API Gateway as ingress to App Mesh #111
Comments
Has anyone come up with a workaround with end-to-end TLS involving API Gateway and App Mesh? I have been trying to set up Public API Gateway ---> Private Link --> NLB (Private) ---> App Mesh Virtual Gateway (K8s). But API Gateway does not like certificates for the internal domain. I could not find a way to turn off SSL validation similar to ALB. Next, I served ACM certificates on NLB using K8s load balancer annotations. But this time, it started sending traffic as unencrypted to App Mesh Virtual Gateway. My 3rd option is to terminate SSL at App Mesh (Virtual Gateway) and obtain public certs using cert-manager using route53 for DNS validation for certs. Not sure if there is a better option.
Hi,
Yes please! We use API Gateway -> ECS (micro services) -> SNS -> Lambdas -> Systems of Record. It would be nice to hear when it would be possible to add App Mesh for all the AWS components and use monitoring tools such as Kiali for cost-effective end-to-end visualisation.
I was wondering if someone could let me know whether using API Gateway is a better choice than Virtual Gateway as ingress proxy for App Mesh. To be honest, I would consider API Gateway because of feature completeness, and have currently decided to use it as ingress proxy into App Mesh. However, with API Gateway, it seems to require more network hops into App Mesh via private integration vs Virtual Gateway running on top of Envoy (configuration heavy), which requires fewer network hops into App Mesh. Is API Gateway the recommended ingress proxy or Virtual Gateway for App Mesh?
@jessie00chen Um, it would be a valid (not necessarily better - a matter of taste/use-case dependent) choice if it was possible. If I understand correctly this is just a feature request. You can't have API Gateway serving as ingress to your Mesh yet. You need to mix an NLB in between as well as Virtual Gateway (which could run on EC2 or ECS or K8S).
I was able to use API Gateway and private integration to a virtual node in App Mesh. If I understand ingress proxy correctly, API Gateway seems to be working with App Mesh, but I may be missing something here.
Oh! I wasn't aware of that. Waiting for somebody to join our discussion to correct me and answer you then. :P
Has AWS API Gateway been proved to be working with AWS App Mesh after all?
@herrhound Are you able to share why this isn't accepted anymore? We are evaluating API Gateway and AppMesh and see this combination as the way forward for all the benefits of API Gateway, with secure and trackable connections all the way through the estate.
We have been using the App Mesh virtual gateway as an API gateway, but we found the "Gateway routes per virtual gateway" quota is too short. Also, it would be nice to have similar features in App Mesh, like OIDC integration. Not entirely sure if we are misusing App Mesh gateway routes, but as the concept says, "A virtual gateway allows resources that are outside of your mesh to communicate to resources that are inside of your mesh. The virtual gateway represents an Envoy proxy...", which for me is describing an API gateway behavior.
Tell us about your request
What do you want us to build?
I want to use Amazon API Gateway to manage APIs for services in AWS App Mesh.
Which integration(s) is this request for?
This could be Fargate, ECS, EKS, EC2, Kubernetes, something else.
Any/All
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
What outcome are you trying to achieve, ultimately, and why is it hard/impossible to do right now? What is the impact of not having this problem solved? The more details you can provide, the better we'll be able to understand and solve the problem.
I am using API Gateway currently for my frontend service. This frontend service connects to several backend services, with discovery through AWS CloudMap. I want to use App Mesh to manage communication between my frontend and multiple backend services. Need guidance on how to configure my ingress in this case.
Are you currently working around this issue?
How are you currently solving this problem?
Not yet using App Mesh
Additional context
Anything else we should know?
Attachments
If you think you might have additional information that you'd like to include via an attachment, please do - we'll take a look. (Remember to remove any personally-identifiable information.)