Alibaba Cloud Service Mesh (ASM) is a fully managed service mesh platform and is compatible with open source Istio. ASM can help simplify service governance. For example, you can use ASM to route and split inter-service traffic, authenticate inter-service communication, and observe the behavior of services in meshes. This greatly reduces your workload in development and O&M. This topic describes the network architecture of Alibaba Cloud Distributed Cloud Container Platform (ACK One) that has ASM enabled and the network requirements.

For more information about ASM, see What is ASM?.

Network architecture

The following figure shows the network architecture of ACK One that has ASM enabled. ACK Cluster 1 and ACK Cluster 2 are deployed in VPC 1 in Region 1. ACK Cluster 3 is deployed in VPC 2 in Region 2. The administrator can access the endpoint of the API server of the master instance to manage the clusters associated with the master instance and control network traffic. This allows the administrator to use only one kubeconfig file to manage the applications and traffic in multiple clusters instead of frequently switching between the kubeconfig files of the master instance and ASM instance.

  • The connections marked by Circled Number 1 in the following figure indicate that the VPC of the master instance can access the endpoints of the API servers of the associated clusters.
  • The connections marked by Circled Number 2 in the following figure indicate that the VPCs of the associated clusters can access the endpoint of the API server of the master instance.
  • The connections marked by Circled Number 3 in the following figure indicate that the VPC of the ASM instance can access the endpoints of the API servers of the associated clusters.
  • The connection marked by Circled Number 4 in the following figure indicates that you can modify the kubeconfig file of the master instance to access the ASM instance and then control traffic from the ASM instance.
[Figure: network architecture of ACK One with ASM enabled; the numbered connections are described in the list above.]

Network requirements

If the master instance and the associated clusters are deployed in different regions or different virtual private clouds (VPCs), you must create a Cloud Enterprise Network (CEN) instance to connect the VPCs. This way, the API servers of the master instance and associated clusters can access each other. You can also enable the public endpoints of the master instance and associated clusters to allow them to access each other over the Internet. For more information, see CEN.

To use ASM to manage applications and network traffic in the associated clusters, make sure that the networks of the associated clusters meet the following requirements:

  1. If the associated clusters are deployed in the same VPC, their pod CIDR blocks must not overlap with each other or with the VPC CIDR block.
  2. The vSwitch CIDR blocks of the associated clusters must not overlap with each other. In addition, the vSwitch CIDR blocks of the associated clusters must not overlap with the pod CIDR blocks or the Service CIDR blocks.
  3. If the associated clusters are deployed in different VPCs, the VPC CIDR blocks must not overlap with each other and the first network requirement must also be met.
  4. The Service CIDR blocks of the associated clusters must not overlap with each other or overlap with the VPC CIDR block.
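The four requirements above are easy to get wrong once a third or fourth cluster joins the mesh, so a pre-flight check that evaluates them over a declared topology is worth having. The following script is an added example, not part of this documentation or an Alibaba Cloud tool: it applies the rules with Python's standard `ipaddress` module to a constructed three-cluster layout that mirrors the figure (two clusters in VPC 1, one in VPC 2). Pod and Service CIDR blocks are compared against the CIDR block of the cluster's own VPC, which is this example's reading of "the VPC CIDR block" in requirements 1 and 4; vSwitch CIDR blocks are compared against every cluster's pod and Service CIDR blocks, as requirement 2 states.

```python
from ipaddress import ip_network
from itertools import combinations

# Constructed sample topology (not from the documentation): clusters 1 and 2
# share VPC 1, cluster 3 sits in VPC 2, mirroring the figure's layout.
VPCS = {
    "vpc-1": "192.168.0.0/16",
    "vpc-2": "172.16.0.0/16",
}
CLUSTERS = {
    "ack-cluster-1": {"vpc": "vpc-1", "vswitch": "192.168.1.0/24", "pod": "10.0.0.0/16", "service": "10.200.0.0/20"},
    "ack-cluster-2": {"vpc": "vpc-1", "vswitch": "192.168.2.0/24", "pod": "10.1.0.0/16", "service": "10.201.0.0/20"},
    "ack-cluster-3": {"vpc": "vpc-2", "vswitch": "172.16.1.0/24", "pod": "10.2.0.0/16", "service": "10.202.0.0/20"},
}


def check_mesh_cidrs(vpcs, clusters):
    """Return a list of human-readable violations of the four network requirements.

    An empty list means the topology satisfies all of them.
    """
    vpc_nets = {name: ip_network(cidr) for name, cidr in vpcs.items()}
    nets = {
        name: {key: ip_network(spec[key]) for key in ("vswitch", "pod", "service")}
        for name, spec in clusters.items()
    }
    errors = []

    # Requirement 3: VPC CIDR blocks must not overlap with each other.
    for (a, na), (b, nb) in combinations(vpc_nets.items(), 2):
        if na.overlaps(nb):
            errors.append(f"VPC CIDR overlap: {a} {na} and {b} {nb}")

    # Requirements 1, 3 and 4: pod and Service CIDR blocks must be unique across
    # all clusters and must not overlap with the CIDR block of the cluster's own VPC.
    for key in ("pod", "service"):
        for name, spec in clusters.items():
            own_vpc = vpc_nets[spec["vpc"]]
            if nets[name][key].overlaps(own_vpc):
                errors.append(f"{key} CIDR of {name} {nets[name][key]} overlaps VPC {spec['vpc']} {own_vpc}")
        for (a, na), (b, nb) in combinations(((n, nets[n][key]) for n in clusters), 2):
            if na.overlaps(nb):
                errors.append(f"{key} CIDR overlap: {a} {na} and {b} {nb}")

    # Requirement 2: vSwitch CIDR blocks must be unique across clusters and must not
    # overlap with any cluster's pod or Service CIDR block (including the cluster's own).
    for (a, na), (b, nb) in combinations(((n, nets[n]["vswitch"]) for n in clusters), 2):
        if na.overlaps(nb):
            errors.append(f"vSwitch CIDR overlap: {a} {na} and {b} {nb}")
    for a in clusters:
        for b in clusters:
            for key in ("pod", "service"):
                if nets[a]["vswitch"].overlaps(nets[b][key]):
                    errors.append(
                        f"vSwitch CIDR of {a} {nets[a]['vswitch']} overlaps {key} CIDR of {b} {nets[b][key]}"
                    )
    return errors


def broken_topology():
    """Constructed variant of CLUSTERS with two deliberate mistakes, to show the report."""
    bad = {name: dict(spec) for name, spec in CLUSTERS.items()}
    bad["ack-cluster-2"]["pod"] = "10.0.0.0/16"          # duplicates cluster 1's pod CIDR (requirement 1)
    bad["ack-cluster-3"]["service"] = "172.16.128.0/20"  # falls inside VPC 2's CIDR (requirement 4)
    return bad


if __name__ == "__main__":
    for label, topo in (("valid", CLUSTERS), ("broken", broken_topology())):
        problems = check_mesh_cidrs(VPCS, topo)
        print(f"{label}: {'OK' if not problems else 'violations found'}")
        for p in problems:
            print("  -", p)
```

Run it before associating a new cluster with the master instance: the constructed layout passes cleanly, while the `broken_topology()` variant reports the duplicated pod CIDR block and the Service CIDR block that lands inside its VPC. Replace `VPCS` and `CLUSTERS` with the CIDR blocks of your own VPCs and clusters; the `ip_network` calls reject malformed or unaligned blocks with a `ValueError`, which is itself a useful early signal.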