A VirtualGateway allows resources that are outside of your mesh to communicate with resources that are inside of your mesh. The VirtualGateway represents an Envoy proxy running in an Amazon EC2 instance, Amazon ECS Service, or Amazon Kubernetes Service. Unlike a VirtualNode, which represents Envoy running with an application, a VirtualGateway represents Envoy deployed by itself.
External resources must be able to resolve a DNS name to an IP address assigned to the service or instance that runs Envoy. Envoy can then access all of the App Mesh configuration for resources that are inside of the mesh.
The configuration for handling incoming requests at the VirtualGateway is specified using Gateway Routes. VirtualGateways are affiliated with a load balancer and allow you to configure ingress traffic rules using Routes, similar to VirtualRouter configuration.
Image source: aws.amazon.com/blogs/containers/introducing-ingress-support-in-aws-app-mesh
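The pieces described above can be written as manifests for the App Mesh controller for Kubernetes. This is an added example, not taken from the original page; the resource names, namespace, labels, ports and the `orders` VirtualService are assumptions, and the Envoy Deployment behind the Service is omitted.

```yaml
# Load balancer in front of the standalone Envoy pods; external clients
# resolve its DNS name to reach the gateway.
apiVersion: v1
kind: Service
metadata:
  name: ingress-gw            # assumed name
  namespace: shop             # assumed namespace
spec:
  type: LoadBalancer
  selector:
    app: ingress-gw           # must match the Envoy pods' label
  ports:
    - port: 80
      targetPort: 8088        # Envoy listener port declared below
---
# The gateway itself: Envoy deployed without an application container.
apiVersion: appmesh.k8s.aws/v1beta2
kind: VirtualGateway
metadata:
  name: ingress-gw
  namespace: shop
spec:
  namespaceSelector:          # only GatewayRoutes in namespaces with this label attach
    matchLabels:
      gateway: ingress-gw
  podSelector:                # pods that run the gateway's Envoy
    matchLabels:
      app: ingress-gw
  listeners:
    - portMapping:
        port: 8088
        protocol: http
---
# Ingress rule: requests under /orders go to a VirtualService inside the mesh.
apiVersion: appmesh.k8s.aws/v1beta2
kind: GatewayRoute
metadata:
  name: orders-route
  namespace: shop
spec:
  httpRoute:
    match:
      prefix: "/orders"
    action:
      target:
        virtualService:
          virtualServiceRef:
            name: orders      # assumed VirtualService in the same namespace
```

Only paths matched by a GatewayRoute are forwarded into the mesh, so the set of GatewayRoutes is the list of services the gateway exposes to external callers.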