This topic describes the release notes for Service Mesh (ASM) and provides links to the relevant references.
March 2024
Feature | Description | Region | Supported Istio version | Edition | References |
Support for outputting access logs in plain text strings and JSON strings | Access logs can be output to the corresponding container as plain text strings. The plain text form is more information-dense and space-saving than the JSON form. | All regions | 1.20 and later | All | |
Support for maintenance windows | You can configure a maintenance window of an ASM instance to specify the automatic maintenance time of the managed control plane of the ASM instance. | All regions | All | All | |
Support for the development of WebAssembly (Wasm) extensions for an Envoy proxy in Go | You can develop a Wasm extension in Go and insert it into the filter chain of an Envoy proxy. This helps you meet requirements in specific scenarios. For example, Wasm extensions allow you to dynamically add or modify HTTP headers based on specific rules, adjust route destinations, and access external custom authorization services. | All regions | 1.18 and later | All | |
Support for managed security groups | When you create an ASM instance, you can create a security group to provide a higher level of security protection for the ASM control plane. | All regions | 1.20 and later | All |
February 2024
Feature | Description | Region | Supported Istio version | Edition | References |
Support for Istio 1.20 | The latest features of the open source Istio 1.20 series are supported. | All regions | 1.20 and later | All | |
Support for canary upgrades of ASM gateways | To ensure business continuity after an upgrade of an ASM gateway, you can perform a canary upgrade of the ASM gateway. You can start a new version of a gateway pod to verify that traffic can be properly forwarded. Then, you can fully upgrade the ASM gateway. If an issue is found during the verification, you can delete the new version of the pod at any time. After the issue is resolved, you can proceed with the upgrade. | All regions | 1.20 and later | All | |
Support for configuring a Prometheus instance to collect metrics of applications in ASM over mutual Transport Layer Security (mTLS) | For critical services, it is essential to have encryption mechanisms in place not only for the communication among services but also for the collection of metrics. ASM allows you to configure a Prometheus instance to collect metrics of applications in an ASM instance over mTLS. | All regions | All | All | Configure a Prometheus instance to collect metrics of applications in an ASM instance over mTLS |
Optimization of the plug-in center and Envoy filters |
| All regions | 1.18 and later | All | |
Support for managing Envoy filter templates and traffic lanes in a declarative manner |
| All regions | 1.20 and later | All |
January 2024
Feature | Description | Region | Supported Istio version | Edition | References |
Intelligent diagnostics added to the mesh diagnostics feature of ASM | AI assistant is integrated for intelligent diagnostics. After disgnosis results are generated, the Large Language Model (LLM) technology is used to explain the causes of the results of the diagnostics items and provide solutions. | All regions | All | All | |
Enhanced features of Mesh Topology | Mesh Topology provides more powerful observability features and improved ease of use.
| All regions | All | All | |
Support for custom request headers and response headers | ASM allows you to use the VirtualService and EnvoyFilter CRDs to customize request headers and response headers. | All regions | All | All | |
Support for scenario-based throttling | Best practices are provided for using the throttling feature in the following scenarios:
| All regions | 1.11.5 and later | Enterprise and Ultimate |
December 2023
Feature | Description | Region | Supported Istio version | Edition | References |
Support for Istio 1.19 and 1.18 patch versions |
| All regions | All | All | None |
Pay-as-you-go billing method for the CLB instances that are created for a new ASM instance | When you create an ASM instance, internal-facing CLB instances that use the pay-as-you-go billing method are created by default to access the API server and the Istio control plane. | All regions | All | All | |
Support for use of Common Expression Language (CEL) to configure rules for filtering access logs | ASM allows you to use CEL to configure rules for filtering logs. In business scenarios with a large number of access requests, you can filter logs based on specific conditions to reduce the resource overhead of sidecar proxies and focus on key log content. | All regions | 1.18 and later | All | |
Simplified management of local throttling | The local throttling feature is enhanced to meet requirements in common throttling scenarios. In addition, a graphical user interface (GUI) is provided to simplify the configuration process and reduce operation errors. This improves the overall ease of use. | All regions | 1.18 and later | All |
November 2023
Feature | Description | Region | Supported Istio version | Edition | References |
Support for Model Service Mesh | Model Service Mesh is used to deploy and manage machine learning model services. In addition, Model Service Mesh provides some features, such as traffic splitting, A/B testing, and canary release, to help you better control and manage the traffic destined for model services. You can use these features to easily switch traffic among different model versions and roll back to specific model versions. Model Service Mesh also supports the dynamic routing feature. This feature allows you to route requests to appropriate model services based on their attributes, such as model type, data format, or other metadata. Model Service Mesh allows developers to deploy, manage, and scale machine learning models more easily while providing high availability, resiliency, and flexibility to meet different business needs. | All regions | 1.18 and later | All | |
Support for the deployment of ASM serverless gateways | ASM serverless gateways can be deployed on virtual nodes and elastic container instances. ASM serverless gateways are applicable to service scenarios that require elastic resources and do not require node maintenance. | All regions | 1.18 and later | All | Use ASM serverless gateways to improve your system availability and elasticity |
Support for accessing applications in an ASM instance by using a CLB instance | Mesh Topology in managed mode allows you to access applications deployed in an ASM instance by using a CLB instance. This simplifies the access configurations of Mesh Topology. | All regions | 1.18 and later | All | |
Support for KServe 0.11 | KServe 0.11 can be integrated with ASM to facilitate your management of model services. You can use InferenceService to deploy a transformer and select an appropriate KServe version based on your business requirements. | All regions | 1.18 and later | All | |
Support for integration with OpenTelemetry Collector | Tracing data can be exported to Managed Service for OpenTelemetry or a self-managed system that is compatible with Zipkin. | All regions | 1.18 and later | All |
October 2023
Feature | Description | Region | Supported Istio version | Edition | References |
Support for using the ASMCompressor CRD fields to define compression configurations for calls between application services | You can use CRD fields to define the compression configurations for calls between application services. In addition, you can add compression filters that use consistent compression configurations to your applications. The parameters of the Gzip and Brotli compression algorithms are configurable. | All regions | 1.18 and later | All | |
Support for using the ASMGrpcJsonTranscoder CRD fields to define the configurations for transcoding between HTTP/JSON and gRPC/Protobuf | You can use CRD fields to define the configurations for transcoding between HTTP/JSON and gRPC/Protobuf, which are used for calls between application services. In addition, you can add transcoding filters that use consistent transcoding configurations to your applications. | All regions | 1.18 and later | All | |
Support for custom Wasm plug-ins on the ASM data plane | You can configure custom Wasm plug-ins for ASM sidecar proxies or ASM gateways to improve the extensibility of the ASM data plane. Wasm plug-ins support multiple programming languages (such as C++ and Golang) and can be loaded in multiple ways: HTTP, OCI image hub, and ConfigMap. | All regions | 1.18 and later | All | Use the Coraza Wasm plug-in to implement WAF capabilities on an ASM gateway |
Support for using the ASMGlobalRateLimiter CRD fields to configure global throttling for ingress gateways and inbound traffic directed to services | You can use CRD fields to configure global throttling for ingress gateways and inbound traffic directed to services. | All regions | 1.18 and later | All |
September 2023
Feature | Description | Region | Supported Istio version | Edition | References |
Support for dynamic subnet load balancing | The dynamic subnet load balancing feature dynamically selects a subset of destination services based on | All regions | 1.18 and later | Enterprise and Ultimate | |
Support for traffic lane in strict and permissive modes | Traffic lanes support both strict and permissive modes. In permissive mode, the mechanism of fallback to the baseline lane can simplify end-to-end (E2E) traffic management in scenarios where request routing headers are the same as E2E pass-through request headers. | All regions | 1.18 and later | Enterprise and Ultimate | |
Support for Mesh Topology in managed mode | Compared with Mesh Topology in in-Kubernetes-cluster mode, Mesh Topology in managed mode has greater advantages in unified observation of multiple clusters, easy configuration, and service reliability. | All regions | 1.18 and later | Enterprise and Ultimate |
August 2023
Feature | Description | Region | Supported Istio version | Edition | References |
Ambient Mesh | A sidecarless data plane mode that is compatible with Istio Ambient Mesh is provided. You can adopt the service mesh technology incrementally depending on the features that you require. The features include Layer 4 and Layer 7 routing and authorization. | All regions | 1.18 and later | Enterprise and Ultimate | |
Support for Istio 1.18.x versions | The latest features of the open source Istio 1.18 series are supported. | All regions | 1.18 and later | All | None |
Container Network Interface (CNI) mode enabled by default during ASM instance creation | By default, the CNI mode is enabled when you create an ASM instance. However, in the case of ACK Serverless and ACK on Elastic Container Instance clusters, CNI DaemonSet is not deployed even if the CNI mode is enabled. | All regions | 1.18 and later | All | |
Support for Knative 1.8 | Knative 1.8 is used by default when you use Knative on ASM to deploy serverless workloads in an ASM instance of version 1.18. | All regions | 1.18 and later | All | |
Support for Network Load Balancer (NLB) by ingress gateways | NLB offers ultra-high performance and can automatically scale on demand. NLB supports higher availability and further improves the stability of gateway traffic. | All regions | 1.18 and later | All |
July 2023
Feature | Description | Region | Supported Istio version | Edition | References |
Canary release of a control plane | ASM supports revision- and label-based canary updates of a control plane in a more stable and secure manner. | All regions | 1.16 and later | Enterprise and Ultimate | |
Simplified label synchronization of global namespaces | If multiple Kubernetes clusters on the data plane are added to the ASM instance, you can modify the clusters to which a global namespace belongs. This way, you can synchronize varied namespace labels to different clusters based on your business requirements. The ASM console provides the | All regions | 1.16 and later | All | |
Audit alerts for operations on ASM resources | After you enable the audit feature for ASM, you can configure alerts in Simple Log Service to enable audit alerts for changes of ASM resources. This way, alerts are sent to alert contacts in a timely manner for changes of important resources. | All regions | 1.15 and later | All | |
Adaptive xDS optimization for an egress gateway | After you enable the adaptive xDS optimization feature, an egress gateway named istio-axds-egressgateway is deployed in the corresponding Kubernetes cluster, and you can modify the configuration of the egress gateway. | All regions | 1.15 and later | All | Use adaptive xDS optimization to improve the configuration push efficiency of the control plane |
Integration with an external Open Policy Agent (OPA) engine | Compared with OPA deployed in sidecar mode, an OPA engine outside pods boasts the following advantages: The resource usage is lower. The pod does not need to be restarted for OPA container deployment and access to applications. You can use an OPA policy for specific requests to an application. | All regions | 1.15 and later | All | |
Log and metric collection of a gateway | ASM allows you to configure the features of generating and collecting the access logs and metrics of a gateway. You can view the raw logs and log dashboard of a specific gateway. | All regions | 1.17 and later | All |
June 2023
Feature | Description | Region | Supported Istio version | Edition | References |
Observability Management Center 2.0 | Observability settings, including log settings, metric settings, and trace analysis settings, can be configured in the same module. | All regions | 1.17.2.35 and later | All | |
On-demand configuration of the feature of merging Istio metrics with application metrics | For an application integrated with Prometheus, you can use sidecar proxies to expose application metrics by merging Istio metrics with the application metrics. | All regions | 1.17 and later | All | |
Namespace blacklist mode of service discovery selectors | You can use service discovery selectors to configure a namespace whitelist and allow the control plane of an ASM instance to discover and process applications in namespaces that are not in blacklists. This makes it more efficient for the control plane to push service configurations to sidecar proxies on the data plane. | All regions | 1.17 and later | Enterprise and Ultimate | Use service discovery selectors to improve the efficiency of pushing ASM configurations |
ASM fallback mechanism for traffic management | A fallback mechanism provides an alternative call path when a service call fails. ASM allows you to define fallback parameters in a virtual service so that a fallback can be performed when a requested service fails. | All regions | 1.17 and later | Enterprise and Ultimate | |
Logon to Mesh Topology as a RAM user or by using custom access modes | You can log on to the Mesh Topology console as a Resource Access Management (RAM) user by default. Alternatively, you can configure the domain name, port, service root path, and protocol used to access Mesh Topology. | All regions | 1.17 and later | All | |
Alerts of ASM certificate management in Simple Log Service | You can configure certificate management alerts on the control plane. Certificate expiration and about-to-expiration alerts are supported. | All regions | 1.17 and later | All |
May 2023
Feature | Description | Region | Supported Istio version | Edition | References |
Support for Istio 1.17.x versions | The latest features of the open source Istio 1.17 series are supported. | All regions | 1.17 and later | All | None |
Support for the Machine Learning Operations (MLOps) management of models by KServe on ASM | KServe can be integrated with ASM to facilitate your management of AI model services. | All regions | 1.17 and later | Enterprise and Ultimate | Integrate KServe with ASM to implement inference services based on cloud-native AI models |
Support for serverless ASM gateways | A serverless ASM gateway is provided based on virtual nodes and elastic container instances. It is applicable to service scenarios that require elastic resources and do not require node maintenance. | All regions | 1.16 and later | Enterprise and Ultimate | |
Support for global certificate management | ASM supports the following certificate management features in a global manner:
| All regions | 1.17 and later | All | |
Support for a GUI that allows you to view Istio resources in Mesh Topology | The Virtual Services option is added so that you can check whether virtual service resources are configured in Mesh Topology. | All regions | 1.15 and later | Enterprise and Ultimate | |
Support for namespace exclusion during ASM instance diagnostics | During ASM instance diagnostics, you can choose to exclude a specified namespace. Diagnosis results will not be generated for the excluded namespace. | All regions | 1.17 and later | All |
April 2023
Feature | Description | Region | Supported Istio version | Edition | References |
Support for Istio 1.16.x versions | Open source Istio 1.16 series are supported. | All regions | 1.16 and later | All | None |
Simplified management of sidecar proxy injection | The management of injection policies and sidecar injector settings is simplified. | All regions | 1.16 and later | All | |
Support for the Google Remote Procedure Call (gRPC)-JSON transcoder plug-in | You can access gRPC services by using RESTful APIs or HTTP/JSON requests, which simplifies the integration of gRPC services so that you can use gRPC services easily. | All regions | 1.16 and later | Enterprise and Ultimate | Use ASMGrpcJsonTranscoder to allow HTTP/JSON requests to access gRPC services in an ASM instance |
Logon to Mesh Topology as a RAM user | Single Sign On (SSO) is implemented for the Mesh Topology console. You can log on to ASM Mesh Topology as a RAM user. | All regions | 1.16 and later | Enterprise and Ultimate | Log on to ASM Mesh Topology with an Alibaba Cloud account or as a RAM user |
March 2023
Feature | Description | Region | Supported Istio version | Edition | References |
Connection of an ingress gateway to a Web Application Firewall (WAF) instance |
| All regions | All | Enterprise and Ultimate | |
Configuration of Ingress resources | You can use Ingress resources in a cluster on the data plane and specify an ASM gateway as the Ingress controller to expose services in the cluster. | All regions | 1.16 and later | Enterprise and Ultimate | Use an ASM gateway as an Ingress controller to expose services in a cluster |
Management of Knative Services | ASM integrates the capabilities of the Knative Serving component that is deployed in either a Container Service for Kubernetes (ACK) cluster or an ACK Serverless cluster. This helps you manage serverless workloads. | All regions | 1.16 and later | Enterprise and Ultimate | |
Logon to Mesh Topology by using OpenID Connect (OIDC) | You can connect to an identity provider (IdP) over the OIDC protocol to log on to Mesh Topology and configure SSO to Mesh Topology in the ASM console. | All regions | 1.15.3.120 and later | Enterprise and Ultimate | |
Overcommitment mode for sidecar proxies | You can enable the dynamic resource overcommitment feature and configure resources that can be dynamically overcommitted in a sidecar proxy. | All regions | 1.16 and later | Enterprise and Ultimate | Configure ACK resources that can be dynamically overcommitted in a sidecar proxy |
Configuration of egress traffic policies | An egress traffic policy defines how an egress gateway manages egress traffic. An egress traffic policy can work with sidecar proxies and authorization policies to provide more comprehensive control over egress traffic. | All regions | 1.16 and later | Enterprise and Ultimate | |
Configuration of a global default HTTP request retry policy | ASM allows you to configure a global default HTTP request retry policy that can define the number of retries, retry timeout period, and retry conditions. | All regions | 1.15 and later | All | None |
February 2023
Feature | Description | Region | Supported Istio version | Edition | References |
Support for the Istio 1.15.3.105 version | Open source Istio 1.15 series and Kubernetes 1.21 to 1.25 versions are supported. | All regions | v1.15.3.105 | All | None |
Enhanced observability |
| All regions | All | All | |
Optimized performance of the mesh topology |
| All regions | 1.14 and later | All | |
Enhanced traffic management in the multi-cluster environment | The feature of keeping traffic in-cluster is supported in the multi-cluster environment. When you deploy a service across multiple clusters, this feature ensures that traffic is only routed to workloads within the specified cluster. | All regions | 1.15.3.101 and later | All | Enable the feature of keeping traffic in-cluster in multi-cluster scenarios |
More flexible sidecar proxy configuration |
| All regions | 1.15.3.101 and later | All | |
Custom ASM gateway configurations and enhanced observability |
| All regions | All | Enterprise and Ultimate |
January 2023
Feature | Description | Region | Supported Istio version | Edition | References |
Topology query in a range of time within 90 days | The topology in a range of time within 90 days can be queried by using the Mesh Topology tool. | All regions | 1.14 and later | All | |
New environment variable for the configuration of sidecar proxies on the data plane | A new environment variable is added to the configuration of sidecar proxies. You can configure the environment variable to load the bootstrap configuration before sidecar proxies are started. | All regions | 1.15.3.63 and later | All | |
Enhanced security capabilities of ingress gateways | OIDC-based SSO and JSON Web Token (JWT)-based authentication can be configured by using ASM ingress gateways in a few steps. | All regions | 1.15.3.25 and later | Enterprise and Ultimate |
Historical release notes
For more information about release notes for Service Mesh before 2023, see Historical release notes (before 2023).