Using and Securing App Mesh


What is App Mesh?

Over the course of the last few years, new applications have been built and designed to leverage microservices and microscaling to improve efficiency, reduce costs, and increase performance. As the benefits of a robust and efficient ecosystem are realized, applications that were originally architected in a monolithic design are more frequently being replatformed or migrated to these new microservice environments.

Microservice infrastructure produces a “serverless” workload that runs on ephemeral compute of various kinds, whether virtual servers (EC2), Kubernetes (EKS, EC2, Fargate) or containers (ECS and Fargate). With microservices, the code does not depend on the health of any individual server. Instead, requests are processed by a load-balanced set of autoscaling compute resources that are loosely coupled and independently deployable. Think of the difference between Iron Man’s armor in the first Avengers and in Avengers: Endgame. In the first Avengers, if his ARC reactor fails, his entire suit becomes inoperable. In Avengers: Endgame, however, each piece of the suit acts independently and keeps functioning when other pieces are destroyed. No single piece is vital to, or even dependent on, another piece.

The question then becomes: “how do we translate networking functionality which was once set for server-based IP and DNS load balancing and routing, to a ‘serverless’ compute-based network with an ever-changing set of endpoints and autoscaling workloads?”

Amazon App Mesh attaches a networking sidecar to each microservice resource in the workload, making it easy for your application to communicate across the various compute mediums. The sidecar runs as an independent function alongside the Kubernetes pod and/or container and processes API calls for both network routing and load balancing. These sidecars can push metrics, logs, flows, and traces to a centralized controller. The logs can then be pulled by third parties such as FortiSIEM for SIEM, Alcide for Kubernetes security and governance, or Palo Alto Networks for security automation across the full enterprise stack.

If organizations are looking to extend the fabric of App Mesh beyond their AWS environment, they can use HashiCorp Consul to connect it to any runtime platform in a private or public cloud. Paired with F5 Networks/NGINX technology, this allows dynamic load balancing and helps organizations painlessly replatform their modern-day workloads onto AWS microservices. These changes make an organization much more resilient and nimble while often delivering substantial cost savings from the sheer efficiency of running microscaling microservices.

Vandis, an Advanced AWS Partner, can assist clients with their App Mesh questions as well as support the secure transition to microservices. Whether you need a Kubernetes Security Audit, more information about Secure Migration with F5, integration with your current Palo Alto Enterprise Security stack, connection into your full runtime platform, cost optimization, or even just to get started, please reach out to Vandis at 516-281-2200 or cloud@vandis.com.