Alibaba Cloud Service Mesh (ASM) of Enterprise Edition or Ultimate Edition uses Intel Multi-Buffer to accelerate Transport Layer Security (TLS) processing in Envoy. This topic describes how to enable Multi-Buffer in different situations.
- An ASM instance is created. The instance type is Enterprise Edition or Ultimate Edition and the Istio version is 1.10 or later. For more information, see Create an ASM instance.
- A Container Service for Kubernetes (ACK) cluster is created, and the instance families of the nodes in the cluster support Intel Ice Lake, the CPU model that Multi-Buffer requires. For more information, see Create an ACK managed cluster. The following table describes the instance families that support Intel Ice Lake.
Note: For more information about instance families, see Overview of instance families.

| Instance family | Description |
| --- | --- |
| g7 | g7se, storage-enhanced general-purpose instance family; g7, general-purpose instance family; g7t, security-enhanced general-purpose instance family |
| c7 | c7, compute-optimized instance family; c7re, RDMA-enhanced instance family; c7se, storage-enhanced compute-optimized instance family; c7t, security-enhanced compute-optimized instance family |
| r7 | r7p, memory-optimized instance family; r7se, storage-enhanced memory-optimized instance family; r7, memory-optimized instance family; r7t, security-enhanced memory-optimized instance family |
| Others | re7p, high-memory instance family; vgn7i-vws, vGPU-accelerated instance family; gn7i, GPU-accelerated compute-optimized instance family; ebmgn7i, GPU-accelerated compute-optimized ECS Bare Metal Instance family; sccc7, compute-optimized SCC instance family; sccg7, general-purpose SCC instance family |
- The cluster is added to the ASM instance. For more information, see Add a cluster to an ASM instance.
With the development of network security technologies, TLS has become the cornerstone of network communication. A TLS session is generally divided into the handshake phase and the data transmission phase. The most important task in the handshake phase is to use asymmetric encryption to negotiate a session key. In the data transmission phase, the session key is used to perform symmetric encryption on the data before data is transmitted.
In microservice scenarios, Envoy needs to process a large number of TLS requests, whether Envoy serves as an ingress gateway or as a proxy for microservices. Especially during the handshake phase, asymmetric encryption and decryption consume a large amount of CPU resources. This may become a bottleneck in large-scale microservice scenarios. ASM uses Intel Multi-Buffer to accelerate TLS processing in Envoy to alleviate the bottleneck.
Multi-Buffer uses the AVX-512 instruction set of Intel CPUs to process multiple independent buffers at the same time. In other words, multiple encryption and decryption operations are executed in one execution cycle, which accelerates encryption and decryption. Multi-Buffer requires no additional hardware, only a CPU that supports the AVX-512 instruction set. Alibaba Cloud provides the latest AVX-512 instruction set in its Ice Lake processors.
Enable Multi-Buffer for an ASM instance
To enable Multi-Buffer for an ASM instance, perform the following steps:
- Log on to the ASM console. In the left-side navigation pane, choose .
- On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose .
- In the upper-right corner of the Basic Information page, click Settings.
- In the Settings Update panel, select Enable MultiBuffer-based TLS encryption and decryption performance optimization, and then click OK. If your cluster nodes are of the general-purpose instance family g7, Multi-Buffer increases the queries per second (QPS) by 75%. If your cluster nodes are ECS Bare Metal instances, the performance is further improved.
Enable Multi-Buffer for an ingress gateway
- Enable Multi-Buffer for a new ingress gateway:
- On the details page of the ASM instance, choose in the left-side navigation pane. On the page that appears, click Create.
- In the lower part of the Create page, click Advanced Options, select Enable MultiBuffer-based TLS encryption and decryption performance optimization, and then configure the related parameters.
| Parameter | Description |
| --- | --- |
| supported nodeaffinity | Select the label of the nodes on which Multi-Buffer takes effect. |
| Poll Delay(ms) | In most cases, you do not need to change the value of this parameter. Multi-Buffer encrypts and decrypts multiple requests at the same time. Assume that Multi-Buffer can encrypt and decrypt eight requests at the same time. Multi-Buffer does not start to work until it has received eight requests. If the request rate is high, Multi-Buffer receives eight requests within a short period of time. However, if the request rate is low, Multi-Buffer may wait for a long time. In this case, if you specify a polling delay, Multi-Buffer encrypts and decrypts the requests it has already received once the delay expires, even if fewer than eight requests have arrived. |
For more information about how to create an ingress gateway, see Deploy an ingress gateway service.
- Enable Multi-Buffer for an existing ingress gateway:
- On the details page of the ASM instance, choose in the left-side navigation pane. Click the ingress gateway for which you want to enable Multi-Buffer.
- Choose in the left-side navigation pane. In the Advanced Options section, click the icon next to Performance Optimization, select Enable MultiBuffer-based TLS encryption and decryption performance optimization, configure the related parameters, and then click Submit.
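The Poll Delay(ms) parameter described above trades latency against batch fullness. The following simulation is an added example, not ASM or Envoy code, and it assumes a batch width of eight (the figure used in the parameter description) and a 1 ms polling loop; it replays constructed arrival times through a batcher with and without a polling delay so you can see when a partial batch is flushed.

```python
"""Simulate the batching behaviour behind the Poll Delay(ms) parameter.

Assumptions (not taken from ASM or Envoy): a batch holds BATCH_SIZE requests,
the batcher is polled once per millisecond, and a batch is flushed either when
it is full or when the oldest pending request has waited poll_delay_ms.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

BATCH_SIZE = 8  # assumption: eight requests per batch, as in the parameter description


@dataclass
class Batcher:
    poll_delay_ms: Optional[int]          # None means "wait for a full batch only"
    pending: List[int] = field(default_factory=list)
    pending_since_ms: Optional[int] = None
    flushed: List[Tuple[int, str, List[int]]] = field(default_factory=list)

    def submit(self, now_ms: int, request_id: int) -> None:
        """Queue a request; flush immediately if the batch is now full."""
        if not self.pending:
            self.pending_since_ms = now_ms
        self.pending.append(request_id)
        if len(self.pending) >= BATCH_SIZE:
            self._flush(now_ms, "full")

    def tick(self, now_ms: int) -> None:
        """Polling hook: flush a partial batch once the delay has elapsed."""
        if (self.pending and self.poll_delay_ms is not None
                and now_ms - self.pending_since_ms >= self.poll_delay_ms):
            self._flush(now_ms, "timeout")

    def _flush(self, now_ms: int, reason: str) -> None:
        self.flushed.append((now_ms, reason, list(self.pending)))
        self.pending.clear()
        self.pending_since_ms = None


def simulate(arrivals_ms: List[int], poll_delay_ms: Optional[int],
             horizon_ms: int = 100) -> Dict[int, Optional[int]]:
    """Replay request arrivals (index = request id) and return per-request latency.

    A latency of None means the request was still waiting for a batch when the
    simulation horizon was reached.
    """
    batcher = Batcher(poll_delay_ms)
    order = sorted(range(len(arrivals_ms)), key=lambda rid: arrivals_ms[rid])
    next_idx = 0
    for now in range(horizon_ms + 1):
        while next_idx < len(order) and arrivals_ms[order[next_idx]] <= now:
            batcher.submit(now, order[next_idx])
            next_idx += 1
        batcher.tick(now)
    latency: Dict[int, Optional[int]] = {rid: None for rid in range(len(arrivals_ms))}
    for flushed_at, _reason, batch in batcher.flushed:
        for rid in batch:
            latency[rid] = flushed_at - arrivals_ms[rid]
    return latency


if __name__ == "__main__":
    # Constructed traffic patterns: a trickle of three requests and a burst of eight.
    trickle = [0, 1, 2]
    burst = list(range(8))
    print("trickle, no poll delay :", simulate(trickle, None))   # never flushed
    print("trickle, 10 ms delay   :", simulate(trickle, 10))     # flushed at 10 ms
    print("burst, no poll delay   :", simulate(burst, None))     # flushed when full
```

With low traffic and no polling delay the three requests are still queued at the end of the run, which is the long wait the parameter description warns about; with a 10 ms delay they are processed 10 ms after the first arrival. A full burst of eight is flushed as soon as the eighth request arrives, so the delay has no effect under high load.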
What happens if Multi-Buffer is enabled on the control plane, but the nodes in the data-plane Kubernetes cluster do not support Intel Ice Lake?
ASM instances whose type is the Enterprise Edition or Ultimate Edition and Istio version is 1.10 or later can automatically determine whether TLS acceleration takes effect when TLS acceleration is enabled. If the node to which the service or gateway pod is scheduled does not support Intel Ice Lake, ASM does not deliver the corresponding acceleration configuration to the node. In this case, TLS acceleration does not take effect.
How do I add a node that supports Multi-Buffer to a Kubernetes cluster and enable Multi-Buffer?
- Add a node that supports Intel Ice Lake to the Kubernetes cluster. For more information, see Add existing ECS instances to an ACK cluster.
- Add the multibuffer-support:true label to the newly added node. For more information, see Manage node labels.
- Add the following content to the YAML file of the ingress gateway. For more information, see Modify an ingress gateway service.

    affinity:
      nodeAffinity:
        preferredDuringSchedulingIgnoredDuringExecution:
          - preference:
              matchExpressions:
                - key: feature.node.kubernetes.io/mb-feature-enabled
                  operator: In
                  values:
                    - 'true'
            weight: 1

After you add the node affinity, the ingress gateway pod is scheduled to the newly added node that supports Multi-Buffer.
- Enable Multi-Buffer for the ASM instance. For more information, see the Enable Multi-Buffer for an ASM instance section.
After you enable Multi-Buffer for the ASM instance, the newly added node can use Multi-Buffer to accelerate TLS processing.
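Before labelling a node in step 2, it is worth confirming that its CPU actually exposes the AVX-512 features the acceleration depends on, since ASM silently skips nodes that do not qualify. The following script is an added example, not Alibaba Cloud or ASM code: it parses the flags line of /proc/cpuinfo (constructed samples are embedded), reports which required flags are missing, emits the kubectl label command for qualifying nodes, and builds the same node-affinity structure as the YAML above. The set of required flags is an assumption chosen to match the Ice Lake AVX-512 feature set; check it against your platform documentation.

```python
"""Check a node's CPU flags for Multi-Buffer support and prepare the label/affinity.

Assumptions (not from the ASM documentation): REQUIRED_FLAGS is the set of
AVX-512 extensions the accelerated TLS path needs; the label and affinity key
are the ones quoted in the procedure above.
"""
import shlex
from typing import Dict, List, Optional, Set

# Assumption: AVX-512 foundation/byte-word/vector-length plus the vectorised AES and
# carry-less multiply extensions introduced with Ice Lake.
REQUIRED_FLAGS: Set[str] = {"avx512f", "avx512bw", "avx512vl", "vaes", "vpclmulqdq"}
NODE_LABEL = "multibuffer-support=true"                      # label from step 2
AFFINITY_KEY = "feature.node.kubernetes.io/mb-feature-enabled"  # key from the YAML in step 3


def cpu_flags(cpuinfo_text: str) -> Set[str]:
    """Return the flag set from the first 'flags' line of a /proc/cpuinfo dump."""
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "flags":
            return set(value.split())
    return set()


def missing_flags(cpuinfo_text: str) -> List[str]:
    """Required flags the CPU does not report, sorted for stable output."""
    return sorted(REQUIRED_FLAGS - cpu_flags(cpuinfo_text))


def supports_multibuffer(cpuinfo_text: str) -> bool:
    return not missing_flags(cpuinfo_text)


def label_command(node_name: str, cpuinfo_text: str) -> Optional[str]:
    """kubectl command that applies the label, or None if the node does not qualify."""
    if not supports_multibuffer(cpuinfo_text):
        return None
    return f"kubectl label node {shlex.quote(node_name)} {NODE_LABEL}"


def node_affinity() -> Dict:
    """Dict form of the preferredDuringSchedulingIgnoredDuringExecution affinity from step 3."""
    return {"affinity": {"nodeAffinity": {
        "preferredDuringSchedulingIgnoredDuringExecution": [{
            "weight": 1,
            "preference": {"matchExpressions": [
                {"key": AFFINITY_KEY, "operator": "In", "values": ["true"]}]},
        }]}}}


# Constructed sample /proc/cpuinfo excerpts; not captured from real machines.
ICE_LAKE_LIKE = """processor\t: 0
model name\t: Intel(R) Xeon(R) Platinum (constructed sample)
flags\t\t: fpu sse sse2 avx avx2 avx512f avx512dq avx512cd avx512bw avx512vl avx512vbmi vaes vpclmulqdq gfni
"""
OLDER_CPU = """processor\t: 0
model name\t: Intel(R) Xeon(R) (constructed sample, pre-AVX-512)
flags\t\t: fpu sse sse2 avx avx2 aes pclmulqdq
"""

if __name__ == "__main__":
    # On a real node, replace the sample text with open("/proc/cpuinfo").read().
    for name, text in (("node-a", ICE_LAKE_LIKE), ("node-b", OLDER_CPU)):
        gap = missing_flags(text)
        print(f"{name}: missing={gap or 'none'} -> {label_command(name, text)}")
```

Run it on each candidate node (reading /proc/cpuinfo instead of the sample text) before applying the label; a node that prints a non-empty missing list will never receive the acceleration configuration, so labelling it only misleads the scheduler.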