aws / aws-app-mesh-roadmap

AWS App Mesh is a service mesh that you can use with your microservices to manage service to service communication
Apache License 2.0

Feature Request: Support of egress filter at virtual node level to override default behavior for specific virtual node #241

Open duttab49 opened 4 years ago

duttab49 commented 4 years ago

If you want to see App Mesh implement this idea, please upvote with a :+1:.

Currently, the egress filter is a property of the App Mesh mesh. If we set that default setting to allow all instead of deny all, then it applies to all virtual nodes in the same mesh. But there is no way to set the egress filter for each v-node so that it would override the default setting of the mesh.

Tell us about your request Support of the egress filter at the virtual node level.

Which integration(s) is this request for? This would be applicable to each virtual node where this property is set. It can be for EC2 or EKS, wherever the Envoy proxy runs.

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard? Since there is no support for the egress filter on the virtual node, any setting of the mesh property applies to all virtual nodes inside the mesh. But we want to control the egress filter at the virtual node level.

Are you currently working around this issue? There is no way that we can work around this problem at this moment.

Additional context Anything else we should know?

Attachments If you think you might have additional information that you'd like to include via an attachment, please do - we'll take a look. (Remember to remove any personally-identifiable information.)

bcelenza commented 4 years ago

Hey @duttab49, thanks for opening this issue. Can you tell me a little more about your use case?

  1. What sort of services would you want to specify ALLOW_ALL for (i.e. certain types of services)?
  2. Do you need the ability to scope down which destinations are allowed?
  3. Does the owner of the mesh require the ability to scope down what is allowed on the egress filter at a Virtual Node?

duttab49 commented 4 years ago

Hi @bcelenza, thanks for the follow-up. We have some utilities on the EC2 instance that need to access the RDS v-service, but these utilities are outside App Mesh. For the EC2 process, we have created the v-node and v-service, then deployed the Envoy Docker container and updated the IP tables. With the above configuration, our utilities on the same EC2 box are no longer able to access the RDS v-service outside of EC2. Then, when we update the mesh egress filter from deny all to allow all, the utilities on EC2 can access the RDS. With this approach, all v-nodes in the mesh can access anything outside and you may not need to define the backends. Hence, providing the egress filter on the virtual node would be helpful to selectively allow specific v-nodes access to the outside world. Now with respect to your questions:

  1. What sort of services would you want to specify ALLOW_ALL for (i.e. certain types of services)?

Ans: In the above use case, we want to provide access to only RDS from some executables that exist on the EC2 v-node but are not part of the app mesh.

  2. Do you need the ability to scope down which destinations are allowed?

Ans: It would be really helpful to allow egress to a specific destination instead of all. For our case we want egress to RDS only, from utilities which are outside the EC2 v-node.

  3. Does the owner of the mesh require the ability to scope down what is allowed on the egress filter at a Virtual Node?

Ans: I think that the mesh owner should be able to selectively allow egress from specific v-nodes to specific target destinations, so that the Envoy running on the EC2 instance can route traffic to a selected external service from any application/process (the list of utilities, exe's in our case) which lies outside the mesh but exists on the same EC2 instance where Envoy runs.

Let me know if you have any further queries.
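As an added example (not code from the issue thread or the App Mesh project), the following Python models the egress-filter behaviour described in the comment above and flags every virtual node that inherits a mesh-wide ALLOW_ALL. The mesh and node names are constructed, and the dict layout assumes the shape of the App Mesh DescribeMesh / DescribeVirtualNode responses.

```python
"""Audit the effective egress posture of each virtual node in an App Mesh mesh.

Added example, not code from the issue thread or the App Mesh project. As the
thread describes, the egress filter is mesh-wide: ALLOW_ALL lets every virtual
node reach anything regardless of declared backends; DROP_ALL (the default)
limits a node to its declared backends. Dicts mirror the DescribeMesh /
DescribeVirtualNode response shape; the sample data is constructed.
"""
from typing import Dict, List

ALLOW_ALL = "ALLOW_ALL"
DROP_ALL = "DROP_ALL"


def effective_egress(mesh: Dict, nodes: List[Dict]) -> Dict[str, Dict]:
    """Per node: what it can reach, what it declared, and an optional finding."""
    filter_type = mesh["spec"].get("egressFilter", {}).get("type", DROP_ALL)
    report: Dict[str, Dict] = {}
    for node in nodes:
        name = node["virtualNodeName"]
        backends = sorted(
            b["virtualService"]["virtualServiceName"]
            for b in node["spec"].get("backends", [])
        )
        reachable = "ANY" if filter_type == ALLOW_ALL else backends
        finding = None
        if filter_type == ALLOW_ALL:
            # Mesh-wide ALLOW_ALL: backends document intent only; the node reaches anything.
            finding = "inherits mesh-wide ALLOW_ALL"
            if not backends:
                finding += "; no backends declared"
        report[name] = {"reachable": reachable, "declared_backends": backends, "finding": finding}
    return report


def findings(mesh: Dict, nodes: List[Dict]) -> List[str]:
    """Names of virtual nodes whose egress is broader than their declared backends."""
    return sorted(n for n, r in effective_egress(mesh, nodes).items() if r["finding"])


# Constructed sample: the mesh was flipped to ALLOW_ALL so EC2-side utilities
# could reach RDS, but every other node in the mesh inherits the same grant.
SAMPLE_MESH = {"meshName": "example-mesh", "spec": {"egressFilter": {"type": ALLOW_ALL}}}
SAMPLE_NODES = [
    {"virtualNodeName": "ec2-utilities-node",
     "spec": {"backends": [{"virtualService": {"virtualServiceName": "rds-vservice"}}]}},
    {"virtualNodeName": "web-node", "spec": {}},
]
```

Running `findings(SAMPLE_MESH, SAMPLE_NODES)` lists both nodes, which is the over-broad grant the comment describes; with the filter left at its DROP_ALL default, the list is empty and each node reaches only its declared backends.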

duttab49 commented 4 years ago

Hi @bcelenza @shubharao

Please let me know if you require any further details.

bcelenza commented 4 years ago

Thanks for the feedback @duttab49. We'd like to hear from other folks as well on this to make sure we're building it with the right approach.