To allow Internet access to an application in an Alibaba Cloud Service Mesh (ASM) instance, you must deploy an ingress gateway service in the cluster in which the application resides. This topic describes how to deploy an ingress gateway service in a Container Service for Kubernetes (ACK) cluster that is added to an ASM instance.

Prerequisites

An ASM instance is created, and an ACK cluster is added to the ASM instance.

Background information

An ingress gateway service provides a unified entrance for routing the inbound traffic at Layer 7. It routes HTTP requests from the same TCP-based port to different Kubernetes Services based on the request content.

Procedure

  1. Log on to the ASM console.
  2. In the left-side navigation pane, choose Service Mesh > Mesh Management.
  3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.
  4. On the details page of the ASM instance, click ASM Gateways in the left-side navigation pane. On the ASM Gateways page, click Create.
  5. On the Create page, configure the basic information about the ingress gateway service.
    Note: You can also click Create from YAML and define a custom ingress gateway service. For more information, see Define a custom ingress gateway service.
    Parameter: Description
    Name: The name of the ingress gateway service.
    Cluster: The cluster in which you want to deploy the ingress gateway service.
    Gateway types: The type of the ingress gateway service. Valid values: North-South IngressGateway and North-South EgressGateway.
    SLB Instance Type: The access type of the Server Load Balancer (SLB) instance. Valid values: Internet Access and Private Access.
    Create SLB Instance or Use Existing SLB Instance: The SLB instance that you want to use. You can select an SLB instance by using one of the following methods:
    • Use Existing SLB Instance: Select an existing SLB instance from the drop-down list.
    • Create SLB Instance: Click Create SLB Instance and select an SLB instance type from the drop-down list.
    Note: We recommend that you assign a dedicated SLB instance to each Kubernetes Service in the cluster. If multiple Kubernetes Services share the same SLB instance, the following risks and limits exist:
    • If you assign to a Kubernetes Service an SLB instance that is already used by another Kubernetes Service, the existing listeners of the SLB instance are forcibly overwritten. This may interrupt the original Kubernetes Service and make your application unavailable.
    • If you create an SLB instance when you create a Kubernetes Service, the SLB instance cannot be shared among Kubernetes Services. Only SLB instances that you create in the SLB console or by calling API operations can be shared.
    • Kubernetes Services that share the same SLB instance must use different frontend listening ports. Otherwise, port conflicts may occur.
    • If multiple Kubernetes Services share the same SLB instance, you must use the listener names and the vServer group names as unique identifiers in Kubernetes. Do not modify the names of listeners or vServer groups.
    • You cannot share an SLB instance across clusters or regions.
    Port Mapping: The port mappings. Click Add Port. In the row that appears, specify a service port.
    Note: ASM provides four default ports that are commonly used by Istio. You can keep or remove the default ports or add ports as needed.
    Resources Limits: The CPU and memory specifications for the pod of the ingress gateway service.
    Gateway instances: The number of replicas for the ingress gateway service.
    Automatic create gateway rules: Specifies whether to automatically create a gateway that has the same name as the ingress gateway service.
  6. Optional: Click Advanced Options and set the parameters that are described in the following table as needed.
    Parameter: Description
    External Traffic Policy: The policy to distribute external traffic. Valid values:
    • Local: This policy routes traffic only to pods on the node where the ingress gateway service is deployed.
    • Cluster: This policy can route traffic to pods on other nodes in the cluster.
    HPA: Select HPA and set the following parameters:
    Note: Only ASM Commercial Edition (Professional Edition) supports this feature.
    • metrics: Set the Monitoring items and Threshold parameters. If the metric value exceeds the specified threshold, the number of replicas increases for the ingress gateway service. If the metric value is below the specified threshold, the number of replicas decreases for the ingress gateway service.

      If you specify thresholds for the CPU and memory specifications, both thresholds take effect. In this case, if the CPU utilization or memory usage exceeds or falls below the specified threshold, the number of replicas is resized accordingly.

    • Maximum replicas: the maximum number of replicas to which the ingress gateway service can be scaled.
    • Minimum number of replicas: the minimum number of replicas to which the ingress gateway service can be scaled.
    Rolling Upgrade: Select Rolling Upgrade and set the following parameters:
    • Maximum number of unavailable instances: the maximum number of unavailable replicas during a rolling update.
    • Exceeding the desired number of instances: the maximum number of replicas by which the expected number of replicas can be exceeded during a rolling update. For example, if you set this parameter to 25%, the number of replicas during a rolling update cannot exceed 125% of the original number of replicas.
    TLS performance optimization: Specifies whether to enable the Transport Layer Security (TLS) performance optimization feature. This feature speeds up TLS encryption and decryption. Select TLS performance optimization and select nodeAffinity labels to match the nodes with optimized performance based on the labels.
    Note: Only ASM Commercial Edition (Professional Edition) supports this feature. You must also enable the Multi-Buffer for TLS acceleration feature.
    SLB graceful offline: After you select SLB graceful offline, the ingress gateway service is not affected if the SLB instance becomes unavailable.
    Note: Only ASM Commercial Edition (Professional Edition) supports this feature.
  7. Click Create.
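
The SLB-sharing risks listed in the note under step 5 can be checked before you select Use Existing SLB Instance. The following Python script is an added example, not part of the original ASM documentation: it groups LoadBalancer Services by the SLB instance they reference and reports frontend ports that more than one Service on the same SLB instance uses. The annotation key, the sample Services and the lb-example-* IDs are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumption: annotation that binds a Service to an existing SLB instance.
SLB_ID_ANNOTATION = "service.beta.kubernetes.io/alibaba-cloud-loadbalancer-id"

def sample_service(ns, name, slb_id, ports):
    """Build a constructed Service object shaped like `kubectl get svc -o json`."""
    annotations = {SLB_ID_ANNOTATION: slb_id} if slb_id else {}
    return {"metadata": {"namespace": ns, "name": name, "annotations": annotations},
            "spec": {"type": "LoadBalancer",
                     "ports": [{"port": p, "protocol": "TCP"} for p in ports]}}

# Constructed sample data; names and SLB IDs are placeholders.
SAMPLE_SERVICES = {"items": [
    sample_service("istio-system", "istio-ingressgateway", "lb-example-0001", [80, 443, 15443]),
    sample_service("default", "legacy-web", "lb-example-0001", [443, 8080]),
    sample_service("default", "metrics", "lb-example-0002", [9090]),
    sample_service("default", "internal-api", None, [443]),
]}

def find_slb_sharing_risks(service_list):
    """Return (shared, conflicts) for Services that reuse an existing SLB instance.

    shared:    {slb_id: [namespace/name, ...]} for SLBs used by 2+ Services
    conflicts: {(slb_id, protocol, port): [namespace/name, ...]} for frontend
               ports that more than one Service on the same SLB listens on
    """
    by_slb = defaultdict(list)
    for item in service_list.get("items", []):
        slb_id = (item["metadata"].get("annotations") or {}).get(SLB_ID_ANNOTATION)
        if slb_id and item["spec"].get("type") == "LoadBalancer":
            by_slb[slb_id].append(item)
    shared, conflicts = {}, {}
    for slb_id, items in by_slb.items():
        if len(items) < 2:
            continue  # a dedicated SLB instance, as the note recommends
        listeners = defaultdict(list)
        for item in items:
            ref = f"{item['metadata']['namespace']}/{item['metadata']['name']}"
            for p in item["spec"].get("ports", []):
                listeners[(slb_id, p.get("protocol", "TCP"), p["port"])].append(ref)
        shared[slb_id] = sorted({r for refs in listeners.values() for r in refs})
        conflicts.update({k: sorted(v) for k, v in listeners.items() if len(v) > 1})
    return shared, conflicts

if __name__ == "__main__":
    shared, conflicts = find_slb_sharing_risks(SAMPLE_SERVICES)
    for slb_id, refs in shared.items():
        print(f"{slb_id} is shared by: {', '.join(refs)}")
    for (slb_id, proto, port), refs in conflicts.items():
        print(f"port conflict on {slb_id} {proto}/{port}: {', '.join(refs)}")
```

To check a real cluster, pass the parsed output of `kubectl get svc -A -o json` to `find_slb_sharing_risks` instead of the sample data.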

Result

After you deploy the ingress gateway service, you can view the details of the ingress gateway service in the ACK console.
  • To view the basic information about the ingress gateway service, perform the following steps:
    1. Log on to the ACK console.
    2. In the left-side navigation pane, click Clusters.
    3. On the Clusters page, find the cluster that you want to manage and click its name or click Details in the Actions column.
    4. In the left-side navigation pane of the details page, choose Network > Services.
    5. In the upper part of the Services page, select istio-system from the Namespace drop-down list.
    6. Find the ingress gateway service that you want to view and click Details in the Actions column.
  • To view the pod information about the ingress gateway service, perform the following steps:
    1. Log on to the ACK console.
    2. In the left-side navigation pane, click Clusters.
    3. On the Clusters page, find the cluster that you want to manage and click its name or click Details in the Actions column.
    4. In the left-side navigation pane, choose Workloads > Pods.
    5. In the upper part of the Pods page, select istio-system from the Namespace drop-down list.
    6. Find the pod of the ingress gateway service and click View Details in the Actions column.