Open rajal-amzn opened 4 years ago
Similarly, customer-reported case of Envoy not handling redirects, so http->https upgrades aren't handled for mesh-originated traffic: https://github.com/aws/aws-app-mesh-roadmap/issues/317
This is currently a blocker for adoption of App Mesh for our team because given the following architecture:
There is no way to have the service service.example.com publicly accessed over port 80 (then redirected to the HTTPS endpoint) without:
To the best of my knowledge (I do not have a ton of experience with App Mesh, so it's entirely possible I'm just missing something).
I think having the Envoy containers used for the Virtual Gateway configurable for enabling HTTP --> HTTPS redirects would allow customers that are currently hosting services using an ALB --> ECS service to directly switch over to App Mesh without any loss of functionality or reconfiguration of application code.
I believe we have just encountered this issue, and it may actually force us to give up App Mesh.
Assuming "Awaiting Customer Feedback" means you're looking for information on how we'd expect this to work:
Ideally this should be a configuration option on Virtual Gateway listeners so that Envoy is configured to use https_redirect: true.
In a standard Envoy config, that config block would look something like this:
routes:
- match:
    prefix: "/"
  redirect:
    https_redirect: true
Would something like the above work inside App Mesh?
I agree with the other comments regarding the http => https converts. For our specific use case, what we believe a service mesh should be able to handle was a rewrite of header & URL parameter payload data to support a 302 redirect issued from an HTTP backend service and referencing an external (of EKS) HTTPS service.
As a workaround, we've had to modify application code to specifically watch and modify these requests as they come in. This is not a software pattern that we're interested in continuing. Unfortunately, this is a current roadblock and we're looking at alternative solutions that are not AWS AppFlow.
Tell us about your request
Currently AppMesh supports terminating TLS at the Envoy. But customers would want to redirect all insecure traffic to the TLS version of their site. This could be done with a separate listener and static routing configuration as mentioned here

Which integration(s) is this request for?
Applicable for all integrations: Fargate, ECS, EKS, EC2, Kubernetes.
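
The "separate listener and static routing configuration" described in the request, written out for a standalone Envoy using the v3 API. This is an added example, not configuration from this issue or from App Mesh; the listener name, `stat_prefix`, virtual host name and port 8080 are constructed for illustration.

```yaml
# Constructed example: a cleartext listener whose only job is to redirect to HTTPS.
static_resources:
  listeners:
  - name: http_redirect            # assumed name
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 8080           # assumed port; map external port 80 to it
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: http_redirect
          route_config:
            virtual_hosts:
            - name: redirect_all   # assumed name
              domains: ["*"]
              routes:
              # Single catch-all route: every path gets a redirect, none is proxied.
              - match:
                  prefix: "/"
                redirect:
                  https_redirect: true
                  response_code: MOVED_PERMANENTLY   # 301, Envoy's default
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
```

Because this listener has no route to a cluster, no request body is ever forwarded to a backend over cleartext; the TLS listener remains the only path to the service.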