Alibaba Cloud Service Mesh (ASM) of Enterprise Edition or Ultimate Edition uses Intel Multi-Buffer to accelerate Transport Layer Security (TLS) processing in Envoy. This topic describes how to enable Multi-Buffer in different situations.

Prerequisites

  • An ASM instance is created. The instance type is Enterprise Edition or Ultimate Edition and the Istio version is 1.10 or later. For more information, see Create an ASM instance.
  • A Container Service for Kubernetes (ACK) cluster is created, and the instance families of nodes in the cluster support the Multi-Buffer CPU model of Intel Ice Lake. For more information, see Create an ACK managed cluster.
    The following table describes the instance families that support Intel Ice Lake.
    Note For more information about instance families, see Overview of instance families.
    Instance familyDescription
    g7g7se, storage-enhanced general-purpose instance family
    g7, general-purpose instance family
    g7t, security-enhanced general-purpose instance family
    c7c7, compute-optimized instance family
    c7re, RDMA-enhanced instance family
    c7se, storage-enhanced compute-optimized instance family
    c7t, security-enhanced compute-optimized instance family
    r7r7p, memory-optimized instance family
    r7se, storage-enhanced memory-optimized instance family
    r7, memory-optimized instance family
    r7t, security-enhanced memory-optimized instance family
    Othersre7p, high-memory instance family
    vgn7i-vws, vGPU-accelerated instance family
    gn7i, GPU-accelerated compute-optimized instance family
    ebmgn7i, GPU-accelerated compute-optimized ECS Bare Metal Instance family
    sccc7, compute-optimized SCC instance family
    sccg7, general-purpose SCC instance family
  • The cluster is added to the ASM instance. For more information, see Add a cluster to an ASM instance.

Background information

With the development of network security technologies, TLS has become the cornerstone of network communication. A TLS session is generally divided into the handshake phase and the data transmission phase. The most important task in the handshake phase is to use asymmetric encryption to negotiate a session key. In the data transmission phase, the session key is used to perform symmetric encryption on the data before data is transmitted.

In microservice scenarios, Envoy needs to process a large number of TLS requests, whether Envoy serves as an ingress gateway or as a proxy for microservices. Especially during the handshake phase, asymmetric encryption and decryption consume a large amount of CPU resources. This may become a bottleneck in large-scale microservice scenarios. ASM uses Intel Multi-Buffer to accelerate TLS processing in Envoy to alleviate the bottleneck.

Multi-Buffer uses Intel CPU AVX-512 to process multiple independent buffers at the same time. In other words, multiple encryption and decryption operations can be simultaneously executed in one execution cycle, which accelerates encryption and decryption. Multi-Buffer does not need additional hardware. The CPU package must contain the AVX-512 instruction set. Alibaba Cloud has included the latest AVX-512 instruction set in the Ice Lake processor.

Procedure

Enable Multi-Buffer for an ASM instance

To enable Multi-Buffer for an ASM instance, perform the following steps:

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Instance > Base Information.
  3. In the upper-right corner of the Basic Information page, click Settings.
  4. In the Settings Update panel, select Enable MultiBuffer-based TLS encryption and decryption performance optimization, and then click OK.
    If your cluster nodes are of the general-purpose instance family g7, Multi-Buffer increases the query per second (QPS) performance by 75%. If your cluster nodes are running on ECS bare metal instances, the performance is further improved.

Enable Multi-Buffer for an ingress gateway

  • Enable Multi-Buffer for a new ingress gateway:
    1. On the details page of the ASM instance, choose ASM Gateways > Ingress Gateway in the left-side navigation pane. On the page that appears, click Create.
    2. In the lower part of the Create page, click Advanced Options, select Enable MultiBuffer-based TLS encryption and decryption performance optimization, and then configure the related parameters.
      ParameterDescription
      supported nodeaffinitySelect the label of the nodes on which Multi-Buffer takes effect.
      Poll Delay(ms)

      In most cases, you do not need to change the value of this parameter.

      Multi-Buffer encrypts and decrypts multiple requests at the same time. Assume that Multi-Buffer can encrypt and decrypt eight requests at the same time. Multi-Buffer does not start to work until it receives eight requests. If the number of requests is large, Multi-Buffer receives eight requests within a short period of time. However, if the number of requests is small, Multi-Buffer may wait for a long time. In this case, if you specify a polling delay, Multi-Buffer encrypts and decrypts existing requests after the specified delay ends even if the number of requests is smaller than eight.

      For more information about how to create an ingress gateway, see Deploy an ingress gateway service.

  • Enable Multi-Buffer for an existing ingress gateway:
    1. On the details page of the ASM instance, choose ASM Gateways > Ingress Gateway in the left-side navigation pane. Click the ingress gateway for which you want to enable Multi-Buffer.
    2. Choose Overview > Gateway Details. In the Advanced Options section, click the The Edit icon icon next to Performance Optimization, select Enable MultiBuffer-based TLS encryption and decryption performance optimization, configure the related parameters, and then click Submit. MultiBuffer
Note To enable Multi-Buffer for a pod, the Istio version of your ASM instance must be 1.14.3 or later. For more information about how to update an ASM instance, see Update an ASM instance.

FAQ

What happens if Multi-Buffer is enabled on the control plane, but the nodes in the data-plane Kubernetes cluster do not support Intel Ice Lake?

Alert logs are generated from Envoy, and Multi-Buffer does not take effect. Alert logs

ASM instances whose type is the Enterprise Edition or Ultimate Edition and Istio version is 1.10 or later can automatically determine whether TLS acceleration takes effect when TLS acceleration is enabled. If the node to which the service or gateway pod is scheduled does not support Intel Ice Lake, ASM does not deliver the corresponding acceleration configuration to the node. In this case, TLS acceleration does not take effect.

How do I add a node that supports Multi-Buffer to a Kubernetes cluster and enable Multi-Buffer?

  1. Add a node that supports Intel Ice Lake to the Kubernetes cluster. For more information, see Add existing ECS instances to an ACK cluster.
  2. Add the multibuffer-support:true label to the newly added node. For more information, see Manage node labels.
  3. Add the following content to the YAML file of the ingress gateway. For more information, see Modify an ingress gateway service.

    After you add the node affinity, the ingress gateway pod is scheduled to the newly-added node that supports Multi-Buffer. 

    affinity:
    nodeAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
        - preference:
            matchExpressions:
              - key: feature.node.kubernetes.io/mb-feature-enabled
                operator: In
                values:
                  - 'true'
          weight: 1
  4. Enable Multi-Buffer for the ASM instance. For more information, see the Enable Multi-Buffer for an ASM instance section.

    After you enable Multi-Buffer for the ASM instance, the newly-added node can use Multi-Buffer to accelerate TLS processing.