# Envoy image
**Important**
End of support notice: On September 30, 2026, AWS will discontinue support for AWS App Mesh. After September 30, 2026, you will no longer be able to access the AWS App Mesh console or AWS App Mesh resources. For more information, visit this blog post [Migrating from AWS App Mesh to Amazon ECS Service Connect](https://aws.amazon.com/blogs/containers/migrating-from-aws-app-mesh-to-amazon-ecs-service-connect).
AWS App Mesh is a service mesh based on the [Envoy](https://www.envoyproxy.io/) proxy.
![\[ECS Task/Kubernetes Pod with Proxy and Microservice Container communicating via ports 8080 and 8081.\]](http://docs.aws.amazon.com/app-mesh/latest/userguide/images/proxy.png)
You must add an Envoy proxy to the Amazon ECS task, Kubernetes pod, or Amazon EC2 instance represented by your App Mesh endpoint, such as a virtual node or virtual gateway. App Mesh vends an Envoy proxy container image that is patched with the latest vulnerability and performance updates. App Mesh tests each new Envoy proxy release against the App Mesh feature set before making a new image available to you.
## Envoy image variants
App Mesh provides two variants of the Envoy proxy container image. The differences between the two is how the Envoy proxy communicates to the App Mesh data plane and how the Envoy proxies communicate with each other. One is a standard image, which communicates with the standard App Mesh service endpoints. The other variant is FIPS-compliant, which communicates with the App Mesh FIPS service endpoints and enforces FIPS cryptography in TLS communication between App Mesh services.
You can choose either a Regional image from the list below or an image from our [public repository](https://gallery.ecr.aws/appmesh/aws-appmesh-envoy) named `aws-appmesh-envoy`.
**Important**
Starting from June 30, 2023, only Envoy image `v1.17.2.0-prod` or later is compatible for use with App Mesh. For current customers using an Envoy image before `v1.17.2.0`, although existing envoys will continue to be compatible, we strongly recommend migrating to the latest version.
As a best practice, upgrading the Envoy version to the latest version on a regular basis is highly recommended. Only the latest Envoy version is validated with the most recent security patches, feature releases, and performance improvements.
Version `1.17` was a significant update to Envoy. See [Updating/migrating to Envoy 1.17](https://docs.aws.amazon.com/app-mesh/latest/userguide/1.17-migration.html) for more details.
Version `1.20.0.1` or later is `ARM64` compatible.
For `IPv6` support, Envoy version `1.20` or later is required.
**Note**
FIPS is only available in Regions found in the US and Canada.
All [supported](https://docs.aws.amazon.com/general/latest/gr/appmesh.html) Regions can replace *Region-code* with any Region other than `me-south-1`, `ap-east-1`, `ap-southeast-3`, `eu-south-1`, `il-central-1`, and `af-south-1`.
Standard
```
840364872350.dkr.ecr.region-code.amazonaws.com/aws-appmesh-envoy:v1.34.13.0-prod
```
FIPS-compliant
```
840364872350.dkr.ecr.region-code.amazonaws.com/aws-appmesh-envoy:v1.34.13.0-prod-fips
```
`me-south-1`
Standard
```
772975370895.dkr.ecr.me-south-1.amazonaws.com/aws-appmesh-envoy:v1.34.13.0-prod
```
`ap-east-1`
Standard
```
856666278305.dkr.ecr.ap-east-1.amazonaws.com/aws-appmesh-envoy:v1.34.13.0-prod
```
`ap-southeast-3`
Standard
```
909464085924.dkr.ecr.ap-southeast-3.amazonaws.com/aws-appmesh-envoy:v1.34.13.0-prod
```
`eu-south-1`
Standard
```
422531588944.dkr.ecr.eu-south-1.amazonaws.com/aws-appmesh-envoy:v1.34.13.0-prod
```
`il-central-1`
Standard
```
564877687649.dkr.ecr.il-central-1.amazonaws.com/aws-appmesh-envoy:v1.34.13.0-prod
```
`af-south-1`
Standard
```
924023996002.dkr.ecr.af-south-1.amazonaws.com/aws-appmesh-envoy:v1.34.13.0-prod
```
`Public repository`
Standard
```
public.ecr.aws/appmesh/aws-appmesh-envoy:v1.34.13.0-prod
```
FIPS-compliant
```
public.ecr.aws/appmesh/aws-appmesh-envoy:v1.34.13.0-prod-fips
```
**Note**
We recommend allocating 512 CPU units and at least 64 MiB of memory to the Envoy container. On Fargate the lowest amount of memory that you can set is 1024 MiB of memory. Resource allocation to the Envoy container can be increased if container insights or other metrics indicate insufficient resources due to higher load.
**Note**
All `aws-appmesh-envoy` image release versions starting from `v1.22.0.0` are built as a distroless Docker image. We made this change so that we could reduce the image size and reduce our vulnerability exposure in unused packages present in the image. If you are building on top of aws-appmesh-envoy image and are relying on some of the AL2 base packages (e.g. yum) and functionalities, then we suggest you copy the binaries from inside an `aws-appmesh-envoy` image to build a new Docker image with AL2 base.
Run this script to generate a custom docker image with the tag `aws-appmesh-envoy:v1.22.0.0-prod-al2:`
```
cat << EOF > Dockerfile
FROM public.ecr.aws/appmesh/aws-appmesh-envoy:v1.22.0.0-prod as envoy
FROM public.ecr.aws/amazonlinux/amazonlinux:2
RUN yum -y update && \
yum clean all && \
rm -rf /var/cache/yum
COPY --from=envoy /usr/bin/envoy /usr/bin/envoy
COPY --from=envoy /usr/bin/agent /usr/bin/agent
COPY --from=envoy /aws_appmesh_aggregate_stats.wasm /aws_appmesh_aggregate_stats.wasm
CMD [ "/usr/bin/agent" ]
EOF
docker build -f Dockerfile -t aws-appmesh-envoy:v1.22.0.0-prod-al2 .
```
Access to this container image in Amazon ECR is controlled by AWS Identity and Access Management (IAM). As a result, you must use IAM to verify that you have read access to Amazon ECR. For example, when using Amazon ECS, you can assign an appropriate task execution role to an Amazon ECS task. If you use IAM policies that limit access to specific Amazon ECR resources, make sure to verify that you allow access to the Region specific Amazon Resource Name (ARN) that identifies the `aws-appmesh-envoy` repository. For example, in the `us-west-2` Region, you allow access to the following resource: `arn:aws:ecr:us-west-2:840364872350:repository/aws-appmesh-envoy`. For more information, see [Amazon ECR Managed Policies](https://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr_managed_policies.html). If you're using Docker on an Amazon EC2 instance, then authenticate Docker to the repository. For more information, see [Registry authentication](https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth).
We occasionally release new App Mesh features that depend on Envoy changes that have not been merged to the upstream Envoy images yet. To use these new App Mesh features before the Envoy changes are merged upstream, you must use the App Mesh-vended Envoy container image. For a list of changes, see the [App Mesh GitHub roadmap issues](https://github.com/aws/aws-app-mesh-roadmap/labels/Envoy%20Upstream) with the `Envoy Upstream` label. We recommend that you use the App Mesh Envoy container image as the best supported option.
# Envoy configuration variables
**Important**
End of support notice: On September 30, 2026, AWS will discontinue support for AWS App Mesh. After September 30, 2026, you will no longer be able to access the AWS App Mesh console or AWS App Mesh resources. For more information, visit this blog post [Migrating from AWS App Mesh to Amazon ECS Service Connect](https://aws.amazon.com/blogs/containers/migrating-from-aws-app-mesh-to-amazon-ecs-service-connect).
Use the following environment variables to configure the Envoy containers for your App Mesh virtual node task groups.
**Note**
App Mesh Envoy 1.17 doesn't supports Envoy’s **v2 xDS** API. If you're using [Envoy configuration variables](https://docs.aws.amazon.com/app-mesh/latest/userguide/envoy-config.html) that accept Envoy config files, they must be updated to the latest** v3 xDS** API.
## Required variables
The following environment variable is required for all App Mesh Envoy containers. This variable can only be used with version `1.15.0` or later of the Envoy image. If you're using an earlier version of the image, then you must set the `APPMESH_VIRTUAL_NODE_NAME` variable instead.
`APPMESH_RESOURCE_ARN`
When you add the Envoy container to a task group, set this environment variable to the ARN of the virtual node or the virtual gateway that the task group represents. The following list contains example ARNs:
+ **Virtual node** – arn:aws:appmesh:*Region-code*:*111122223333*:mesh/*meshName*/virtualNode/*virtualNodeName*
+ **Virtual gateway** – arn:aws:appmesh:*Region-code*:*111122223333*:mesh/*meshName*/virtualGateway/*virtualGatewayName*
## Optional variables
The following environment variable is optional for App Mesh Envoy containers.
`ENVOY_LOG_LEVEL`
Specifies the log level for the Envoy container.
Valid values: `trace`, `debug`, `info`, `warn`, `error`, `critical`, `off`
Default: `info`
`ENVOY_INITIAL_FETCH_TIMEOUT`
Specifies the amount of time Envoy waits for the first configuration response from the management server during the initialization process.
For more information, see [Configuration sources](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/config_source.proto#envoy-v3-api-field-config-core-v3-configsource-initial-fetch-timeout) in Envoy Documentation. When set to `0`, there is no timeout.
Default: `0`
`ENVOY_CONCURRENCY`
Sets the `--concurrency` command line option while starting the Envoy. This is not set by default. This option is available from Envoy version `v1.24.0.0-prod` or above.
For more information, see [Command line options](https://www.envoyproxy.io/docs/envoy/latest/operations/cli#cmdoption-concurrency) in Envoy Documentation.
### Admin variables
Use these environment variables to configure Envoy's administrative interface.
`ENVOY_ADMIN_ACCESS_PORT`
Specify a custom admin port for Envoy to listen on. Default: `9901`.
The Envoy admin port should be different from any listener port on the virtual gateway or virtual node
`ENVOY_ADMIN_ACCESS_LOG_FILE`
Specify a custom path to write Envoy access logs to. Default: `/tmp/envoy_admin_access.log`.
`ENVOY_ADMIN_ACCESS_ENABLE_IPV6`
Toggles Envoy’s administration interface to accept `IPv6` traffic, which allows this interface to accept both `IPv4` and `IPv6` traffic. By default this flag is set to false, and Envoy only listens to `IPv4` traffic. This variable can only be used with Envoy image version 1.22.0 or later.
### Agent variables
Use these environment variables to configure the AWS App Mesh Agent for Envoy. For more information, see App Mesh [Agent for Envoy](https://docs.aws.amazon.com//app-mesh/latest/userguide/appnet-agent.html).
`APPNET_ENVOY_RESTART_COUNT`
Specifies the number of times that the Agent restarts the Envoy proxy process within a running task or pod if it exits. The Agent also logs the exit status every time Envoy exits to ease troubleshooting. The default value of this variable is `0`. When the default value is set, the Agent doesn't attempt to restart the process.
Default: `0`
Maximum: `10`
`PID_POLL_INTERVAL_MS`
Specifies the interval in milliseconds at which the Envoy proxy’s process state is checked by the Agent. The default value is `100`.
Default: `100`
Minimum: `100`
Maximum: `1000`
`LISTENER_DRAIN_WAIT_TIME_S`
Specifies the amount of time in seconds the Envoy proxy waits for active connections to close before the process exits.
Default: `20`
Minimum: `5`
Maximum: `110`
`APPNET_AGENT_ADMIN_MODE`
Starts Agent's management interface server and binds it to either a tcp address or a unix socket.
Valid values: `tcp`, `uds`
`APPNET_AGENT_HTTP_PORT`
Specify a port to be used for binding Agent's management interface in `tcp` mode. Ensure port value is > `1024` if `uid` \$1= `0`. Ensure port is less than `65535`.
Default: `9902`
`APPNET_AGENT_ADMIN_UDS_PATH`
Specify unix domain socket path for Agent's management interface in `uds` mode.
Default: `/var/run/ecs/appnet_admin.sock`
### Tracing variables
You can configure none or one of the following tracing drivers.
#### AWS X-Ray variables
Use the following environment variables to configure App Mesh with AWS X-Ray. For more information, see the [AWS X-Ray Developer Guide](https://docs.aws.amazon.com/xray/latest/devguide/).
`ENABLE_ENVOY_XRAY_TRACING`
Enables X-Ray tracing using `127.0.0.1:2000` as the default daemon endpoint. To enable, set the value to `1`. The default value is `0`.
`XRAY_DAEMON_PORT`
Specify a port value to override the default X-Ray daemon port: `2000`.
`XRAY_SAMPLING_RATE`
Specify a sampling rate to override the X-Ray tracer's default sampling rate of `0.05` (5%). Specify the value as a decimal between `0` and `1.00` (100%). This value is overridden if `XRAY_SAMPLING_RULE_MANIFEST` is specified. This variable is supported with Envoy images of version `v1.19.1.1-prod` and later.
`XRAY_SAMPLING_RULE_MANIFEST`
Specify a file path in the Envoy container file system to configure the localized custom sampling rules for the X-Ray tracer. For more information, see [Sampling rules](https://docs.aws.amazon.com/xray/latest/devguide/xray-sdk-go-configuration.html#xray-sdk-go-configuration-sampling) in the *AWS X-Ray Developer Guide*. This variable is supported with Envoy images of version `v1.19.1.0-prod` and later.
`XRAY_SEGMENT_NAME`
Specify a segment name for traces to override the default X-Ray segment name. By default this value will be set as `mesh/resourceName`. This variable is supported with Envoy image version `v1.23.1.0-prod` or later.
#### Datadog tracing variables
The following environment variables help you configure App Mesh with the Datadog agent tracer. For more information, see [Agent Configuration](https://docs.datadoghq.com/tracing/send_traces/) in the Datadog documentation.
`ENABLE_ENVOY_DATADOG_TRACING`
Enables Datadog trace collection using `127.0.0.1:8126` as the default Datadog agent endpoint. To enable, set the value to `1` (default value is `0`).
`DATADOG_TRACER_PORT`
Specify a port value to override the default Datadog agent port: `8126`.
`DATADOG_TRACER_ADDRESS`
Specify an IP address to override the default Datadog agent address: `127.0.0.1`.
`DD_SERVICE`
Specify a service name for traces to override the default Datadog service name: `envoy-meshName`/`virtualNodeName`. This variable is supported with Envoy images of version `v1.18.3.0-prod` and later.
#### Jaeger tracing variables
Use the following environment variables to configure App Mesh with Jaeger tracing. For more information, see [Getting Started](https://www.jaegertracing.io/docs/1.21/getting-started/) in the Jaeger documentation. These variables are supported with Envoy images of version `1.16.1.0-prod` and later.
`ENABLE_ENVOY_JAEGER_TRACING`
Enables Jaeger trace collection using `127.0.0.1:9411` as the default Jaeger endpoint. To enable, set the value to `1` (default value is `0`).
`JAEGER_TRACER_PORT`
Specify a port value to override the default Jaeger port: `9411`.
`JAEGER_TRACER_ADDRESS`
Specify an IP address to override the default Jaeger address: `127.0.0.1`.
`JAEGER_TRACER_VERSION`
Specify whether the collector needs traces in `JSON` or `PROTO` encoded format. By default this value will be set to `PROTO`. This variable is supported with Envoy image version `v1.23.1.0-prod` or later.
#### Envoy tracing variable
Set the following environment variable to use your own tracing configuration.
`ENVOY_TRACING_CFG_FILE`
Specify a file path in the Envoy container file system. For more information, see [https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/trace/v3/http_tracer.proto#envoy-v3-api-msg-config-trace-v3-tracing](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/trace/v3/http_tracer.proto#envoy-v3-api-msg-config-trace-v3-tracing) in the Envoy documentation.
If the tracing configuration requires specifying a tracing cluster, make sure to configure the associated cluster configuration under `static_resources` in the same tracing config file. For example, Zipkin has a [https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/trace/v3/zipkin.proto#config-trace-v3-zipkinconfig](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/trace/v3/zipkin.proto#config-trace-v3-zipkinconfig) field for the cluster name that hosts the trace collectors, and that cluster needs to be statically defined.
### DogStatsD variables
Use the following environment variables to configure App Mesh with DogStatsD. For more information, see the [DogStatsD](https://docs.datadoghq.com/developers/dogstatsd/) documentation.
`ENABLE_ENVOY_DOG_STATSD`
Enables DogStatsD stats using `127.0.0.1:8125` as the default daemon endpoint. To enable, set the value to `1`.
`STATSD_PORT`
Specify a port value to override the default DogStatsD daemon port.
`STATSD_ADDRESS`
Specify an IP address value to override the default DogStatsD daemon IP address. Default: `127.0.0.1`. This variable can only be used with version `1.15.0` or later of the Envoy image.
`STATSD_SOCKET_PATH`
Specify a unix domain socket for the DogStatsD daemon. If this variable isn't specified and DogStatsD is enabled, then this value defaults to the DogStatsD daemon IP address port of `127.0.0.1:8125`. If the `ENVOY_STATS_SINKS_CFG_FILE` variable is specified containing a stats sinks configuration, it overrides all of the DogStatsD variables. This variable is supported with Envoy image version `v1.19.1.0-prod` or later.
### App Mesh variables
The following variables help you configure App Mesh.
`APPMESH_RESOURCE_CLUSTER`
By default, App Mesh uses the name of the resource that you specified in `APPMESH_RESOURCE_ARN` when Envoy is referring to itself in metrics and traces. You can override this behavior by setting the `APPMESH_RESOURCE_CLUSTER` environment variable with your own name. This variable can only be used with version `1.15.0` or later of the Envoy image.
`APPMESH_METRIC_EXTENSION_VERSION`
Set the value to `1` to enable the App Mesh metrics extension. For more information about using the App Mesh metrics extension, see [Metrics extension for App Mesh](metrics.md).
`APPMESH_DUALSTACK_ENDPOINT`
Set the value to `1` to connect to App Mesh Dual Stack endpoint. When this flag is set, Envoy uses our dual stack capable domain. By default this flag is set to false and only connects to our `IPv4` domain. This variable can only be used with Envoy image version 1.22.0 or later.
### Envoy stats variables
Use the following environment variables to configure App Mesh with Envoy Stats. For more information, see the [Envoy Stats](https://www.envoyproxy.io/docs/envoy/v1.6.0/api-v2/config/metrics/v2/stats.proto) documentation.
`ENABLE_ENVOY_STATS_TAGS`
Enables the use of App Mesh defined tags `appmesh.mesh` and `appmesh.virtual_node`. For more information, see [config.metrics.v3.TagSpecifier](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/metrics/v3/stats.proto#config-metrics-v3-tagspecifier) in the Envoy documentation. To enable, set the value to `1`.
`ENVOY_STATS_CONFIG_FILE`
Specify a file path in the Envoy container file system to override the default Stats tags configuration file with your own. For more information, see [config.metrics.v3.StatsConfig](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/metrics/v3/stats.proto#config-metrics-v3-statsconfig).
Setting a customized stats configuration that includes stats filters might lead Envoy to enter a state where it will no longer properly synchronize with the App Mesh state of the world. This is a [bug](https://github.com/envoyproxy/envoy/issues/9856) in Envoy. Our recommendation is to not perform any filtering of statistics in Envoy. If filtering is absolutely necessary, we have a listed a couple of workarounds in this [issue](https://github.com/aws/aws-app-mesh-roadmap/issues/283) on our roadmap.
`ENVOY_STATS_SINKS_CFG_FILE`
Specify a file path in the Envoy container file system to override the default configuration with your own. For more information, see [config.metrics.v3.StatsSink](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/metrics/v3/stats.proto#config-metrics-v3-statssink) in the Envoy documentation.
### Deprecated variables
The environment variables `APPMESH_VIRTUAL_NODE_NAME` and `APPMESH_RESOURCE_NAME` are no longer supported in Envoy version `1.15.0` or later. However, they're still supported for existing meshes. Instead of using these variables with Envoy version `1.15.0` or later, use `APPMESH_RESOURCE_ARN` for all App Mesh endpoints.
# Envoy defaults set by App Mesh
**Important**
End of support notice: On September 30, 2026, AWS will discontinue support for AWS App Mesh. After September 30, 2026, you will no longer be able to access the AWS App Mesh console or AWS App Mesh resources. For more information, visit this blog post [Migrating from AWS App Mesh to Amazon ECS Service Connect](https://aws.amazon.com/blogs/containers/migrating-from-aws-app-mesh-to-amazon-ecs-service-connect).
The following sections provide information about the Envoy defaults for the route retry policy and circuit breaker that are set by App Mesh.
## Default route retry policy
If you had no meshes in your account before July 29, 2020, App Mesh automatically creates a default Envoy route retry policy for all HTTP, HTTP/2, and gRPC requests in any mesh in your account on or after July 29, 2020. If you had any meshes in your account before July 29, 2020, then no default policy was created for any Envoy routes that existed before, on, or after July 29, 2020. This is unless you [open a ticket with AWS support](https://console.aws.amazon.com/support/home#/case/create). After support processes the ticket, the default policy is created for any future Envoy routes that App Mesh creates on or after the date that the ticket was processed. For more information about Envoy route retry policies, see [config.route.v3.RetryPolicy](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-msg-config-route-v3-retrypolicy) in the Envoy documentation.
App Mesh creates an Envoy route when you either create an App Mesh [route](routes.md) or define a virtual node provider for an App Mesh [virtual service](virtual_services.md). Though you can create an App Mesh route retry policy, you can't create an App Mesh retry policy for a virtual node provider.
The default policy isn't visible through the App Mesh API. The default policy is only visible through Envoy. To view the configuration, [enable the administration interface](troubleshooting-best-practices.md#ts-bp-enable-proxy-admin-interface) and send a request to Envoy for a `config_dump`. The default policy includes the following settings:
+ **Max retries** – `2`
+ **gRPC retry events** – `UNAVAILABLE`
+ **HTTP retry events** – `503`
**Note**
It's not possible to create an App Mesh route retry policy that looks for a specific HTTP error code. However, an App Mesh route retry policy can look for `server-error` or `gateway-error`. Both of these include `503` errors. For more information, see [Routes](routes.md).
+ **TCP retry event** – `connect-failure` and `refused-stream`
**Note**
It's not possible to create an App Mesh route retry policy that looks for either of these events. However, an App Mesh route retry policy can look for `connection-error`, which is equivalent to `connect-failure`. For more information, see [Routes](routes.md).
+ **Reset** – Envoy attempts a retry if the upstream server doesn't respond at all (disconnect/reset/read timeout).
## Default circuit breaker
When you deploy an Envoy in App Mesh, Envoy default values are set for some of the circuit breaker settings. For more information, see [cluster.CircuitBreakers.Thresholds](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/circuit_breaker.proto.html#envoy-v3-api-msg-config-cluster-v3-circuitbreakers-thresholds) in the Envoy documentation. These settings aren't visible through the App Mesh API. The settings are only visible through Envoy. To view the configuration, [enable the administration interface](troubleshooting-best-practices.md#ts-bp-enable-proxy-admin-interface) and send a request to Envoy for a `config_dump`.
If you had no meshes in your account before July 29, 2020, then for each Envoy that you deploy in a mesh created on or after July 29, 2020, App Mesh effectively disables circuit breakers by changing the Envoy default values for the settings that follow. If you had any meshes in your account before July 29, 2020, the Envoy default values are set for any Envoy that you deploy in App Mesh on, or after July 29, 2020, unless you [open a ticket with AWS support](https://console.aws.amazon.com/support/home#/case/create). Once support processes the ticket, then the App Mesh default values for the following Envoy settings are set by App Mesh on all Envoys that you deploy after the date that the ticket is processed:
+ `max_requests` – `2147483647`
+ `max_pending_requests` – `2147483647`
+ `max_connections` – `2147483647`
+ `max_retries` – `2147483647`
**Note**
No matter if your Envoys have the Envoy or App Mesh default circuit breaker values, you cannot modify the values.
# Updating/migrating to Envoy 1.17
**Important**
End of support notice: On September 30, 2026, AWS will discontinue support for AWS App Mesh. After September 30, 2026, you will no longer be able to access the AWS App Mesh console or AWS App Mesh resources. For more information, visit this blog post [Migrating from AWS App Mesh to Amazon ECS Service Connect](https://aws.amazon.com/blogs/containers/migrating-from-aws-app-mesh-to-amazon-ecs-service-connect).
## Secret Discovery Service with SPIRE
If you're using SPIRE (SPIFFE Runtime Environment) with App Mesh to distribute trust certificates to your services, verify that you're using at least version `0.12.0` of the [SPIRE agent](https://github.com/spiffe/spire/releases/tag/v0.12.0) (released December 2020). This is the first version that can support Envoy versions after `1.16`.
## Regular expression changes
Starting from Envoy `1.17`, App Mesh configures Envoy to use the [RE2](https://github.com/google/re2) regular expression engine by default. This change is apparent to most users, but matches in Routes or Gateway Routes no longer allows look-ahead or back-references in regular expressions.
### Positive and Negative look-ahead
**Positive -** A positive look-ahead is a parenthesized expression that starts with `?=`:
```
(?=example)
```
These have the most utility when doing string replacement because they allow matching a string without consuming the characters as part of the match. Because App Mesh doesn't support regex string replacement, we recommend that you replace these with regular matches.
```
(example)
```
**Negative -** A negative look-ahead is a parenthesized expression that starts with `?!`.
```
ex(?!amp)le
```
The parenthesized expressions are used to assert that part of the expression doesn't match a given input. In most cases, you can replace these with a zero quantifier.
```
ex(amp){0}le
```
If the expression itself is a character class, you can negate the whole class and mark it optional using `?`.
```
prefix(?![0-9])suffix => prefix[^0-9]?suffix
```
Depending on your use-case, you might also be able to change your routes to handle this.
```
{
"routeSpec": {
"priority": 0,
"httpRoute": {
"match": {
"headers": [
{
"name": "x-my-example-header",
"match": {
"regex": "^prefix(?!suffix)"
}
}
]
}
}
}
}
{
"routeSpec": {
"priority": 1,
"httpRoute": {
"match": {
"headers": [
{
"name": "x-my-example-header",
"match": {
"regex": "^prefix"
}
}
]
}
}
}
}
```
The first route match looks for a header that starts with “prefix” but not followed by “suffix.” The second route acts to match all other headers that begin with “prefix,” including those that end in “suffix.” Instead, these can also be reversed as a way to remove the negative look-ahead.
```
{
"routeSpec": {
"priority": 0,
"httpRoute": {
"match": {
"headers": [
{
"name": "x-my-example-header",
"match": {
"regex": "^prefix.*?suffix"
}
}
]
}
}
}
}
{
"routeSpec": {
"priority": 1,
"httpRoute": {
"match": {
"headers": [
{
"name": "x-my-example-header",
"match": {
"regex": "^prefix"
}
}
]
}
}
}
}
```
This example reverses the routes to provide higher priority to headers that end in “suffix,” and all other headers that start with “prefix” are matched in the lower-priority route.
## Back references
A back-reference is a way to write shorter expressions by repeating to a previous parenthesized group. They have this form.
```
(group1)(group2)\1
```
A backslash `\` followed by a number acts as a placeholder for the n-th parenthesized group in the expression. In this example, `\1` is used as an alternative way to write `(group1)` a second time.
```
(group1)(group2)(group1)
```
These can be removed by simply replacing the back-reference with the group being referenced as in the example.
# Agent for Envoy
**Important**
End of support notice: On September 30, 2026, AWS will discontinue support for AWS App Mesh. After September 30, 2026, you will no longer be able to access the AWS App Mesh console or AWS App Mesh resources. For more information, visit this blog post [Migrating from AWS App Mesh to Amazon ECS Service Connect](https://aws.amazon.com/blogs/containers/migrating-from-aws-app-mesh-to-amazon-ecs-service-connect).
The Agent is a process manager within the Envoy image that's vended for App Mesh. The Agent ensures Envoy remains running, stays healthy, and reduces downtime. It filters Envoy statistics and ancillary data to provide a distilled view of the Envoy proxy’s operation in App Mesh. This can help you troubleshooting related errors quicker.
You can use the Agent to configure the number of times that you want to restart the Envoy proxy in the event that the proxy becomes unhealthy. If a failure occurs, the Agent logs the conclusive exit status when Envoy exits. You can use this when troubleshooting the failure. The Agent also facilitates Envoy connection draining, which helps make your applications more resilient to failures.
Configure the Agent for Envoy using these variables:
+ `APPNET_ENVOY_RESTART_COUNT` – When this variable is set to a non-zero value, the Agent attempts to restart the Envoy proxy process up to the number that you set when it deems the proxy process status unhealthy on polling. This helps reduce downtime by providing faster restart compared to a task or pod replacement by the container orchestrator in the case of proxy health check failures.
+ `PID_POLL_INTERVAL_MS` – When configuring this variable, the default is kept to `100`. When set to this value, you allow for faster detection and restart of the Envoy process when it exits compared to task or pod replacement through container orchestrator health checks.
+ `LISTENER_DRAIN_WAIT_TIME_S` – When configuring this variable, consider the container orchestrator timeout that's set for stopping the task or pod. For example, if this value is greater than the orchestrator timeout, the Envoy proxy can only drain for the duration until the orchestrator forcefully stops the task or pod.
+ `APPNET_AGENT_ADMIN_MODE` – When this variable is set to `tcp` or `uds`, the Agent provides a local management interface. This management interface serves as a safe endpoint to interact with the Envoy proxy and provides the following APIs for health checks, telemetry data and summarizes the operating condition of the proxy.
+ `GET /status` – Queries Envoy stats and returns server information.
+ `POST /drain_listeners` – Drains all inbound listeners.
+ `POST /enableLogging?level=` – Change Envoy logging level across all loggers.
+ `GET /stats/prometheus` – Show Envoy statistics in Prometheus format.
+ `GET /stats/prometheus?usedonly` – Only show statistics that Envoy has updated.
For more information about Agent configuration variables, see [Envoy configuration variables](https://docs.aws.amazon.com/app-mesh/latest/userguide/envoy-config.html).
The new AWS App Mesh Agent is included in App Mesh-optimized Envoy images starting from version `1.21.0.0` and requires no additional resource allocation in customer tasks or pods.