
Enable Health Checks for App Mesh Virtual Gateways

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Amazon App Mesh virtual gateways are using health check policies to monitor the availability of the virtual nodes associated with the virtual gateways.

Reliability

In Amazon App Mesh, health checks are used to probe whether the App Mesh virtual gateway is able to handle requests. The health check policies configured for the virtual gateway listeners can increase the availability and the reliability of the applications deployed within your App Mesh. A health check policy must include values for the healthy threshold, health check interval, health check protocol, the timeout period, and the unhealthy threshold.


Audit

To determine if your Amazon App Mesh virtual gateways are configured to use health check policies, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon App Mesh console at https://console.aws.amazon.com/appmesh/.

03 In the navigation panel, under AWS App Mesh, choose Meshes.

04 Click on the name of the service mesh that you want to access, available in the Mesh name column.

05 In the left navigation panel, under the name of the selected service mesh, choose Virtual gateways.

06 Click on the name (link) of the App Mesh virtual gateway that you want to examine.

07 Choose the Edit button from the console top menu to access the virtual gateway listener configuration.

08 Check the Enable health check configuration setting status, available in the Listener section. If the Enable health check setting is disabled, the listener associated with the selected Amazon App Mesh virtual gateway is not configured to use a health check policy.

09 Repeat steps no. 6 – 8 for each App Mesh virtual gateway created for the selected service mesh.

10 Repeat steps no. 4 – 9 for each App Mesh service mesh deployed within the current AWS cloud region.

11 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run the list-meshes command (OSX/Linux/UNIX) with custom query filters to list the names of all the Amazon App Mesh service meshes deployed in the selected AWS cloud region:

aws appmesh list-meshes \
  --region us-east-1 \
  --query 'meshes[*].meshName'

02 The command output should return an array with the requested mesh name(s):

[
  "cc-production-app-mesh",
  "cc-staging-app-mesh",
  "cc-development-app-mesh"
]

03 Run the list-virtual-gateways command (OSX/Linux/UNIX) using the name of the App Mesh service mesh that you want to examine as the identifier parameter and custom query filters to describe the name of each virtual gateway created for the selected service mesh:

aws appmesh list-virtual-gateways \
  --region us-east-1 \
  --mesh-name cc-production-app-mesh \
  --query 'virtualGateways[*].virtualGatewayName'

04 The command output should return an array with the requested virtual gateway name(s):

[
  "cc-prod-mesh-virtual-gateway",
  "cc-main-mesh-virtual-gateway"
]

05 Run the describe-virtual-gateway command (OSX/Linux/UNIX) using the name of the App Mesh virtual gateway that you want to examine as the identifier parameter, to describe the health check policy configured for the listener associated with the selected virtual gateway:

aws appmesh describe-virtual-gateway \
  --region us-east-1 \
  --mesh-name cc-production-app-mesh \
  --virtual-gateway-name cc-prod-mesh-virtual-gateway \
  --query 'virtualGateway.spec.listeners[*].healthCheck'

06 The command output should return the requested health check policy information:

[]

If the describe-virtual-gateway command output returns an empty array (i.e. []), as shown in the output example above, the listener associated with the selected Amazon App Mesh virtual gateway has no healthCheck block and is therefore not using a health check policy.

07 Repeat steps no. 5 and 6 for each App Mesh virtual gateway created for the selected service mesh.

08 Repeat steps no. 3 – 7 for each App Mesh service mesh deployed in the selected AWS region.

09 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 8 to perform the entire audit process for other regions.

Remediation / Resolution

To configure health check policies for your existing Amazon App Mesh virtual gateways, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon App Mesh console at https://console.aws.amazon.com/appmesh/.

03 In the navigation panel, under AWS App Mesh, choose Meshes.

04 Click on the name of the service mesh that you want to access, available in the Mesh name column.

05 In the left navigation panel, under the name of the selected service mesh, choose Virtual gateways.

06 Click on the name (link) of the App Mesh virtual gateway that you want to reconfigure.

07 Click on the Edit button from the console top menu to update the selected virtual gateway configuration.

08 In the Listener section, toggle the Enable health check button, and perform the following actions (you can also use the default health check configuration):

  1. Choose the appropriate protocol from the Health check protocol dropdown list.
  2. For the Health check port, specify the port that the health check should run on. The health check port must be the same as the listener's port.
  3. For the Healthy threshold, specify the number of consecutive successful health checks that must occur before declaring the virtual gateway listener healthy.
  4. For the Health check interval, specify the time period (in milliseconds) between each health check execution. Values between 5000 and 300000 are allowed.
  5. For the Path, specify the destination path for the health check request. This parameter is required only if the Health check protocol is set to http or http2. The value is ignored for other protocols.
  6. For the Timeout period, specify the amount of time to wait when receiving a response from the health check, in milliseconds.
  7. For the Unhealthy threshold, specify the number of consecutive failed health checks that must occur before declaring the virtual gateway listener unhealthy.

09 Choose Save to apply the changes. This will enable health checks for the selected App Mesh virtual gateway.

10 Repeat steps no. 6 – 9 for each App Mesh virtual gateway that you want to reconfigure, created for the selected service mesh.

11 Repeat steps no. 4 – 10 for each App Mesh service mesh deployed within the current AWS cloud region.

12 Change the AWS region from the navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run the describe-virtual-gateway command (OSX/Linux/UNIX) using the name of the Amazon App Mesh virtual gateway that you want to examine as the identifier parameter and custom query filters to describe the configuration specifications available for the selected virtual gateway:

aws appmesh describe-virtual-gateway \
  --region us-east-1 \
  --mesh-name cc-production-app-mesh \
  --virtual-gateway-name cc-prod-mesh-virtual-gateway \
  --query 'virtualGateway.spec'

02 The command output should return the requested virtual gateway specifications:

{
  "backendDefaults": {
    "clientPolicy": {}
  },
  "listeners": [
    {
      "portMapping": {
        "port": 80,
        "protocol": "http"
      }
    }
  ],
  "logging": {}
}

03 Modify the virtual gateway specifications returned at the previous step to include the health check policy defined for the virtual gateway listener (the healthCheck object inside the listener). Save the following configuration document to a JSON file named virtual-gateway-health-check-specs.json:

{
  "backendDefaults": {
    "clientPolicy": {}
  },
  "listeners": [
    {
      "healthCheck": {
        "healthyThreshold": 5,
        "intervalMillis": 30000,
        "path": "/",
        "port": 80,
        "protocol": "http",
        "timeoutMillis": 5000,
        "unhealthyThreshold": 2
      },
      "portMapping": {
        "port": 80,
        "protocol": "http"
      }
    }
  ],
  "logging": {}
}

04 Run the update-virtual-gateway command (OSX/Linux/UNIX) to enable health checks for the listener associated with the specified Amazon App Mesh virtual gateway, using the configuration specifications defined at the previous step:

aws appmesh update-virtual-gateway \
  --region us-east-1 \
  --mesh-name cc-production-app-mesh \
  --virtual-gateway-name cc-prod-mesh-virtual-gateway \
  --spec file://virtual-gateway-health-check-specs.json

05 The command output should return the metadata available for the reconfigured App Mesh virtual gateway:

{
  "virtualGateway": {
    "meshName": "cc-production-app-mesh",
    "metadata": {
      "arn": "arn:aws:appmesh:us-east-1:123456789012:mesh/cc-production-app-mesh/virtualGateway/cc-prod-mesh-virtual-gateway",
      "createdAt": "2021-01-28T10:00:00.000000+00:00",
      "lastUpdatedAt": "2021-01-29T10:00:00.000000+00:00",
      "meshOwner": "123456789012",
      "resourceOwner": "123456789012",
      "uid": "1234abcd-1234-abcd-1234-abcd1234abcd",
      "version": 7
    },
    "spec": {
      "backendDefaults": {
        "clientPolicy": {}
      },
      "listeners": [
        {
          "healthCheck": {
            "healthyThreshold": 5,
            "intervalMillis": 30000,
            "path": "/",
            "port": 80,
            "protocol": "http",
            "timeoutMillis": 5000,
            "unhealthyThreshold": 2
          },
          "portMapping": {
            "port": 80,
            "protocol": "http"
          }
        }
      ],
      "logging": {}
    },
    "status": {
      "status": "ACTIVE"
    },
    "virtualGatewayName": "cc-prod-mesh-virtual-gateway"
  }
}

06 Repeat steps no. 1 – 5 for each App Mesh virtual gateway that you want to reconfigure, created for the specified service mesh.

07 Repeat steps no. 1 – 6 for each App Mesh service mesh deployed in the selected AWS region.

08 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 7 to perform the entire remediation process for other regions.
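The following script is an added example, not part of the Conformity article or the AWS CLI: it applies the audit rule from step 6 of the audit section and the listener constraints from remediation step 8 to a virtualGateway.spec document (as returned by describe-virtual-gateway --query 'virtualGateway.spec'), and builds the remediated spec from step 3 for every listener that lacks a policy. The function names, the sample spec and the default policy values are assumptions taken from the page's example.

```python
import copy

# Keys the page lists as mandatory for a health check policy.
REQUIRED_KEYS = ("healthyThreshold", "intervalMillis", "protocol",
                 "timeoutMillis", "unhealthyThreshold")


def audit_spec(spec):
    """Return a list of findings for each listener in a virtualGateway.spec document."""
    findings = []
    for i, listener in enumerate(spec.get("listeners", [])):
        port = listener["portMapping"]["port"]
        hc = listener.get("healthCheck")
        if not hc:  # key absent, which is what the CLI query reports as []
            findings.append(f"listener {i}: no health check policy")
            continue
        for key in REQUIRED_KEYS:
            if key not in hc:
                findings.append(f"listener {i}: health check is missing {key}")
        # An omitted health check port defaults to the listener port; an explicit one must match it.
        if hc.get("port", port) != port:
            findings.append(f"listener {i}: health check port must equal listener port {port}")
        interval = hc.get("intervalMillis", 0)
        if not 5000 <= interval <= 300000:
            findings.append(f"listener {i}: intervalMillis {interval} is outside 5000-300000")
        if hc.get("protocol") in ("http", "http2") and not hc.get("path"):
            findings.append(f"listener {i}: path is required for {hc['protocol']} health checks")
    return findings


def with_health_checks(spec, path="/", healthy=5, interval=30000, timeout=5000, unhealthy=2):
    """Return a copy of spec with the page's example policy added to every listener lacking one."""
    new_spec = copy.deepcopy(spec)
    for listener in new_spec.get("listeners", []):
        if listener.get("healthCheck"):
            continue  # keep a policy that is already configured
        mapping = listener["portMapping"]
        hc = {"healthyThreshold": healthy, "intervalMillis": interval,
              "port": mapping["port"], "protocol": mapping["protocol"],
              "timeoutMillis": timeout, "unhealthyThreshold": unhealthy}
        if mapping["protocol"] in ("http", "http2"):
            hc["path"] = path  # ignored for grpc/tcp, so only set where it applies
        listener["healthCheck"] = hc
    return new_spec


# Constructed sample: the spec shown in remediation step 2 (no health check yet).
SAMPLE_SPEC = {"backendDefaults": {"clientPolicy": {}},
               "listeners": [{"portMapping": {"port": 80, "protocol": "http"}}],
               "logging": {}}
```

Writing with_health_checks(spec) out with json.dump produces the document passed to update-virtual-gateway via --spec file://virtual-gateway-health-check-specs.json; audit_spec on the result should return an empty list.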

Publication date Feb 6, 2021
