
Feature Request: Support of egress filter at virtual node level to override default behavior for specific virtual node #241

Open
duttab49 opened this issue Aug 4, 2020 · 4 comments
Assignees
Labels
Roadmap: Awaiting Customer Feedback (We need to get more information in order to understand how we will implement this feature.)

Comments

duttab49 commented Aug 4, 2020

If you want to see App Mesh implement this idea, please upvote with a 👍.

Currently, the egress filter is a property of the App Mesh mesh. If we change that default setting from deny all to allow all, it applies to all virtual nodes in the same mesh. But there is no way to set the egress filter for each v-node so that it would override the default setting of the mesh.

Tell us about your request
Support of egress filter at the virtual node level

Which integration(s) is this request for?
This would be applicable for each of the virtual nodes where this property is set. It can be for EC2, EKS where envoy proxy runs

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
Since there is no support for the egress filter at the virtual node level, any setting of the mesh property applies to all virtual nodes inside the mesh. But we want to control the egress filter at the virtual node level.

Are you currently working around this issue?
There is no way that we can work around this problem at this moment.

Additional context
Anything else we should know?

Attachments
If you think you might have additional information that you'd like to include via an attachment, please do - we'll take a look. (Remember to remove any personally-identifiable information.)

bcelenza added the label "Roadmap: Awaiting Customer Feedback (We need to get more information in order to understand how we will implement this feature.)" on Aug 5, 2020
bcelenza commented Aug 5, 2020

Hey @duttab49, thanks for opening this issue. Can you tell me a little more about your use case?

  1. What sort of services would you want to specify ALLOW_ALL for (i.e. certain types of services)?
  2. Do you need the ability to scope down which destinations are allowed?
  3. Does the owner of the mesh require the ability to scope down what is allowed on the egress filter at a Virtual Node?

duttab49 commented Aug 6, 2020

Hi @bcelenza, thanks for the follow-up.
We have some utilities in the EC2 instance that need to access the RDS v-service. But these utilities are outside App Mesh.
For the EC2 process, we have created the v-node and v-service.
Then we deployed the Envoy Docker container and updated the IP tables.
With the above configuration, our utilities in the same EC2 box are no longer able to access the RDS v-service outside of EC2.
Then, when we update the mesh egress filter from deny all to allow all, the utilities in EC2 can access the RDS.
With this approach, all v-nodes in the mesh can access anything outside and you may not need to define the backends.
Hence providing the egress filter at the virtual node level would be helpful to selectively allow specific v-nodes access to the outside world.
Now with respect to your questions:

  1. What sort of services would you want to specify ALLOW_ALL for (i.e. certain types of services)?

Ans: In the above use case, we want to provide access to only RDS from some executables that exist in the EC2 v-node but are not part of App Mesh.

  2. Do you need the ability to scope down which destinations are allowed?

Ans: It would be really helpful to allow egress to a specific destination instead of all.
For our case we want to egress to RDS only from utilities which are outside the EC2 v-node.

  3. Does the owner of the mesh require the ability to scope down what is allowed on the egress filter at a Virtual Node?

Ans: I think that the mesh owner should be able to selectively allow egress from specific v-nodes to specific target destinations, so that the Envoy running in the EC2 instance can route traffic to a selected external service from any application/process (the list of utilities and exe's in our case) which lies outside the mesh but exists in the same EC2 instance where Envoy runs.

Let me know if any further queries.
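The behaviour described in the issue body and in the comment above can be modelled compactly. The following is an added illustration, not App Mesh code: the mesh-level field `egressFilter.type` and its values `ALLOW_ALL` / `DROP_ALL` are the real App Mesh spec values, while the per-node `egress_override` attribute is hypothetical and stands for the per-virtual-node override this request asks for. The model simplifies Envoy's real policy to "declared backends are always reachable; anything else is governed by the effective egress filter", which is enough to show why flipping the mesh to ALLOW_ALL widens egress for every virtual node, and how a per-node override would scope that down. Service names are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Real App Mesh egressFilter.type values
ALLOW_ALL = "ALLOW_ALL"
DROP_ALL = "DROP_ALL"  # App Mesh default


@dataclass
class Mesh:
    name: str
    egress_filter: str = DROP_ALL


@dataclass
class VirtualNode:
    name: str
    backends: List[str] = field(default_factory=list)  # virtual service names
    egress_override: Optional[str] = None  # HYPOTHETICAL: requested per-node filter


def egress_allowed(mesh: Mesh, node: VirtualNode, destination: str,
                   per_node_override: bool = False) -> bool:
    """Decide whether the Envoy fronting `node` forwards a connection to `destination`.

    Simplified model: a declared backend is always reachable; any other destination
    is governed by the mesh egress filter today, or by the node's hypothetical
    override when `per_node_override` is on (the feature this issue requests).
    """
    if destination in node.backends:
        return True
    effective = mesh.egress_filter
    if per_node_override and node.egress_override is not None:
        effective = node.egress_override
    return effective == ALLOW_ALL


def scenarios() -> Dict[str, Dict[str, bool]]:
    """Run the three situations discussed in the issue and return the outcomes."""
    rds = "rds.prod.local"                 # constructed virtual service name
    external = "api.thirdparty.example"    # constructed destination outside the mesh

    utilities = VirtualNode("ec2-utilities-vn", backends=[rds])
    other = VirtualNode("other-service-vn")

    # 1. Mesh default DROP_ALL: only declared backends are reachable.
    mesh = Mesh("prod-mesh")
    default = {
        "utilities_to_rds": egress_allowed(mesh, utilities, rds),
        "utilities_to_external": egress_allowed(mesh, utilities, external),
        "other_to_external": egress_allowed(mesh, other, external),
    }

    # 2. Workaround today: mesh-wide ALLOW_ALL. Every node, including ones that
    #    never needed it, can now reach any external destination.
    mesh_open = Mesh("prod-mesh", egress_filter=ALLOW_ALL)
    mesh_wide = {
        "utilities_to_external": egress_allowed(mesh_open, utilities, external),
        "other_to_external": egress_allowed(mesh_open, other, external),
    }

    # 3. Requested behaviour: mesh stays DROP_ALL, a single node overrides it.
    utilities.egress_override = ALLOW_ALL
    override = {
        "utilities_to_external": egress_allowed(mesh, utilities, external, True),
        "other_to_external": egress_allowed(mesh, other, external, True),
    }
    return {"default_drop_all": default, "mesh_allow_all": mesh_wide,
            "per_node_override": override}


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(name, outcome)
```

The second scenario is the risk the request is trying to avoid: the blast radius of an ALLOW_ALL change at mesh scope is every virtual node, so an auditor reviewing egress would see no difference between the node that needs the exception and the ones that do not. The third scenario keeps the mesh default closed and documents the exception where it applies.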

duttab49 commented
Hi @bcelenza @shubharao

Please let me know if you require any further details.

bcelenza commented
Thanks for the feedback @duttab49. We'd like to hear from other folks as well on this to make sure we're building it with the right approach.
