An ASM ingress gateway provides a unified entry point for external traffic to reach applications in a Kubernetes cluster. It performs Layer 7 load balancing, routing requests to backend services based on HTTP properties such as the URL path or host header. Deploy an ingress gateway to control how Internet or internal network traffic enters your service mesh.
Prerequisites
Choose a service type
The service type determines how external traffic reaches the ingress gateway. ASM supports three Kubernetes service types:
| Service type | Traffic access | Use when |
|---|---|---|
| LoadBalancer | Internet or internal network through an NLB or CLB instance | Production workloads that need a stable external or internal IP address. Most common choice. |
| ClusterIP | Cluster-internal only | The gateway is fronted by a separately managed proxy, or only cluster-internal access is needed. |
| NodePort | Node IP and a static port | Load balancer provisioning is unavailable, or direct node-level access is required. |
For more information about Kubernetes service types, see Service.
If your data plane cluster is a registered cluster and you select LoadBalancer, make sure the cluster supports LoadBalancer services. Otherwise, gateway creation fails.
Create the ingress gateway
Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.
On the Ingress Gateway page, click Create.
Note: To define the gateway as YAML instead of using the form, click Create from YAML. For the YAML field reference, see Manage the ingress gateway using KubeAPI.
Configure the basic parameters.
| Parameter | Description |
|---|---|
| Name | A name for the ingress gateway. |
| Cluster | The cluster in which to deploy the gateway. |
| Service Type | Select LoadBalancer, ClusterIP, or NodePort. See Choose a service type. |
| NLB/CLB | Displayed when Service Type is LoadBalancer. Select Internet Access or Private Access. |
| Create LoadBalancer Instance | Displayed when Service Type is LoadBalancer. See Configure the load balancer. |
| Port Mapping | Set the Protocol and Service Port. The console provides two default ports commonly used by Istio. Customize as needed. |
| Resources Limits | CPU and memory limits for the gateway pod. |
| Gateway instances | Number of gateway replicas. |
(Optional) Click Advanced Options to configure additional settings. See Advanced options.
Click Create.
Verify the result
After the gateway status changes to Running, the ingress gateway is ready. The Service address field shows the gateway IP address.
Configure the load balancer
When Service Type is LoadBalancer, choose one of the following options:
Create a new load balancer instance
CLB: Select a specification from the Select CLB Specifications drop-down list.
NLB: Select virtual switches in at least two zones from the Select Zones for NLB Instance drop-down list.
Use an existing load balancer instance
Select an instance from the list of existing Server Load Balancer instances.
Assign a dedicated Server Load Balancer instance to each Kubernetes service. Sharing an instance across services introduces the following risks:
Existing listeners are overwritten when the service binds to the instance, potentially making applications inaccessible.
Server Load Balancer instances created automatically by a Kubernetes Service cannot be reused. Only instances that you created manually in the console or through an API can be reused.
Services sharing the same instance must not use the same frontend listener port. Port conflicts cause service failures.
Do not rename listeners or vServer groups. Kubernetes uses their names as unique identifiers.
An instance cannot be reused across clusters or regions.
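A check for the shared-instance risks listed above, as an added example that is not part of the original documentation: it scans Service objects for load balancer instances bound to more than one Service and for clashing frontend listener ports. The annotation key and the sample Services are assumptions; the page does not name them.

```python
import json
from collections import defaultdict

# Assumption: annotation the ACK cloud controller manager reads to bind a
# Service to an existing load balancer instance (not stated on this page).
LB_ID = "service.beta.kubernetes.io/alibaba-cloud-loadbalancer-id"

def _svc(ns, name, svc_type, ports, lb=None):
    """Build one constructed Service object for the sample below."""
    return {"metadata": {"namespace": ns, "name": name,
                         "annotations": {LB_ID: lb} if lb else {}},
            "spec": {"type": svc_type,
                     "ports": [{"port": p, "protocol": "TCP"} for p in ports]}}

# Constructed sample shaped like `kubectl get svc -A -o json`; names and
# instance IDs are placeholders.
SAMPLE = json.dumps({"items": [
    _svc("istio-system", "istio-ingressgateway", "LoadBalancer", [80, 443], "lb-placeholder-a"),
    _svc("default", "legacy-web", "LoadBalancer", [443, 8443], "lb-placeholder-a"),
    _svc("istio-system", "internal-gateway", "LoadBalancer", [80], "lb-placeholder-b"),
    _svc("default", "backend", "ClusterIP", [8080]),
]})

def audit_shared_load_balancers(svc_list_json):
    """Report load balancer instances bound to more than one Service."""
    by_instance = defaultdict(list)
    for item in json.loads(svc_list_json).get("items", []):
        meta, spec = item["metadata"], item.get("spec", {})
        lb = (meta.get("annotations") or {}).get(LB_ID)
        if spec.get("type") != "LoadBalancer" or not lb:
            continue  # only Services bound to an existing instance matter
        ports = sorted((p.get("protocol", "TCP"), p["port"]) for p in spec.get("ports", []))
        by_instance[lb].append((f'{meta["namespace"]}/{meta["name"]}', ports))

    findings = []
    for lb, users in sorted(by_instance.items()):
        if len(users) < 2:
            continue
        findings.append({"kind": "shared-instance", "instance": lb,
                         "services": [name for name, _ in users]})
        owner = {}  # (protocol, port) -> first Service that claimed it
        for name, ports in users:
            for key in ports:
                if key in owner:
                    findings.append({"kind": "port-conflict", "instance": lb,
                                     "listener": key, "services": [owner[key], name]})
                owner.setdefault(key, name)
    return findings

if __name__ == "__main__":
    for finding in audit_shared_load_balancers(SAMPLE):
        print(finding)
```

Feed it the real output of `kubectl get svc -A -o json` to run the same check against a cluster before binding a gateway to an existing instance.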
Advanced options
| Parameter | Description |
|---|---|
| External Traffic Policy | Controls how external traffic is distributed. Local: routes traffic only to pods on the node where the gateway runs and preserves the client source IP. Cluster: allows traffic to reach pods on any node in the cluster. |
| HPA | Enables the Horizontal Pod Autoscaler. Configure Monitoring items, Threshold, Maximum replicas, and Minimum number of replicas. When both CPU and memory thresholds are set, exceeding either threshold triggers scaling. Enterprise and Ultimate editions only. |
| Rolling Upgrade | Controls pod replacement during upgrades. Maximum number of unavailable: how many replicas can be down simultaneously. Exceeding the desired number of instances: how many extra replicas are allowed (for example, 25% means up to 125% of the desired count). |
| Enable MultiBuffer-based TLS encryption and decryption performance optimization | Accelerates TLS processing using Multi-Buffer. Configure supported nodeaffinity to select target node labels and Poll Delay(ms) to reduce processing latency. For details, see Configuration item description. Enterprise and Ultimate editions only. |
| Deploy ASM Gateway replicas as widely as possible | Sets podAntiAffinity to spread replicas across different nodes for higher availability. |
| Custom Deployment Policy | Specify nodeSelector, tolerations, and affinity fields for fine-grained pod scheduling. For the full field reference, see ASM gateway CRD description. |
| Graceful Shutdown | Prevents traffic disruption when a pod is removed from the load balancer backend. Set Connection timeout (seconds) to give in-flight requests time to complete. The default graceful shutdown period is 30 seconds; the load balancer timeout must not exceed this value. Enterprise and Ultimate editions only. |
Manage the ingress gateway
Edit or view gateway details
Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
Click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.
Find the target gateway and perform one of the following actions:
Click View Details to view or modify gateway settings through the form.
Click Edit YAML to modify the gateway CRD directly. For the field reference, see ASM gateway CRD description.
Delete an ingress gateway
Deleting an ingress gateway permanently removes it. External traffic can no longer reach services through this gateway. To restore access, create a new ingress gateway.
On the Ingress Gateway page, find the target gateway and click Delete.
In the Submit dialog box, click OK.
View the ingress gateway in the ACK console
View service information
Log on to the ACK console. In the left-side navigation pane, click Clusters.
Click the name of the target cluster. In the left-side navigation pane, choose Network > Services.
Select istio-system from the Namespace drop-down list.
The External IP column shows the ingress gateway IP address.
View pod information
Log on to the ACK console. In the left-side navigation pane, click Clusters.
Click the name of the target cluster. In the left-side navigation pane, choose Workloads > Pods.
Select istio-system from the Namespace drop-down list.
Click the target pod to view details about the ingress gateway pod.
What's next
Create an egress gateway -- Provide centralized outbound traffic control for applications in the mesh.
Route traffic to different service versions -- Set up canary releases and A/B testing with Istio routing rules.
View mesh topology -- Visualize call relationships and traffic flows across services.
ASM gateways overview -- Explore the full set of gateway features.
CreateASMGateway API -- Create an ingress gateway programmatically.