Create an ASM instance - Alibaba Cloud Service Mesh - Alibaba Cloud Documentation Center

To use Alibaba Cloud Service Mesh (ASM), you must create an ASM instance. This topic describes how to create an ASM instance in the ASM console.

Prerequisites

The following services are activated:
- ASM
- Auto Scaling
- Resource Access Management (RAM)
- (Optional) Tracing Analysis
The AliyunServiceMeshDefaultRole RAM role is assumed by ASM, and the AliyunCSClusterRole and AliyunCSManagedKubernetesRole RAM roles are assumed by Container Service for Kubernetes (ACK).

Configuration descriptions

When you create and use an ASM instance, ASM may perform the following operations based on your settings:

Creates a security group that allows access to a virtual private cloud (VPC) by using all Internet Control Message Protocol (ICMP) ports.
Note
An existing security group cannot be reused. A security group cannot be modified after it is created.
Adds route entries to the route table of the VPC.
Creates an elastic IP address (EIP).
Creates a RAM role and policies, and attaches the policies to the RAM role to grant full permissions on Server Load Balancer (SLB), CloudMonitor, VPC, and Log Service. The RAM role allows ASM to dynamically create SLB instances and add route entries to the route table of the VPC based on your settings.
Creates an internal-facing SLB instance to expose port 6443.
Creates an internal-facing SLB instance to expose port 15011.
Collects the logs of managed components to ensure stability when you use the ASM instance.

Procedure

Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
On the Mesh Management page, click Create ASM Instance.

On the Create Service Mesh page, set the parameters as required.

The following table describes some of the parameters.

Parameter	Description
Service mesh name	The name of the ASM instance.
Spec	The edition of the ASM instance. Valid values: Enterprise Edition and Ultimate Edition. For more information about the features provided by different editions, see What is ASM?
Region	The region in which the ASM instance resides.
Payment type	The billing method of the ASM instance. Only the pay-as-you-go billing method is supported.
Istio Version	The Istio version.
VPC	The VPC of the ASM instance. You can click Create VPC to create a VPC. For more information, see Create and manage a VPC.
vSwitch	The vSwitch of the ASM instance. You can click Create vSwitch to create a vSwitch. For more information, see Create and manage a vSwitch.
Istio control plane access	The specification of the SLB instance that is used to control access to the Istio control plane.
API Server access	The specification of the SLB instance that is used to control access to the API server. You can specify whether to enable access to the API server by using an EIP. If you select Use EIP to expose API Server, an EIP is created and associated with the internal-facing SLB instance. Then, you can use the kubeconfig file to connect to and manage the ASM instance over the Internet. If you clear Use EIP to expose API Server, no EIP is created. You can use the kubeconfig file to connect to and manage the ASM instance only in the VPC.
Observability	Specifies whether to enable Tracing Analysis for the ASM instance. ASM integrates with Tracing Analysis. Tracing Analysis provides a wide range of tools to help you efficiently identify the performance bottlenecks of distributed applications. For example, you can use these tools to view trace data, display trace topologies, analyze application dependencies, and count the number of requests. This helps you improve the efficiency of developing and troubleshooting distributed applications. For more information about Tracing Analysis, see Use Tracing Analysis to trace applications inside and outside an ASM instance. Note Before you enable Tracing Analysis, make sure that you have activated Tracing Analysis in the Alibaba Cloud Console.
	Specifies whether to enable Prometheus for the ASM instance. For more information about Prometheus, see Monitor service meshes based on ARMS Prometheus and Monitor ASM instances by using a self-managed Prometheus instance.
	Specifies whether to enable ASM Mesh Topology. ASM Mesh Topology is a tool that is used to observe ASM instances. This tool provides a GUI that allows you to view related services and configurations. ASM Mesh Topology is a built-in tool for ASM instances whose Istio versions are 1.7.5.25 or later. For more information, see Enable Mesh Topology to observe an ASM instance in the ASM console.
	Specifies whether to collect access logs for Alibaba Cloud Log Service. If access logs are collected, you can use Log Service to view the access logs of ingress gateways. For more information about access logs, see Use Log Service to collect logs of ingress gateways on the data plane and Use Log Service to collect access logs on the data plane.
	Specifies whether to enable collection of control plane logs. ASM can collect logs of the control plane and generate alerts based on the logs. For example, ASM can collect logs related to configuration pushes from the control plane to the sidecar proxies on the data plane. For more information, see Enable control-plane log collection and log-based alerting.
Mesh Audit	Specifies whether to enable the mesh audit feature. You can enable the mesh audit feature to record and trace the operations of users. This is an important O&M feature that ensures cluster security. For more information about the mesh audit feature, see Use the KubeAPI operation audit feature in ASM.
Resource configuration	Specifies whether to enable version control for custom Istio resources. When you update fields in the `spec` block of an Istio resource, ASM records the resource version before the update. ASM stores up to five latest versions. For more information about how to roll back an Istio resource to an earlier version, see Roll back an Istio resource to an earlier version.
Resource configuration	Specifies whether to allow access to Istio resources by using the Kubernetes API of clusters on the data plane. ASM allows you to create, delete, modify, and query Istio resources by using the Kubernetes API of clusters on the data plane. For more information, see Use the Kubernetes API of clusters on the data plane to access Istio resources.
Cluster Domain	The cluster domain for the ASM instance. Default value: cluster.local. You can add only Kubernetes clusters that share the same cluster domain with the ASM instance to the ASM instance. Note You can set this parameter only if the Istio version of the ASM instance is 1.6.4.5 or later. Otherwise, this parameter is unavailable.

Activate the pay-as-you-go billing method for ASM.
If you create an ASM instance of a commercial edition for the first time, the value in the State column on the right of Dependency Check is Not pass. In this case, you must activate the pay-as-you-go billing method for ASM.
Click Activate now in the Illustrate column on the right of Dependency Check. On the page that appears, select ASM (Pay-as-you-go) Terms of Service and click Activate Now. Return to the Create Service Mesh page and click Check again for ASM service activation check. Pass is displayed in the State column.
Select I have understood and accepted the Service Agreement and have read and agreed Alibaba Cloud Service Mesh ASM Service Level Agreement.
Click Create Service Mesh.
Note
It takes about 2 to 3 minutes to create an ASM instance.

Result

After the ASM instance is created, you can perform the following operations on the instance:

On the Mesh Management page, you can view the basic information about the ASM instance.
To view the latest information about the ASM instance, click on the right.
On the Mesh Management page, find the ASM instance and click Log in the Actions column. In the ASM Instance Logs panel, you can view the logs of the ASM instance.
On the Mesh Management page, find the ASM instance and click Specification change in the Actions column to update the instance type. For more information, see Update an ASM instance.
On the Mesh Management page, find the ASM instance and click Manage in the Actions column. On the Basic Information page, you can view the basic information of the instance, such as the instance ID and the security group.
By default, the system creates five namespaces for a new ASM instance. Only the istio-system and default namespaces can be viewed in the ASM console. You can use the kubectl client to query and manage all namespaces, including istio-system, kube-node-lease, kube-public, kube-system, and default.

Important

Exercise caution when you perform delete operations:

After you delete an ASM instance, you cannot use the ASM features of the instance.
After you delete the SLB instance that is used to expose the API server, you cannot perform operations on the clusters managed by the ASM instance and related configurations.
After you delete the SLB instance that is used by Istio Pilot, you cannot perform operations on the ASM instance and related configurations.