Deploy an ingress gateway service

To allow Internet access to an application in an Alibaba Cloud Service Mesh (ASM) instance, you must deploy an ingress gateway service in the cluster in which the application resides. This topic describes how to deploy an ingress gateway service in a Container Service for Kubernetes (ACK) cluster that is added to an ASM instance.

1. Log on to the ASM console.
2. In the left-side navigation pane, choose Service Mesh > Mesh Management.
3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.
4. On the details page of the ASM instance, click ASM Gateways in the left-side navigation pane. On the ASM Gateways page, click Create.
5. On the Create page, configure the basic information about the ingress gateway service.
   Note You can also click Create from YAML and define a custom ingress gateway service. For more information, see Define a custom ingress gateway service.

   Parameter	Description
   Name	The name of the ingress gateway service.
   Cluster	The cluster in which you want to deploy the ingress gateway service.
   Gateway types	The type of the ingress gateway service. Valid values: North-South IngressGateway and North-South EgressGateway.
   SLB Instance Type	The access type of the Server Load Balancer (SLB) instance. Valid values: Internet Access and Private Access.
   Create SLB Instance or Use Existing SLB Instance	The SLB instance that you want to use. You can select an SLB instance by using one of the following methods: Use Existing SLB Instance: Select an existing SLB instance from the drop-down list. Create SLB Instance: Click Create SLB Instance and select an SLB instance type from the drop-down list. Note We recommend that you assign a dedicated SLB instance to each Kubernetes Service in the cluster. If multiple Kubernetes Services share the same SLB instance, the following risks and limits exist: If you assign a Kubernetes Service with an SLB instance that is used by another Kubernetes Service, the existing listeners of the SLB instance are forcibly overwritten. This may interrupt the original Kubernetes Service and make your application unavailable. If you create an SLB instance when you create a Kubernetes Service, the SLB instance cannot be shared among Kubernetes Services. Only SLB instances that you create in the SLB console or by calling API operations can be shared. Kubernetes Services that share the same SLB instance must use different frontend listening ports. Otherwise, port conflicts may occur. If multiple Kubernetes Services share the same SLB instance, you must use the listener names and the vServer group names as unique identifiers in Kubernetes. Do not modify the names of listeners or vServer groups. You cannot share an SLB instance across clusters or regions.
   Port Mapping	The port mappings. Click Add Port. In the row that appears, specify a service port. Note ASM provides four default ports that are commonly used by Istio. You can keep or remove the default ports or add ports as needed.
   Resources Limits	The CPU and memory specifications for the pod of the ingress gateway service.
   Gateway instances	The number of replicas for the ingress gateway service.
   Automatic create gateway rules	Specifies whether to automatically create a gateway that has the same name as the ingress gateway service.

6. Optional: Click Advanced Options and set the parameters that are described in the following table as needed.

   Parameter	Description
   External Traffic Policy	The policy to distribute external traffic. Valid values: Local: This policy routes traffic only to pods on the node where the ingress gateway service is deployed. Cluster: This policy can route traffic to pods on other nodes in the cluster.
   HPA	Select HPA and set the following parameters: Note Only ASM Commercial Edition (Professional Edition) supports this feature. metrics: Set the Monitoring items and Threshold parameters. If the metric value exceeds the specified threshold, the number of replicas increases for the ingress gateway service. If the metric value is below the specified threshold, the number of replicas decreases for the ingress gateway service. If you specify thresholds for the CPU and memory specifications, both thresholds take effect. In this case, if the CPU utilization or memory usage exceeds or is below the specified threshold, the number of replicas is resized accordingly. Maximum replicas: the maximum number of replicas that can be resized for the ingress gateway service. Minimum number of replicas: the minimum number of replicas that can be resized for the ingress gateway service.
   Rolling Upgrade	Select Rolling Upgrade and set the following parameters: Maximum number of unavailable instances: the maximum number of unavailable replicas during a rolling update. Exceeding the desired number of instances: the maximum number of replicas that exceeds the expected number of replicas during a rolling update. For example, if you set this parameter to 25%, the number of replicas during a rolling update cannot exceed 125% of the original number of replicas.
   TLS performance optimization	Specifies whether to enable the Transport Layer Security (TLS) performance optimization feature. This feature speeds up TLS encryption and decryption. Select TLS performance optimization and select nodeAffinity labels to match the nodes with optimized performance based on the labels. Note Only ASM Commercial Edition (Professional Edition) supports this feature. You must also enable the Multi-Buffer for TLS acceleration feature.
   SLB graceful offline	After you select SLB graceful offline, the ingress gateway service is not affected if the SLB instance becomes unavailable. Note Only ASM Commercial Edition (Professional Edition) supports this feature.

7. Click Create.