
Container Service for Kubernetes: Service Mesh overview

Last Updated: Apr 23, 2024

Alibaba Cloud Service Mesh (ASM) is a fully managed Service Mesh platform and is compatible with open source Istio. Service Mesh can help simplify service governance. For example, you can use ASM to route and split inter-service traffic, authenticate inter-service communication, and observe the behavior of services in meshes. This greatly reduces your workload in development and O&M. This topic describes the network architecture of Alibaba Cloud Distributed Cloud Container Platform (ACK One) that has Service Mesh enabled and the network requirements.

For more information about Service Mesh, see What is ASM?

Networking architecture

The following figure shows the network architecture of ACK One that has Service Mesh enabled. ACK Cluster 1 and ACK Cluster 2 are deployed in VPC 1 in Region 1. ACK Cluster 3 is deployed in VPC 2 in Region 2. The administrator can access the endpoint of the API server of the Fleet instance to manage the clusters associated with the Fleet instance and control network traffic. This allows the administrator to use only one kubeconfig file to manage the applications and traffic in multiple clusters instead of frequently switching between the kubeconfig files of the ACK One Fleet instance and Service Mesh instance.

  • The connections marked by Circled Number 1 in the following figure indicate that the VPC of the Fleet instance can access the endpoints of the API servers of the associated clusters.

  • The connections marked by Circled Number 2 in the following figure indicate that the VPCs of the associated clusters can access the endpoint of the API server of the Fleet instance.

  • The connections marked by Circled Number 3 in the following figure indicate that the VPC of the Service Mesh instance can access the endpoints of the API servers of the associated clusters.

  • The connection marked by Circled Number 4 in the following figure indicates that you can modify the kubeconfig file of the ACK One Fleet instance to access the Service Mesh instance and then control traffic from the ASM instance.

[Figure: network architecture of an ACK One Fleet instance with Service Mesh enabled]

Network requirements

If the Fleet instance and the associated clusters are deployed in different regions or different virtual private clouds (VPCs), you must create a Cloud Enterprise Network (CEN) instance to connect the VPCs. This way, the API servers of the Fleet instance and associated clusters can access each other. You can also enable the public endpoints of the Fleet instance and associated clusters to allow them to access each other over the Internet. For more information, see CEN.

To use ASM to manage applications and network traffic in the associated clusters, make sure that the networks of the associated clusters meet the following requirements:

  1. If the associated clusters are deployed in the same VPC, their pod CIDR blocks must not overlap with each other or with the VPC CIDR block.

  2. The vSwitch CIDR blocks of the associated clusters must not overlap with each other. In addition, the vSwitch CIDR blocks of the associated clusters must not overlap with the pod CIDR blocks or the Service CIDR blocks.

  3. If the associated clusters are deployed in different VPCs, the VPC CIDR blocks must not overlap with each other and the first network requirement must also be met.

  4. The Service CIDR blocks of the associated clusters must not overlap with each other or overlap with the VPC CIDR block.
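The four CIDR requirements above can be checked mechanically before clusters are associated with the Fleet instance. The following Python script is an added example and is not part of this documentation or of ACK One; the cluster names and CIDR blocks in it are constructed sample values.

```python
from ipaddress import ip_network
from itertools import combinations

# Constructed sample: name -> (vpc, vpc_cidr, pod_cidr, service_cidr, vswitch_cidrs)
CLUSTERS = {
    "ack-cluster-1": ("vpc-1", "192.168.0.0/16", "10.0.0.0/16", "172.16.0.0/20", ["192.168.0.0/24"]),
    "ack-cluster-2": ("vpc-1", "192.168.0.0/16", "10.1.0.0/16", "172.17.0.0/20", ["192.168.1.0/24"]),
    "ack-cluster-3": ("vpc-2", "10.100.0.0/16", "10.2.0.0/16", "172.18.0.0/20", ["10.100.0.0/24"]),
}

def overlaps(a, b):
    return ip_network(a).overlaps(ip_network(b))

def check_cidrs(clusters):
    """Return a list of violations; an empty list means all four requirements hold."""
    issues = []
    for (n1, c1), (n2, c2) in combinations(clusters.items(), 2):
        vpc1, vpccidr1, pod1, svc1, vsw1 = c1
        vpc2, vpccidr2, pod2, svc2, vsw2 = c2
        # Requirement 1 (and 3): pod CIDRs of associated clusters must not overlap
        if overlaps(pod1, pod2):
            issues.append(f"req1: pod CIDRs of {n1} and {n2} overlap")
        # Requirement 2: vSwitch CIDRs of associated clusters must not overlap
        for a in vsw1:
            for b in vsw2:
                if overlaps(a, b):
                    issues.append(f"req2: vSwitch CIDRs {a} ({n1}) and {b} ({n2}) overlap")
        # Requirement 3: clusters in different VPCs need disjoint VPC CIDRs
        if vpc1 != vpc2 and overlaps(vpccidr1, vpccidr2):
            issues.append(f"req3: VPC CIDRs of {n1} and {n2} overlap")
        # Requirement 4: Service CIDRs of associated clusters must not overlap
        if overlaps(svc1, svc2):
            issues.append(f"req4: Service CIDRs of {n1} and {n2} overlap")
    for name, (vpc, vpccidr, pod, svc, vsws) in clusters.items():
        # Requirements 1 and 4: pod and Service CIDRs must not overlap the VPC CIDR
        if overlaps(pod, vpccidr):
            issues.append(f"req1: pod CIDR of {name} overlaps its VPC CIDR")
        if overlaps(svc, vpccidr):
            issues.append(f"req4: Service CIDR of {name} overlaps its VPC CIDR")
        # Requirement 2: vSwitch CIDRs must not overlap the pod or Service CIDRs
        for vsw in vsws:
            if overlaps(vsw, pod) or overlaps(vsw, svc):
                issues.append(f"req2: vSwitch CIDR {vsw} of {name} overlaps a pod/Service CIDR")
    return issues

if __name__ == "__main__":
    for issue in check_cidrs(CLUSTERS) or ["all CIDR requirements satisfied"]:
        print(issue)
```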