Alibaba Cloud Service Mesh (ASM) Commercial Edition (Professional Edition) can use Intel Multi-Buffer to accelerate Transport Layer Security (TLS) processing in the Envoy proxies that run as sidecars and gateways. This topic describes how to enable Multi-Buffer for TLS acceleration and how to verify that the cluster nodes can actually use it.

Prerequisites

  • An ASM Commercial Edition (Professional Edition) instance of version 1.10 or later is created. For more information, see Create an ASM instance.
  • A Container Service for Kubernetes (ACK) cluster is created, and the nodes in the cluster belong to instance families that use the CPU model Multi-Buffer requires, Intel Ice Lake. For more information, see Create an ACK managed cluster.
    The following table lists the instance families that use Intel Ice Lake processors.
    Note For more information about instance types, see Instance family.

    Instance family   Description
    g7                g7se, storage-enhanced general-purpose instance family
                      g7, general-purpose instance family
                      g7t, security-enhanced general-purpose instance family
    c7                c7, compute-optimized instance family
                      c7re, RDMA-enhanced instance family
                      c7se, storage-enhanced compute-optimized instance family
                      c7t, security-enhanced compute-optimized instance family
    r7                r7p, memory-optimized instance family
                      r7se, storage-enhanced memory-optimized instance family
                      r7, memory-optimized instance family
                      r7t, security-enhanced memory-optimized instance family
    Others            re7p, high-memory instance family
                      vgn7i-vws, vGPU-accelerated instance family
                      gn7i, GPU-accelerated compute-optimized instance family
                      ebmgn7i, GPU-accelerated compute-optimized ECS Bare Metal Instance family
                      sccc7, compute-optimized SCC instance family
                      sccg7, general-purpose SCC instance family
  • The ACK cluster is added to the ASM instance. For more information, see Add a cluster to an ASM instance.

Background information

TLS is the cornerstone of secure network communication. A TLS session has two phases: the handshake and the data transfer. The handshake relies on asymmetric cryptography, a key exchange plus a signature over the certificate's private key, to authenticate the server and derive a session key. In the data transfer phase the session key encrypts and authenticates application data with a symmetric cipher such as AES-GCM, which is far cheaper per byte than the handshake.

In microservice scenarios, Envoy terminates or originates a large number of TLS connections, whether it serves as an ingress gateway or as the sidecar proxy of a service. The asymmetric operations of the handshake (RSA or ECDSA private-key operations in particular) consume most of the CPU time, and at scale they can become the bottleneck. ASM uses Intel Multi-Buffer in Envoy to relieve this bottleneck.

Multi-Buffer uses the Intel AVX-512 instruction set to process several independent buffers in parallel: the SIMD lanes of one instruction carry the arithmetic for several private-key operations at once, so the handshakes of several concurrent connections are batched into one pass instead of being computed one after another. In Envoy this is exposed as the CryptoMB private key provider, which queues the private-key operations of concurrent handshakes and executes them as one batch. Multi-Buffer needs no extra hardware, but the processor must support AVX-512, including the Ice Lake extensions (vector AES and vector carry-less multiply). Intel Ice Lake, the generation behind the 7th-generation ECS instance families listed above, provides them; older generations do not, and on such nodes the acceleration silently falls back to the ordinary code path.

Procedure

You can use one of the following methods to enable the Multi-Buffer feature:
  • If no ASM instances exist, select Enable MultiBuffer-based TLS encryption and decryption performance optimization when you create an ASM instance. For more information, see Create an ASM instance.
  • If an ASM instance exists, select Enable MultiBuffer-based TLS encryption and decryption performance optimization on the Basic Information page of the ASM instance. The following procedure describes how to enable Multi-Buffer if you already have an ASM instance.
  1. Log on to the ASM console.
  2. In the left-side navigation pane, choose Service Mesh > Mesh Management.
  3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.
  4. On the details page of the ASM instance, choose ASM Instance > Basic Information in the left-side navigation pane. On the Basic Information page, click Settings.
  5. In the Settings Update panel, select Enable MultiBuffer-based TLS encryption and decryption performance optimization, and then click OK.
    With the general-purpose instance family g7 as the instance family of the Kubernetes nodes, the queries per second (QPS) that the TLS-terminating Envoy sustains improve by about 75% after Multi-Buffer is enabled. ECS Bare Metal Instance families give a larger improvement.

FAQ

What happens if Multi-Buffer is enabled on the control plane, but the nodes in the data-plane Kubernetes cluster do not support Intel Ice Lake?

Envoy emits warning logs and Multi-Buffer does not take effect on those pods.

ASM Commercial Edition (Professional Edition) 1.10 and later checks, when TLS acceleration is enabled, whether it can actually take effect for each pod. If the node to which a business or gateway pod is scheduled does not run an Intel Ice Lake processor, ASM does not deliver the acceleration configuration to that pod, and its TLS processing uses the normal, unaccelerated code path. Enabling the option on the control plane therefore never breaks a mixed cluster, but pods on unsupported nodes gain nothing from it.

If the nodes in a Kubernetes cluster do not support Multi-Buffer, how can the cluster still use it?

  1. Add a node that uses an Intel Ice Lake instance family (see the table in the Prerequisites) to the Kubernetes cluster. For more information, see Add existing ECS instances to an ACK cluster.
  2. Add the label multibuffer-support=true to the newly added node, for example with kubectl label node <node-name> multibuffer-support=true. For more information, see Manage node labels.
  3. Add the following content to the YAML configuration of the ASM gateway. For more information, see Modify an ingress gateway service.

    The node affinity below makes the scheduler place gateway pods only on nodes that carry the label, so the gateway always lands on a node that supports Multi-Buffer. Note that the label value must be the string "true": an unquoted true in YAML is a boolean, and the Kubernetes API rejects non-string values in matchExpressions.

    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: multibuffer-support
                    operator: In
                    values:
                      - "true"
  4. Enable Multi-Buffer by following the preceding procedure.

    After you enable Multi-Buffer, the gateway pods scheduled to the new node use Multi-Buffer to accelerate TLS processing; business pods on the older nodes remain unaccelerated until they are moved to Ice Lake nodes as well.
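The following script is an added example and is not part of the ASM documentation or ASM's own tooling. It ties the FAQ answers above together: before labelling a node it checks the "flags" line of the node's /proc/cpuinfo for the AVX-512 features the Ice Lake Multi-Buffer code path needs, refuses nodes that lack them (exactly the case in which ASM would withhold the acceleration configuration), then labels the node and applies the node affinity from step 3 as a JSON merge patch. The required flag list, the assumption that the node is reachable over ssh, and the gateway resource name istiogateway/ingressgateway in namespace istio-system are all assumptions; confirm the latter against the gateway object in your ASM instance's kubeconfig.

```shell
#!/bin/sh
# Added example, not part of the ASM documentation: check that a node's CPU
# exposes the AVX-512 features that Multi-Buffer relies on, label the node,
# and pin the ASM gateway to labelled nodes. The flag list, the ssh access to
# the node and the gateway resource name are assumptions.
set -eu

# Assumed minimum CPUID flag set for the Ice Lake Multi-Buffer code paths.
REQUIRED_FLAGS="avx512f avx512bw avx512vl vaes vpclmulqdq"

# missing_flags FLAGS_LINE: print each required flag that is absent from the
# "flags : ..." line of /proc/cpuinfo (one per line, nothing if all present).
missing_flags() {
    flags=" $(printf '%s' "$1" | sed 's/^[[:space:]]*flags[[:space:]]*:[[:space:]]*//') "
    for f in $REQUIRED_FLAGS; do
        case "$flags" in
            *" $f "*) ;;
            *) printf '%s\n' "$f" ;;
        esac
    done
}

# multibuffer_capable FLAGS_LINE: exit 0 only if no required flag is missing.
multibuffer_capable() {
    [ -z "$(missing_flags "$1")" ]
}

# affinity_patch: the nodeAffinity from step 3 as a JSON merge patch.
# The label value is a quoted string: an unquoted YAML `true` is a boolean,
# which the API server rejects for matchExpressions.values.
affinity_patch() {
    cat <<'EOF'
{"spec":{"affinity":{"nodeAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"matchExpressions":[{"key":"multibuffer-support","operator":"In","values":["true"]}]}]}}}}}
EOF
}

# main NODE_NAME [SSH_HOST] [GATEWAY]: verify the CPU, label, patch the gateway.
main() {
    node=$1
    host=${2:-$node}                               # assumed: ssh reaches the node
    gateway=${3:-istiogateway/ingressgateway}      # assumed ASM gateway resource
    line=$(ssh "$host" 'grep -m1 "^flags" /proc/cpuinfo')
    if ! multibuffer_capable "$line"; then
        echo "node $node is missing: $(missing_flags "$line" | tr '\n' ' ')" >&2
        echo "not labelling it; ASM would leave TLS acceleration off for pods there" >&2
        exit 1
    fi
    # Against the ACK cluster: label the node the gateway should land on.
    kubectl label node "$node" multibuffer-support=true --overwrite
    # Against the ASM instance's kubeconfig: pin the gateway to labelled nodes.
    kubectl -n istio-system patch "$gateway" --type merge -p "$(affinity_patch)"
}

# Only act when a node name is given, so the functions can be sourced safely.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as sh enable-multibuffer-node.sh <node-name> [<ssh-host>] [<gateway-resource>]. Because the check runs before the label is applied, a node that was added by mistake from a non-Ice Lake instance family is never labelled, so the affinity rule cannot steer the gateway onto a node where the acceleration would not take effect.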