Alibaba Cloud Service Mesh (ASM) provides ingress and egress gateways to control inbound and outbound traffic and to implement end-to-end encryption. This topic describes the features of ASM gateways, including ingress gateways, egress gateways, and Istio gateways.

Ingress gateway

An ingress gateway provides a unified entrance for routing the inbound traffic at Layer 7. It routes HTTP requests from the same TCP port to different Kubernetes services based on the request content. An ingress gateway provides various features, which include lifecycle management, support for multiple protocols, traffic management, security features, and observability capabilities.

| Feature | Description | References |
|---|---|---|
| Lifecycle management | You can create and manage an ingress gateway in the ASM console. | Create an ingress gateway service |
| Support for multiple protocols | You can create destination rules and virtual services on a graphical user interface (GUI) without the need to write YAML files. This simplifies traffic management. | Configure traffic routing for an ASM gateway |
| | You can use an ingress gateway to transfer TCP traffic between an online version and a canary release version of an application. | Use ASM to transfer TCP traffic |
| | You can use an ingress gateway to enable HTTPS and dynamic certificate loading. This ensures traffic security. | Use an ingress gateway to enable HTTPS |
| | You can use an ingress gateway to access a Google Remote Procedure Call (gRPC) service in an ASM instance and switch traffic between two versions of the gRPC service. | Use an ingress gateway to access a gRPC service in an ASM instance |
| | An ingress gateway supports protocol transcoding. You can send HTTP requests with JSON bodies from your browser or client to access gRPC services in an ASM instance. | Use an ingress gateway to enable access to a gRPC service in an ASM instance over HTTP |
| | You can use an ingress gateway to access a WebSocket service in an ASM instance. | Use an ingress gateway to access a WebSocket service in an ASM instance |
| Common traffic management features | ASM allows you to configure resources such as virtual services and destination rules to implement non-intrusive traffic governance for microservices. For example, you can use features such as traffic routing, throttling, circuit breaking, and traffic mirroring. | Use the API-based circuit breaking feature of ASM |
| | In scenarios such as flash sales, the traffic may instantaneously reach a peak that exceeds the maximum load supported by your system. As a result, a large number of calls are waiting to be processed, and the system stops responding. ASM provides the local throttling feature that you can use to throttle traffic for gateways and services. In this way, you can protect your system from being overloaded. | Use the local throttling feature of ASM |
| | You can use Gateway API to define routing rules for accessing an application in a cluster. | Use Gateway API to define a routing rule |
| | You can use Ingress resources in a managed cluster and specify a specific ASM gateway as the Ingress controller. | Use an ASM gateway as an Ingress controller to expose services in a cluster |
| | You can use the traffic mirroring feature to mirror production traffic to a test cluster or test service version. Testing that uses the mirrored production traffic mitigates risks involved in version changes without affecting the production environment. | Use traffic mirroring across clusters at the service mesh layer |
| Traffic security and dynamic certificate loading | You can use an ingress gateway to enable HTTPS and dynamic certificate loading. This ensures traffic security. | Use an ingress gateway to enable HTTPS |
| | You can use an ingress gateway to enable Transport Layer Security (TLS) pass-through. This ensures secure access to HTTPS services in a cluster. | Use an ingress gateway to enable TLS pass-through |
| | You can configure TLS versions on an ingress gateway to enhance gateway security. | Configure TLS versions on an ingress gateway to enhance security |
| | You can use an ingress gateway to configure a gRPC service that is based on the mutual TLS (mTLS) protocol. This ensures data security. | Use an ingress gateway to configure a mTLS-based gRPC service |
| | You can bind a certificate to a domain name in a visual manner. After you bind a certificate to a domain name, you can use an ingress gateway to access the domain name over a protocol such as HTTPS. This improves the security of the ingress gateway. | Bind a certificate to a domain name |
| | You can connect an ingress gateway to a Web Application Firewall (WAF) instance, and customize the fields of access logs to view the headers that are added by the WAF instance to back-to-origin requests. This facilitates online O&M. | Connect an ingress gateway to a WAF instance |
| | You can use an ingress gateway to enable HTTPS and dynamic certificate loading. This ensures gateway security. You can also create an HTTPS listener by binding a certificate to the Server Load Balancer (SLB) instance of an ingress gateway. The HTTPS listener decrypts HTTPS requests into HTTP requests and forwards the HTTP requests to the ingress gateway pod. | Create an HTTPS listener for the SLB instance of an ingress gateway |
| | You can use cert-manager to issue certificates for ingress gateways. This way, you can use the ingress gateways to access services over HTTPS. This ensures data transmission security. | Use cert-manager to manage certificates for ASM gateways |
| Authorization management | You can configure a blacklist or whitelist for an ingress gateway to reject or allow requests from a specific IP address, HTTP domain, or port. This ensures the security of applications in the mesh. | Configure a blacklist or whitelist for an ingress gateway |
| | ASM provides custom authorization. You can add an authentication process to an ingress gateway to ensure that only authenticated services can access key services. | Implement custom authorization by using an ingress gateway |
| | OpenID Connect (OIDC) is a protocol for identity authentication and authorization. It is commonly used to implement single sign-on (SSO). You can configure OIDC-based SSO on an ingress gateway. | Configure OIDC-based SSO by using an ingress gateway |
| | JSON Web Tokens (JWTs) are commonly used to authenticate users. A JWT carries user information and a field that stores encrypted user information. When you implement JWT-based authentication, the encrypted user information is decrypted and compared with the input user information. This verifies the user identity. You can configure JWT-based authentication on an ingress gateway. | Configure JWT authentication by using an ingress gateway |
| | You can implement SSO to all the applications in an ASM instance by using the custom authorization service with zero code modification. This reduces the costs of application transformation and O&M. | Integrate Alibaba Cloud IDaaS with ASM to implement single sign-on |
| | You can implement SSO to all the applications in an ASM instance by using self-managed Keycloak as the identity provider (IdP). | Integrate Keycloak with ASM to implement SSO |
| | You can configure JWT-based authentication for an ingress gateway to authenticate the source of requests. This method is also called end-user authentication. After you configure JWT-based authentication for an ingress gateway in an ASM instance, ASM checks whether the requests to access services by using the ingress gateway contain a valid JWT in a request header. Only requests that contain a valid JWT are allowed. | Configure JWT authentication for an ingress gateway in ASM |
| | When a client from one domain accesses a service in a different domain or a service that resides in the same domain but uses a different port from the client, the client initiates a cross-origin request. If the service does not allow cross-origin resource access, the client cannot access the service. In this case, you can configure a cross-origin resource sharing (CORS) policy in a virtual service of the ASM instance to implement CORS. | Implement CORS in ASM |
| Custom features | You can configure an Istio gateway for multiple ingress gateways. This simplifies your configuration process. | Configure an Istio gateway for multiple ingress gateway services |
| | You can associate multiple SLB instances with an ingress gateway so that multiple SLB instances can be used to access the ingress gateway. | Access an ASM gateway by using multiple SLB instances |
| | ASM provides a special Kubernetes CustomResourceDefinition (CRD) and a controller for this Kubernetes CRD. The controller monitors the changes in the Kubernetes CRD, and updates the service, deployment, and service account of the Kubernetes cluster in which the controller runs. You can use the Kubernetes API to manage the CRD. | Create and manage an ingress gateway by using the Kubernetes API |
| | You can obtain the originating IP address of a client from the corresponding HTTP request header to enforce IP-based access control on an ingress gateway. For example, you can create an authorization policy to deny or allow requests to the ingress gateway by configuring an IP address blacklist or whitelist. | Obtain the originating IP address of a client from the HTTP request header |
| | You can create an ingress gateway that uses an IPv6 address. IPv6 provides higher security compared with IPv4. | Create an ingress gateway that uses an IPv6 address |
| | If the pods of a Kubernetes cluster on the data plane cannot access the IP address of the SLB instance that is configured in an ingress gateway, you can use the IP address of the Kubernetes cluster or the name of the ingress gateway to access the IP address of the SLB instance within the Kubernetes cluster. | What can I do if the pods of a Kubernetes cluster on the data plane cannot access the IP address of the SLB instance that is configured in an ingress gateway? |

Egress gateway

ASM provides the egress gateway service to route all outbound traffic in the mesh. You can create and manage egress gateways in the ASM console or by using the Kubernetes API.

| Feature | Description | References |
|---|---|---|
| Lifecycle management | You can create and manage egress gateways in the ASM console. | Create an egress gateway |
| Custom features | You can create and manage egress gateways by using the Kubernetes API. | Create and manage an egress gateway by using the Kubernetes API |
| | You can configure an egress gateway through which all the applications in an ASM instance access specific external services. This feature helps you improve O&M efficiency by using the observability and security capabilities provided by ASM. | Configure an egress gateway to route all outbound traffic in ASM |

Istio gateway

An Istio gateway defines a load balancer that runs at the edge of an ASM instance to receive inbound or outbound HTTP/TCP traffic.

| Feature | Description | References |
|---|---|---|
| Lifecycle management | You can create, modify, and delete an Istio gateway in the ASM console. | Manage Istio gateways |

Advanced features of gateways

ASM allows you to configure high-availability gateways, enable graceful shutdown for the SLB instance of a gateway, and use observability capabilities. This reduces traffic loss and lowers your O&M costs.

| Feature | Description | References |
|---|---|---|
| High availability | You can configure a high-performance and high-availability ASM gateway to ensure business continuity. | Configure a high-performance and high-availability ASM gateway |
| | You can configure a pod anti-affinity policy in the YAML file of an ASM gateway to assign the pods of the gateway to different nodes or zones. This improves the availability of the gateway. | Improve availability for the ingress gateway service of an ASM instance |
| | If you perform a scale-in or rolling restart operation on an ASM gateway, a small amount of traffic is lost because the number of gateway pods is reduced. To resolve this issue, you can enable graceful shutdown for the SLB instance of the ASM gateway. This way, traffic can continue to be transferred by using the SLB instance within the specified period of time even if the number of gateway pods is reduced. This ensures that no traffic is lost. | Enable graceful shutdown for the SLB instance of an ingress gateway to prevent traffic loss |
| | You can deploy an ASM gateway in multiple clusters to improve service availability. You can deploy services in multiple clusters and then configure a unified ingress gateway for these clusters to manage the ingress traffic to these clusters. | Configure a unified ingress gateway for multiple clusters |
| Observability | Container Service for Kubernetes (ACK) integrates with Log Service. After you enable Log Service for the Kubernetes cluster in which the ingress gateway resides when you create the cluster, you can collect access logs of the ingress gateway on the data plane. | Use Log Service to collect logs of ingress gateways on the data plane |
| | You can customize log headers for ASM gateways based on your business requirements. | Customize log headers for the ingress gateway service of an ASM instance |
| Request payload processing | You can add HTTP response headers for web applications to improve application security. | Use an Envoy filter to add HTTP response headers in ASM |
| | You can enable data compression for an ASM gateway to compress the response content for HTTP requests. This reduces response time and traffic consumption. | Enable data compression for the ingress gateway service of an ASM instance |

Integration with existing systems

You can migrate traffic from your self-managed Istio ingress gateway or NGINX Ingress Controller to an ASM gateway for centralized management. This reduces maintenance costs and improves O&M efficiency.

| Tool | Description | References |
|---|---|---|
| Migration of traffic from self-managed gateways to ASM ingress gateways | You can migrate traffic from a self-managed Istio ingress gateway to an ASM ingress gateway. | Migrate traffic from a self-managed Istio ingress gateway to an ASM ingress gateway |
| | You can migrate traffic from NGINX Ingress Controller to an ASM ingress gateway. | Migrate traffic from Nginx Ingress Controller to the ASM ingress gateway |