
How ASM Ambient Mode Innovates Kubernetes Egress Traffic Management

ASM Ambient mode simplifies Kubernetes egress traffic management through Waypoint proxies, significantly reducing configuration complexity.

By Yuanyuan Ma

In Kubernetes clusters, efficiently managing the egress traffic of applications is an unavoidable topic. Basic security controls can be implemented through cloud platform security groups or Kubernetes native network policies, but these methods mostly operate at the network Layer 3 or 4, meaning they enforce access control based on IP addresses and ports. However, these traditional methods fall short when more granular management is required. For example, they are inadequate when we need to restrict an application to access only specific paths of an external API, or when we need to monitor the performance of access to external services, such as QPS and latency.

To achieve fine-grained Layer 7 (L7) traffic control, a growing number of enterprises are turning to service meshes for egress traffic management. However, while the traditional Sidecar mode is powerful, its configuration for egress traffic management is relatively complex. In the Sidecar mode, to enable services within the cluster to securely access an external domain through an egress gateway, it is typically necessary to manually configure multiple resources, such as ServiceEntry, Gateway, VirtualService, and DestinationRule, and to ensure that they reference each other correctly. This process requires a certain level of Istio knowledge from users and is prone to errors caused by configuration oversights. To streamline this process, ASM introduced ASMEgressTrafficPolicy, a policy resource that packages these configurations; however, it still carries a learning cost for users.

Ambient Mode: A New Approach to Egress Traffic Management

Now, the Ambient mode introduced by ASM provides a more straightforward solution. By moving L7 processing into the Waypoint proxy, Ambient mode removes most of this per-resource wiring and significantly simplifies the egress traffic management process.

In Ambient mode, the core steps of managing egress traffic are greatly simplified:

• Define ServiceEntry: Similar to the Sidecar mode, you first need to create a ServiceEntry resource and register the external service (such as api.externalservice.com) to be accessed in the service mesh. The purpose of this step is to enable the mesh to recognize this external target.

• Enable the Waypoint proxy: Next, add the istio.io/use-waypoint label to the ServiceEntry that represents the external service so that its traffic is handled by the Waypoint proxy.

With these two simple steps, the control chain for L7 egress traffic is established. Instead of manually configuring a specialized egress gateway or complex routing rules, Waypoint proxies automatically take on the tasks that used to require a combination of multiple resources.

Configuration Comparison: A Clear View of "Simplicity in Essence"

Here, we take managing a common HTTP egress service as an example to compare the configuration complexity between the Sidecar and Ambient modes.

apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: external-svc-http
spec:
  hosts:
  - aliyun.com
  location: MESH_EXTERNAL
  ports:
  - number: 80
    name: http
    protocol: HTTP
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: egress-gateway
  namespace: default
spec:
  selector:
    istio: egressgateway
  servers:
  - hosts:
    - '*'
    port:
      name: http
      number: 80
      protocol: HTTP
    tls:
      mode: ISTIO_MUTUAL
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: egressgateway-vs
spec:
  hosts:
  - aliyun.com
  # Must match the name of the Gateway resource defined above.
  gateways:
  - egress-gateway
  - mesh
  http:
  # Traffic from sidecars in the mesh is first routed to the egress gateway.
  - match:
    - gateways:
      - mesh
      port: 80
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        port:
          number: 80
      weight: 100
  # Traffic arriving at the egress gateway is forwarded to the external host.
  - match:
    - gateways:
      - egress-gateway
      port: 80
    route:
    - destination:
        host: aliyun.com
        port:
          number: 80
      weight: 100

The Gateway and VirtualService configurations here are relatively advanced, posing considerable challenges for beginners in terms of understanding and troubleshooting.

In Ambient mode, the configuration of external traffic becomes extremely straightforward:

# Deploy a Waypoint
# Shared Waypoint is supported. If the Waypoint already exists, you can skip this step.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: waypoint
spec:
  gatewayClassName: istio-waypoint
  listeners:
  - name: mesh
    port: 15008
    protocol: HBONE
---
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: external-svc-http
  labels:
    istio.io/use-waypoint: waypoint
spec:
  hosts:
  - aliyun.com
  location: MESH_EXTERNAL
  ports:
  - number: 80
    name: http
    protocol: HTTP
  resolution: DNS

Yes, that is all the configuration needed. With a single label, the egress routing logic is delegated to the Waypoint, and the configuration is reduced to its essentials.

Practical Benefits of Ambient Mode

This streamlined workflow brings tangible benefits to egress traffic management:

Significant simplification of configuration: Tasks that previously required several correctly associated resources are reduced to a single label on the ServiceEntry. This significantly lowers the barrier to using the service mesh and reduces operational overhead.

No compromise on functionality: Despite the simplified configuration, the full set of L7 controls remains available. You can use policies such as AuthorizationPolicy, DestinationRule, and VirtualService to control precisely which internal services can access which paths of an external API, or to apply retries and timeouts to egress traffic. TLS origination (upgrading plaintext HTTP to TLS at the proxy), as supported previously, is still available.
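As an added example (not from the original post), the following AuthorizationPolicy and VirtualService apply the L7 controls described above to the external-svc-http ServiceEntry from the Ambient configuration; the order-service service account and the /api/v1/ path prefix are assumed for illustration.

```yaml
# Added example: restrict which workload may call aliyun.com and on which
# paths, and add retries/timeouts. Assumes the ServiceEntry external-svc-http
# labelled istio.io/use-waypoint from the Ambient configuration above; the
# service account and path prefix are made-up placeholders.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: external-svc-http-allow
  namespace: default
spec:
  # Bind the policy to the ServiceEntry so the Waypoint enforces it
  # for every request destined to aliyun.com.
  targetRefs:
  - group: networking.istio.io
    kind: ServiceEntry
    name: external-svc-http
  action: ALLOW
  # Once an ALLOW policy exists for this target, any request that matches
  # no rule (other callers, methods or paths) is denied by the Waypoint.
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/order-service   # assumed caller identity
    to:
    - operation:
        methods: ["GET"]
        paths: ["/api/v1/*"]                           # assumed allowed prefix
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: external-svc-http-vs
  namespace: default
spec:
  hosts:
  - aliyun.com
  http:
  # Overall request deadline, with bounded retries on transient failures.
  - timeout: 3s
    retries:
      attempts: 2
      perTryTimeout: 1s
      retryOn: 5xx,connect-failure,reset
    route:
    - destination:
        host: aliyun.com
        port:
          number: 80
```

The Waypoint identifies the caller by its mTLS identity carried over HBONE, so the principals match is based on the workload certificate rather than on a source IP address.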

Comprehensive observability: All egress traffic routed through the Waypoint proxy is automatically recorded. You can easily obtain key metrics, such as QPS, P99 latency, and request success rate for access to external services without modifying any application code.

In summary, the ASM Ambient mode offers a smoother path for managing complex L7 egress traffic. It offloads cumbersome configuration details through Waypoint proxy, allowing developers and operations teams to focus more on implementing the security and observability policies required by the business rather than building the underlying infrastructure.

ASM officially supports Ambient mode as of version 1.25. Users are welcome to upgrade and try it out. For more information, see the official ASM documentation.

Alibaba Container Service