Posted On: Feb 4, 2021
AWS App Mesh now supports mutual TLS (Transport Layer Security) authentication that offers two-way peer authentication. AWS App Mesh is a service mesh that provides application-level networking to standardize how your services communicate, giving you end-to-end visibility and options to tune for high-availability of your applications.
Mutual TLS authentication adds a layer of security over TLS and allows your services to identify and authenticate the client that is making a connection. Now you can configure AWS App Mesh to automatically verify if the X.509 certificate presented by a client is issued by a trusted certificate authority (CA) and if the certificate is a valid certificate. You can also use the Subject Alternative Name (SAN) on the certificate to identify the client.
You can distribute X.509 certificates for enabling mutual TLS via Envoy proxy file system. Customers running Kubernetes workloads can also bring a sidecar that implements Envoy’s Secret Discovery Service API, such as SPIFFE Runtime Environment (SPIRE).
To get started, see the Amazon ECS mutual TLS authentication walkthrough and Amazon EKS mutual TLS walkthrough with SPIRE.
To learn more about AWS App Mesh, see the product page or documentation.