aws / aws-app-mesh-roadmap

AWS App Mesh is a service mesh that you can use with your microservices to manage service to service communication
Apache License 2.0

Feature Request: Configuring egress services #157

Open shubharao opened 4 years ago

shubharao commented 4 years ago
We are trying to get to the right configuration for egress and need help. We use security groups extensively and want strong control over permitted egress ports and services. We have a list of "permitted" egress services that are outside AWS and some AWS managed services. Our plan was to proxy all egress connections from services through an egress proxy (not Envoy based) but are not sure if Envoy natively supports that. Is there a way to use the mesh gateway (that is on the roadmap) for this use case? If I create App Mesh virtual nodes for each of these permitted services and use it as an explicit backend in all my mesh services, I could accomplish the same end goal. Do you guarantee that no other connections, except for the explicitly permitted mesh backends, will be allowed? Or are there any assumptions like services running on a specific UUID / port are just allowed?
rajal-amzn commented 4 years ago

If I create App Mesh virtual nodes for each of these permitted services and use it as an explicit backend in all my mesh services, I could accomplish the same end goal.

Yes, this is correct. If you create a Virtual Service & Virtual Node to represent each of the permitted services and add it as a backend, you would be able to call those external services from those services which have them defined as a backend.

Do you guarantee that no other connections, except for the explicitly permitted mesh backends, will be allowed? Or are there any assumptions like services running on a specific UUID / port are just allowed?

We always allow any AWS service with the domain *.amazonaws.com to be called from within the mesh without you having to define them as backends. Other than that, no other connection should be allowed apart from those defined as backends.

But I see a similar use case listed here where you are looking for a specific set of allowed services to be called from within the mesh. Currently, Virtual Service and Virtual Node are the way to do it.
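As an added illustration of the approach rajal-amzn describes (this is not part of the thread or the roadmap project), here is a CloudFormation fragment that allow-lists a single hypothetical external host, api.example.com, for one calling service. The mesh, node and host names are placeholders; the explicit DROP_ALL egress filter is the behaviour the reply relies on (anything not declared as a backend is dropped, while *.amazonaws.com stays reachable).

```yaml
Resources:
  # DROP_ALL (the default) drops traffic to anything that is not a defined
  # backend; *.amazonaws.com stays reachable, as the reply above notes.
  Mesh:
    Type: AWS::AppMesh::Mesh
    Properties:
      MeshName: egress-demo-mesh   # hypothetical name
      Spec:
        EgressFilter:
          Type: DROP_ALL
  # One Virtual Node per permitted external service, discovered by DNS.
  # api.example.com is a placeholder for a permitted non-AWS endpoint.
  ExternalApiNode:
    Type: AWS::AppMesh::VirtualNode
    Properties:
      MeshName: !GetAtt Mesh.MeshName
      VirtualNodeName: external-api-node
      Spec:
        Listeners:
          - PortMapping: { Port: 443, Protocol: tcp }   # TLS passes through Envoy
        ServiceDiscovery:
          DNS: { Hostname: api.example.com }
  # The Virtual Service name is the hostname the application actually calls,
  # so Envoy can match the outbound request to this backend.
  ExternalApiService:
    Type: AWS::AppMesh::VirtualService
    Properties:
      MeshName: !GetAtt Mesh.MeshName
      VirtualServiceName: api.example.com
      Spec:
        Provider:
          VirtualNode: { VirtualNodeName: !GetAtt ExternalApiNode.VirtualNodeName }
  # The calling service lists the external Virtual Service as a backend;
  # any mesh service without this backend cannot reach api.example.com.
  OrdersNode:
    Type: AWS::AppMesh::VirtualNode
    Properties:
      MeshName: !GetAtt Mesh.MeshName
      VirtualNodeName: orders-node   # hypothetical caller
      Spec:
        Listeners:
          - PortMapping: { Port: 8080, Protocol: http }
        ServiceDiscovery:
          DNS: { Hostname: orders.internal.example }   # placeholder
        Backends:
          - VirtualService:
              VirtualServiceName: !GetAtt ExternalApiService.VirtualServiceName
```

Security groups on the task or instance still apply underneath the mesh, so pairing this backend list with an outbound rule limited to the permitted hosts and ports gives two independent controls rather than one.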