# App Mesh Concepts Concepts **Important** End of support notice: On September 30, 2026, AWS will discontinue support for AWS App Mesh. After September 30, 2026, you will no longer be able to access the AWS App Mesh console or AWS App Mesh resources. For more information, visit this blog post [Migrating from AWS App Mesh to Amazon ECS Service Connect](https://aws.amazon.com/blogs/containers/migrating-from-aws-app-mesh-to-amazon-ecs-service-connect). **Topics** + [ # Service Meshes ](meshes.md) + [ # Virtual services ](virtual_services.md) + [ # Virtual gateways ](virtual_gateways.md) + [ # Virtual nodes ](virtual_nodes.md) + [ # Virtual routers ](virtual_routers.md) # Service Meshes Meshes **Important** End of support notice: On September 30, 2026, AWS will discontinue support for AWS App Mesh. After September 30, 2026, you will no longer be able to access the AWS App Mesh console or AWS App Mesh resources. For more information, visit this blog post [Migrating from AWS App Mesh to Amazon ECS Service Connect](https://aws.amazon.com/blogs/containers/migrating-from-aws-app-mesh-to-amazon-ecs-service-connect). A service mesh is a logical boundary for network traffic between the services that reside within it. After you create your service mesh, you can create virtual services, virtual nodes, virtual routers, and routes to distribute traffic between the applications in your mesh. ## Creating a service mesh **Note** When creating a Mesh, you must add a namespace selector. If the namespace selector is empty, it selects all namespaces. To restrict the namespaces, use a label to associate App Mesh resources to the created mesh. ------ #### [ AWS Management Console ] **To create a service mesh using the AWS Management Console** 1. Open the App Mesh console at [https://console.aws.amazon.com/appmesh/](https://console.aws.amazon.com/appmesh/). 1. Choose **Create mesh**. 1. For **Mesh name**, specify a name for your service mesh. 1. (Optional) Choose **Allow external traffic**. By default, proxies in the mesh only forward traffic between each other. If you allow external traffic, the proxies in the mesh also forward TCP traffic directly to services that aren't deployed with a proxy that is defined in the mesh. **Note** If you specify any backends on a virtual node when using `ALLOW_ALL`, you must specifiy all egress for that virtual node as backends. Otherwise, `ALLOW_ALL` will no longer work for that virtual node. 1. **IP version preference** Control which IP version should be used for traffic within the mesh by toggling on **Override default IP version behavior**. By default, App Mesh uses a variety of IP versions. **Note** The mesh applies the IP preference to all of the virtual nodes and virtual gateways within a mesh. This behavior can be overridden on a individual virtual node by setting the IP preference when you make or edit the node. The IP preference can't be overridden on a virtual gateway because the configuration for virtual gateways that allows them to listen for both IPv4 and IPv6 traffic is the same regardless of which preference is set on the mesh. + Default + Envoy's DNS resolver prefers `IPv6` and falls back to `IPv4`. + We use the `IPv4` address returned by AWS Cloud Map if available and falls back to using the `IPv6` address. + The endpoint created for the local app uses an `IPv4` address. + The Envoy listeners bind to all `IPv4` addresses. + IPv6 preferred + Envoy's DNS resolver prefers `IPv6` and falls back to `IPv4`. + The `IPv6` address returned by AWS Cloud Map is used if available and falls back to using the `IPv4` address + The endpoint created for the local app uses an `IPv6` address. + The Envoy listeners bind to all `IPv4` and `IPv6` addresses. + IPv4 preferred + Envoy's DNS resolver prefers `IPv4` and falls back to `IPv6`. + We use the `IPv4` address returned by AWS Cloud Map if available and falls back to using the `IPv6` address. + The endpoint created for the local app uses an `IPv4` address. + The Envoy listeners bind to all `IPv4` and `IPv6` addresses. + IPv6 only + Envoy's DNS resolver only uses `IPv6`. + Only the `IPv6` address returned by AWS Cloud Map is used. If AWS Cloud Map returns an `IPv4` address, no IP addresses are used and empty results are returned to the Envoy. + The endpoint created for the local app uses an `IPv6` address. + The Envoy listeners bind to all `IPv4` and `IPv6` addresses. + IPv4 only + Envoy's DNS resolver only uses `IPv4`. + Only the `IPv4` address returned by AWS Cloud Map is used. If AWS Cloud Map returns an `IPv6` address, no IP addresses are used and empty results are returned to the Envoy. + The endpoint created for the local app uses an `IPv4` address. + The Envoy listeners bind to all `IPv4` and `IPv6` addresses. 1. Choose **Create mesh** to finish. 1. (Optional) Share the mesh with other accounts. A shared mesh allows resources created by different accounts to communicate with each other in the same mesh. For more information, see [Working with shared meshes](sharing.md). ------ #### [ AWS CLI ] **To create a mesh using the AWS CLI.** Create a service mesh using the following command (replace the *red* values with your own): 1. ``` aws appmesh create-mesh --mesh-name meshName ``` 1. Example output: ``` { "mesh":{ "meshName":"meshName", "metadata":{ "arn":"arn:aws:appmesh:us-west-2:123456789012:mesh/meshName", "createdAt":"2022-04-06T08:45:50.072000-05:00", "lastUpdatedAt":"2022-04-06T08:45:50.072000-05:00", "meshOwner": "123456789012", "resourceOwner": "123456789012", "uid":"a1b2c3d4-5678-90ab-cdef-11111EXAMPLE", "version":1 }, "spec":{}, "status":{ "status":"ACTIVE" } } } ``` For more information on creating a mesh with the AWS CLI for App Mesh, see the [create-mesh](https://docs.aws.amazon.com/cli/latest/reference/appmesh/create-mesh.html) command in the AWS CLI reference. ------ ## Deleting a mesh ------ #### [ AWS Management Console ] **To delete a virtual gateway using the AWS Management Console** 1. Open the App Mesh console at [https://console.aws.amazon.com/appmesh/](https://console.aws.amazon.com/appmesh/). 1. Choose the mesh you want to delete. All of the meshes that you own and that have been [shared](sharing.md) with you are listed. 1. In the confirmation box, type **delete** and then click on **Delete**. ------ #### [ AWS CLI ] **To delete a mesh using the AWS CLI** 1. Use the following command to delete your mesh (replace the *red* values with your own): ``` aws appmesh delete-mesh \ --mesh-name meshName ``` 1. Example output: ``` { "mesh": { "meshName": "meshName", "metadata": { "arn":"arn:aws:appmesh:us-west-2:123456789012:mesh/meshName", "createdAt": "2022-04-06T08:45:50.072000-05:00", "lastUpdatedAt": "2022-04-07T11:06:32.795000-05:00", "meshOwner": "123456789012", "resourceOwner": "123456789012", "uid": "a1b2c3d4-5678-90ab-cdef-11111EXAMPLE", "version": 1 }, "spec": {}, "status": { "status": "DELETED" } } } ``` For more information on deleting a mesh with the AWS CLI for App Mesh, see the [delete-mesh](https://docs.aws.amazon.com/cli/latest/reference/appmesh/delete-mesh.html) command in the AWS CLI reference. ------ # Virtual services **Important** End of support notice: On September 30, 2026, AWS will discontinue support for AWS App Mesh. After September 30, 2026, you will no longer be able to access the AWS App Mesh console or AWS App Mesh resources. For more information, visit this blog post [Migrating from AWS App Mesh to Amazon ECS Service Connect](https://aws.amazon.com/blogs/containers/migrating-from-aws-app-mesh-to-amazon-ecs-service-connect). A virtual service is an abstraction of a real service that is provided by a virtual node directly or indirectly by means of a virtual router. Dependent services call your virtual service by its `virtualServiceName`, and those requests are routed to the virtual node or virtual router that is specified as the provider for the virtual service. ## Creating a virtual service ------ #### [ AWS Management Console ] **To create a virtual service using the AWS Management Console** 1. Open the App Mesh console at [https://console.aws.amazon.com/appmesh/](https://console.aws.amazon.com/appmesh/). 1. Choose the mesh in which you want to create the virtual service. All of the meshes that you own and that have been [shared](sharing.md) with you are listed. 1. Choose **Virtual services** in the left navigation. 1. Choose **Create virtual service**. 1. For **Virtual service name**, choose a name for your virtual service. You can choose any name, but the service discovery name of the real service that you're targeting, such as `my-service.default.svc.cluster.local`, is recommended to make it easier to correlate your virtual services to real services. This way you don't need to change your code to reference a different name than your code currently references. The name that you specify must resolve to a non-loopback IP address because the app container must be able to successfully resolve the name before the request is sent to the Envoy proxy. You can use any non-loopback IP address because neither the app or proxy containers communicate with this IP address. The proxy communicates with other virtual services through the names you’ve configured for them in App Mesh, not through IP addresses to which the names resolve. 1. For **Provider**, choose the provider type for your virtual service: + If you want the virtual service to spread traffic across multiple virtual nodes, select **Virtual router** and then choose the virtual router to use from the drop-down menu. + If you want the virtual service to reach a virtual node directly without a virtual router, select **Virtual node** and then choose the virtual node to use from the drop-down menu. **Note** App Mesh may automatically create a default Envoy route retry policy for each virtual node provider that you define on or after July 29, 2020, even though you can't define such a policy through the App Mesh API. For more information, see [Default route retry policy](envoy-defaults.md#default-retry-policy). + If you don't want the virtual service to route traffic at this time (for example, if your virtual nodes or virtual router doesn't exist yet), choose **None**. You can update the provider for this virtual service later. 1. Choose **Create virtual service** to finish. ------ #### [ AWS CLI ] **To create a virtual service using the AWS CLI.** Create a virtual service with a virtual node provider using the following command and an input JSON file (replace the *red* values with your own): 1. ``` aws appmesh create-virtual-service \ --cli-input-json file://create-virtual-service-virtual-node.json ``` 1. Contents of **example** create-virtual-service-virtual-node.json: ``` { "meshName": "meshName", "spec": { "provider": { "virtualNode": { "virtualNodeName": "nodeName" } } }, "virtualServiceName": "serviceA.svc.cluster.local" } ``` 1. Example output: ``` { "virtualService": { "meshName": "meshName", "metadata": { "arn": "arn:aws:appmesh:us-west-2:210987654321:mesh/meshName/virtualService/serviceA.svc.cluster.local", "createdAt": "2022-04-06T09:45:35.890000-05:00", "lastUpdatedAt": "2022-04-06T09:45:35.890000-05:00", "meshOwner": "123456789012", "resourceOwner": "210987654321", "uid": "a1b2c3d4-5678-90ab-cdef-11111EXAMPLE", "version": 1 }, "spec": { "provider": { "virtualNode": { "virtualNodeName": "nodeName" } } }, "status": { "status": "ACTIVE" }, "virtualServiceName": "serviceA.svc.cluster.local" } } ``` For more information on creating a virtual service with the AWS CLI for App Mesh, see the [create-virtual-service](https://docs.aws.amazon.com/cli/latest/reference/appmesh/create-virtual-service.html) command in the AWS CLI reference. ------ ## Deleting a virtual service **Note** You can't delete a virtual service that is referenced by a gateway route. You need to delete the gateway route first. ------ #### [ AWS Management Console ] **To delete a virtual service using the AWS Management Console** 1. Open the App Mesh console at [https://console.aws.amazon.com/appmesh/](https://console.aws.amazon.com/appmesh/). 1. Choose the mesh from which you want to delete a virtual service. All of the meshes that you own and that have been [shared](sharing.md) with you are listed. 1. Choose **Virtual services** in the left navigation. 1. Choose the virtual service that you want to delete and click on **Delete** in the top right corner. You can only delete a virtual gateway where your account is listed as **Resource owner**. 1. In the confirmation box, type **delete** and then click on **Delete**. ------ #### [ AWS CLI ] **To delete a virtual service using the AWS CLI** 1. Use the following command to delete your virtual service (replace the *red* values with your own): ``` aws appmesh delete-virtual-service \ --mesh-name meshName \ --virtual-service-name serviceA.svc.cluster.local ``` 1. Example output: ``` { "virtualService": { "meshName": "meshName", "metadata": { "arn": "arn:aws:appmesh:us-west-2:210987654321:mesh/meshName/virtualService/serviceA.svc.cluster.local", "createdAt": "2022-04-06T09:45:35.890000-05:00", "lastUpdatedAt": "2022-04-07T10:39:42.772000-05:00", "meshOwner": "123456789012", "resourceOwner": "210987654321", "uid": "a1b2c3d4-5678-90ab-cdef-11111EXAMPLE", "version": 2 }, "spec": { "provider": { "virtualNode": { "virtualNodeName": "nodeName" } } }, "status": { "status": "DELETED" }, "virtualServiceName": "serviceA.svc.cluster.local" } } ``` For more information on deleting a virtual service with the AWS CLI for App Mesh, see the [delete-virtual-service](https://docs.aws.amazon.com/cli/latest/reference/appmesh/delete-virtual-service.html) command in the AWS CLI reference. ------ # Virtual gateways **Important** End of support notice: On September 30, 2026, AWS will discontinue support for AWS App Mesh. After September 30, 2026, you will no longer be able to access the AWS App Mesh console or AWS App Mesh resources. For more information, visit this blog post [Migrating from AWS App Mesh to Amazon ECS Service Connect](https://aws.amazon.com/blogs/containers/migrating-from-aws-app-mesh-to-amazon-ecs-service-connect). A virtual gateway allows resources that are outside of your mesh to communicate to resources that are inside of your mesh. The virtual gateway represents an Envoy proxy running in an Amazon ECS service, in a Kubernetes service, or on an Amazon EC2 instance. Unlike a virtual node, which represents Envoy running with an application, a virtual gateway represents Envoy deployed by itself. External resources must be able to resolve a DNS name to an IP address assigned to the service or instance that runs Envoy. Envoy can then access all of the App Mesh configuration for resources that are inside of the mesh. The configuration for handling the incoming requests at the Virtual Gateway are specified using [Gateway Routes](https://docs.aws.amazon.com/app-mesh/latest/userguide/gateway-routes.html). **Important** A virtual gateway with a HTTP or HTTP2 listener rewrites the incoming request's hostname to the Gateway Route target Virtual Service's name, and the matched prefix from the Gateway Route is rewritten to `/`, by default. For example, if you have configured the Gateway route match prefix to `/chapter`, and, if the incoming request is `/chapter/1`, the request would be rewritten to `/1`. To configure rewrites, refer to the [Creating a gateway route](https://docs.aws.amazon.com/app-mesh/latest/userguide/gateway-routes.html#create-gateway-route) section from Gateway Routes. When creating a virtual gateway, `proxyConfiguration` and `user` should not be configured. To complete an end-to-end walkthrough, see [Configuring Inbound Gateway](https://github.com/aws/aws-app-mesh-examples/tree/main/walkthroughs/howto-ingress-gateway). ## Creating a virtual gateway **Note** When creating a Virtual Gateway, you must add a namespace selector with a label to identify the list of namespaces with which to associate Gateway Routes to the created Virtual Gateway. ------ #### [ AWS Management Console ] **To create a virtual gateway using the AWS Management Console** 1. Open the App Mesh console at [https://console.aws.amazon.com/appmesh/](https://console.aws.amazon.com/appmesh/). 1. Choose the mesh in which you want to create the virtual gateway. All of the meshes that you own and that have been [shared](sharing.md) with you are listed. 1. Choose **Virtual gateways** in the left navigation. 1. Choose **Create virtual gateway**. 1. For **Virtual gateway name**, enter a name for your virtual gateway. 1. (Optional, but recommended) Configure **Client policy defaults**. 1. (Optional) Select **Enforce TLS** if you want the gateway to only communicate with virtual services using Transport Layer Security (TLS). 1. (Optional) For **Ports**, specify one or more ports on which you want to enforce TLS communication with virtual services. 1. For **Validation method**, select one of the following options. The certificate that you specify must already exist and meet specific requirements. For more information, see [Certificate requirements](tls.md#virtual-node-tls-prerequisites). + **AWS Private Certificate Authority** hosting – Select one or more existing **Certificates**. + **Envoy Secret Discovery Service (SDS)** hosting – Enter the name of the secret that Envoy fetches using the Secret Discovery Service. + **Local file hosting** – Specify the path to the **Certificate chain** file on the file system where Envoy is deployed. 1. (Optional) Enter a **Subject Alternative Name**. To add additional SANs, select **Add SAN**. SANs must be FQDN or URI formatted. 1. (Optional) Select **Provide client certificate** and one of the options below to provide a client certificate when a server requests it and enable mutual TLS authentication. To learn more about mutual TLS, see the App Mesh [Mutual TLS Authentication](https://docs.aws.amazon.com/app-mesh/latest/userguide/mutual-tls.html) docs. + **Envoy Secret Discovery Service (SDS)** hosting – Enter the name of the secret that Envoy fetches using the Secret Discovery Service. + **Local file hosting** – Specify the path to the **Certificate chain** file, as well as the **Private key**, on the file system where Envoy is deployed. For a complete, end-to-end walk through of deploying a mesh with a sample application using encryption with local files, see [Configuring TLS with File Provided TLS Certificates](https://github.com/aws/aws-app-mesh-examples/tree/main/walkthroughs/howto-tls-file-provided) on GitHub. 1. (Optional) To configure logging, selected **Logging**. Enter the **HTTP access logs path** that you want Envoy to use. We recommend the `/dev/stdout` path so that you can use Docker log drivers to export your Envoy logs to a service such as Amazon CloudWatch Logs. **Note** Logs must still be ingested by an agent in your application and sent to a destination. This file path only instructs Envoy where to send the logs. 1. Configure the **Listener**. 1. Select a **Protocol** and specify the **Port** on which Envoy listens for traffic. The **http** listener permits connection transition to websockets. You can click **Add Listener** to add multiple listeners. The **Remove** button will remove that listener. 1. (Optional) **Enable connection pool** Connection pooling limits the number of connections that the Virtual Gateway Envoy can concurrently establish. It is intended to protect your Envoy instance from being overwhelmed with connections and lets you adjust traffic shaping for the needs of your applications. You can configure destination-side connection pool settings for a virtual gateway listener. App Mesh sets the client-side connection pool settings to infinite by default, simplifying mesh configuration. **Note** The `connectionPool` and `connectionPool`portMapping protocols must be the same. If your listener protocol is `grpc` or `http2`, specify `maxRequests` only. If your listener protocol is `http`, you can specify both `maxConnections` and `maxPendingRequests`. + For **Maximum connections**, specify the maximum number of outbound connections. + For **Maximum requests**, specify maximum number of parallel requests that can be established with the Virtual Gateway Envoy. + (Optional) For **Maximum pending requests**, specify the number of overflowing requests after **Maximum connections** that an Envoy queues. The default value is `2147483647`. 1. (Optional) If you want to configure a health check for your listener, then select **Enable health check**. A health check policy is optional, but if you specify any values for a health policy, then you must specify values for **Healthy threshold**, **Health check interval**, **Health check protocol**, **Timeout period**, and **Unhealthy threshold**. + For **Health check protocol**, choose a protocol. If you select **grpc**, then your service must conform to the [GRPC Health Checking Protocol](https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + For **Health check port**, specify the port that the health check should run on. + For **Healthy threshold**, specify the number of consecutive successful health checks that must occur before declaring the listener healthy. + For **Health check interval**, specify the time period in milliseconds between each health check execution. + For **Path**, specify the destination path for the health check request. This value is only used if the **Health check protocol** is `http` or `http2`. The value is ignored for other protocols. + For **Timeout period**, specify the amount of time to wait when receiving a response from the health check in milliseconds. + For **Unhealthy threshold**, specify the number of consecutive failed health checks that must occur before declaring the listener unhealthy. 1. (Optional) If you want to specify whether clients communicate with this virtual gateway using TLS, then select **Enable TLS termination**. + For **Mode**, select the mode that you want TLS to be configured for on the listener. + For **Certificate method**, select one of the following options. The certificate must meet specific requirements. For more information, see [Certificate requirements](tls.md#virtual-node-tls-prerequisites). + **AWS Certificate Manager hosting** – Select an existing **Certificate**. + **Envoy Secret Discovery Service (SDS)** hosting – Enter the name of the secret that Envoy fetches using the Secret Discovery Service. + **Local file hosting** – Specify the path to the **Certificate chain** and **Private key** files on the file system where Envoy is deployed. + (Optional) Select **Require client certificate** and one of the options below to enable mutual TLS authentication if the client provides a certificate. To learn more about mutual TLS, see the App Mesh [Mutual TLS Authentication](https://docs.aws.amazon.com/app-mesh/latest/userguide/mutual-tls.html) docs. + **Envoy Secret Discovery Service (SDS)** hosting – Enter the name of the secret that Envoy fetches using the Secret Discovery Service. + **Local file hosting** – Specify the path to the **Certificate chain** file on the file system where Envoy is deployed. + (Optional) Enter a **Subject Alternative Name**. To add additional SANs, select **Add SAN**. SANs must be FQDN or URI formatted. 1. Choose **Create virtual gateway** to finish. ------ #### [ AWS CLI ] **To create a virtual gateway using the AWS CLI.** Create a virtual gateway using the following command and input JSON (replace the *red* values with your own): 1. ``` aws appmesh create-virtual-gateway \ --mesh-name meshName \ --virtual-gateway-name virtualGatewayName \ --cli-input-json file://create-virtual-gateway.json ``` 1. Contents of **example** create-virtual-gateway.json: ``` { "spec": { "listeners": [ { "portMapping": { "port": 9080, "protocol": "http" } } ] } } ``` 1. Example output: ``` { "virtualGateway": { "meshName": "meshName", "metadata": { "arn": "arn:aws:appmesh:us-west-2:123456789012:mesh/meshName/virtualGateway/virtualGatewayName", "createdAt": "2022-04-06T10:42:42.015000-05:00", "lastUpdatedAt": "2022-04-06T10:42:42.015000-05:00", "meshOwner": "123456789012", "resourceOwner": "123456789012", "uid": "a1b2c3d4-5678-90ab-cdef-11111EXAMPLE", "version": 1 }, "spec": { "listeners": [ { "portMapping": { "port": 9080, "protocol": "http" } } ] }, "status": { "status": "ACTIVE" }, "virtualGatewayName": "virtualGatewayName" } } ``` For more information on creating a virtual gateway with the AWS CLI for App Mesh, see the [create-virtual-gateway](https://docs.aws.amazon.com/cli/latest/reference/appmesh/create-virtual-gateway.html) command in the AWS CLI reference. ------ ## Deploy virtual gateway Deploy an Amazon ECS or Kubernetes service that contains only the [Envoy container](envoy.md). You can also deploy the Envoy container on an Amazon EC2 instance. For more information, see [Getting started with App Mesh and Amazon EC2](https://docs.aws.amazon.com/app-mesh/latest/userguide/getting-started-ec2.html). For more information on how to deploy on Amazon ECS see [Getting started with App Mesh and Amazon ECS](https://docs.aws.amazon.com/app-mesh/latest/userguide/getting-started-ecs.html) or [Getting started with AWS App Mesh and Kubernetes](https://docs.aws.amazon.com/app-mesh/latest/userguide/getting-started-kubernetes.html) to deploy to Kubernetes. You need to set the `APPMESH_RESOURCE_ARN` environment variable to `mesh/mesh-name/virtualGateway/virtual-gateway-name` and you must not specify proxy configuration so that the proxy's traffic doesn't get redirected to itself. By default, App Mesh uses the name of the resource you specified in `APPMESH_RESOURCE_ARN` when Envoy is referring to itself in metrics and traces. You can override this behavior by setting the `APPMESH_RESOURCE_CLUSTER `environment variable with your own name. We recommend that you deploy multiple instances of the container and set up a Network Load Balancer to load balance traffic to the instances. The service discovery name of the load balancer is the name that you want external services to use to access resources that are in the mesh, such as *myapp.example.com*. For more information see [Creating a Network Load Balancer](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/create-network-load-balancer.html) (Amazon ECS), [Creating an External Load Balancer](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/) (Kubernetes), or [Tutorial: Increase the availability of your application on Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-increase-availability.html). You can also find more examples and walkthroughs in our [App Mesh examples](https://docs.aws.amazon.com/app-mesh/latest/userguide/examples.html). Enable proxy authorization for Envoy. For more information, see [Envoy Proxy authorization](proxy-authorization.md). ## Deleting a virtual gateway ------ #### [ AWS Management Console ] **To delete a virtual gateway using the AWS Management Console** 1. Open the App Mesh console at [https://console.aws.amazon.com/appmesh/](https://console.aws.amazon.com/appmesh/). 1. Choose the mesh from which you want to delete a virtual gateway. All of the meshes that you own and that have been [shared](sharing.md) with you are listed. 1. Choose **Virtual gateways** in the left navigation. 1. Choose the virtual gateway that you want to delete and select **Delete**. You cannot delete a virtual gateway if it has any associated gateway routes. You must delete any associated gateway routes first. You can only delete a virtual gateway where your account is listed as **Resource owner**. 1. In the confirmation box, type **delete** and then select **Delete**. ------ #### [ AWS CLI ] **To delete a virtual gateway using the AWS CLI** 1. Use the following command to delete your virtual gateway (replace the *red* values with your own): ``` aws appmesh delete-virtual-gateway \ --mesh-name meshName \ --virtual-gateway-name virtualGatewayName ``` 1. Example output: ``` { "virtualGateway": { "meshName": "meshName", "metadata": { "arn": "arn:aws:appmesh:us-west-2:123456789012:mesh/meshName/virtualGateway/virtualGatewayName", "createdAt": "2022-04-06T10:42:42.015000-05:00", "lastUpdatedAt": "2022-04-07T10:57:22.638000-05:00", "meshOwner": "123456789012", "resourceOwner": "123456789012", "uid": "a1b2c3d4-5678-90ab-cdef-11111EXAMPLE", "version": 2 }, "spec": { "listeners": [ { "portMapping": { "port": 9080, "protocol": "http" } } ] }, "status": { "status": "DELETED" }, "virtualGatewayName": "virtualGatewayName" } } ``` For more information on deleting a virtual gateway with the AWS CLI for App Mesh, see the [delete-virtual-gateway](https://docs.aws.amazon.com/cli/latest/reference/appmesh/delete-virtual-gateway.html) command in the AWS CLI reference. ------ # Gateway routes **Important** End of support notice: On September 30, 2026, AWS will discontinue support for AWS App Mesh. After September 30, 2026, you will no longer be able to access the AWS App Mesh console or AWS App Mesh resources. For more information, visit this blog post [Migrating from AWS App Mesh to Amazon ECS Service Connect](https://aws.amazon.com/blogs/containers/migrating-from-aws-app-mesh-to-amazon-ecs-service-connect). A gateway route is attached to a virtual gateway and routes traffic to an existing virtual service. If a route matches a request, it can distribute traffic to a target virtual service. This topic helps you work with gateway routes in a service mesh. ## Creating a gateway route ------ #### [ AWS Management Console ] **To create a gateway route using the AWS Management Console** 1. Open the App Mesh console at [https://console.aws.amazon.com/appmesh/](https://console.aws.amazon.com/appmesh/). 1. Choose the mesh in which you want to create the gateway route. All of the meshes that you own and that have been [shared](sharing.md) with you are listed. 1. Choose **Virtual gateways** in the left navigation. 1. Choose the virtual gateway with which you want to associate a new gateway route. If none are listed, then you need to [create a virtual gateway](virtual_gateways.md#create-virtual-gateway) first. You can only create a gateway route for a virtual gateway of which your account is listed as the **Resource owner**. 1. In the **Gateway routes** table, choose **Create gateway route**. 1. For **Gateway route name**, specify the name to use for your gateway route. 1. For **Gateway route type** choose either **http**, **http2**, or **grpc**. 1. Select an existing **Virtual service name**. If none are listed, then you need to create a [virtual service](virtual_services.md#create-virtual-service) first. 1. Choose the port that corresponds to the target for **Virtual service provider port**. Virtual service provider port is **required** when the provider (router or node) of the selected virtual service has multiple listeners. 1. (Optional) For **Priority**, specify the priority for this gateway route. 1. For **Match** configuration, specify: + If **http/http2** is the selected type: + (Optional) **Method** ‐ Specifies the method header to be matched in the incoming **http**/**http2** requests. + (Optional) **Port match** ‐ Match the port for incoming traffic. Port match is **required** if this virtual gateway has multiple listeners. + (Optional) **Exact/Suffix hostname** ‐ Specifies the hostname that should be matched on the incoming request to route to the target virtual service. + (Optional) **Prefix/Exact/Regex path** ‐ The method of matching the path of the URL. + **Prefix match** ‐ A matched request by a gateway route is rewritten to the target virtual service's name and the matched prefix is rewritten to `/`, by default. Depending on how you configure your virtual service, it could use a virtual router to route the request to different virtual nodes, based on specific prefixes or headers. **Important** You can't specify either `/aws-appmesh*` or `/aws-app-mesh*` for **Prefix match**. These prefixes are reserved for future App Mesh internal use. If multiple gateway routes are defined, then a request is matched to the route with the longest prefix. For example, if two gateway routes existed, with one having a prefix of `/chapter` and one having a prefix of `/`, then a request for `www.example.com/chapter/` would be matched to the gateway route with the `/chapter` prefix. **Note** If you enable **Path**/**Prefix** based matching, App Mesh enables path normalization ([normalize\$1path](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-normalize-path) and [merge\$1slashes](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-merge-slashes)) to minimize the probability of path confusion vulnerabilities. Path confusion vulnerabilities occur when parties participating in the request use different path representations. + **Exact match** ‐ The exact parameter disables the partial matching for a route and makes sure that it only returns the route if the path is an **EXACT** match to the current URL. + **Regex match** ‐ Used to describe patterns where multiple URLs may actually identify a single page on the website. + (Optional) **Query parameters** ‐ This field allows you to match on the query parameters. + (Optional) **Headers** ‐ Specifies the headers for **http** and **http2**. It should match the incoming request to route to the target virtual service.. + If **grpc** is the selected type: + **Hostname match type** and (optional) **Exact/Suffix match** ‐ Specifies the hostname that should be matched on the incoming request to route to the target virtual service. + **grpc service name** ‐ The **grpc** service acts as an API for your application and is defined with ProtoBuf. **Important** You can't specify `/aws.app-mesh*` or `aws.appmesh` for the **Service name**. These service names are reserved for future App Mesh internal use. + (Optional) **Metadata** ‐ Specifies the metadata for **grpc**. It should match the incoming request to route to the target virtual service. 1. (Optional) For **Rewrite** configuration: + If **http/http2** is the selected type: + If **Prefix** is the selected match type: + **Override automatic rewrite of hostname** ‐ By default the hostname is rewritten to the target virtual service's name. + **Override automatic rewrite of prefix** ‐ When toggled on, **Prefix rewrite** specifies the value of the rewritten prefix. + If **Exact Path** is the selected match type: + **Override automatic rewrite of hostname** ‐ by default the hostname is rewritten to the target virtual service's name. + **Path rewrite** ‐ Specifies the value of the rewritten path. No default path. + If **Regex Path** is the selected match type: + **Override automatic rewrite of hostname** ‐ by default the hostname is rewritten to the target virtual service's name. + **Path rewrite** ‐ Specifies the value of the rewritten path. No default path. + If **grpc** is the selected type: + **Override automatic rewrite of hostname** ‐ By default the hostname is rewritten to the target virtual service's name. 1. Choose **Create gateway route** to finish. ------ #### [ AWS CLI ] **To create a gateway route using the AWS CLI.** Create a gateway route using the following command and input JSON (replace the *red* values with your own): 1. ``` aws appmesh create-virtual-gateway \ --mesh-name meshName \ --virtual-gateway-name virtualGatewayName \ --gateway-route-name gatewayRouteName \ --cli-input-json file://create-gateway-route.json ``` 1. Contents of **example** create-gateway-route.json: ``` { "spec": { "httpRoute" : { "match" : { "prefix" : "/" }, "action" : { "target" : { "virtualService": { "virtualServiceName": "serviceA.svc.cluster.local" } } } } } } ``` 1. Example output: ``` { "gatewayRoute": { "gatewayRouteName": "gatewayRouteName", "meshName": "meshName", "metadata": { "arn": "arn:aws:appmesh:us-west-2:210987654321:mesh/meshName/virtualGateway/virtualGatewayName/gatewayRoute/gatewayRouteName", "createdAt": "2022-04-06T11:05:32.100000-05:00", "lastUpdatedAt": "2022-04-06T11:05:32.100000-05:00", "meshOwner": "123456789012", "resourceOwner": "210987654321", "uid": "a1b2c3d4-5678-90ab-cdef-11111EXAMPLE", "version": 1 }, "spec": { "httpRoute": { "action": { "target": { "virtualService": { "virtualServiceName": "serviceA.svc.cluster.local" } } }, "match": { "prefix": "/" } } }, "status": { "status": "ACTIVE" }, "virtualGatewayName": "gatewayName" } } ``` For more information on creating a gateway route with the AWS CLI for App Mesh, see the [create-gateway-route](https://docs.aws.amazon.com/cli/latest/reference/appmesh/create-gateway-route.html) command in the AWS CLI reference. ------ ## Deleting a gateway route ------ #### [ AWS Management Console ] **To delete a gateway route using the AWS Management Console** 1. Open the App Mesh console at [https://console.aws.amazon.com/appmesh/](https://console.aws.amazon.com/appmesh/). 1. Choose the mesh from which you want to delete a gateway route. All of the meshes that you own and that have been [shared](sharing.md) with you are listed. 1. Choose **Virtual gateways** in the left navigation. 1. Choose the virtual gateway from which you want to delete a gateway route. 1. In the **Gateway routes** table, choose the gateway route that you want to delete and select **Delete**. You can only delete a gateway route if your account is listed as **Resource owner**. 1. In the confirmation box, type **delete** and then click on **Delete**. ------ #### [ AWS CLI ] **To delete a gateway route using the AWS CLI** 1. Use the following command to delete your gateway route (replace the *red* values with your own): ``` aws appmesh delete-gateway-route \ --mesh-name meshName \ --virtual-gateway-name virtualGatewayName \ --gateway-route-name gatewayRouteName ``` 1. Example output: ``` { "gatewayRoute": { "gatewayRouteName": "gatewayRouteName", "meshName": "meshName", "metadata": { "arn": "arn:aws:appmesh:us-west-2:210987654321:mesh/meshName/virtualGateway/virtualGatewayName/gatewayRoute/gatewayRouteName", "createdAt": "2022-04-06T11:05:32.100000-05:00", "lastUpdatedAt": "2022-04-07T10:36:33.191000-05:00", "meshOwner": "123456789012", "resourceOwner": "210987654321", "uid": "a1b2c3d4-5678-90ab-cdef-11111EXAMPLE", "version": 2 }, "spec": { "httpRoute": { "action": { "target": { "virtualService": { "virtualServiceName": "serviceA.svc.cluster.local" } } }, "match": { "prefix": "/" } } }, "status": { "status": "DELETED" }, "virtualGatewayName": "virtualGatewayName" } } ``` For more information on deleting a gateway route with the AWS CLI for App Mesh, see the [delete-gateway-route](https://docs.aws.amazon.com/cli/latest/reference/appmesh/delete-gateway-route.html) command in the AWS CLI reference. ------ # Virtual nodes **Important** End of support notice: On September 30, 2026, AWS will discontinue support for AWS App Mesh. After September 30, 2026, you will no longer be able to access the AWS App Mesh console or AWS App Mesh resources. For more information, visit this blog post [Migrating from AWS App Mesh to Amazon ECS Service Connect](https://aws.amazon.com/blogs/containers/migrating-from-aws-app-mesh-to-amazon-ecs-service-connect). A virtual node acts as a logical pointer to a particular task group, such as an Amazon ECS service or a Kubernetes deployment. When you create a virtual node, you must specify a service discovery method for your task group. Any inbound traffic that your virtual node expects is specified as a *listener*. Any virtual service that a virtual node sends outbound traffic to is specified as a *backend*. The response metadata for your new virtual node contains the Amazon Resource Name (ARN) that is associated with the virtual node. Set this value as the `APPMESH_RESOURCE_ARN` environment variable for your task group's Envoy proxy container in your Amazon ECS task definition or Kubernetes pod spec. For example, the value could be `arn:aws:appmesh:us-west-2:111122223333:mesh/myMesh/virtualNode/myVirtualNode`. This is then mapped to the `node.id` and `node.cluster` Envoy parameters. You must be using `1.15.0` or later of the Envoy image when setting this variable. For more information about App Mesh Envoy variables, see [Envoy image](envoy.md). **Note** By default, App Mesh uses the name of the resource you specified in `APPMESH_RESOURCE_ARN` when Envoy is referring to itself in metrics and traces. You can override this behavior by setting the `APPMESH_RESOURCE_CLUSTER` environment variable with your own name. ## Creating a virtual node ------ #### [ AWS Management Console ] **To create a virtual node using the AWS Management Console** 1. Open the App Mesh console at [https://console.aws.amazon.com/appmesh/](https://console.aws.amazon.com/appmesh/). 1. Choose the mesh that you want to create the virtual node in. All of the meshes that you own and that have been [shared](sharing.md) with you are listed. 1. Choose **Virtual nodes** in the left navigation. 1. Choose **Create virtual node** and then specify settings for your virtual node. 1. For **Virtual node name**, enter a name for your virtual node. 1. For **Service discovery method**, choose one of the following options: + **DNS** – Specify the **DNS hostname** of the actual service that the virtual node represents. The Envoy proxy is deployed in an Amazon VPC. The proxy sends name resolution requests to the DNS server that is configured for the VPC. If the hostname resolves, the DNS server returns one or more IP addresses. For more information about VPC DNS settings, see [Using DNS with your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html). For **DNS response type** (optional), specify the types of endpoints returned by the DNS resolver. **Load Balancer** means that the DNS resolver returns a loadbalanced set of endpoints. **Endpoints** means that the DNS resolver is returning all the endpoints. By default, the response type is assumed to be** Load Balancer**. **Note** If you use **Route53**, you'll need to use **Load Balancer**. + **AWS Cloud Map** – Specify an existing **Service name** and HTTP **Namespace**. Optionally, you can also specify attributes that App Mesh can query AWS Cloud Map for by selecting **Add row** and specifying a **Key** and **Value**. Only instances that match all of the specified key/value pairs will be returned. To use AWS Cloud Map, your account must have the `AWSServiceRoleForAppMesh` [service-linked role](using-service-linked-roles.md). For more information about AWS Cloud Map, see the [AWS Cloud Map Developer Guide](https://docs.aws.amazon.com/cloud-map/latest/dg/). + **None** – Select if your virtual node doesn't expect any inbound traffic. 1. **IP version preference** Control which IP version should be used for traffic within the mesh by toggling on **Override default IP version behavior**. By default, App Mesh uses a variety of IP versions. **Note** Setting the IP preference on the virtual node only overrides the IP preference set for the mesh on this specific node. + Default + Envoy's DNS resolver prefers `IPv6` and falls back to `IPv4`. + We use the `IPv4` address returned by AWS Cloud Map if available and falls back to using the `IPv6` address. + The endpoint created for the local app uses an `IPv4` address. + The Envoy listeners bind to all `IPv4` addresses. + IPv6 preferred + Envoy's DNS resolver prefers `IPv6` and falls back to `IPv4`. + The `IPv6` address returned by AWS Cloud Map is used if available and falls back to using the `IPv4` address + The endpoint created for the local app uses an `IPv6` address. + The Envoy listeners bind to all `IPv4` and `IPv6` addresses. + IPv4 preferred + Envoy's DNS resolver prefers `IPv4` and falls back to `IPv6`. + We use the `IPv4` address returned by AWS Cloud Map if available and falls back to using the `IPv6` address. + The endpoint created for the local app uses an `IPv4` address. + The Envoy listeners bind to all `IPv4` and `IPv6` addresses. + IPv6 only + Envoy's DNS resolver only uses `IPv6`. + Only the `IPv6` address returned by AWS Cloud Map is used. If AWS Cloud Map returns an `IPv4` address, no IP addresses are used and empty results are returned to the Envoy. + The endpoint created for the local app uses an `IPv6` address. + The Envoy listeners bind to all `IPv4` and `IPv6` addresses. + IPv4 only + Envoy's DNS resolver only uses `IPv4`. + Only the `IPv4` address returned by AWS Cloud Map is used. If AWS Cloud Map returns an `IPv6` address, no IP addresses are used and empty results are returned to the Envoy. + The endpoint created for the local app uses an `IPv4` address. + The Envoy listeners bind to all `IPv4` and `IPv6` addresses. 1. **(Optional) **Client policy defaults** – Configure default requirements when communicating to backend virtual services.** **Note** If you want to enable Transport Layer Security (TLS) for an existing virtual node, then we recommend that you create a new virtual node, which represents the same service as the existing virtual node, on which to enable TLS. Then gradually shift traffic to the new virtual node using a virtual router and route. For more information about creating a route and adjusting weights for the transition, see [Routes](routes.md). If you update an existing, traffic-serving virtual node with TLS, there is a chance that the downstream client Envoy proxies will receive TLS validation context before the Envoy proxy for the virtual node that you have updated receives the certificate. This can cause TLS negotiation errors on the downstream Envoy proxies. [Proxy authorization](proxy-authorization.md) must be enabled for the Envoy proxy deployed with the application represented by the backend service's virtual nodes. We recommend that when you enable proxy authorization, you restrict access to only the virtual nodes that this virtual node is communicating with. + (Optional) Select **Enforce TLS** if you want to require the virtual node to communicate with all backends using Transport Layer Security (TLS). + (Optional) If you only want to require the use of TLS for one or more specific ports, then enter a number in **Ports**. To add additional ports, select **Add port**. If you don't specify any ports, TLS is enforced for all ports. + For **Validation method**, select one of the following options. The certificate that you specify must already exist and meet specific requirements. For more information, see [Certificate requirements](tls.md#virtual-node-tls-prerequisites). + **AWS Private Certificate Authority** hosting – Select one or more existing **Certificates**. For a complete, end-to-end walk through of deploying a mesh with a sample application using encryption with an ACM certificate, see [Configuring TLS with AWS Certificate Manager](https://github.com/aws/aws-app-mesh-examples/tree/main/walkthroughs/tls-with-acm) on GitHub. + **Envoy Secret Discovery Service (SDS)** hosting – Enter the name of the secret Envoy will fetch using the Secret Discovery Service. + **Local file hosting** – Specify the path to the **Certificate chain** file on the file system where Envoy is deployed. For a complete, end-to-end walk through of deploying a mesh with a sample application using encryption with local files, see [Configuring TLS with File Provided TLS Certificates](https://github.com/aws/aws-app-mesh-examples/tree/main/walkthroughs/howto-tls-file-provided) on GitHub. + (Optional) Enter a **Subject Alternative Name**. To add additional SANs, select **Add SAN**. SANs must be FQDN or URI formatted. + (Optional) Select **Provide client certificate** and one of the options below to provide a client certificate when a server requests it and enable mutual TLS authentication . To learn more about mutual TLS, see the App Mesh [Mutual TLS Authentication](https://docs.aws.amazon.com/app-mesh/latest/userguide/mutual-tls.html) docs. + **Envoy Secret Discovery Service (SDS)** hosting – Enter the name of the secret Envoy will fetch using the Secret Discovery Service. + **Local file hosting** – Specify the path to the **Certificate chain** file, as well as the **Private key**, on the file system where Envoy is deployed. 1. **(Optional) **Service backends** – Specify the App Mesh virtual service that the virtual node will communicate with.** + Enter an App Mesh virtual service name or full Amazon Resource Name (ARN) for the virtual service that your virtual node communicates with. + (Optional) If you want to set unique TLS settings for a backend, select **TLS settings** and then select **Override defaults**. + (Optional) Select **Enforce TLS** if you want to require the virtual node to communicate with all backends using TLS. + (Optional) If you only want to require the use of TLS for one or more specific ports, then enter a number in **Ports**. To add additional ports, select **Add port**. If you don't specify any ports, TLS is enforced for all ports. + For **Validation method**, select one of the following options. The certificate that you specify must already exist and meet specific requirements. For more information, see [Certificate requirements](tls.md#virtual-node-tls-prerequisites). + **AWS Private Certificate Authority** hosting – Select one or more existing **Certificates**. + **Envoy Secret Discovery Service (SDS)** hosting – Enter the name of the secret Envoy will fetch using the Secret Discovery Service. + **Local file hosting** – Specify the path to the **Certificate chain** file on the file system where Envoy is deployed. + (Optional) Enter a **Subject Alternative Name**. To add additional SANs, select **Add SAN**. SANs must be FQDN or URI formatted. + (Optional) Select **Provide client certificate** and one of the options below to provide a client certificate when a server requests it and enable mutual TLS authentication. To learn more about mutual TLS, see the App Mesh [Mutual TLS Authentication](https://docs.aws.amazon.com/app-mesh/latest/userguide/mutual-tls.html) docs. + **Envoy Secret Discovery Service (SDS)** hosting – Enter the name of the secret Envoy will fetch using the Secret Discovery Service. + **Local file hosting** – Specify the path to the **Certificate chain** file, as well as the **Private key**, on the file system where Envoy is deployed. + To add additional backends, select **Add backend**. 1. (Optional) **Logging** To configure logging, enter the HTTP access logs path that you want Envoy to use. We recommend the `/dev/stdout` path so that you can use Docker log drivers to export your Envoy logs to a service such as Amazon CloudWatch Logs. **Note** Logs must still be ingested by an agent in your application and sent to a destination. This file path only instructs Envoy where to send the logs. 1. **Listener configuration** Listeners support `HTTP`,`HTTP/2`, `GRPC`, and `TCP` protocols. `HTTPS` is not supported. 1. If your virtual node expects inbound traffic, specify a **Port** and **Protocol** for the **Listener**. The **http** listener permits connection transition to websockets. You can click **Add Listener** to add multiple listeners. The **Remove** button will remove that listener. 1. **(Optional) **Enable connection pool**** Connection pooling limits the number of connections that an Envoy can concurrently establish with the local application cluster. It is intended to protect your local application from being overwhelmed with connections and lets you adjust traffic shaping for the needs of your applications. You can configure destination-side connection pool settings for a virtual node listener. App Mesh sets the client-side connection pool settings to infinite by default, simplifying mesh configuration. **Note** The connectionPool and portMapping protocols must be the same. If your listener protocol is tcp, specify maxConnections only. If your listener protocol is grpc or http2, specify maxRequests only. If your listener protocol is http, you can specify both maxConnections and maxPendingRequests. + For **Maximum connections**, specify the maximum number of outbound connections. + (Optional) For **Maximum pending requests**, specify the number of overflowing requests after **Maximum connections** that an Envoy will queue. The default value is `2147483647`. 1. **(Optional) **Enable outlier detection**** Outlier detection applied at the client Envoy allows clients to take near-immediate action on connections with observed known bad failures. It is a form of a circuit breaker implementation that tracks the health status of individual hosts in the upstream service. Outlier detection dynamically determines whether endpoints in an upstream cluster are performing unlike the others and removes them from the healthy load balancing set. **Note** To effectively configure outlier detection for a server Virtual Node, the service discovery method of that Virtual Node can be either AWS Cloud Map or DNS with the response type field set to `ENDPOINTS`. If you use DNS service discovery method with response type as `LOADBALANCER`, the Envoy proxy would only elect a single IP address for routing to the upstream service. This nullifies the outlier detection behavior of ejecting an unhealthy host from a set of hosts. Refer to the Service discovery method section for more details on the Envoy proxy's behavior in relation to the service discovery type. + For **Server errors**, specify the number of consecutive 5xx errors required for ejection. + For **Outlier detection interval**, specify the time interval and unit between ejection sweep analysis. + For **Base ejection duration**, specify the base amount of time and unit for which a host is ejected. + For **Ejection percentage**, specify the maximum percentage of hosts in the load balancing pool that can be ejected. 1. **(Optional) **Enable health check** – Configure settings for a health check policy.** A health check policy is optional, but if you specify any values for a health policy, then you must specify values for **Healthy threshold**, **Health check interval**, **Health check protocol**, **Timeout period**, and **Unhealthy threshold**. + For **Health check protocol**, choose a protocol. If you select **grpc**, then your service must conform to the [GRPC Health Checking Protocol](https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + For **Health check port**, specify the port that the health check should run on. + For **Healthy threshold**, specify the number of consecutive successful health checks that must occur before declaring the listener healthy. + For **Health check interval**, specify the time period in milliseconds between each health check execution. + For **Path**, specify the destination path for the health check request. This value is only used if the **Health check protocol** is `http` or `http2`. The value is ignored for other protocols. + For **Timeout period**, specify the amount of time to wait when receiving a response from the health check, in milliseconds. + For **Unhealthy threshold**, specify the number of consecutive failed health checks that must occur before declaring the listener unhealthy. 1. **(Optional) **Enable TLS termination** – Configure how other virtual nodes communicate with this virtual node using TLS.** + For **Mode**, select the mode you want TLS to be configured for on the listener. + For **Certificate method**, select one of the following options. The certificate must meet specific requirements. For more information, see [Certificate requirements](tls.md#virtual-node-tls-prerequisites). + **AWS Certificate Manager hosting** – Select an existing **Certificate**. + **Envoy Secret Discovery Service (SDS)** hosting – Enter the name of the secret Envoy will fetch using the Secret Discovery Service. + **Local file hosting** – Specify the path to the **Certificate chain** file, as well as the **Private key**, on the file system where the Envoy proxy is deployed. + (Optional) Select **Require client certificates** and one of the options below to enable mutual TLS authentication when a client provides a certificate. To learn more about mutual TLS, see the App Mesh [Mutual TLS Authentication](https://docs.aws.amazon.com/app-mesh/latest/userguide/mutual-tls.html) docs. + **Envoy Secret Discovery Service (SDS)** hosting – Enter the name of the secret Envoy will fetch using the Secret Discovery Service. + **Local file hosting** – Specify the path to the **Certificate chain** file on the file system where Envoy is deployed. + (Optional) Enter a **Subject Alternative Name**. To add additional SANs, select **Add SAN**. SANs must be FQDN or URI formatted. 1. **(Optional) **Timeouts**** **Note** If you specify a timeout greater than the default, make sure to set up a virtual router and a route with a timeout greater than the default. However, if you decrease the timeout to a value that is lower than the default, it's optional to update the timeouts at Route. For more information, see [Routes](https://docs.aws.amazon.com/app-mesh/latest/userguide/routes.html). + **Request timeout** – You can specify a request timeout if you selected **grpc**, **http**, or **http2** for the listener's **Protocol**. The default is 15 seconds. A value of `0` disables the timeout. + **Idle duration** – You can specify an idle duration for any listener protocol. The default is 300 seconds. 1. Choose **Create virtual node** to finish. ------ #### [ AWS CLI ] **To create a virtual node using the AWS CLI.** Create a virtual node that uses DNS for service discovery using the following command and an input JSON file (replace the *red* values with your own): 1. ``` aws appmesh create-virtual-node \ --cli-input-json file://create-virtual-node-dns.json ``` 1. Contents of **example** create-virtual-node-dns.json: ``` { "meshName": "meshName", "spec": { "listeners": [ { "portMapping": { "port": 80, "protocol": "http" } } ], "serviceDiscovery": { "dns": { "hostname": "serviceBv1.svc.cluster.local" } } }, "virtualNodeName": "nodeName" } ``` 1. Example output: ``` { "virtualNode": { "meshName": "meshName", "metadata": { "arn": "arn:aws:appmesh:us-west-2:210987654321:mesh/meshName/virtualNode/nodeName", "createdAt": "2022-04-06T09:12:24.348000-05:00", "lastUpdatedAt": "2022-04-06T09:12:24.348000-05:00", "meshOwner": "123456789012", "resourceOwner": "210987654321", "uid": "a1b2c3d4-5678-90ab-cdef-11111EXAMPLE", "version": 1 }, "spec": { "listeners": [ { "portMapping": { "port": 80, "protocol": "http" } } ], "serviceDiscovery": { "dns": { "hostname": "serviceBv1.svc.cluster.local" } } }, "status": { "status": "ACTIVE" }, "virtualNodeName": "nodeName" } } ``` For more information on creating a virtual node with the AWS CLI for App Mesh, see the [create-virtual-node](https://docs.aws.amazon.com/cli/latest/reference/appmesh/create-virtual-node.html) command in the AWS CLI reference. ------ ## Deleting a virtual node **Note** You can't delete a virtual node if it is specified as a target in any [route](routes.md) or as a provider in any [virtual service](virtual_services.md). ------ #### [ AWS Management Console ] **To delete a virtual node using the AWS Management Console** 1. Open the App Mesh console at [https://console.aws.amazon.com/appmesh/](https://console.aws.amazon.com/appmesh/). 1. Choose the mesh that you want to delete a virtual node from. All of the meshes that you own and that have been [shared](sharing.md) with you are listed. 1. Choose **Virtual nodes** in the left navigation. 1. In the **Virtual Nodes** table, choose the virtual node that you want to delete and select **Delete**. To delete a virtual node, your account ID must be listed in either the **Mesh owner** or the **Resource owner** columns of the virtual node. 1. In the confirmation box, type **delete** and then select **Delete**. ------ #### [ AWS CLI ] **To delete a virtual node using the AWS CLI** 1. Use the following command to delete your virtual node (replace the *red* values with your own): ``` aws appmesh delete-virtual-node \ --mesh-name meshName \ --virtual-node-name nodeName ``` 1. Example output: ``` { "virtualNode": { "meshName": "meshName", "metadata": { "arn": "arn:aws:appmesh:us-west-2:210987654321:mesh/meshName/virtualNode/nodeName", "createdAt": "2022-04-06T09:12:24.348000-05:00", "lastUpdatedAt": "2022-04-07T11:03:48.120000-05:00", "meshOwner": "123456789012", "resourceOwner": "210987654321", "uid": "a1b2c3d4-5678-90ab-cdef-11111EXAMPLE", "version": 2 }, "spec": { "backends": [], "listeners": [ { "portMapping": { "port": 80, "protocol": "http" } } ], "serviceDiscovery": { "dns": { "hostname": "serviceBv1.svc.cluster.local" } } }, "status": { "status": "DELETED" }, "virtualNodeName": "nodeName" } } ``` For more information on deleting a virtual node with the AWS CLI for App Mesh, see the [delete-virtual-node](https://docs.aws.amazon.com/cli/latest/reference/appmesh/delete-virtual-node.html) command in the AWS CLI reference. ------ # Virtual routers **Important** End of support notice: On September 30, 2026, AWS will discontinue support for AWS App Mesh. After September 30, 2026, you will no longer be able to access the AWS App Mesh console or AWS App Mesh resources. For more information, visit this blog post [Migrating from AWS App Mesh to Amazon ECS Service Connect](https://aws.amazon.com/blogs/containers/migrating-from-aws-app-mesh-to-amazon-ecs-service-connect). Virtual routers handle traffic for one or more virtual services within your mesh. After you create a virtual router, you can create and associate routes for your virtual router that direct incoming requests to different virtual nodes. ![\[Virtual router diagram showing HTTP route with prefix and targets B and B' for different service versions.\]](http://docs.aws.amazon.com/app-mesh/latest/userguide/images/virtual_router.png) Any inbound traffic that your virtual router expects should be specified as a *listener*. ## Creating a virtual router ------ #### [ AWS Management Console ] **To create a virtual router using the AWS Management Console** **Note** When creating a Virtual Router, you must add a namespace selector with a label to identify the list of namespaces to associate Routes to the created Virtual Router. 1. Open the App Mesh console at [https://console.aws.amazon.com/appmesh/](https://console.aws.amazon.com/appmesh/). 1. Choose the mesh that you want to create the virtual router in. All of the meshes that you own and that have been [shared](sharing.md) with you are listed. 1. Choose **Virtual routers** in the left navigation. 1. Choose **Create virtual router**. 1. For **Virtual router name**, specify a name for your virtual router. Up to 255 letters, numbers, hyphens, and underscores are allowed. 1. (Optional) For **Listener** configuration, specify a **Port** and **Protocol** for your virtual router. The `http` listener permits connection transition to websockets. You can click **Add Listener** to add multiple listeners. The **Remove** button will remove that listener. 1. Choose **Create virtual router** to finish. ------ #### [ AWS CLI ] **To create a virtual router using the AWS CLI.** Create a virtual router using the following command and input JSON (replace the *red* values with your own): 1. ``` aws appmesh create-virtual-router \ --cli-input-json file://create-virtual-router.json ``` 1. Contents of **example** create-virtual-router.json 1. ``` { "meshName": "meshName", "spec": { "listeners": [ { "portMapping": { "port": 80, "protocol": "http" } } ] }, "virtualRouterName": "routerName" } ``` 1. Example output: ``` { "virtualRouter": { "meshName": "meshName", "metadata": { "arn": "arn:aws:appmesh:us-west-2:210987654321:mesh/meshName/virtualRouter/routerName", "createdAt": "2022-04-06T11:49:47.216000-05:00", "lastUpdatedAt": "2022-04-06T11:49:47.216000-05:00", "meshOwner": "123456789012", "resourceOwner": "210987654321", "uid": "a1b2c3d4-5678-90ab-cdef-11111EXAMPLE", "version": 1 }, "spec": { "listeners": [ { "portMapping": { "port": 80, "protocol": "http" } } ] }, "status": { "status": "ACTIVE" }, "virtualRouterName": "routerName" } } ``` For more information on creating a virtual router with the AWS CLI for App Mesh, see the [create-virtual-router](https://docs.aws.amazon.com/cli/latest/reference/appmesh/create-virtual-router.html) command in the AWS CLI reference. ------ ## Deleting a virtual router **Note** You cannot delete a virtual router if it has any [routes](routes.md) or if it is specified as a provider for any [virtual service](virtual_services.md). ------ #### [ AWS Management Console ] **To delete a virtual router using the AWS Management Console** 1. Open the App Mesh console at [https://console.aws.amazon.com/appmesh/](https://console.aws.amazon.com/appmesh/). 1. Choose the mesh that you want to delete a virtual router from. All of the meshes that you own and that have been [shared](sharing.md) with you are listed. 1. Choose **Virtual routers** in the left navigation. 1. In the **Virtual Routers** table, choose the virtual router that you want to delete and select **Delete** in the top right corner. To delete a virtual router, your account ID must be listed in either the **Mesh owner** or the **Resource owner** columns of the virtual router. 1. In the confirmation box, type **delete** and then click on **Delete**. ------ #### [ AWS CLI ] **To delete a virtual router using the AWS CLI** 1. Use the following command to delete your virtual router (replace the *red* values with your own): ``` aws appmesh delete-virtual-router \ --mesh-name meshName \ --virtual-router-name routerName ``` 1. Example output: ``` { "virtualRouter": { "meshName": "meshName", "metadata": { "arn": "arn:aws:appmesh:us-west-2:210987654321:mesh/meshName/virtualRouter/routerName", "createdAt": "2022-04-06T11:49:47.216000-05:00", "lastUpdatedAt": "2022-04-07T10:49:53.402000-05:00", "meshOwner": "123456789012", "resourceOwner": "210987654321", "uid": "a1b2c3d4-5678-90ab-cdef-11111EXAMPLE", "version": 2 }, "spec": { "listeners": [ { "portMapping": { "port": 80, "protocol": "http" } } ] }, "status": { "status": "DELETED" }, "virtualRouterName": "routerName" } } ``` For more information on deleting a virtual router with the AWS CLI for App Mesh, see the [delete-virtual-router](https://docs.aws.amazon.com/cli/latest/reference/appmesh/delete-virtual-router.html) command in the AWS CLI reference. ------ # Routes **Important** End of support notice: On September 30, 2026, AWS will discontinue support for AWS App Mesh. After September 30, 2026, you will no longer be able to access the AWS App Mesh console or AWS App Mesh resources. For more information, visit this blog post [Migrating from AWS App Mesh to Amazon ECS Service Connect](https://aws.amazon.com/blogs/containers/migrating-from-aws-app-mesh-to-amazon-ecs-service-connect). A route is associated with a virtual router. The route is used to match requests for the virtual router and to distribute traffic to its associated virtual nodes. If a route matches a request, it can distribute traffic to one or more target virtual nodes. You can specify relative weighting for each virtual node. This topic helps you work with routes in a service mesh. ## Creating a route ------ #### [ AWS Management Console ] **To create a route using the AWS Management Console** 1. Open the App Mesh console at [https://console.aws.amazon.com/appmesh/](https://console.aws.amazon.com/appmesh/). 1. Choose the mesh that you want to create the route in. All of the meshes that you own and that have been [shared](sharing.md) with you are listed. 1. Choose **Virtual routers** in the left navigation. 1. Choose the virtual router that you want to associate a new route with. If none are listed, then you need to [create a virtual router](virtual_routers.md#create-virtual-router) first. 1. In the **Routes** table, choose **Create route**. To create a route, your account ID must be listed as the **Resource owner** of the route. 1. For **Route name**, specify the name to use for your route. 1. For **Route type**, choose the protocol that you want to route. The protocol that you select must match the listener protocol that you selected for your virtual router and the virtual node that you're routing traffic to. 1. (Optional) For **Route priority**, specify a priority from 0-1000 to use for your route. Routes are matched based on the specified value, where 0 is the highest priority. 1. (Optional) Choose **Additional configuration**. From the protocols down below, choose the protocol that you selected for **Route type** and specify settings in the console as desired. 1. For **Target configuration**, select the existing App Mesh virtual node to route traffic to and specify a **Weight**. You can choose **Add target** to add additional targets. The percentage for all targets must add up to 100. If no virtual nodes are listed, then you must [create](virtual_nodes.md#vn-create-virtual-node) one first. If the selected virtual node has multiple listeners, **Target port ** is **required**. 1. For **Match** configuration, specify: ***Match** configuration is not available for `tcp`* + If **http/http2** is the selected type: + (Optional) **Method** ‐ specifies the method header to be matched in the incoming **http**/**http2** requests. + (Optional) **Port match** ‐ Match the port for incoming traffic. Port match is **required** if this virtual router has multiple listeners. + (Optional) **Prefix/Exact/Regex path** ‐ method of matching the path of the URL. + **Prefix match** ‐ a matched request by a gateway route is rewritten to the target virtual service's name and the matched prefix is rewritten to `/`, by default. Depending on how you configure your virtual service, it could use a virtual router to route the request to different virtual nodes, based on specific prefixes or headers. **Note** If you enable **Path**/**Prefix** based matching, App Mesh enables path normalization ([normalize\$1path](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-normalize-path) and [merge\$1slashes](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-merge-slashes)) to minimize the probability of path confusion vulnerabilities. Path confusion vulnerabilities occur when parties participating in the request use different path representations. + **Exact match** ‐ the exact param disables the partial matching for a route and makes sure that it only returns the route if the path is an EXACT match to the current url. + **Regex match** ‐ used to describe patterns where multiple URLs may actually identify a single page on the website. + (Optional) **Query parameters** ‐ this field allows you to match on the query parameters. + (Optional) **Headers** ‐ specifies the headers for **http** and **http2**. It should match the incoming request to route to the target virtual service.. + If **grpc** is the selected type: + **Service name** ‐ the destination service for which to match the request. + **Method name** ‐ the destination method for which to match the request. + (Optional) **Metadata** ‐ specifies the `Match` based on the presence of metadata. All must match for the request to be processed. 1. Select **Create route**. ------ #### [ AWS CLI ] **To create a route using the AWS CLI.** Create a gRPC route using the following command and input JSON (replace the *red* values with your own): 1. ``` aws appmesh create-route \ --cli-input-json file://create-route-grpc.json ``` 1. Contents of **example** create-route-grpc.json ``` { "meshName" : "meshName", "routeName" : "routeName", "spec" : { "grpcRoute" : { "action" : { "weightedTargets" : [ { "virtualNode" : "nodeName", "weight" : 100 } ] }, "match" : { "metadata" : [ { "invert" : false, "match" : { "prefix" : "123" }, "name" : "myMetadata" } ], "methodName" : "nameOfmethod", "serviceName" : "serviceA.svc.cluster.local" }, "retryPolicy" : { "grpcRetryEvents" : [ "deadline-exceeded" ], "httpRetryEvents" : [ "server-error", "gateway-error" ], "maxRetries" : 3, "perRetryTimeout" : { "unit" : "s", "value" : 15 }, "tcpRetryEvents" : [ "connection-error" ] } }, "priority" : 100 }, "virtualRouterName" : "routerName" } ``` 1. Example output: ``` { "route": { "meshName": "meshName", "metadata": { "arn": "arn:aws:appmesh:us-west-2:210987654321:mesh/meshName/virtualRouter/routerName/route/routeName", "createdAt": "2022-04-06T13:48:20.749000-05:00", "lastUpdatedAt": "2022-04-06T13:48:20.749000-05:00", "meshOwner": "123456789012", "resourceOwner": "210987654321", "uid": "a1b2c3d4-5678-90ab-cdef-11111EXAMPLE", "version": 1 }, "routeName": "routeName", "spec": { "grpcRoute": { "action": { "weightedTargets": [ { "virtualNode": "nodeName", "weight": 100 } ] }, "match": { "metadata": [ { "invert": false, "match": { "prefix": "123" }, "name": "myMetadata" } ], "methodName": "nameOfMehod", "serviceName": "serviceA.svc.cluster.local" }, "retryPolicy": { "grpcRetryEvents": [ "deadline-exceeded" ], "httpRetryEvents": [ "server-error", "gateway-error" ], "maxRetries": 3, "perRetryTimeout": { "unit": "s", "value": 15 }, "tcpRetryEvents": [ "connection-error" ] } }, "priority": 100 }, "status": { "status": "ACTIVE" }, "virtualRouterName": "routerName" } } ``` For more information on creating a route with the AWS CLI for App Mesh, see the [create-route](https://docs.aws.amazon.com/cli/latest/reference/appmesh/create-route.html) command in the AWS CLI reference. ------ ### gRPC ### (Optional) **Match** + (Optional) Enter the **Service name** of the destination service to match the request for. If you don't specify a name, requests to any service are matched. + (Optional) Enter the **Method name** of the destination method to match the request for. If you don't specify a name, requests to any method are matched. If you specify a method name, you must specify a service name. ### (Optional) **Metadata** Choose **Add metadata**. + (Optional) Enter the **Metadata name** that you want to route based on, select a **Match type**, and enter a **Match value**. Selecting **Invert** will match the opposite. For example, if you specify a **Metadata name** of `myMetadata`, a **Match type** of **Exact**, a **Match value** of `123`, and select **Invert**, then the route is matched for any request that has a metadata name that starts with anything other than `123`. + (Optional) Select **Add metadata** to add up to ten metadata items. ### (Optional) **Retry policy** A retry policy enables clients to protect themselves from intermittent network failures or intermittent server-side failures. A retry policy is optional, but recommended. The retry timeout values define the timeout per retry attempt (including the initial attempt). If you don't define a retry policy, then App Mesh may automatically create a default policy for each of your routes. For more information, see [Default route retry policy](envoy-defaults.md#default-retry-policy). + For **Retry timeout**, enter the number of units for the timeout duration. A value is required if you select any protocol retry event. + For **Retry timeout unit**, select a unit. A value is required if you select any protocol retry event. + For **Max retries**, enter the maximum number of retry attempts when the request fails. A value is required if you select any protocol retry event. We recommend a value of at least two. + Select one or more **HTTP retry events**. We recommend selecting at least **stream-error** and **gateway-error**. + Select a **TCP retry event**. + Select one or more **gRPC retry events**. We recommend selecting at least **cancelled** and **unavailable**. ### **(Optional) Timeouts** + The default is 15 seconds. If you specified a **Retry policy**, then the duration that you specify here should always be greater than or equal to the retry duration multiplied by the **Max retries** that you defined in the **Retry policy** so that your retry policy can complete. If you specify a duration greater than 15 seconds, then make sure that the timeout specified for the listener of any virtual node **Target** is also greater than 15 seconds. For more information, see [Virtual Nodes](https://docs.aws.amazon.com/app-mesh/latest/userguide/virtual_nodes.html). + A value of `0` disables the timeout. + The maximum amount of time that the route can be idle. ### HTTP and HTTP/2 ### (Optional) Match + Specify the **Prefix** that the route should match. For example, if your virtual service name is `service-b.local` and you want the route to match requests to `service-b.local/metrics`, your prefix should be `/metrics`. Specifying `/` routes all traffic. + (Optional) Select a **Method**. + (Optional) Select a **Scheme**. Applicable only for HTTP2 routes. ### (Optional) Headers + (Optional) Select **Add header**. Enter the **Header name** that you want to route based on, select a **Match type**, and enter a **Match value**. Selecting **Invert** will match the opposite. For example, if you specify a header named `clientRequestId` with a **Prefix** of `123`, and select **Invert**, then the route is matched for any request that has a header that starts with anything other than `123`. + (Optional) Select **Add header**. You can add up to ten headers. ### **(Optional) Retry policy** A retry policy enables clients to protect themselves from intermittent network failures or intermittent server-side failures. A retry policy is optional, but recommended. The retry timeout values define the timeout per retry attempt (including the initial attempt). If you don't define a retry policy, then App Mesh may automatically create a default policy for each of your routes. For more information, see [Default route retry policy](envoy-defaults.md#default-retry-policy). + For **Retry timeout**, enter the number of units for the timeout duration. A value is required if you select any protocol retry event. + For **Retry timeout unit**, select a unit. A value is required if you select any protocol retry event. + For **Max retries**, enter the maximum number of retry attempts when the request fails. A value is required if you select any protocol retry event. We recommend a value of at least two. + Select one or more **HTTP retry events**. We recommend selecting at least **stream-error** and **gateway-error**. + Select a **TCP retry event**. ### **(Optional) Timeouts** + **Request timeout** – The default is 15 seconds. If you specified a **Retry policy**, then the duration that you specify here should always be greater than or equal to the retry duration multiplied by the **Max retries** that you defined in the **Retry policy** so that your retry policy can complete. + **Idle duration** – The default is 300 seconds. + A value of `0` disables the timeout. **Note** If you specify a timeout greater than the default, make sure that the timeout specified for the listener for all virtual node participants is also greater than the default. However, if you decrease the timeout to a value that is lower than the default, it's optional to update the timeouts at virtual nodes. For more information, see [Virtual Nodes](https://docs.aws.amazon.com/app-mesh/latest/userguide/virtual_nodes.html). ### TCP ### **(Optional) Timeouts** + **Idle duration** – The default is 300 seconds. + A value of `0` disables the timeout. ## Deleting a route ------ #### [ AWS Management Console ] **To delete a route using the AWS Management Console** 1. Open the App Mesh console at [https://console.aws.amazon.com/appmesh/](https://console.aws.amazon.com/appmesh/). 1. Choose the mesh from which you want to delete a route. All of the meshes that you own and that have been [shared](sharing.md) with you are listed. 1. Choose **Virtual routers** in the left navigation. 1. Choose the router from which you want to delete a route. 1. In the **Routes** table, choose the route that you want to delete and select **Delete** in the top right corner. 1. In the confirmation box, type **delete** and then click on **Delete**. ------ #### [ AWS CLI ] **To delete a route using the AWS CLI** 1. Use the following command to delete your route (replace the *red* values with your own): ``` aws appmesh delete-route \ --mesh-name meshName \ --virtual-router-name routerName \ --route-name routeName ``` 1. Example output: ``` { "route": { "meshName": "meshName", "metadata": { "arn": "arn:aws:appmesh:us-west-2:210987654321:mesh/meshName/virtualRouter/routerName/route/routeName", "createdAt": "2022-04-06T13:46:54.750000-05:00", "lastUpdatedAt": "2022-04-07T10:43:57.152000-05:00", "meshOwner": "123456789012", "resourceOwner": "210987654321", "uid": "a1b2c3d4-5678-90ab-cdef-11111EXAMPLE", "version": 2 }, "routeName": "routeName", "spec": { "grpcRoute": { "action": { "weightedTargets": [ { "virtualNode": "nodeName", "weight": 100 } ] }, "match": { "metadata": [ { "invert": false, "match": { "prefix": "123" }, "name": "myMetadata" } ], "methodName": "methodName", "serviceName": "serviceA.svc.cluster.local" }, "retryPolicy": { "grpcRetryEvents": [ "deadline-exceeded" ], "httpRetryEvents": [ "server-error", "gateway-error" ], "maxRetries": 3, "perRetryTimeout": { "unit": "s", "value": 15 }, "tcpRetryEvents": [ "connection-error" ] } }, "priority": 100 }, "status": { "status": "DELETED" }, "virtualRouterName": "routerName" } } ``` For more information on deleting a route with the AWS CLI for App Mesh, see the [delete-route](https://docs.aws.amazon.com/cli/latest/reference/appmesh/delete-route.html) command in the AWS CLI reference. ------