ASM gateway supports the creation of HTTPS type listening on SLB side


• An ASM instance has been created. For details, see Creating an ASM Instance.

• An ACK cluster has been created. For details, see Creating a managed Kubernetes cluster.

• Add clusters to ASM instances. For details, see Adding a Cluster to an ASM Instance.

Background Information

How to create an HTTPS type listener for K8s Service
You need to create a certificate on the Alibaba Cloud console and record the cert-id first, and then use the following Annotation to create an HTTPS-type SLB.

Note: The HTTPS request will be decrypted at the SLB layer, and then sent to the backend Pod in the form of an HTTP request.
apiVersion: v1
kind: Service
annotations: "https:443" "${YOUR_CERT_ID}"
name: sample
namespace: default
- port: 443
protocol: TCP
targetPort: 80
app: sample
type: LoadBalancer

Step 1: Prepare the certificate required by SLB

In this example, a certificate and private key are generated for
If you already have a certificate and private key available for, you need to name the key and the certificate If not, the following steps can be performed through openssl to generate a certificate and key.

1. Execute the following command to create a root certificate and private key.
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=myexample Inc./' -keyout aliyun.root.key -out aliyun.root.crt

2. Execute the following command to generate a certificate and private key for the server.

openssl req -out -newkey rsa:2048 -nodes -keyout -subj "/ organization"
openssl x509 -req -days 365 -CA aliyun.root.crt -CAkey aliyun.root.key -set_serial 0 -in -out

3. Create a certificate in the SLB console

To configure HTTPS monitoring, you can directly use the certificate in the SSL certificate service or upload the required server certificate and CA certificate issued by a third party to the traditional load balancer.

Step 2: Create a listener of HTTPS type

Alibaba Cloud ASM provides the function of customizing the ingress gateway service, and specific functional parameters can be defined through YAML configuration.

In the following configuration, an HTTPS SLB will be created through serviceAnnotation, and the HTTPS request with port 443 will be decrypted at the SLB layer, and then sent to port 80 of the backend Pod in the form of HTTP request.

kind: Istio Gateway
name: ingressgateway
namespace: istio-system
- name: http-0
port: 80
protocol: HTTP
targetPort: 80
- name: https-1
port: 443
protocol: HTTPS
targetPort: 80
serviceAnnotations: "${YOUR_CERT_ID}" 'https:443'
serviceType: LoadBalancer

Results of the

View through the ASM console, select the corresponding service grid instance in the console, select the ASM gateway in the left navigation bar, and view the corresponding information on the right page.

Run the following command to access the httpbin service through the HTTPS protocol.

curl -k https://{replace with the real IP address of the ingress gateway}:443/headers
"headers": {
"Accept": "*/*",
"Host": "xxxx",
"Remoteip": "xxxx",
"User-Agent": "curl/7.79.1",
"X-Envoy-Attempt-Count": "1",
"X-Envoy-External-Address": "xxxx",

Related Articles

Explore More Special Offers

  1. Short Message Service(SMS) & Mail Service

    50,000 email package starts as low as USD 1.99, 120 short messages start at only USD 1.00

phone Contact Us