You can integrate with Amazon Web Services (AWS) to add domain name system (DNS) and global server load balancing (GSLB) functions in AWS to Tanzu Service Mesh.

This procedure describes how to create an integration account with AWS to add DNS and GSLB capabilities to Tanzu Service Mesh. After you create an AWS integration account, to make your organization's domains managed by AWS available in Tanzu Service Mesh, you must reference the account in an appropriate DNS account.

Prerequisites

  • Know the access key ID and the associated secret access key of your AWS account.

  • Make sure that your AWS account has the following permissions:

    • List access for hosted zones associated with the AWS account

    • Write and list access for records within a hosted zone

    • Read, write, and list access for health checks

    • Tagging and list access for tags for health checks and hosted zones

    Note:

      The following AWS Identity and Access Management (IAM) policy example grants the minimum permissions required for your AWS account. The resource "arn:aws:route53:::hostedzone/*" can be further restricted to specific hosted zones by hosted zone ID, as required: "arn:aws:route53:::hostedzone/${Id}".

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "route53:GetHealthCheckStatus",
                      "route53:ChangeResourceRecordSets",
                      "route53:ChangeTagsForResource",
                      "route53:ListResourceRecordSets",
                      "route53:DeleteHealthCheck",
                      "route53:ListTagsForResource"
                  ],
                  "Resource": [
                      "arn:aws:route53:::hostedzone/*",
                      "arn:aws:route53:::healthcheck/*"
                  ]
              },
              {
                  "Effect": "Allow",
                  "Action": [
                      "route53:ListHealthChecks",
                      "route53:CreateHealthCheck",
                      "route53:ListHostedZones",
                      "route53:ListHostedZonesByName"
                  ],
                  "Resource": "*"
              }
          ]
      }

  • Access the Tanzu Service Mesh Console. For information about accessing the Tanzu Service Mesh Console, see Access the Tanzu Service Mesh Console.
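An added example, not part of the VMware documentation: it loads the IAM policy above, audits a candidate policy against it for missing or excess Route 53 actions (a least-privilege check before you hand the keys to the integration), and applies the hosted-zone restriction the note describes. The zone ID in the usage is a constructed placeholder.

```python
import copy
from fnmatch import fnmatch
# The IAM policy from the prerequisites above, as a Python dict.
TSM_ROUTE53_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["route53:GetHealthCheckStatus", "route53:ChangeResourceRecordSets",
                    "route53:ChangeTagsForResource", "route53:ListResourceRecordSets",
                    "route53:DeleteHealthCheck", "route53:ListTagsForResource"],
         "Resource": ["arn:aws:route53:::hostedzone/*", "arn:aws:route53:::healthcheck/*"]},
        {"Effect": "Allow",
         "Action": ["route53:ListHealthChecks", "route53:CreateHealthCheck",
                    "route53:ListHostedZones", "route53:ListHostedZonesByName"],
         "Resource": "*"},
    ],
}
ZONE_WILDCARD = "arn:aws:route53:::hostedzone/*"

def _as_list(value):  # IAM allows a string or a list for Action and Resource
    return [value] if isinstance(value, str) else list(value)

def granted_actions(policy):
    """Action patterns granted by the policy's Allow statements."""
    allowed = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            allowed.update(_as_list(stmt["Action"]))
    return allowed

REQUIRED_ACTIONS = granted_actions(TSM_ROUTE53_POLICY)  # what the integration needs, per the page

def audit_policy(policy, required=REQUIRED_ACTIONS):
    """Least-privilege check: (required actions no granted pattern covers, granted patterns not required)."""
    granted = granted_actions(policy)
    missing = {a for a in required if not any(fnmatch(a, g) for g in granted)}
    excess = {g for g in granted if g not in required}  # wildcards such as 'route53:*' land here
    return missing, excess

def restrict_hosted_zones(policy, zone_ids):
    """Copy of the policy with the zone wildcard replaced by per-zone ARNs (the tightening the note describes)."""
    restricted = copy.deepcopy(policy)
    for stmt in restricted["Statement"]:
        resources = _as_list(stmt["Resource"])
        if ZONE_WILDCARD in resources:
            resources.remove(ZONE_WILDCARD)
            resources += [f"arn:aws:route53:::hostedzone/{z}" for z in zone_ids]
            stmt["Resource"] = resources  # the healthcheck wildcard is left in place
    return restricted

print(audit_policy(TSM_ROUTE53_POLICY))  # (set(), set()): the page's policy is exactly the required set
```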

Procedure

  1. In the navigation pane on the left, click Admin > Integrations.
  2. On the Integrations page, under All Integrations, find the AWS card with a DNS label toward the bottom of the card.
    Note:

    To filter the external services on the page to only those services that provide DNS functionality, click the DNS label to the right of All Integrations.

    If one or more AWS integration accounts exist in Tanzu Service Mesh, the number of accounts is displayed in the lower-left corner of the card.

    The following image shows the AWS integration card. The card indicates that three AWS integration accounts exist in Tanzu Service Mesh.

  3. Select one of the following options.
    • If you are creating the first AWS integration account, at the bottom of the card, click Configure.

    • If one or more AWS integration accounts exist and you are creating another account, at the bottom of the card, click Add Account.

  4. In the New AWS Integration dialog box, provide the following information.
    • Name. The name for the account to help distinguish it from other accounts.

    • (Optional) Description. An optional description or details about the account.

    • Access Key ID. Your AWS access key ID.

    • Secret Access Key. The secret access key associated with your access key ID.

    Note:
    • For information about how to obtain an AWS access key ID and a secret access key, see the AWS documentation.

    • The credentials, such as an access key ID and a secret access key, that you provide in the New AWS Integration dialog box are encrypted and securely stored in Tanzu Service Mesh.

  5. Click Save.

Results

The new account is added to the AWS integration card on the Integrations page.

Warning:

If you use Route 53 as a DNS service, do not edit the health check configuration created by Tanzu Service Mesh in AWS and do not edit or delete the records and tags in the hosted zones that Tanzu Service Mesh created for your domains. Editing or deleting these Tanzu Service Mesh-created data can break DNS resolution and global load balancing for your application.

What to do next

To edit or delete the account, click Edit or Delete in the AWS card. If you have more than one AWS account, in the lower-left corner of the card, click the N Accounts link (where N is the number of accounts), click the name of the account, and then click Edit or Delete.

To make your organization's domains managed by AWS available in Tanzu Service Mesh, create a DNS account, selecting the name of the AWS integration account as the domain provider in the DNS account. For Route 53 health checks to function properly, the Ingress Gateway IP address should be public, because Route 53 health checkers reach your endpoint over the public internet.