
Alibaba Cloud Service Mesh: Create an ASM instance

Last Updated: Nov 24, 2023

To use Service Mesh (ASM), you must first create an ASM instance. ASM allows you to perform operations such as traffic management, security management, fault recovery, observation, and monitoring on applications. This topic describes how to create an ASM instance in the ASM console.

Prerequisites

Configuration descriptions

When you create a Service Mesh instance, ASM may perform the following operations based on your settings:

  • Creates a security group to allow all Internet Control Message Protocol (ICMP) ports to accept inbound traffic to a virtual private cloud (VPC).

    Note

    An existing security group cannot be reused. A security group cannot be modified after it is created.

  • Adds route entries to the route table of the VPC.

  • Creates an Elastic IP Address (EIP).

  • Creates a RAM role and policies, and attaches the policies to the RAM role to grant full permissions on Classic Load Balancer (CLB), CloudMonitor, VPC, and Simple Log Service. The RAM role allows Service Mesh to dynamically create CLB instances and add route entries to the route table of the VPC based on your settings.

  • Creates an internal-facing CLB instance and exposes ports 6443 and 15011.

  • Collects the logs of managed components to ensure stability when you use the Service Mesh instance.

Procedure

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click Create ASM Instance. Then, configure related information.

    Configuration item

    Description

    Service mesh name

    The name of the Service Mesh instance.

    Spec

    The edition of the ASM instance. Valid values: Enterprise Edition and Ultimate Edition. For more information about the features provided by different editions, see What is ASM?

    Region

    The region in which the Service Mesh instance resides.

    Payment type

    The billing method of the ASM instance. Only the pay-as-you-go billing method is supported.

    Istio Version

    The Istio version.

    Kubernetes Cluster

    The system automatically selects a VPC, a vSwitch, and a cluster domain based on the information about the Kubernetes cluster to be added to the Service Mesh instance. For more information, see Create an ACK managed cluster.

    VPC

    The VPC of the Service Mesh instance. You can click Create VPC to create a VPC. For more information, see Create and manage a VPC.

    vSwitch

    The vSwitch of the Service Mesh instance. You can click Create vSwitch to create a vSwitch. For more information, see Create and manage a vSwitch.

    Istio control plane access

    The CLB instance that is used to access the Istio control plane.

    API Server access

    The specification of the CLB instance that is used to access the API server. You can specify whether to enable access to the API server by using an EIP by selecting or clearing Use EIP to expose API Server.

    • If you select Use EIP to expose API Server, an EIP is created and associated with the internal-facing CLB instance. Then, you can use kubectl to connect to and manage the ASM instance over the Internet based on the information in the kubeconfig file.

    • If you clear Use EIP to expose API Server, no EIP is created. You can use kubectl to connect to and manage the ASM instance only in the VPC based on the information in the kubeconfig file.

    Observability

    Specifies whether to enable Managed Service for OpenTelemetry for the ASM instance by selecting or clearing Enable Tracing Analysis.

    ASM integrates with Managed Service for OpenTelemetry. Managed Service for OpenTelemetry provides a wide range of tools to help you efficiently identify the performance bottlenecks of distributed applications. For example, you can use these tools to view trace data, display trace topologies, analyze application dependencies, and count the number of requests. This helps you improve the efficiency of developing and troubleshooting distributed applications. For more information, see Use Managed Service for OpenTelemetry to trace applications inside and outside an ASM instance.

    Note

    Before you enable Managed Service for OpenTelemetry, make sure that you have activated Managed Service for OpenTelemetry.

    Specifies whether to enable Prometheus for the ASM instance by selecting or clearing Use Managed Service for Prometheus to Collect Metrics. For more information about Prometheus, see Integrate Managed Service for Prometheus to monitor service meshes and Monitor ASM instances by using a self-managed Prometheus instance.

    Specifies whether to enable ASM Mesh Topology by selecting or clearing Enable ASM Mesh Topology.

    ASM Mesh Topology is a tool that is used to observe Service Mesh instances. This tool provides a GUI that allows you to view related services and configurations. ASM Mesh Topology is a built-in tool for ASM instances whose versions are 1.7.5.25 or later. For more information, see Enable Mesh Topology to observe an ASM instance in the ASM console.

    Specifies whether to collect access logs for Alibaba Cloud Simple Log Service by selecting or clearing Collect access logs to Alibaba Cloud Log Service. If access logs are collected, you can use Simple Log Service to view the access logs of ingress gateways. For more information about access logs, see Configure the features of generating and collecting the access logs of an ASM gateway and Use Simple Log Service to collect access logs on the data plane.

    Specifies whether to enable the collection of control plane logs by selecting or clearing Enable Control-plane log collection.

    ASM allows you to collect control plane logs and sends you alert notifications based on the log data. For example, you can collect logs related to configuration pushes from the control plane to sidecar proxies on the data plane. For more information, see Enable control-plane log collection and log-based alerting in an ASM instance of a version earlier than 1.17.2.35 or Enable control-plane log collection and log-based alerting in an ASM instance of version 1.17.2.35 or later.

    Mesh Audit

    Specifies whether to enable the mesh audit feature by selecting or clearing Enable Mesh Audit.

    You can enable the mesh audit feature to record and trace the operations of users. This is an important O&M feature that ensures cluster security. For more information about the mesh audit feature, see Use the KubeAPI operation audit feature in ASM.

    Resource configuration

    Specifies whether to enable version control for custom Istio resources by selecting or clearing Enable Istio custom resource version control.

    When you update fields in the spec block of an Istio resource, ASM records the resource version before the update. ASM stores up to five latest versions. For more information about how to roll back an Istio resource to an earlier version, see Roll back an Istio resource to an earlier version.

    Specifies whether to allow access to Istio resources by using the Kubernetes API of clusters on the data plane by selecting or clearing Allow data plane cluster KubeAPI to access Istio CR.

    ASM allows you to create, delete, modify, and query Istio resources by using the Kubernetes API of clusters on the data plane. For more information, see Use the Kubernetes API of clusters on the data plane to access Istio resources.

    Cluster Domain

    The cluster domain for the Service Mesh instance. Default value: cluster.local. You can add only Kubernetes clusters that share the same cluster domain with the ASM instance to the ASM instance.

    Note

    You can set this parameter only if the version of the ASM instance is 1.6.4.5 or later. For an ASM instance of a version earlier than 1.6.4.5, this parameter is not available.

    Dataplane Mode

    Specifies whether to enable the Ambient Mesh mode by selecting or clearing Enable Ambient Mesh mode. Ambient Mesh supports both data planes with and without sidecars. You can use one or both of them based on your business requirements. For more information, see Overview.

    Note

    This feature is in public preview.

  3. Activate the pay-as-you-go billing method for ASM.

    If you create an ASM instance of a commercial edition for the first time, the value in the State column on the right of Dependency Check is Not pass. In this case, you must activate the pay-as-you-go billing method for ASM.

    Click Activate now in the Illustrate column on the right of Dependency Check. On the page that appears, select ASM (Pay-as-you-go) Terms of Service and click Activate Now. Return to the Create Service Mesh page and click Check again for ASM service activation check. Pass is displayed in the State column on the right of Dependency Check.

  4. Select I have understood and accepted the Service Agreement and have read and agreed Alibaba Cloud Service Mesh ASM Service Level Agreement, and then click Create Service Mesh.

    Note

    It takes about 2 to 3 minutes to create an ASM instance.
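
The Use EIP to expose API Server choice in step 2 determines whether the kubeconfig file points at an Internet-reachable address or at a VPC-internal one. The following is an added example, not part of the original ASM documentation: it reads the server entries of a kubeconfig file and reports which kind of address each one uses. The sample kubeconfig, its cluster names, and its addresses are constructed for illustration, and the script assumes the VPC uses RFC 1918 address ranges.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: the VPC uses RFC 1918 ranges, so an API server address inside
# them is reachable only from the VPC side (no EIP in front of the CLB).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches the "server: https://..." lines of a kubeconfig (quotes optional).
SERVER_RE = re.compile(r"^[ \t]*server:[ \t]*[\"']?(\S+?)[\"']?[ \t]*$",
                       re.MULTILINE)

# Constructed sample; 203.0.113.10 is a documentation address standing in
# for an EIP, and the host name is hypothetical.
SAMPLE = """\
apiVersion: v1
kind: Config
clusters:
- name: asm-internal
  cluster:
    server: https://192.168.0.10:6443
- name: asm-eip
  cluster:
    server: https://203.0.113.10:6443
- name: asm-dns
  cluster:
    server: "https://mesh.example.internal:6443"
"""


def classify_endpoint(url):
    """Return (host, port, exposure) for one API server URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    port = parts.port or 443
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name cannot be classified offline; resolve it before deciding.
        return host, port, "unknown"
    if any(addr in net for net in RFC1918):
        return host, port, "vpc-only"
    return host, port, "public"


def audit_kubeconfig(text):
    """Classify every API server endpoint found in the kubeconfig text."""
    return [classify_endpoint(u) for u in SERVER_RE.findall(text)]


if __name__ == "__main__":
    for host, port, exposure in audit_kubeconfig(SAMPLE):
        print(f"{host}:{port} -> {exposure}")
```

An entry reported as public means that anyone on the Internet can reach the API server port, so access then depends entirely on the credentials in the kubeconfig file.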

Related operations

After an ASM instance is created, you can view the instance in the instance list on the Mesh Management page. In the Actions column of the instance list, you can also perform the following operations:

Operation

Description

View the information about an ASM instance

Find the desired ASM instance and click Manage in the Actions column. On the Base Information page, view the details of the ASM instance.

By default, the system creates five namespaces for a new ASM instance. Only the istio-system and default namespaces are displayed in the ASM console. You can use kubectl to query and manage all namespaces, including istio-system, kube-node-lease, kube-public, kube-system, and default.

Modify the information about an ASM instance

  1. Find the desired ASM instance and click Manage in the Actions column.

  2. In the upper-right corner of the Base Information page, click Settings. In the Settings Update panel, modify the settings and click OK.

Change the specifications of an ASM instance

Find the desired ASM instance and click Specification change in the Actions column. For more information, see Change the edition of an ASM instance.

View logs of an ASM instance

Find the desired ASM instance and click Log in the Actions column. For more information, see log analysis in Observability management.

Delete an ASM instance

Find the desired ASM instance and click the More icon > Delete in the Actions column to delete the instance. In the Delete ASM Instance dialog box, read the Deletion Notice carefully, select the resources that you want to retain, and then click OK.

Important

Exercise caution when you perform delete operations:

  • After you delete an ASM instance, you cannot use the Service Mesh features of the instance.

  • After you delete the CLB instance that is used to expose the API server, you cannot perform operations on the clusters managed by the Service Mesh instance and related configurations.

  • After you delete the CLB instance that is used by Istio Pilot, you cannot perform operations on the Service Mesh instance and related configurations.