
Alibaba Cloud Service Mesh: Manage Istio gateways

Last Updated: Mar 11, 2026

When services in your mesh need to receive external traffic, an Istio gateway acts as the entry point. It is a load balancer at the edge of your Service Mesh (ASM) instance that receives inbound or outbound HTTP/TCP connections, controlling which ports, protocols, and hosts are exposed before traffic reaches backend services through a VirtualService.

How gateways work

A gateway operates at L4-L6 of the network stack and defines:

  • Ports and protocols to listen on (HTTP, HTTPS, TCP)

  • Hosts to accept traffic for (specific domains or wildcard)

  • TLS settings for encrypted connections

A gateway alone does not route traffic to services. You must bind a VirtualService to the gateway to forward traffic to specific backend services. For the complete API specification, see Gateway.

Prerequisites

Before you begin, make sure that you have:

Create an Istio gateway

Option 1: Use the ASM console

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Gateway. On the page that appears, click Create.

  3. On the Create page, configure the gateway parameters and click Create. For field descriptions, see or Gateway.


Option 2: Use a YAML file

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Gateway. On the page that appears, click Create from YAML.

  3. On the Create page, select a namespace from the Namespace drop-down list, select a template from the Template drop-down list, modify the configuration in the YAML code editor, and then click Create.

Key fields

The following table lists commonly configured fields. For the complete API reference, see Gateway.

| Field | Description |
| --- | --- |
| spec.selector | Label selector that determines which gateway pods handle this configuration. Typically istio: ingressgateway. |
| spec.servers[].port.number | Port number to listen on. |
| spec.servers[].port.protocol | Protocol type, such as HTTP, HTTPS, or TCP. |
| spec.servers[].port.name | Label for the port. |
| spec.servers[].hosts | Hosts exposed on this port. Specify * to match all hosts, or list specific domains such as example.com. |
| spec.servers[].tls.mode | TLS mode, such as SIMPLE or MUTUAL. |
| spec.servers[].tls.credentialName | Name of the Kubernetes secret that contains the TLS certificate and key. |

YAML examples

HTTP gateway

Expose port 80 for hosts that match *.example.com and redirect HTTP traffic to HTTPS:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: http-gateway
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*.example.com"
    tls:
      httpsRedirect: true

HTTPS gateway with TLS

Terminate TLS on port 443 using a Kubernetes secret:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: https-gateway
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "bookinfo.example.com"
    tls:
      mode: SIMPLE
      credentialName: bookinfo-tls-secret

Multi-port gateway

Expose HTTP, HTTPS, and wildcard listeners on different ports:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: my-gateway
  namespace: some-config-namespace
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - test1.com
    - test2.com
    tls:
      httpsRedirect: true
  - port:
      number: 443
      name: https-443
      protocol: HTTPS
    hosts:
    - uk.bookinfo.com
    - eu.bookinfo.com
    tls:
      mode: SIMPLE
      serverCertificate: /etc/certs/servercert.pem
      privateKey: /etc/certs/privatekey.pem
  - port:
      number: 9443
      name: https-9443
      protocol: HTTPS
    hosts:
    - "bookinfo-namespace/*.bookinfo.com"
    tls:
      mode: SIMPLE
      credentialName: bookinfo-secret
  - port:
      number: 9080
      name: http-wildcard
      protocol: HTTP
    hosts:
    - "*"

This gateway exposes ports 80, 443, 9443, and 9080. It applies to pods that carry the istio: ingressgateway label.
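
The following check is an added example, not part of the Alibaba Cloud documentation. It reads the multi-port gateway above in JSON form and reports listeners that accept any host, serve plain HTTP without httpsRedirect, or terminate TLS without a certificate reference. The function names and finding labels are assumptions made for this example.

```python
import json

# Constructed sample: the page's multi-port gateway in JSON form (as `kubectl get -o json` prints manifests).
GATEWAY_JSON = """
{"kind": "Gateway",
 "metadata": {"name": "my-gateway", "namespace": "some-config-namespace"},
 "spec": {"selector": {"istio": "ingressgateway"}, "servers": [
  {"port": {"number": 80, "name": "http", "protocol": "HTTP"},
   "hosts": ["test1.com", "test2.com"], "tls": {"httpsRedirect": true}},
  {"port": {"number": 443, "name": "https-443", "protocol": "HTTPS"},
   "hosts": ["uk.bookinfo.com", "eu.bookinfo.com"],
   "tls": {"mode": "SIMPLE", "serverCertificate": "/etc/certs/servercert.pem",
           "privateKey": "/etc/certs/privatekey.pem"}},
  {"port": {"number": 9443, "name": "https-9443", "protocol": "HTTPS"},
   "hosts": ["bookinfo-namespace/*.bookinfo.com"],
   "tls": {"mode": "SIMPLE", "credentialName": "bookinfo-secret"}},
  {"port": {"number": 9080, "name": "http-wildcard", "protocol": "HTTP"},
   "hosts": ["*"]}]}}
"""

def audit_gateway(gw):
    """Return (port, finding) tuples in server order; finding labels are this example's own."""
    findings = []
    for srv in gw["spec"].get("servers", []):
        port = srv["port"]["number"]
        proto = srv["port"]["protocol"].upper()
        tls = srv.get("tls") or {}
        # A host may carry a "namespace/" prefix; the DNS part follows it.
        if any(h.split("/", 1)[-1] == "*" for h in srv.get("hosts", [])):
            findings.append((port, "wildcard-host"))
        # Plain HTTP that is served rather than redirected to HTTPS.
        if proto == "HTTP" and not tls.get("httpsRedirect"):
            findings.append((port, "plaintext-http-no-redirect"))
        # TLS terminated at the gateway needs a secret or a cert/key pair.
        has_cert = tls.get("credentialName") or (
            tls.get("serverCertificate") and tls.get("privateKey"))
        if proto == "HTTPS" and tls.get("mode") in ("SIMPLE", "MUTUAL") and not has_cert:
            findings.append((port, "tls-termination-without-certificate"))
    return findings

def audit_json(text):
    """Audit one Gateway, or every item of a `kind: List`, keyed by namespace/name."""
    doc = json.loads(text)
    items = doc["items"] if "items" in doc else [doc]
    return {f'{g["metadata"]["namespace"]}/{g["metadata"]["name"]}': audit_gateway(g)
            for g in items}

if __name__ == "__main__":
    print(audit_json(GATEWAY_JSON))
```

On the sample, only the port 9080 listener is reported: it accepts every host over plain HTTP with no redirect.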

Modify an Istio gateway

  1. On the Gateway page, find the target Istio gateway and click YAML in the Actions column.

  2. In the Edit dialog box, modify the configuration based on your business requirements and click OK.

Roll back an Istio gateway

  1. On the Gateway page, find the target Istio gateway and click Version in the Actions column.

  2. In the Version dialog box, click Rollback to restore a previous version.

For more information, see Roll back an Istio resource to an earlier version.

Delete an Istio gateway

Important

After you delete an Istio gateway, the corresponding traffic routing rules no longer work. As a result, services may be inaccessible. Exercise caution when you perform this operation.

  1. On the Gateway page, find the target Istio gateway and click Delete in the Actions column.

  2. In the Submit message, click OK.