To allow Internet access to the applications in an Alibaba Cloud Service Mesh (ASM) instance, you must create an ingress gateway service in the cluster where the applications reside. This topic describes how to create an ingress gateway service in a Container Service for Kubernetes (ACK) cluster that is added to an ASM instance.

Prerequisites

The cluster is added to the ASM instance.

Background information

An ingress gateway service provides a unified entrance for routing the inbound traffic at Layer 7. It routes HTTP requests from the same TCP-based port to different Kubernetes services based on the request content.

Procedure

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.
  3. On the Ingress Gateway page, click Create. On the Create page, configure parameters of the ingress gateway.
    The following table describes the parameters. You can also click Create from YAML on the Ingress Gateway page to create an ingress gateway service. For more information, see Define a custom ingress gateway service.
    Name: The name of the ingress gateway service.
    Cluster: The cluster in which you want to deploy the ingress gateway service.
    SLB Instance Type: The access type of the Server Load Balancer (SLB) instance. Valid values: Internet Access and Private Access.
    Create SLB Instance or Use Existing SLB Instance: You can choose between Create SLB Instance and Use Existing SLB Instance.
    • Use Existing SLB Instance: Select an existing SLB instance from the drop-down list.
    • Create SLB Instance: Select the SLB instance specifications that you need from the drop-down list.
    Note: We recommend that you assign a dedicated SLB instance to each Kubernetes service in the cluster. If multiple Kubernetes services share the same SLB instance, the following risks and limits exist:
    • If you assign a Kubernetes service an SLB instance that is already used by another Kubernetes service, the existing listeners of the SLB instance are forcibly overwritten. This may interrupt the original Kubernetes service and make your applications unavailable.
    • If you create an SLB instance when you create a Kubernetes service, the SLB instance cannot be shared among Kubernetes services. Only SLB instances that you create in the SLB console or by calling API operations can be shared.
    • Kubernetes services that share the same SLB instance must use different frontend listening ports. Otherwise, port conflicts may occur.
    • If multiple Kubernetes services share the same SLB instance, you must use the listener names and the vServer group names as unique identifiers in Kubernetes. The names of listeners or vServer groups cannot be changed.
    • You cannot share an SLB instance across clusters or regions.
    Port Mapping: Click Add Port and specify the protocol and service port in the row that appears.
    Note: By default, two ports that are commonly used by Istio appear in the console. You can keep or remove the default ports or add ports as needed.
    Resources Limits: The CPU and memory specifications for the pod of the ingress gateway service.
    Gateway instances: The number of replicas for the ingress gateway service.
  4. Optional: Click Advanced Options and configure the parameters that are described in the following table.
    External Traffic Policy: The policy used to distribute external traffic. Valid values:
    • Local: Traffic is routed only to pods on the node where the ingress gateway service is deployed.
    • Cluster: Traffic can be routed to pods on other nodes in the cluster.
    HPA: Select HPA and set the following parameters:
    Note: This feature is available only to the Enterprise and Ultimate editions.
    • metrics: Set the Monitoring items and Threshold parameters. If the metric value exceeds the specified threshold, the number of replicas of the ingress gateway service increases. If the metric value is below the specified threshold, the number of replicas decreases.

      If you specify thresholds for both the CPU and memory specifications, both thresholds take effect. In this case, the ingress gateway is resized whenever either the CPU utilization or the memory usage exceeds or falls below its threshold.

    • Maximum replicas: the maximum number of replicas for the ingress gateway service.
    • Minimum number of replicas: the minimum number of replicas for the ingress gateway service.
    Rolling Upgrade: Select Rolling Upgrade and set the following parameters:
    • Maximum number of unavailable instances: the maximum number of replicas that can be unavailable during a rolling update.
    • Exceeding the desired number of instances: the maximum number of replicas that can be created over the expected number of replicas during a rolling update. For example, if you set this parameter to 25%, the number of replicas during a rolling update cannot exceed 125% of the expected number of replicas.
    Enable MultiBuffer-based TLS encryption and decryption performance optimization: Specifies whether to enable the Transport Layer Security (TLS) performance optimization feature. This feature speeds up TLS encryption and decryption.
    • supported nodeaffinity: Select the label of the nodes on which the performance optimization feature takes effect.
    • Poll Delay(ms): A specified polling delay reduces the time Multi-Buffer waits before processing requests. For more information, see the parameter description in the Enable Multi-Buffer for TLS acceleration topic.
    Note: This feature is available only to the Enterprise and Ultimate editions.
    Deploy ASM Gateway replicas as widely as possible: When podAntiAffinity is set for the ingress gateway, gateway pods are preferentially scheduled to different nodes.
    SLB graceful offline: After you select SLB graceful offline, the ingress gateway service is not affected if the SLB instance becomes unavailable.

    Connection timeout (seconds): After the SLB instance is removed from the pod of the ingress gateway service, the SLB instance is not disconnected from the pod until the specified time elapses. During that time, the pod of the ingress gateway service can finish handling its existing connections. The default offline grace period is 30 seconds. We recommend that you set a connection timeout that does not exceed 30 seconds.

    Note: This feature is available only to the Enterprise and Ultimate editions.
  5. Click Create.
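The SLB sharing limits, HPA bounds, rolling-update surge and offline grace period described in steps 3 and 4 can be checked before anything is created. The following lint is an added example, not ASM's or ACK's own code; the GatewayPlan fields are assumed names for the console parameters above, and the sample plans in the test are constructed.

```python
# Added example (not ASM's own code): lint planned ingress gateway settings
# against the limits described in the parameter tables. Field names are assumptions.
import math
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class GatewayPlan:
    name: str
    slb_instance: str = ""                 # existing SLB instance ID, or "" to create a new one
    slb_created_by_service: bool = False   # the referenced SLB was created with a Kubernetes service
    ports: List[int] = field(default_factory=lambda: [80, 443])  # frontend listening ports
    hpa_min: int = 1                       # HPA minimum number of replicas
    hpa_max: int = 1                       # HPA maximum replicas
    max_surge_percent: int = 25            # "Exceeding the desired number of instances"
    offline_grace_seconds: int = 30        # SLB graceful offline connection timeout


def replica_ceiling(desired: int, max_surge_percent: int) -> int:
    """Upper bound on replicas during a rolling update: 25% of 4 desired gives 5 (125%).
    The percentage is rounded up, as Kubernetes does for a percentage maxSurge."""
    return desired + math.ceil(desired * max_surge_percent / 100)


def lint(plans: List[GatewayPlan]) -> List[Tuple[str, str]]:
    """Return (gateway name, problem) pairs; an empty list means the plan is clean."""
    problems: List[Tuple[str, str]] = []
    shared: Dict[str, List[GatewayPlan]] = {}
    for p in plans:
        if p.slb_instance:                      # only existing SLB instances can be shared
            shared.setdefault(p.slb_instance, []).append(p)
    for slb, users in shared.items():
        if len(users) < 2:
            continue
        port_owner: Dict[int, str] = {}         # frontend port -> gateway that claimed it first
        for p in users:
            if p.slb_created_by_service:
                problems.append((p.name, f"SLB {slb} was created with a service and cannot be shared"))
            for port in p.ports:
                if port in port_owner:           # same frontend port twice: listeners would be overwritten
                    problems.append((p.name, f"port {port} on SLB {slb} conflicts with {port_owner[port]}"))
                else:
                    port_owner[port] = p.name
    for p in plans:
        if p.hpa_min > p.hpa_max:
            problems.append((p.name, f"HPA minimum {p.hpa_min} exceeds maximum {p.hpa_max}"))
        if p.offline_grace_seconds > 30:        # longer than the recommended 30 s grace period
            problems.append((p.name, f"offline grace {p.offline_grace_seconds}s exceeds the recommended 30s"))
    return problems
```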

Result

View the ingress gateway service in the ACK console

  • To view the basic information about the ingress gateway service, perform the following steps:
    1. Log on to the ACK console and click Clusters in the left-side navigation pane.
    2. On the Clusters page, click the name of a cluster and choose Network > Services in the left-side navigation pane.
    3. In the upper part of the Services page, select istio-system from the Namespace drop-down list.
    4. Find the ingress gateway service that you want to view and click Details in the Actions column.

      On the details page of the ingress gateway service, view the details of the ingress gateway service, such as the IP address assigned to the service.

  • To view the pod information about the ingress gateway service, perform the following steps:
    1. Log on to the ACK console and click Clusters in the left-side navigation pane.
    2. On the Clusters page, click the name of a cluster and choose Workloads > Pods in the left-side navigation pane.
    3. In the upper part of the Pods page, select istio-system from the Namespace drop-down list.
    4. Find the pod of the ingress gateway service and click View Details in the Actions column.

Manage the ingress gateway service in the ASM console

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.
  3. On the Ingress Gateway page, perform the operations that are described in the following table.
    View or edit an ingress gateway service:
    • To view an ingress gateway service, find the ingress gateway service and click View Details in the Actions column.
    • To edit an ingress gateway service, find the ingress gateway service and click YAML in the Actions column.
    Delete an ingress gateway service: Find the ingress gateway service that you want to delete and click Delete in the Actions column. In the message that appears, click OK.