To use Alibaba Cloud Service Mesh (ASM), you must create an ASM instance. This topic describes how to create an ASM instance in the ASM console.

Prerequisites

Background information

Note When you create an ASM instance, ASM may perform the following operations based on your settings:
  • Create a security group to allow inbound access to all Internet Control Message Protocol (ICMP) ports in a virtual private cloud (VPC).
  • Create VPC routing rules.
  • Create an elastic IP address (EIP).
  • Create a RAM role and attach policies to the role so that the role has all permissions on Server Load Balancer (SLB), Cloud Monitor, VPC, and Log Service. ASM dynamically creates SLB instances and VPC routing rules based on your settings.
  • Create an SLB instance in the VPC and expose port 6443.
  • Create an SLB instance in the VPC and expose port 15011.
  • Collect logs of the managed components on the control plane to ensure stability.

Procedure

  1. Log on to the ASM console.
  2. In the left-side navigation pane, choose Service Mesh > Mesh Management.
  3. On the Mesh Management page, click Create ASM Instance.
  4. In the Create ASM Instance panel, set the parameters as required.
    1. The following table describes the basic settings for an ASM instance.
      Name: The name of the ASM instance.
      Region: The region where the ASM instance resides.
      VPC: The VPC of the ASM instance. You can click Create VPC to create a VPC. For more information, see Create a VPC.
      vSwitch: The vSwitch of the ASM instance. You can click Create vSwitch to create a vSwitch. For more information, see Create a vSwitch.
      Istio Version: The Istio version.
      Internet Access: Specifies whether to allow Internet access to the API server. An ASM instance runs on a Kubernetes runtime. You can use the API server to define various mesh resources, such as virtual services, destination rules, and gateways.
        • If you allow Internet access to the API server, an EIP is created and bound to an SLB instance in the VPC. Port 6443 of the API server is exposed. You can use the kubeconfig of the cluster to connect to and manage the registered cluster and define mesh resources over the Internet.
        • If you do not allow Internet access to the API server, no EIP is created. You can use the kubeconfig to connect to and manage the registered cluster and define mesh resources only through the VPC where the cluster resides.
        Specifies whether to allow Internet access to Istio Pilot.
        • If you allow Internet access to Istio Pilot, an EIP is created and bound to an SLB instance in the VPC. Port 15011 of Istio Pilot is exposed. Envoy proxies that are deployed in the clusters on the data plane can connect to Istio Pilot over the Internet through this port.
        • If you do not allow Internet access to Istio Pilot, no EIP is created. Only clusters in the selected VPC, or clusters connected to the selected VPC through Cloud Enterprise Network, can be added to the data plane.
        Note By default, Istio Pilot is not exposed to the Internet. The data plane and control plane are preferentially connected over the selected VPC.
      Observability: Specifies whether to use Tracing Analysis for the ASM instance.
        ASM integrates with Tracing Analysis. Tracing Analysis provides a wide range of tools to help you identify performance bottlenecks of distributed applications. You can use the tools to map traces, display trace topologies, analyze application dependencies, and calculate the number of requests. This helps you improve the efficiency of developing and troubleshooting applications that use the microservices model.
        Note Before you use Tracing Analysis, make sure that you have activated Tracing Analysis in the Tracing Analysis console.
        Specifies whether to enable Prometheus for the ASM instance.
      Traffic Shaping: Specifies whether to route traffic to the nearest instances of application services.
        ASM uses Envoy proxies to ensure global load balancing among application services. You can deploy multiple instances of application services in Container Service for Kubernetes (ACK) clusters across different regions. ASM collects the status, routes, and backend servers of application services and sends this information to the Envoy proxies. This way, the Envoy proxies can route traffic to the optimal instances of application services. When an Envoy proxy sends a request to an application service, ASM prioritizes the workload instances of the application service based on the location of the Envoy proxy. If you select Enable Nearby Access and all instances of the application service are healthy, requests from Envoy proxies are preferentially sent to the nearest instances.
      Policy Control: Specifies whether to enable the Open Policy Agent (OPA) plug-in.
        ASM integrates with OPA to help you implement fine-grained access control on your applications. If you select this check box, OPA containers are injected into the pods of applications alongside the Envoy proxy containers. You can then use OPA to define access control policies. This out-of-the-box feature improves your development efficiency.
      Mesh Audit: Specifies whether to enable the mesh audit feature.
        You can enable the mesh audit feature to record and trace the operations of users. This is an important feature for secure cluster O&M.

    2. The following table describes the advanced settings for an ASM instance.
      Blocked Addresses for External Access: The Classless Inter-Domain Routing (CIDR) blocks in the ASM instance that are not allowed to access external services. Separate multiple CIDR blocks with commas (,). If you do not set this parameter, all CIDR blocks in the ASM instance are not allowed to access external services.
      Resource Settings for Injected Proxies: The resources that are required by a sidecar.
        Note
        • Resource limits: By default, each sidecar can be allocated up to 2 CPU cores and 1,024 MiB of memory.
        • Resource requirements: By default, each sidecar is allocated 0.1 CPU cores and 128 MiB of memory.
      Cluster Domain: Specifies the cluster domain for the ASM instance. The default cluster domain is cluster.local. You can add only Kubernetes clusters that share a cluster domain with the ASM instance to the ASM instance.
        Note You can set this parameter only if the Istio version of the ASM instance is 1.6.4.5 or later. Otherwise, this parameter is hidden.
      External Access Policy: The policy that is used to control access to external services.
        • ALLOW_ANY: allows applications in the ASM instance to access all external services.
        • REGISTRY_ONLY: allows applications in the ASM instance to access only the external services that are registered in the ASM instance.
  5. Select I have read and agree to the ASM Service Level Agreement and ASM Service Terms.
  6. Click OK to create the ASM instance.
    Note About 2 to 3 minutes are required to create an ASM instance.
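If you set External Access Policy to REGISTRY_ONLY, egress from the mesh is limited to external services that have been registered, so each destination your applications legitimately need must be declared. The following Istio ServiceEntry is an added example of such a registration; it is not part of this topic or of ASM itself, and the resource name, external host and namespace are assumed placeholders.

```yaml
# Added example (not from the ASM documentation): registers one external
# HTTPS endpoint so that workloads can still reach it while External Access
# Policy is REGISTRY_ONLY. Name, host and namespace are assumed placeholders.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: external-payments-api        # assumed name
  namespace: default                 # the namespace created with a new ASM instance
spec:
  hosts:
  - api.payments.example.com         # assumed external host to allow
  location: MESH_EXTERNAL            # the service runs outside the mesh
  ports:
  - number: 443
    name: https
    protocol: TLS
  resolution: DNS                    # resolve the host with DNS at the sidecar
```

Hosts that have no ServiceEntry remain unreachable under REGISTRY_ONLY, which is what makes the setting a useful egress control and also why a missing entry surfaces as blocked outbound traffic rather than as an application error.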

Result

After an ASM instance is created, you can view the following information about the instance:
  • On the Mesh Management page, you can view the basic information about the ASM instance.

    To view the latest information about the ASM instance, click Refresh on the right.

  • On the Mesh Management page, find the ASM instance that you want to view and click Log in the Actions column. In the ASM Instance Logs panel, you can view the logs of the ASM instance.
  • On the Mesh Management page, find the ASM instance that you want to view and click Manage in the Actions column. On the page that appears, you can view the basic information, connection configuration, clusters and ingress gateway services on the data plane, and namespaces, virtual services, destination rules, and Istio resources on the control plane. By default, the following Istio resources are created for a new ASM instance:
    • A namespace: default.
      Note By default, ASM creates five namespaces for a new ASM instance, but only the namespace that is named default appears in the console. You can use the kubectl client to query and manage the other four namespaces: istio-system, kube-node-lease, kube-public, and kube-system.
    • Two destination rules: api-server and default. For more information about the api-server rule, visit the official website of Istio. The destination rule that is named default defines the permissive mTLS policy for a service mesh.