. Learn about IAM authentication and when to choose VPC Lattice over App Mesh.Service Discovery - Automating Microservice Connectivity with AWS Cloud MapLearn how to build service discovery with AWS Cloud Map. Covers DNS-based and API-based service detection, ECS/EKS integration, and App Mesh connectivity.AWS X-RayTrace requests through distributed applications and identify performance bottlenecksDistributed Tracing with AWS X-Ray - Performance Analysis for MicroservicesVisualize the full request path across microservices with service maps, narrow down problem traces with filter expressions, and integrate with OpenTelemetry.