Announcing AWS-Tetrate partnership to bring enterprise grade Envoy to App Mesh users

Today we announced an exciting partnership with AWS App Mesh. Tetrate GetEnvoy, which provides certified builds of Envoy, can now be used by customers of AWS App Mesh with EC2, ECS and EKS. This enables customers to have one set of verified and approved builds of Envoy across their data center and AWS.

“Today, many customers are running applications on the cloud,” said Varun Talwar, our CEO. “We are very excited about our support for the launch of AWS App Mesh because it enables consistency of experience for customers as it relates to understanding performance of applications and configuring their availability. We will continue to work with AWS to promote enterprise adoption of Envoy and service mesh.”

“AWS App Mesh brings end-to-end visibility and controls for high availability to microservices running on AWS,” said Deepak Singh, Director, Compute Services in AWS. “Customers using AWS App Mesh can use Tetrate for a consistent experience of connectivity, as well as easier traffic shifting for migration or disaster recovery to run microservices in data centers and AWS.”

The partnership will lead to continuous improvements for hybrid cloud customers who can use service mesh infrastructure to control, manage, observe and secure hundreds of services at a time.

How to use

Before starting, set up the Colorteller example in the ECS environment: https://github.com/awslabs/aws-app-mesh-examples

All example files are on the gist: https://gist.github.com/taiki45/0a4d6245528665105134161e1f8ffe1d

Step 1: Sign up to get access to Tetrate GetEnvoy here.

Step 2: Set up GetEnvoy and download the latest Envoy binary:

>curl -sSL https://getenvoy.io/install | sh

>~/.getenvoy/bin/getenvoy fetch

(Need an id/password here.)

>sudo install -m 0755 ~/.getenvoy/latest/bin/envoy /usr/bin/envoy # the wrapper script assumes this path

Step 3: Set up App Mesh to connect to the Colorteller gateway app from the “Legacy app”. For example,

>create-vnode-legacy-app.json

Step 4: Download the necessary files:

  • `envoy-wrapper`: generates the Envoy bootstrap config, then execs `/usr/bin/envoy` with that configuration.
  • `sidecar-proxy-route-manager.sh`: sets up iptables to capture and forward outgoing requests to the running Envoy instance.
  • `cert.pem`: a CA certificate file to connect to App Mesh’s ADS (Aggregated Discovery Services) endpoint.

Step 5: Create a Linux user under which the Envoy processes will run.

Step 6: Attach an arbitrary IAM role to the instance.

Step 7: Run `sidecar-proxy-route-manager.sh` with the necessary environment variables. For example:

     APPMESH_START_ENABLED=1

     APPMESH_APP_PORTS=80 # this will be the application’s listen ports

     APPMESH_EGRESS_IGNORED_IP=169.254.169.254,169.254.170.2

     APPMESH_ENVOY_EGRESS_PORT=15001

     APPMESH_ENVOY_INGRESS_PORT=15000

     APPMESH_IGNORE_UID=1337 # this will be the user id of step 5

Step 8: Run the `envoy-wrapper` script as the user created in step 5, with the necessary environment variable, e.g. `APPMESH_VIRTUAL_NODE_NAME=mesh/default/virtualNode/legacy-app`

Step 9: Test by calling the Colorteller gateway app (e.g. DNS name `colorgateway.default.svc.cluster.local`), then check the Envoy stats, for example:

>curl -s localhost:9901/stats |grep upstream_rq_200 |grep -v external
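To make the effect of the step 7 variables concrete, the following added example (not the gist's `sidecar-proxy-route-manager.sh`, and not Tetrate or AWS code) validates them and prints the NAT rules that a redirect setup of this kind implies, without touching iptables. The chain names `EXAMPLE_EGRESS` / `EXAMPLE_INGRESS`, the helper names and the refusal of UID 0 are assumptions of the example.

```shell
#!/bin/sh
# Added example: a dry-run model, NOT the gist's sidecar-proxy-route-manager.sh.
# Chain names EXAMPLE_EGRESS / EXAMPLE_INGRESS are hypothetical.
is_port() {   # succeeds if $1 is an integer in 1..65535
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}
is_ipv4() {   # succeeds if $1 is a dotted quad with octets 0..255
  case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
  set -- $(echo "$1" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}
csv() { echo "$1" | tr ',' ' '; }   # comma-separated list -> space-separated
# Print (never execute) the NAT rules implied by the APPMESH_* variables.
render_rules() {
  is_port "$APPMESH_ENVOY_EGRESS_PORT"  || { echo "bad egress port" >&2; return 1; }
  is_port "$APPMESH_ENVOY_INGRESS_PORT" || { echo "bad ingress port" >&2; return 1; }
  case "$APPMESH_IGNORE_UID" in ''|*[!0-9]*) echo "bad uid" >&2; return 1 ;; esac
  # Policy of this example: the ignored UID bypasses the mesh, so it must not be root.
  [ "$APPMESH_IGNORE_UID" -ne 0 ] || { echo "refusing uid 0" >&2; return 1; }
  for ip in $(csv "$APPMESH_EGRESS_IGNORED_IP"); do
    is_ipv4 "$ip" || { echo "bad ignored IP: $ip" >&2; return 1; }
  done
  for port in $(csv "${APPMESH_APP_PORTS:-missing}"); do
    is_port "$port" || { echo "bad app port: $port" >&2; return 1; }
  done
  nat="iptables -t nat"
  # Egress: skip Envoy's own traffic and the ignored IPs, redirect the rest to Envoy.
  echo "$nat -N EXAMPLE_EGRESS"
  echo "$nat -A EXAMPLE_EGRESS -m owner --uid-owner $APPMESH_IGNORE_UID -j RETURN"
  for ip in $(csv "$APPMESH_EGRESS_IGNORED_IP"); do
    echo "$nat -A EXAMPLE_EGRESS -d $ip -j RETURN"
  done
  echo "$nat -A EXAMPLE_EGRESS -p tcp -j REDIRECT --to-port $APPMESH_ENVOY_EGRESS_PORT"
  echo "$nat -A OUTPUT -p tcp -m addrtype ! --dst-type LOCAL -j EXAMPLE_EGRESS"
  # Ingress: traffic arriving for the application's ports goes through Envoy first.
  echo "$nat -N EXAMPLE_INGRESS"
  for port in $(csv "$APPMESH_APP_PORTS"); do
    echo "$nat -A EXAMPLE_INGRESS -p tcp --dport $port -j REDIRECT --to-port $APPMESH_ENVOY_INGRESS_PORT"
  done
  echo "$nat -A PREROUTING -p tcp -m addrtype ! --src-type LOCAL -j EXAMPLE_INGRESS"
}
# Values from step 7 of the page.
APPMESH_APP_PORTS=80 APPMESH_EGRESS_IGNORED_IP=169.254.169.254,169.254.170.2
APPMESH_ENVOY_EGRESS_PORT=15001 APPMESH_ENVOY_INGRESS_PORT=15000
APPMESH_IGNORE_UID=1337
render_rules
```

The owner-match rule is why steps 5 and 8 matter: only processes running as `APPMESH_IGNORE_UID` escape redirection, so running anything other than Envoy under that user lets its traffic bypass the mesh.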

App Mesh – GetEnvoy Integration Architecture

Figure 1: AWS App Mesh – GetEnvoy Integration

Looking forward

Looking ahead, Tetrate will work closely with AWS to provide additional value to customers, such as enabling observability across all monolithic applications and microservices running in data centers and AWS. Tetrate’s enterprise mesh offerings will simplify and improve the experience of users managing Envoys everywhere and controlling their behavior.
