To allow Internet access to an application in an Alibaba Cloud Service Mesh (ASM) instance, you must deploy an ingress gateway service in the cluster in which the application resides. This topic describes how to deploy an ingress gateway service in a Container Service for Kubernetes (ACK) cluster that is added to an ASM instance.

Prerequisites

An ASM instance is created, and an ACK cluster is added to the ASM instance.

Background information

An ingress gateway service provides a unified entry point for throttling inbound traffic at Layer 7. It routes HTTP requests that arrive on the same TCP port to different Kubernetes services based on the request content.

Procedure

  1. Log on to the ASM console.
  2. In the left-side navigation pane, choose Service Mesh > Mesh Management.
  3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column of the ASM instance.
  4. On the details page of the ASM instance, click ASM Gateways in the left-side navigation pane.
  5. On the ASM Gateways page, click Deploy Default Ingress Gateway.
    Note: Alternatively, you can click Deploy Custom Ingress/Egress Gateway to define a custom ingress gateway service. For more information, see Define a custom ingress gateway service.
  6. In the Deploy Ingress Gateway panel, deploy an ingress gateway service in a cluster.
    1. Select a cluster in which you want to deploy an ingress gateway service from the Cluster drop-down list.
    2. Select the access type of the Server Load Balancer (SLB) instance that you want to use. Set the SLB Instance Type parameter to Internet Access or Internal Access.
    3. Configure an SLB instance.
      • Use Existing SLB Instance: Select an existing SLB instance from the drop-down list.
      • Create SLB Instance: Click Create SLB Instance. Then, select an instance specification type from the drop-down list.
      Note: We recommend that you assign a dedicated SLB instance to each Kubernetes service in the cluster. If multiple Kubernetes services share the same SLB instance, the following risks and limits apply:
      • If you assign to a Kubernetes service an SLB instance that is already used by another Kubernetes service, the existing listeners of the SLB instance are forcibly overwritten. This may interrupt the original Kubernetes service and make your application unavailable.
      • If you create an SLB instance when you create a Kubernetes service, the SLB instance cannot be shared among Kubernetes services. Only SLB instances that you create in the SLB console or by calling API operations can be shared.
      • Kubernetes services that share the same SLB instance must use different frontend listening ports. Otherwise, port conflicts may occur.
      • If multiple Kubernetes services share the same SLB instance, you must use the listener names and the vServer group names as unique identifiers in Kubernetes. Do not modify the names of listeners or vServer groups.
      • You cannot share an SLB instance across clusters or regions.
  7. Configure port mappings.
    1. Click Add Port.
    2. In the row that appears, enter a name for the mapping and specify a service port and container port.
      Note:
      • We recommend that you use the same port for the container and the service in each mapping, and enable the port on the Istio gateway.
      • ASM provides four default ports that are commonly used by Istio. You can keep or delete the default ports, or add new ports as needed.
  8. Click OK.
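
The SLB sharing risks noted in step 6 can be checked from the cluster side. The following audit is an added example, not part of the original documentation or of ASM: it takes the parsed output of `kubectl get svc -A -o json` and reports Services that reuse the same SLB instance, frontend port conflicts between them, and Services set to overwrite existing listeners. It assumes the ACK cloud-controller-manager annotations `alibaba-cloud-loadbalancer-id` and `alibaba-cloud-loadbalancer-force-override-listeners`, which this page does not mention; the service names and SLB ID in the sample are constructed.

```python
from collections import defaultdict

# ACK cloud-controller-manager annotations on LoadBalancer Services (assumed, see lead-in).
PREFIX = "service.beta.kubernetes.io/alibaba-cloud-loadbalancer-"
SLB_ID = PREFIX + "id"                          # reuse an existing SLB instance
OVERRIDE = PREFIX + "force-override-listeners"  # overwrite its existing listeners

def audit_slb_sharing(service_list):
    """Return (kind, slb_id, detail) findings for Services that reuse an SLB."""
    by_slb, findings = defaultdict(list), []
    for svc in service_list.get("items", []):
        spec, meta = svc.get("spec", {}), svc["metadata"]
        ann = meta.get("annotations") or {}
        slb = ann.get(SLB_ID)
        if spec.get("type") != "LoadBalancer" or not slb:
            continue  # no reused SLB: nothing to share or overwrite
        name = f'{meta["namespace"]}/{meta["name"]}'
        by_slb[slb].append((name, sorted({p["port"] for p in spec.get("ports", [])})))
        if str(ann.get(OVERRIDE, "false")).lower() == "true":
            findings.append(("force-override", slb, name))
    for slb, users in by_slb.items():
        if len(users) > 1:
            findings.append(("shared", slb, ", ".join(sorted(n for n, _ in users))))
        owner = {}  # frontend port -> first Service seen listening on it
        for name, ports in users:
            for port in ports:
                if port in owner:
                    findings.append(("port-conflict", slb, f"{port}: {owner[port]} vs {name}"))
                owner.setdefault(port, name)
    return findings

def svc(ns, name, ports, annotations=None):
    """Build a minimal Service shaped like an item of `kubectl get svc -o json`."""
    return {"metadata": {"namespace": ns, "name": name, "annotations": annotations},
            "spec": {"type": "LoadBalancer", "ports": [{"port": p} for p in ports]}}

# Constructed sample: names and the SLB ID are placeholders, not real resources.
SAMPLE = {"items": [
    svc("istio-system", "ingressgateway-example", [80, 443], {SLB_ID: "lb-example0001"}),
    svc("default", "legacy-web", [80, 8080], {SLB_ID: "lb-example0001", OVERRIDE: "true"}),
    svc("default", "api", [8443]),  # SLB created with the Service: not shareable
]}

if __name__ == "__main__":
    for finding in audit_slb_sharing(SAMPLE):
        print(*finding, sep=" | ")
```

To audit a real cluster, pass `json.load(sys.stdin)` to `audit_slb_sharing` and pipe in the `kubectl` output.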

Result

After you deploy the ingress gateway service, you can view the details of the ingress gateway service in the Container Service console.
  • To view the basic information about the ingress gateway service, perform the following steps:
    1. Log on to the Container Service console.
    2. In the left-side navigation pane, click Clusters.
    3. On the Clusters page, click the name of the cluster in which the ingress gateway service is deployed. Alternatively, click Details in the Actions column of the cluster in which the ingress gateway service is deployed.
    4. In the left-side navigation pane of the details page, choose Network > Services.
    5. At the top of the Services page, select istio-system from the Namespace drop-down list.
    6. Click Details in the Actions column of the ingress gateway service that you want to view.
  • To view the pod information about the ingress gateway service, perform the following steps:
    1. Log on to the Container Service console.
    2. In the left-side navigation pane, click Clusters.
    3. On the Clusters page, click the name of the cluster in which the ingress gateway service is deployed. Alternatively, click Details in the Actions column of the cluster in which the ingress gateway service is deployed.
    4. In the left-side navigation pane, choose Workloads > Pods.
    5. At the top of the Pods page, select istio-system from the Namespace drop-down list.
    6. Click View Details in the Actions column of the pod of the ingress gateway service.