AWS App Mesh: What It Is and When to Use It

⚠️ End-of-Life Notice: AWS will discontinue support for AWS App Mesh on September 30, 2026. As of September 24, 2024, new customers cannot onboard to the service. Existing users should plan their migration to alternatives like Amazon ECS Service Connect or Amazon VPC Lattice.

Definition

AWS App Mesh is a managed service mesh that provides application-level networking, making it easy to monitor and control microservices. It standardizes how services communicate, giving you end-to-end visibility and helping to ensure high availability for your applications, regardless of the underlying compute infrastructure.

How It Works

App Mesh works by inserting a proxy in front of your application containers. It uses the open-source Envoy proxy, which is deployed as a sidecar container alongside each service. This creates a data plane that intercepts all incoming and outgoing network traffic, while AWS manages the control plane.

Architecture & Components:

The architecture consists of a managed control plane provided by AWS and a data plane that you run within your infrastructure.

  • Control Plane: This is the core of App Mesh, managed entirely by AWS. You interact with the control plane via the AWS API or console to define the rules and configuration for your service mesh.
  • Data Plane: This consists of Envoy proxies running as sidecars next to your application containers. These proxies receive their configuration from the App Mesh control plane and handle the actual traffic routing, policy enforcement, and telemetry collection.

Key Components:

  • Service Mesh: A logical boundary for network traffic between the services that reside within it. It acts as a container for all other App Mesh components.
  • Virtual Nodes: A logical pointer to a discoverable backend service, such as an Amazon Elastic Container Service (ECS) service or a Kubernetes deployment. Each virtual node configuration includes details for service discovery, logging, and backend defaults.
  • Virtual Services: An abstraction of an actual service. A virtual service's name is the address that other services use to communicate. It can route traffic to different virtual nodes, enabling use cases like canary deployments.
  • Virtual Routers: These handle traffic for one or more virtual services within your mesh. They listen for traffic on a specific port and use routes to direct that traffic to the appropriate virtual nodes.
  • Routes: A route is associated with a virtual router and is used to match requests based on criteria like HTTP headers or URL paths, and then distribute traffic to weighted target virtual nodes.

Request Flow:

  1. A request from Service A to Service B is initiated within the application code, typically to a logical DNS name (e.g., service-b.local).
  2. The request is intercepted by the Envoy sidecar proxy running alongside Service A.
  3. The Envoy proxy, configured by the App Mesh control plane, knows how to route traffic for service-b.local. It applies any configured routing rules, such as splitting traffic between two versions of Service B.
  4. The proxy forwards the request to the Envoy proxy of the appropriate Service B instance.
  5. The Service B proxy receives the request and forwards it to the actual Service B application container on localhost.
  6. Both proxies collect metrics, logs, and traces about the request, which are exported to services like Amazon CloudWatch and AWS X-Ray.

Key Features and Limits

  • Traffic Management: Configure sophisticated routing rules for A/B testing, blue/green deployments, and canary releases. You can control traffic based on weights, HTTP headers, and URL paths.
  • Observability: Gain deep insights into your application's health and performance. App Mesh integrates with Amazon CloudWatch, AWS X-Ray, and third-party monitoring tools (via Envoy extensions) to provide metrics, logs, and distributed traces.
  • Security: Enforce traffic encryption between services using mutual TLS (mTLS). App Mesh can integrate with AWS Certificate Manager (ACM) Private Certificate Authority or your own certificate authority to manage and distribute certificates.
  • Cross-Platform Compatibility: App Mesh supports services running on Amazon ECS, Amazon EKS, AWS Fargate, and Amazon EC2 instances.
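The component model above (virtual nodes, routers and weighted routes) and the mTLS bullet are easiest to see in the JSON specs the App Mesh API actually takes. The following is an added example, not code from the article or from AWS: it builds a weighted canary route spec and a virtual node spec with STRICT listener TLS plus enforced client-side TLS, then audits a node spec for the weak settings a reviewer would look for. ARNs and certificate paths are placeholders.

```python
# Added example: build and audit AWS App Mesh specs (shapes follow the
# CreateRoute / CreateVirtualNode API). ARNs and paths are placeholders.
CA_ARN = "arn:aws:acm-pca:REGION:ACCOUNT:certificate-authority/PLACEHOLDER"
CERT_ARN = "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER"


def canary_route_spec(stable_node, canary_node, canary_percent, prefix="/"):
    """Route spec sending canary_percent of matching requests to the canary
    virtual node. Weights are relative; here they are normalized to 100."""
    if not 0 <= canary_percent <= 100:
        raise ValueError("canary_percent must be between 0 and 100")
    return {"httpRoute": {
        "match": {"prefix": prefix},
        "action": {"weightedTargets": [
            {"virtualNode": stable_node, "weight": 100 - canary_percent},
            {"virtualNode": canary_node, "weight": canary_percent},
        ]},
    }}


def mtls_virtual_node_spec(hostname, port=8080):
    """Virtual node spec: STRICT listener TLS with an ACM certificate, client
    certificate validation against a CA bundle file, and outbound TLS that
    is enforced for every backend and validated against an ACM Private CA."""
    return {
        "serviceDiscovery": {"dns": {"hostname": hostname}},
        "listeners": [{
            "portMapping": {"port": port, "protocol": "http"},
            "tls": {
                "mode": "STRICT",
                "certificate": {"acm": {"certificateArn": CERT_ARN}},
                "validation": {"trust": {"file": {"certificateChain": "/certs/ca.pem"}}},
            },
        }],
        "backendDefaults": {"clientPolicy": {"tls": {
            "enforce": True,
            "certificate": {"file": {"certificateChain": "/certs/client.pem",
                                     "privateKey": "/certs/client.key"}},
            "validation": {"trust": {"acm": {"certificateAuthorityArns": [CA_ARN]}}},
        }}},
    }


def audit_tls(spec):
    """Findings for a virtual node spec: listeners not in STRICT mode or with
    no client-certificate validation, and backends that do not enforce TLS."""
    findings = []
    for i, listener in enumerate(spec.get("listeners", [])):
        tls = listener.get("tls") or {}
        if tls.get("mode") != "STRICT":
            findings.append(f"listener {i}: tls mode is {tls.get('mode', 'absent')}, not STRICT")
        if "validation" not in tls:
            findings.append(f"listener {i}: no client certificate validation (not mTLS)")
    client = spec.get("backendDefaults", {}).get("clientPolicy", {}).get("tls", {})
    if not client.get("enforce"):
        findings.append("backendDefaults: clientPolicy.tls.enforce is not true")
    return findings
```

Running `audit_tls` over every virtual node in a mesh (for example after `aws appmesh describe-virtual-node`) is a cheap way to catch a node left in PERMISSIVE mode or a backend policy that does not enforce TLS.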

Service Limits (Quotas):

AWS App Mesh quotas are managed through the AWS Service Quotas console. These limits define the maximum number of resources (like meshes, virtual nodes, and routes) you can create per account per region. For the most up-to-date information, refer to the official AWS documentation on service quotas.

Common Use Cases

  • Standardizing Microservice Communications: Enforce consistent communication policies, including retry logic, timeouts, and mTLS, across a fleet of microservices written in different languages.
  • Safe Deployments (Canary/Blue-Green): Gradually shift traffic to a new version of a service to test it in production with a small percentage of users before a full rollout, minimizing the impact of potential bugs.
  • Improving Application Resiliency: Implement client-side load balancing and configure sophisticated retry policies and circuit breakers to protect services from downstream failures without changing application code.
  • Centralized Observability: Consolidate metrics, logs, and traces from all services in a central location, providing a unified view of application health and making it easier to troubleshoot issues in a distributed system.

Pricing Model

There is no additional charge for using AWS App Mesh itself. You only pay for the AWS resources consumed by the Envoy proxies that are deployed alongside your application containers. This includes charges for:

  • Amazon EC2 instance hours if you are running your workloads on EC2.
  • vCPU and memory resources requested if you are using AWS Fargate.

You can estimate your costs using the AWS Pricing Calculator.

Pros and Cons

Pros:

  • Managed Control Plane: AWS manages the availability and scalability of the control plane, reducing operational overhead.
  • Deep AWS Integration: Seamlessly integrates with other AWS services like IAM, CloudWatch, X-Ray, ACM, and AWS Cloud Map for service discovery.
  • Platform Agnostic: Supports various AWS compute services, allowing you to build a mesh across different environments (e.g., ECS and EKS).

Cons:

  • End-of-Life: The service is being discontinued on September 30, 2026, making it unsuitable for new projects.
  • Operational Complexity: While the control plane is managed, you are still responsible for injecting and managing the Envoy sidecar proxies in your tasks and pods.
  • Feature Lag: Compared to open-source alternatives like Istio, App Mesh has historically been slower to adopt advanced features like fault injection and traffic mirroring.

Comparison with Alternatives

  • Amazon ECS Service Connect: This is the recommended migration path for ECS users. It provides service discovery, connectivity, and observability without requiring you to manually manage Envoy sidecars. It's a simpler, more integrated experience but is limited to Amazon ECS.
  • Amazon VPC Lattice: Recommended for EKS users and for service-to-service communication across VPCs and accounts. It operates at a higher level of abstraction than a traditional service mesh, focusing on connecting services without managing individual proxies or sidecars.
  • Istio: A powerful, feature-rich open-source service mesh. It offers more advanced capabilities (e.g., fault injection, complex routing, multi-cluster meshes) but requires you to manage the control plane yourself, increasing operational complexity. Istio is cloud-agnostic.

Exam Relevance

Due to its announced deprecation, the relevance of AWS App Mesh on AWS certification exams is expected to decline significantly. While questions might appear on older exam versions, future updates are likely to remove App Mesh in favor of its successors, Amazon ECS Service Connect and Amazon VPC Lattice. Candidates should be aware of what App Mesh was and know that ECS Service Connect and VPC Lattice are the modern AWS-native solutions for service-to-service networking.

Frequently Asked Questions

Q: Is AWS App Mesh still recommended for new applications?

A: No. AWS has announced the end-of-life for App Mesh, effective September 30, 2026. New customers cannot start using the service after September 24, 2024. For new applications, you should consider Amazon ECS Service Connect (for ECS workloads) or Amazon VPC Lattice.

Q: What is the main difference between AWS App Mesh and Istio?

A: The primary difference is the control plane management and feature set. App Mesh offers a fully managed control plane integrated with AWS services, while Istio is an open-source solution that you must manage yourself but provides a more extensive set of advanced features and is platform-agnostic.

Q: Do I need to change my application code to use App Mesh?

A: No, one of the core benefits of a service mesh like App Mesh is that it handles traffic management, security, and observability at the infrastructure layer. This is done by intercepting network traffic via the Envoy sidecar proxy, which does not require changes to the application's source code.


This article reflects AWS features and pricing as of 2026. AWS services evolve rapidly — always verify against the official AWS documentation before making production decisions.

Published: 5/16/2026 / Updated: 5/25/2026