The following table describes the features of Alibaba Cloud Service Mesh (ASM), such as security policies and load balancing.

Category Feature Whether to support
Installation, upgrade, and rollback Installation of the console Supported.
Automatic upgrade of the console Supported.
Enabling of optional features in the console Supported.
Installation by using Alibaba Cloud Command Line Interface (CLI) Supported.
Migration from the Istio add-on Not supported.
Istioctl commands Partially supported. We recommend that you use kubectl commands.
Rollback Not supported.
Traffic interception and redirection iptables Supported.
Istio Container Network Interfaces (CNIs) Not supported.
Protocols IPv4 Supported.
HTTP/1.1 Supported.
HTTP/2 Supported.
TCP Supported.
gRPC Supported.
IPv6 Not supported.
Other protocols such as WebSocket, MongoDB, Redis, Kafka, Cassandra, and RabbitMQ Layer 7 features are not supported.
Deployment of sidecar proxies Sidecar proxies Supported.
Ingress gateways Supported.
Egress directly from sidecar proxies Supported.
Egress gateways Needs to be built by yourself.
Custom resource definition (CRD) VirtualService Supported.
DestinationRule Supported.
Gateway Supported.
Sidecar Supported.
ServiceEntry Supported.
EnvoyFilter Supported.
Load balancing of ingress gateways Internet-facing Server Load Balancer (SLB) instances Supported.
Internal-facing SLB instances Supported.
Load balancing policies Round-robin scheduling Supported.
Least connections Supported.
Random Supported.
Pass-through Supported.
Locality-weighted Supported.
Security policies Workload certificate management by using the secret discovery service (SDS) of Envoy Supported.
External certificate management on ingress gateways by using the SDS of Envoy Not supported.
ASM certification authority (CA) Supported.
Integration with custom CAs Not supported.
Authorization policy v1beta1 of Istio Supported.
PERMISSIVE mode of mutual Transport Layer Security (mTLS) for ASM instances Supported by default.
STRICT mode of mTLS Needs to be enabled by yourself.
Automatic mTLS Supported.
JSON Web Token (JWT) authentication Supported.
Observability HTTP metrics of cloud monitoring Supported.
TCP metrics of cloud monitoring Not supported.
Mesh telemetry based on monitoring data of proxies Supported.
Exporting of Prometheus metrics to Grafana Supported.
Custom adapters Not supported.
Arbitrary data collection and log entry backends Not supported.
Log Service Supported.
stdout Supported.
Tracing Analysis Optional. Supported.
Jaeger tracing (You can deploy and manage Jaeger by yourself.) Optional. Supported.
Zipkin tracing (You can deploy and manage Zipkin by yourself.) Optional. Supported.
Multi-cluster deployment Clusters that are deployed in the same virtual private cloud (VPC) Supported.
Clusters that are deployed in multiple VPCs based on Cloud Enterprise Network (CEN) Supported.
Container Service for Kubernetes (ACK) clusters Supported.
Serverless Kubernetes clusters Supported.
Registered clusters that are created in data centers or third-party cloud services Supported.
Non-containerized applications Supported.
User interface (UI) ASM console Supported.
Diagnosis center Supported.
Access log reports Supported.
Grafana dashboards Supported.
Kiali Not supported. To use Kiali, you must deploy and manage it by yourself.
Features of Istio Mixer in addition to the preceding ones Not supported. You can use alternative features, such as traffic throttling and Open Policy Agent (OPA) policies.