
Alibaba Cloud Service Mesh: CreateServiceMesh

Last Updated: Dec 03, 2025

Creates a Service Mesh instance.


RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

| Action | Access level | Resource type | Condition key | Dependent action |
|---|---|---|---|---|
| servicemesh:CreateServiceMesh | create | *All Resource * | None | None |

Request parameters

Parameter

Type

Required

Description

Example

RegionId

string

Yes

The ID of the region where the Service Mesh instance resides.

cn-hangzhou

IstioVersion

string

No

The Istio version.

v1.5.4.1-g5960ec40-aliyun

VpcId

string

Yes

The virtual private cloud (VPC) ID.

vpc-xzelac2tw4ic7wz31****

ApiServerPublicEip

boolean

No

Specifies whether to expose the API server to the Internet. Valid values:

  • true: Exposes the API server to the Internet.

  • false: Does not expose the API server to the Internet.

Default value: false.

Note

If this parameter is set to false, you cannot access the API server of the cluster from the Internet.

false

Tracing

boolean

No

Specifies whether to enable Tracing Analysis. Valid values:

  • true: Enables Tracing Analysis.

  • false: Disables Tracing Analysis.

Default value: false.

false

Name

string

No

The name of the Service Mesh instance.

mesh1

VSwitches

string

Yes

The virtual switch ID.

["vsw-xzegf5dndkbf4m6eg****"]

TraceSampling

number

No

The tracing sampling percentage.

100

CustomizedZipkin

boolean

No

Specifies whether to use a self-managed Zipkin system. Valid values:

  • true: Uses a self-managed Zipkin system.

  • false: Uses Alibaba Cloud Tracing Analysis.

Default value: false.

false

LocalityLoadBalancing

boolean

No

Specifies whether to enable locality load balancing. Valid values:

  • true: Enables locality load balancing.

  • false: Disables locality load balancing.

Default value: false.

false

LocalityLBConf

string

No

The configurations of locality load balancing.

{"failover":[{"from":"cn-hangzhou","to":"cn-shanghai"}]}

Telemetry

boolean

No

Specifies whether to enable Prometheus monitoring. We recommend that you use Managed Service for Prometheus. Valid values:

  • true: Enables Prometheus monitoring.

  • false: Disables Prometheus monitoring.

Default value: false.

false

OpenAgentPolicy

boolean

No

Specifies whether to integrate with the Open Policy Agent (OPA) plug-in. Valid values:

  • true: Integrates with the OPA plug-in.

  • false: Does not integrate with the OPA plug-in.

Default value: false.

false

OPALogLevel

string

No

The log level of the OPA proxy container.

info

OPARequestCPU

string

No

The CPU resource request of the OPA proxy container. You can use the standard Kubernetes CPU format. For example, 1 indicates one vCPU.

1

OPARequestMemory

string

No

The memory resource request of the OPA proxy container. You can use the standard Kubernetes memory format. For example, 1Mi indicates 1024 KB.

512Mi

OPALimitCPU

string

No

The CPU resource limit of the OPA proxy container.

2

OPALimitMemory

string

No

The memory resource limit of the OPA proxy container. You can use the standard Kubernetes memory format. For example, 1Mi indicates 1024 KB.

1024Mi

EnableAudit

boolean

No

Specifies whether to enable mesh audit. To enable this feature, you must first activate Simple Log Service. Valid values:

  • true: Enables mesh audit.

  • false: Disables mesh audit.

Default value: false.

false

AuditProject

string

No

The name of the Simple Log Service project that is used for mesh audit.

Default value: mesh-log-{meshId}.

mesh-log-xxxx

ClusterDomain

string

No

The cluster domain.

cluster.local

ProxyRequestCPU

string

No

The CPU resource request of the proxy container.

100m

ProxyRequestMemory

string

No

The memory resource request of the proxy container.

128Mi

ProxyLimitCPU

string

No

The CPU resource limit of the proxy container.

2000m

ProxyLimitMemory

string

No

The memory resource limit of the proxy container.

1024Mi

IncludeIPRanges

string

No

The IP address ranges that are allowed to access the proxy.

*

ExcludeIPRanges

string

No

The IP address ranges that are not allowed to access the proxy.

100.100.10*.***

ExcludeOutboundPorts

string

No

A comma-separated list of outbound ports to be excluded.

80,81

ExcludeInboundPorts

string

No

A comma-separated list of inbound ports to be excluded.

80,81

OpaEnabled

boolean

No

Specifies whether to enable OPA. Valid values:

  • true: Enables OPA.

  • false: Disables OPA.

Default value: false.

false

KialiEnabled

boolean

No

Specifies whether to enable the mesh topology feature. To enable this feature, you must first enable Prometheus monitoring. If Prometheus monitoring is disabled, this feature is forcibly disabled. Valid values:

  • true: Enables the mesh topology feature.

  • false: Disables the mesh topology feature.

Default value: false.

false

AccessLogEnabled

boolean

No

Specifies whether to enable access log. Valid values:

  • true: Enables access log.

  • false: Disables access log.

Default value: false.

false

CustomizedPrometheus

boolean

No

Specifies whether to use a self-managed Prometheus system. Valid values:

  • true: Uses a self-managed Prometheus system.

  • false: Does not use a self-managed Prometheus system.

Default value: false.

false

PrometheusUrl

string

No

The endpoint of the self-managed Prometheus system.

http://prometheus:9090

RedisFilterEnabled

boolean

No

Specifies whether to enable the Redis filter. Valid values:

  • true: Enables the Redis filter.

  • false: Disables the Redis filter.

Default value: false.

true

MysqlFilterEnabled

boolean

No

Specifies whether to enable the MySQL filter. Valid values:

  • true: Enables the MySQL filter.

  • false: Disables the MySQL filter.

Default value: false.

false

ThriftFilterEnabled

boolean

No

Specifies whether to enable the Thrift filter. Valid values:

  • true: Enables the Thrift filter.

  • false: Disables the Thrift filter.

Default value: false.

false

WebAssemblyFilterEnabled

boolean

No

Specifies whether to enable the WebAssembly filter. Valid values:

  • true: Enables the WebAssembly filter.

  • false: Disables the WebAssembly filter.

Default value: false.

false

MSEEnabled

boolean

No

Specifies whether to enable Microservices Engine (MSE). Valid values:

  • true: Enables MSE.

  • false: Disables MSE.

Default value: false.

false

DNSProxyingEnabled

boolean

No

Specifies whether to enable DNS proxy. Valid values:

  • true: Enables DNS proxy.

  • false: Disables DNS proxy.

Default value: false.

false

Edition

string

No

The edition of the ASM instance.

Pro

ConfigSourceEnabled

boolean

No

Specifies whether to enable an external service registry. Valid values:

  • true: Enables an external service registry.

  • false: Disables an external service registry.

Default value: false.

false

ConfigSourceNacosID

string

No

The ID of the Nacos instance.

mse-cn-tl326******

DubboFilterEnabled

boolean

No

Specifies whether to enable the Dubbo filter. Valid values:

  • true: Enables the Dubbo filter.

  • false: Disables the Dubbo filter.

Default value: false.

false

FilterGatewayClusterConfig

boolean

No

Specifies whether to enable gateway configuration filtering. Valid values:

  • true: Enables gateway configuration filtering.

  • false: Disables gateway configuration filtering.

Default value: false.

false

EnableSDSServer

boolean

No

Specifies whether to enable the Secret Discovery Service (SDS). Valid values:

  • true: Enables SDS.

  • false: Disables SDS.

Default value: false.

false

AccessLogServiceEnabled

boolean

No

Specifies whether to enable the gRPC Access Log Service (ALS) for Envoy. Valid values:

  • true: Enables the gRPC ALS for Envoy.

  • false: Disables the gRPC ALS for Envoy.

Default value: false.

false

AccessLogServiceHost

string

No

The endpoint of the gRPC ALS for Envoy.

0.0.0.0

AccessLogServicePort

integer

No

The port of the gRPC ALS for Envoy.

9999

GatewayAPIEnabled

boolean

No

Specifies whether to enable the Gateway API. Valid values:

  • true: Enables the Gateway API.

  • false: Disables the Gateway API.

Default value: false.

false

ControlPlaneLogEnabled

boolean

No

Specifies whether to enable control plane log collection. Valid values:

  • true: Enables control plane log collection.

  • false: Disables control plane log collection.

Default value: false.

false

ControlPlaneLogProject

string

No

The Simple Log Service project for control plane log collection.

mesh-log-cf245a429b6ff4b6e97f20797758*****

AccessLogFormat

string

No

The custom format of access logs. This parameter is available only if you enable access log. The value must be a JSON string that contains the following keys: authority_for, bytes_received, bytes_sent, downstream_local_address, downstream_remote_address, duration, istio_policy_status, method, path, protocol, requested_server_name, response_code, response_flags, route_name, start_time, trace_id, upstream_cluster, upstream_host, upstream_local_address, upstream_service_time, upstream_transport_failure_reason, user_agent, and x_forwarded_for.

{"authority_for":"%REQ(:AUTHORITY)%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","downstream_local_address":"%DOWNSTREAM_LOCAL_ADDRESS%","downstream_remote_address":"%DOWNSTREAM_REMOTE_ADDRESS%","duration":"%DURATION%","istio_policy_status":"%DYNAMIC_METADATA(istio.mixer:status)%","method":"%REQ(:METHOD)%","path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","protocol":"%PROTOCOL%","request_id":"%REQ(X-REQUEST-ID)%","requested_server_name":"%REQUESTED_SERVER_NAME%","response_code":"%RESPONSE_CODE%","response_flags":"%RESPONSE_FLAGS%","route_name":"%ROUTE_NAME%","start_time":"%START_TIME%","trace_id":"%REQ(X-B3-TRACEID)%","upstream_cluster":"%UPSTREAM_CLUSTER%","upstream_host":"%UPSTREAM_HOST%","upstream_local_address":"%UPSTREAM_LOCAL_ADDRESS%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_transport_failure_reason":"%UPSTREAM_TRANSPORT_FAILURE_REASON%","user_agent":"%REQ(USER-AGENT)%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%"}

AccessLogFile

string

No

Specifies whether to enable or disable access log. Valid values:

  • "": Disables access log.

  • /dev/stdout: Enables access log.

/dev/stdout

AccessLogProject

string

No

The Simple Log Service project for access log collection.

mesh-log-cf245a429b6ff4b6e97f20797758*****

EnableCRHistory

boolean

No

Specifies whether to enable the history version management feature for Istio resources in ASM. Valid values:

  • true: Enables the history version management feature.

  • false: Disables the history version management feature.

Default value: false.

false

CRAggregationEnabled

boolean

No

Specifies whether to enable data plane clusters to access Istio resources using the Kubernetes API. This feature is available only for ASM instances of v1.9.7.93 or later. Valid values:

  • true: Enables data plane clusters to access Istio resources.

  • false: Prevents data plane clusters from accessing Istio resources.

Default value: false.

false

ApiServerLoadBalancerSpec

string

No

The specification of the Server Load Balancer (SLB) instance that is bound to the API server. Valid values: slb.s1.small, slb.s2.small, slb.s2.medium, slb.s3.small, slb.s3.medium, and slb.s3.large.

slb.s1.small

PilotLoadBalancerSpec

string

No

The specification of the SLB instance that is bound to Istio Pilot of the control plane. Valid values: slb.s1.small, slb.s2.small, slb.s2.medium, slb.s3.small, slb.s3.medium, and slb.s3.large.

slb.s1.small

ChargeType

string

No

The billing method of the SLB instance. Valid values:

  • PayOnDemand: Pay-as-you-go.

  • PrePay: Subscription.

PrePay

Period

integer

No

This parameter is valid only if you set ChargeType to PrePay. The subscription duration of the SLB instance. Unit: months. If you want to purchase the instance for one year, enter 12.

3

AutoRenew

boolean

No

Specifies whether to enable auto-renewal for the subscription SLB instance. Valid values:

  • true: Enables auto-renewal.

  • false: Disables auto-renewal.

true

AutoRenewPeriod

integer

No

This parameter is valid only if you set ChargeType to PrePay. The auto-renewal period. If the subscription duration is less than one year, the value of this parameter indicates the number of months for which you want to renew the instance. If the subscription duration is more than one year, the value of this parameter indicates the number of years for which you want to renew the instance.

3

ClusterSpec

string

No

The specification of the Service Mesh instance. Valid values:

  • standard: Standard Edition.

  • enterprise: Enterprise Edition.

  • ultimate: Ultimate Edition.

standard

MultiBufferEnabled

boolean

No

Specifies whether to enable TLS performance optimization that is based on MultiBuffer. Valid values:

  • true: Enables the feature.

  • false: Disables the feature.

Default value: true.

true

MultiBufferPollDelay

string

No

The synchronization period of the MultiBuffer enabling status. Default value: 30s.

30s

UseExistingCA

boolean

No

Specifies whether to use an existing certificate authority (CA) certificate and private key.

false

ExistingCaCert

string

No

The CA certificate in Base64-encoded format. This parameter is typically used to migrate a self-managed Istio cluster to ASM. The value corresponds to the content of the ca-cert.pem file in the istio-ca-secret secret, which is in the istio-system namespace of the self-managed Istio cluster.

CA cert content, base64 encoded format.

ExistingCaKey

string

No

The CA private key in Base64-encoded format. This parameter is typically used to migrate a self-managed Istio cluster to ASM. The value corresponds to the content of the ca-key.pem file in the istio-ca-secret secret, which is in the istio-system namespace of the self-managed Istio cluster.

CA key content, base64 encoded format.

ExistingCaType (deprecated)

string

No

The type of the existing certificate:

  • 1: A self-signed certificate of Istiod. This corresponds to the istio-ca-secret secret in the istio-system namespace. If you use this type, you must also provide the ExistingCaCert and ExistingCaKey parameters.

  • 2: An external certificate of Istiod. For more information, see plugin ca cert. This generally corresponds to the cacerts secret in the istio-system namespace. If you use this type, you must also provide the ExistingRootCaCert and ExistingRootCaKey parameters.

1

ExistingRootCaCert

string

No

The existing root certificate.

Existing CA cert content, base64 encoded format.

ExistingRootCaKey (deprecated)

string

No

The private key that corresponds to the existing root certificate.

Existing CA key content, base64 encoded format.

CertChain

string

No

The certificate chain from the CA certificate to the root certificate. The chain must contain at least two certificates.

Base64 encoded PEM certificate chain.

GuestCluster

string

No

When you create a Service Mesh instance, you can add a cluster to the instance. If you do not specify this parameter, no cluster is added. The cluster must be in the same VPC and vSwitch as the Service Mesh instance, and must have the same domain name.

ACK cluster id

Tag

array<object>

No

The tags to add to the Service Mesh instance. The following information is included:

  • key: The tag key.

  • value: The tag value.

object

No

The list of tags.

Key

string

No

The tag key.

env

Value

string

No

The tag value.

prod

EnableAmbient

boolean

No

Specifies whether to enable the Ambient Mesh mode for the Service Mesh instance.

false

PlaygroundScene

string

No

The playground scenario. If you specify this parameter, an ASM playground instance is created. Valid value:

  • ewmaLb: the exponentially weighted moving average (EWMA) load balancing scenario

ewmaLb

EnableACMG

boolean

No

Specifies whether to enable the ACMG mode.

false
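
The parameter rules above can be checked before a request is sent. The following Python code is an added example, not Alibaba Cloud code or SDK output; the helper review_create_mesh, its severity labels, and the SAMPLE request are hypothetical. It flags an Internet-facing API server, the logging features that default to false, the Telemetry dependency of KialiEnabled, a CA private key in the payload, an AccessLogFormat that lacks the required keys, and subscription parameters set without ChargeType PrePay.

```python
import json

# Keys the page says AccessLogFormat must contain.
REQUIRED_LOG_KEYS = set("""authority_for bytes_received bytes_sent
downstream_local_address downstream_remote_address duration istio_policy_status
method path protocol requested_server_name response_code response_flags
route_name start_time trace_id upstream_cluster upstream_host
upstream_local_address upstream_service_time upstream_transport_failure_reason
user_agent x_forwarded_for""".split())

def review_create_mesh(params):
    """Hypothetical helper: return (severity, parameter, message) findings."""
    findings = []
    def add(sev, name, msg):
        findings.append((sev, name, msg))
    for name in ("RegionId", "VpcId", "VSwitches"):      # Required: Yes
        if not params.get(name):
            add("error", name, "required parameter is missing")
    if params.get("ApiServerPublicEip", False):
        add("warn", "ApiServerPublicEip", "API server exposed to the Internet")
    for name in ("EnableAudit", "AccessLogEnabled", "ControlPlaneLogEnabled"):
        if not params.get(name, False):                   # default is false
            add("warn", name, "logging is off unless set to true")
    if params.get("KialiEnabled") and not params.get("Telemetry"):
        add("error", "KialiEnabled", "forcibly disabled without Telemetry")
    if params.get("ExistingCaKey"):
        add("warn", "ExistingCaKey", "CA private key in payload; keep out of logs")
    if "AccessLogFormat" in params:
        if not params.get("AccessLogEnabled"):
            add("error", "AccessLogFormat", "requires AccessLogEnabled=true")
        try:
            fmt = json.loads(params["AccessLogFormat"])
        except (TypeError, ValueError):
            fmt = None
        if not isinstance(fmt, dict):
            add("error", "AccessLogFormat", "not a JSON object string")
        else:
            missing = sorted(REQUIRED_LOG_KEYS - set(fmt))
            if missing:
                add("error", "AccessLogFormat", "missing: " + ", ".join(missing))
    if params.get("ChargeType") != "PrePay":
        for name in ("Period", "AutoRenewPeriod"):
            if name in params:
                add("warn", name, "only valid when ChargeType is PrePay")
    return findings

# Constructed sample request; the IDs are placeholders, not real resources.
SAMPLE = {
    "RegionId": "cn-hangzhou", "VpcId": "vpc-example",
    "VSwitches": '["vsw-example"]', "ApiServerPublicEip": True,
    "KialiEnabled": True, "AccessLogFormat": '{"method": "%REQ(:METHOD)%"}',
}
```

Calling review_create_mesh(SAMPLE) returns seven findings: four warnings (public API server and the three disabled logging features) and three errors (KialiEnabled without Telemetry, AccessLogFormat without AccessLogEnabled, and the missing format keys).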

Response elements

| Element | Type | Description | Example |
|---|---|---|---|
| | object | | |
| RequestId | string | The request ID. | BD65C0AD-D3C6-48D3-8D93-38D2015C**** |
| ServiceMeshId | string | The Service Mesh instance ID. | c08ba3fd1e6484b0f8cc1ad8fe10d**** |

Examples

Success response

JSON format

{
  "RequestId": "BD65C0AD-D3C6-48D3-8D93-38D2015C****",
  "ServiceMeshId": "c08ba3fd1e6484b0f8cc1ad8fe10d****"
}

Error codes

| HTTP status code | Error code | Error message | Description |
|---|---|---|---|
| 404 | ERR404 | Not found | |

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.