An egress gateway provides a centralized exit point for outbound traffic from your Kubernetes cluster. When your in-mesh services need to access external endpoints -- whether on the Internet or in other internal networks -- an egress gateway lets you route all outbound traffic through dedicated gateway nodes. This enables centralized security enforcement, network isolation, and traffic observability for external calls.
Use cases
Centralized security enforcement: Route all outbound traffic through dedicated gateway nodes to apply authorization policies and audit external access from a single point.
Network isolation: Use the egress gateway as a centralized exit point so that in-mesh services can reach external networks in a controlled way.
Traffic observability: Funnel outbound traffic through one exit point to collect metrics, logs, and traces for all external calls.
Limitations
Horizontal Pod Autoscaler (HPA) for egress gateways requires ASM Enterprise Edition or Ultimate Edition.
When mutual TLS (mTLS) is enabled, pods without sidecar proxies cannot route traffic through the egress gateway.
Prerequisites
Before you begin, make sure that you have:
A Container Service for Kubernetes (ACK) cluster added to your ASM instance. For more information, see The cluster is added to the ASM instance.
Create an egress gateway in the ASM console
Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Egress Gateway.
On the Egress Gateway page, click Create.
Configure the basic parameters described in the following table.
Note: To define the egress gateway in YAML instead, click Create from YAML on the Egress Gateway page. For field descriptions, see CRD fields for an ASM gateway.
Parameter -- Description
Name -- The name of the egress gateway.
Cluster -- The cluster in which to deploy the egress gateway.
Port Mapping -- The ports to expose. Set Protocol and Service Port for each entry. Two commonly used ports appear by default. Keep, remove, or add ports as needed.
Resources Limits -- The CPU and memory limits for the egress gateway pod.
Gateway instances -- The number of pod replicas for the egress gateway.
(Optional) Click Advanced Options and configure the parameters described in the following table.
Important: When mutual TLS is enabled, pods without sidecar proxies cannot access external services through the egress gateway.
Parameter -- Description
HPA -- Enable Horizontal Pod Autoscaler (HPA) to scale pod replicas automatically based on resource usage. Requires ASM Enterprise Edition or Ultimate Edition. Configure the following sub-parameters:
  Monitoring items and Threshold -- Replicas scale up when the metric exceeds the threshold and scale down when it drops below. If you set thresholds for both CPU utilization and memory usage, either metric exceeding its threshold triggers scaling.
  Maximum replicas -- The upper limit of pod replicas.
  Minimum number of replicas -- The lower limit of pod replicas.
Rolling Upgrade -- Enable rolling updates for the egress gateway. Configure the following sub-parameters:
  Maximum number of unavailable instances -- The maximum number of pods that can be unavailable during an update, which maintains service continuity.
  Exceeding the desired number of instances -- The maximum number of extra pods allowed during an update. For example, 25% means the pod count cannot exceed 125% of the desired replica count.
Deploy ASM Gateway replicas as widely as possible -- Set podAntiAffinity so that gateway pods are preferentially scheduled to different nodes, which improves availability.
Custom Deployment Policy -- Configure the nodeSelector, tolerations, and affinity fields for the egress gateway. For field descriptions, see CRD fields for an ASM gateway.
Support two-way TLS authentication -- Enable mutual TLS (mTLS) between sidecar proxies and the egress gateway. mTLS allows you to enforce authorization policies on outbound traffic based on verified service identities.
Click Create. When the gateway status changes to Running, the egress gateway is ready. The Service address field displays the IP address of the egress gateway.
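Because enabling mTLS cuts off every pod that has no sidecar proxy, it is worth listing such pods before you turn the option on. The following added example (not part of the ASM documentation) does that over the JSON that `kubectl get pods -A -o json` prints; it assumes the injected sidecar container is named istio-proxy, as in standard Istio injection, and the embedded pod data is constructed for the demonstration.

```python
import json
import sys

SIDECAR_CONTAINER = "istio-proxy"  # assumed: the container name Istio injects as the sidecar proxy
MESH_INFRA_NAMESPACES = {"istio-system", "kube-system"}  # gateway and control-plane pods, not workloads

# Constructed sample shaped like `kubectl get pods -A -o json`, trimmed to the fields used here.
SAMPLE_PODS_JSON = json.dumps({"items": [
    {"metadata": {"name": "orders-7c9d", "namespace": "shop"},
     "spec": {"containers": [{"name": "orders"}, {"name": SIDECAR_CONTAINER}]}},
    {"metadata": {"name": "legacy-batch-5d8f", "namespace": "shop"},
     "spec": {"containers": [{"name": "batch"}]}},  # no sidecar: loses egress access under mTLS
    {"metadata": {"name": "reports-2b1a", "namespace": "finance"},
     "spec": {"containers": [{"name": "reports"}, {"name": "log-shipper"}]}},  # also no sidecar
    {"metadata": {"name": "istio-egressgateway-1a2b", "namespace": "istio-system"},
     "spec": {"containers": [{"name": SIDECAR_CONTAINER}]}},  # the gateway itself; skipped
]})


def has_sidecar(pod: dict) -> bool:
    """True if the pod runs the Istio sidecar proxy container."""
    containers = pod.get("spec", {}).get("containers", [])
    return any(c.get("name") == SIDECAR_CONTAINER for c in containers)


def pods_without_sidecar(pods_json: str) -> list[tuple[str, str]]:
    """Return (namespace, name) of workload pods that have no sidecar and will
    therefore be unable to reach the egress gateway once mTLS is enabled."""
    items = json.loads(pods_json).get("items", [])
    return sorted(
        (p["metadata"]["namespace"], p["metadata"]["name"])
        for p in items
        if p["metadata"]["namespace"] not in MESH_INFRA_NAMESPACES and not has_sidecar(p)
    )


if __name__ == "__main__":
    # Pipe real data in with: kubectl get pods -A -o json | python3 check_sidecars.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PODS_JSON
    for ns, name in pods_without_sidecar(data):
        print(f"{ns}/{name}: no {SIDECAR_CONTAINER} container; will lose egress access when mTLS is on")
```

Any pod the script reports needs sidecar injection (or must stay outside the mesh by design) before you enable Support two-way TLS authentication on the gateway.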
Manage an egress gateway
After you create an egress gateway, manage it from the ASM console.
View or edit an egress gateway
Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Egress Gateway.
On the Egress Gateway page, use either of the following methods:
Console UI: Click View Details next to the egress gateway. On the Gateway Details page, click the edit icon next to the parameter to modify, update the value, and click Submit.
YAML: Click YAML next to the egress gateway. In the Edit dialog box, modify the YAML configuration and click OK.
Delete an egress gateway
After you delete an egress gateway, the internal services of the ASM instance can no longer access external services through the egress gateway. Exercise caution when you perform this operation.
On the Egress Gateway page, find the egress gateway and click Delete.
In the confirmation dialog box, click OK.
View an egress gateway in the ACK console
Egress gateway details are also available in the ACK console.
View service information
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, click the name of the cluster. In the left-side navigation pane, choose Network > Services.
On the Services page, select istio-system from the Namespace drop-down list.
Find the egress gateway service. Click the service name to view detailed information.
View pod information
In the left-side navigation pane, choose Workloads > Pods.
On the Pods page, select istio-system from the Namespace drop-down list.
Click the egress gateway pod to view its details.
What's next
Configure an egress gateway to route all outbound traffic in ASM -- Set up routing rules to direct outbound traffic through the egress gateway.
Use an egress traffic policy to manage egress traffic -- Customize outbound traffic management with the ASMEgressTrafficPolicy CustomResourceDefinition (CRD).
Observability -- Monitor traffic flowing through the egress gateway.
Traffic security and dynamic certificate loading -- Secure outbound traffic with TLS certificates.
Overview of ASM gateways -- Learn about all ASM gateway types and capabilities.
References
CreateASMGateway API -- Create an egress gateway programmatically.
CRD fields for an ASM gateway -- Full reference for ASM gateway CRD fields.