This topic describes the release notes for Alibaba Cloud Service Mesh (ASM) and provides links to the relevant references.

March 2022

| Feature | Description | Region | References |
| --- | --- | --- | --- |
| Commercial release | ASM is commercially released on April 1, 2022 and provides the following commercial editions: Enterprise Edition and Ultimate Edition. | All | Billing |
| OPA injection scope control | ASM allows you to control the injection scope of Open Policy Agent (OPA) by using the opa-istio-injection label of a namespace. This decouples OPA from the automatic injection policy of Istio-proxy, and allows you to control the effective scope of OPA. | All | None |
| Domain name and certificate management | ASM allows you to use cert-manager to issue certificates for ASM gateways. This way, you can use the ASM gateways to access services over HTTPS. This ensures data transmission security. | All | Use cert-manager to manage certificates for ASM gateways |
| Updated Envoy filter marketplace | ASM allows you to bind Envoy filter templates to workloads to implement custom Envoy filter extensions. The following built-in templates are provided. You can also customize Envoy filter templates.<br>• Template that supports Spring Cloud services<br>• Template that adds the HTTP body to access logs<br>• Template that retains the case of request and response headers<br>• Template that sets the allow_connect parameter to true to allow updated protocol connections<br>• Template that adds request header information to response headers<br>• Template that adds HTTP response headers | All | None |

February 2022

| Feature | Description | Region | References |
| --- | --- | --- | --- |
| Istio 1.12 and Kubernetes 1.22 | Istio 1.12 and Kubernetes 1.22 are supported. | All | None |
| Envoy filter template | A plug-in center is added to the ASM console, in which Envoy filters can be managed. In addition, Envoy filters can be created by using Envoy filter templates. | All | Manage Envoy filters |
| Local throttling | The local throttling feature is supported in ASM to throttle the traffic of gateways and services so as to protect the system. | All | None |

January 2022

| Feature | Description | Region | References |
| --- | --- | --- | --- |
| ASM gateway update | • ASM gateway details and configuration modification pages are added.<br>• ASM gateways can be associated with upstream services, and traffic policies can be created. | All | None |
| Enhanced ASM Professional Edition features | • Server Load Balancer (SLB) traffic is lossless when ASM gateway replica instances are offline.<br>• Gateways can be deployed on models that support Multi-Buffer for Transport Layer Security (TLS) acceleration. | All | None |
| Spring Cloud services | Spring Cloud services can be managed by using ASM. | All | Manage Spring Cloud services |
| New region | ASM is available in the China (Guangzhou), China (Hohhot), China (Heyuan), and India (Mumbai) regions. | All | None |
| Istio 1.11.5 | Istio 1.11.5 is supported. | All | None |

December 2021

| Feature | Description | Region | References |
| --- | --- | --- | --- |
| Flexible external authorization | External authorization services can be declared in meshes, and external authorization can be flexibly customized by using authorization policies. | All | Enable external authorization in ASM |
| Sidecar resources automatically recommended based on access log analysis | Sidecar resources can be automatically recommended based on access log analysis. This way, the sidecars of workloads focus only on the services that have dependency relationships with the workloads. | All | Use the sidecars that are automatically recommended based on access log analysis |
| Global and namespace-level sidecar proxies | Global and namespace-level sidecar proxies can be configured in ASM. | All | Configure namespace-level sidecar proxies |
| Custom metrics | Custom metrics are supported in ASM. You can customize metrics for a specified ASM instance, namespace, or workload. | All | None |
| Dashboards for scenarios such as gateway and global mesh status monitoring | Dashboards can be added to monitor items such as gateways or global mesh status. On the details page of a mesh, choose Observability Management > Prometheus Monitoring in the left-side navigation pane. Then, you can add the dashboards on the Prometheus Monitoring page.<br>Notice: Only Istio 1.10 and later support this feature. | All | None |
| Istio 1.10.5 | Istio 1.10.5 is supported. | All | None |

November 2021

| Feature | Description | Region | References |
| --- | --- | --- | --- |
| Multi-Buffer for TLS acceleration | Intel Multi-Buffer can be used to optimize the performance of TLS encryption and decryption. This way, encrypted communication between services can be accelerated. | All | Enable Multi-Buffer for TLS acceleration |
| Selective service discovery | Mesh administrators are allowed to modify global mesh configurations to optimize service discovery. This way, the control plane needs to only discover and process the services in the specified namespace. | All | Use selective service discovery to improve the configuration push efficiency of the control plane |
| Improved gateway updates | In the ASM console, the versions of ASM gateways can be viewed and ASM gateways can be manually updated on the gateway update page. This improves gateway stability during updates. | All | None |
| Detailed gateway and data plane logs | The log center feature is integrated into the observability management page of the ASM console. This allows you to view detailed gateway and data plane logs. | All | None |
| Check item for Envoy filters that are not provided by ASM on the control plane | A check item is provided by the mesh diagnostics feature. This check item allows you to check whether the control plane contains Envoy filters that are not provided by ASM. | All | None |

October 2021

| Feature | Description | Region | References |
| --- | --- | --- | --- |
| Rollback of Istio resources to previous versions | Istio resources can be rolled back to previous versions. When you update fields in the spec block of an Istio resource, ASM records the resource version before the update. ASM stores up to five latest versions. You can roll back an Istio resource to a previous version to meet your business needs. | All | Roll back an Istio resource to an earlier version |
| Support for the Kubernetes API of clusters on the data plane to access Istio resources | The Kubernetes API of clusters on the data plane is allowed to access ASM-managed Istio resources. You can use the kubeconfig file to install, update, and uninstall Helm packages, such as Istio resources. | All | Use the Kubernetes API of clusters on the data plane to access Istio resources |
| Cross-region failover and load balancing | The cross-region traffic distribution feature is supported to implement cross-region load balancing by routing traffic to multiple clusters based on their weights. The cross-region failover feature is also supported to implement cross-region disaster recovery by transferring traffic from a faulty region to another region. | All | Use ASM to implement cross-region disaster recovery and load balancing |
| Control-plane log collection and alerting | The control-plane log collection and alerting features are supported. For example, if the control plane pushes configurations to the sidecar proxies on the data plane, you can query the logs of the ASM instance for information about the operation. | All | Enable collection of control plane logs and control plane alerting |
| Progressive release of applications | ASM is integrated with KubeVela to implement progressive releases for applications. This allows you to release updated applications in a gradual manner. | All | Use ASM and KubeVela to implement a progressive release |
| Prometheus monitoring | ASM is integrated with Prometheus to allow you to view the statistics of data-plane services and workloads in the ASM console. | All | None |
| Optimized ASM gateways | • The Create ASM Gateways page is optimized to improve user experience.<br>You can select a gateway type and specify the number of gateway instances when you create an ASM gateway.<br>• By default, horizontal pod autoscaling (HPA) is disabled. You can configure a Horizontal Pod Autoscaler for an ASM Professional Edition instance based on custom metrics including CPU and memory.<br>• By default, syntax checking is enabled to ensure the accuracy of the definition of Istio gateways. | All | None |
| Optimized access log collection feature | The access log collection feature is optimized. You can create new projects and use existing projects. | All | None |

September 2021

| Feature | Description | Region | References |
| --- | --- | --- | --- |
| asmctl command line tool available for use | The asmctl diagnostics tool is provided to detect configuration problems in ASM. | All | |
| OPA policy | OPA policies can be configured in the ASM console. | All | Use OPA to implement fine-grained access control in ASM |
| Role-based access control (RBAC) permissions | RAM users are allowed to grant each other RBAC permissions. | All | None |
| Custom access logs | The access logging feature can be configured and customized. ASM allows you to enable or disable the feature and customize the content of access logs on the data plane. | All | Customize access logs on the data plane |
| Cross-origin resource sharing (CORS) | CORS is supported. You can set the corsPolicy field in the virtual service that is defined for a service to allow cross-origin requests that are initiated to the service and enable CORS. | All | Implement CORS in ASM |
| GUI for destination rules and gateways | Destination rules and gateways can be created by using a GUI. | All | None |

August 2021

| Feature | Description | Region | References |
| --- | --- | --- | --- |
| Zero-trust security capabilities | Multiple zero-trust security capabilities are supported, such as peer authentication, request authentication, Istio authorization policies, and OPA-based fine-grained permission control. You can use these capabilities to strengthen the security of applications. | All | None |
| Optimized ASM gateways | ASM gateways are optimized in the following ways:<br>• Custom host networks and Domain Name System (DNS) policies are supported.<br>• Rolling updates are supported in ASM Professional Edition. The rolling update feature allows you to perform scaling without interrupting the traffic of online business.<br>• High availability is supported for ASM gateways.<br>• Custom access logs are supported. | All | |
| Optimized ASM console | The ASM console is optimized. For example, security policies and virtual services can be created by using a GUI, custom resources can be created by using YAML templates, and the page for configuring automatic sidecar injection is optimized. | All | Enable automatic sidecar injection by using multiple methods |
| Optimized ASM observability | • Kiali for ASM is updated to V1.34.<br>• The metrics of Prometheus Service are obtained by Kiali for ASM over the internal network. Before this feature update, the metrics are obtained over the Internet.<br>• The logs of an ingress gateway service are collected only by the Logstore that is specified for the ingress gateway service. Logstores that are used to collect the logs of sidecar proxies no longer collect the logs of ingress gateway services.<br>• The observability dashboards are optimized to fix the issue that dashboards display null values. The dashboards provide you with data such as top 10 provinces or cities with the most access traffic and top visitors by URL or IP address. | All | |

July 2021

| Feature | Description | Region | References |
| --- | --- | --- | --- |
| Connection to one or more Consul service registries | ASM can be connected to one or more Consul service registries. | All | Connect to Consul |
| Dynamic update of OPA policies | The authorization mechanism of ASM is improved to support the dynamic update of OPA policies. | All | Dynamically update OPA policies in ASM |
| Addition of VMs to ASM instances | VMs can be added to ASM instances. | All | |

June 2021

| Feature | Description | Region | References |
| --- | --- | --- | --- |
| Governance of applications deployed on edge Kubernetes clusters in ASM instances | Edge Kubernetes clusters that are provided by Container Service for Kubernetes (ACK) can be added to ASM instances. This allows you to manage ASM instances in edge computing scenarios that are powered by 5G networks. After this feature update, ASM provides unified governance for services that are deployed on all types of cloud-native heterogeneous computing infrastructure. | All | None |
| Five check items added to the mesh diagnostics feature of ASM | The following five check items are added to the mesh diagnostics feature of ASM:<br>• Check whether the istio-injection parameter is set to the same value for the namespaces on the data plane and control plane.<br>• Check whether a port under 1024 can be used in the pod of a gateway.<br>• Check whether the namespace of a destination rule is valid.<br>• Check whether the type of the secret of the TLS certificate that is referenced by a gateway is valid.<br>• Check whether the secret of the TLS certificate that is referenced by a gateway exists. | All | Diagnose ASM instances |

May 2021

| Feature | Description | Region | References |
| --- | --- | --- | --- |
| Canary releases based on routing rules | Canary releases can be implemented based on routing rules. Scope configurations are extended custom resource definitions (CRDs). ASM Professional Edition instances allow you to use scope configurations to implement canary releases for pods by using virtual services or Envoy filters. You can use a scope configuration to configure a canary release in one of the following modes:<br>• Selector mode: To use this mode, you must add labels to one or more pods. Then, you can use a scope configuration to apply a rule to route traffic to specific pods based on the specified label information.<br>• RollingUpdate mode: In this mode, you can apply a rule to route traffic to pods by batch. Istio divides pods into batches as specified and then applies a rule to route traffic to the pods in batches.<br>You can use scope configurations to control the risks that are brought by changes in routing rules. You can also use scope configurations and Microservice Engine (MSE) to implement canary releases. | All | This feature is discontinued. |

April 2021

| Feature | Description | Region | References |
| --- | --- | --- | --- |
| Delegate capabilities to configure virtual services in an ASM instance | Delegates are introduced to manage routing rules in a finer-grained manner. This reduces risks brought by changes in routing rules. | All | Use delegates to configure virtual services in an ASM instance |
| Gzip-based data compression | Gzip-based data compression is supported. After you enable data compression for the ingress gateway service of an ASM instance, the server compresses the response content for HTTP requests. This reduces response time and your traffic usage. | All | Enable data compression for the ingress gateway service of an ASM instance |
| WebAssembly (Wasm)-based ASM instance extension | Wasm allows you to extend the data plane of an ASM instance with new features. Wasm-based ASM instance extension can be enabled in the ASM console. | All | Use ORAS to simplify Wasm-based ASM instance extension |

March 2021

| Feature | Description | Region | References |
| --- | --- | --- | --- |
| DNS proxy feature | The DNS proxy feature is supported. ASM uses Kubernetes services and defined service entries to configure hostname-to-IP-address mappings for all services that an application may access. When an ASM instance with the DNS proxy feature enabled receives DNS queries from applications, the specified sidecar proxy transparently intercepts the queries and resolves the DNS information in these queries.<br>The DNS proxy feature improves the performance and availability of ASM instances. You can enable or disable the feature in the ASM console or by using Alibaba Cloud CLI. | All | Enable the DNS proxy feature for an ASM instance |
| Modification of kernel parameters | The kernel parameters of ingress gateway services can be modified. This improves the flexibility in optimizing the performance of ingress gateway services. | All | Modify an ingress gateway service |
| Read-only configurations | By default, the read-only mode is enabled for the configurations of the API servers and SLB instances that are created in ASM. This prevents accidental operations, such as modification and deletion, on API servers or SLB instances, and improves the availability of ASM. | All | None |
| Unified settings of automatic sidecar injection | The automatic sidecar injection settings for the namespaces of the control plane can be automatically unified with those for the namespaces of the data plane. This improves the usability of namespaces. If you add a Kubernetes cluster to an ASM instance, the automatic sidecar injection settings for the namespace of the ASM instance are automatically unified with those for the namespace of the Kubernetes cluster. You can also manually unify the settings of automatic sidecar injection in the ASM console. | All | None |

February 2021

| Feature | Description | Region | References |
| --- | --- | --- | --- |
| Availability in 12 regions, Istio 1.8.3, serverless Kubernetes clusters, and applications in Elastic Container Instance (ECI) pods that run on the Kubernetes clusters that are deployed on elastic container instances | • ASM is updated to support Istio 1.8.3.<br>• ASM supports serverless Kubernetes clusters and applications in ECI pods that run on the Kubernetes clusters that are deployed on elastic container instances.<br>• The service-linked role for ASM is supported. This improves the usability and compatibility of ASM.<br>• ASM is available in 12 regions. | All | |
| Custom ingress gateway services and better lifecycle management of ingress gateway services | • A custom ingress gateway service can be created by using a CRD.<br>• TLS pass-through and Secret Discovery Service (SDS) are supported to improve the security of Istio gateways. | All | Define a custom ingress gateway service |
| Connection to multiple service registries | • The connection to the Nacos service registry is supported. This allows you to migrate microservices in the Nacos service registry to ASM.<br>• The connection to the Consul service registry is supported. This allows you to migrate microservices in the Consul service registry to ASM. | All | Connect to Consul |
| Simplified Wasm-based ASM instance extension | OCI Registry as Storage (ORAS) is supported. You can use ORAS to simplify Wasm-based ASM instance extension. | All | Use ORAS to simplify Wasm-based ASM instance extension |

January 2021

| Feature | Description | Region | References |
| --- | --- | --- | --- |
| New region | ASM is available in the China (Chengdu) region on the China site (aliyun.com) and the US (Virginia) region on the International site (alibabacloud.com). | All | None |
| Access log collection, Prometheus monitoring, and Kiali for ASM | The access log collection, Prometheus monitoring, and Kiali for ASM features can be enabled in a few simple steps. This improves the observability of ASM. | All | |
| HTTP/1.0 | HTTP/1.0 is supported. By default, Envoy requires that upstream services use HTTP/1.1 or HTTP/2.0. In this version, ASM allows you to enable HTTP/1.0 in just a few simple steps so that you can ensure compatibility with legacy systems that use HTTP/1.0. | All | None |
| Improved definition of ingress gateway services and optimized configuration and version updates | • The definition of ingress gateway services is improved. The nodeSelector configuration is supported. The use of annotations to configure SLB is standardized for ingress gateway services.<br>• The configuration update of ASM instances and the version update are optimized to reduce waiting duration and improve user experience.<br>• The verification feature of Envoy filters is enhanced. | All | None |

November 2020

| Feature | Description | Region | References |
| --- | --- | --- | --- |
| Istio 1.7.5 and availability on the International site (alibabacloud.com) | Istio 1.7.5 is supported. ASM is available on the International site (alibabacloud.com). | All | None |
| Istio CNI plug-in | The Istio CNI plug-in is supported for ASM instances whose Istio version is 1.7 or later. The Istio CNI plug-in replaces the istio-init container and does not require you to enable elevated privileges. This improves security. | All | Due to conflicts with other CNI plugins, this feature is phased out and needs to be re-evaluated. |
| Kiali for ASM | Kiali for ASM is supported. This tool provides a web-based GUI that allows you to observe the status of ASM instances. | All | None |
| Hot update of data planes (Beta) | Hot updates of data planes are supported. You can update the data plane of an ASM instance without interrupting services or affecting applications. | All | Upgrade the data plane of an ASM instance without service interruption (Beta) |

October 2020

| Feature | Description | Region | References |
| --- | --- | --- | --- |
| Multiple methods of enabling automatic sidecar injection | The following methods are supported for enabling automatic sidecar injection:<br>Note: The Istio version of ASM instances must be 1.6.8.19 or later.<br>• Enable automatic sidecar injection for all namespaces.<br>• Use pod annotations to enable automatic sidecar injection.<br>• Enable or disable automatic sidecar injection by setting the alwaysInjectSelector or neverInjectSelector parameter in specific scenarios. | All | Enable automatic sidecar injection by using multiple methods |
| Kubernetes 1.18 | Kubernetes 1.18 is supported on the data planes of ASM instances. This feature is applicable to all supported versions of Kubernetes clusters.<br>Note: The Istio version of ASM instances must be 1.6.8.19 or later. | All | None |

September 2020

| Feature | Description | Region | References |
| --- | --- | --- | --- |
| Istio 1.6.8 | Istio 1.6.8 is supported. In addition to dedicated Kubernetes clusters, managed Kubernetes clusters, registered external clusters, elastic container instances, and Elastic Compute Service (ECS) instances, ASM also supports serverless Kubernetes clusters and ACK clusters that are deployed on elastic container instances. | All | None |
| Enhanced Telemetry V2 Mixerless | Telemetry V2 Mixerless is enhanced to collect telemetry data without the need to use Mixer. ASM automatically adjusts the traffic to the workloads based on the collected telemetry data. | All | Implement auto scaling for workloads by using ASM metrics |
| Mesh diagnostics | Mesh diagnostics is supported. You can diagnose ASM instances based on the following items: the versions of data planes, service ports, applications in ASM instances, labels of applications and versions, destination addresses, and virtual service conflicts. This helps you use and manage your ASM instances. | All | Diagnose ASM instances |

August 2020

| Feature | Description | Region | References |
| --- | --- | --- | --- |
| Cluster domain | A cluster domain can be specified when you create an ASM instance. The default cluster domain is cluster.local. Only Kubernetes clusters that share the same cluster domain can be added to the ASM instance. | All | None |
| Non-containerized applications on VMs | Non-containerized applications on VMs can be added to ASM instances. This way, you can throttle traffic for non-containerized and containerized applications at the same time. | All | Use ASM to manage non-containerized applications |
| Serverless Kubernetes clusters on elastic container instances | Serverless Kubernetes clusters that are deployed on elastic container instances are supported. You can use ASM to throttle traffic for the workloads of elastic container instances in a centralized manner. | All | None |

July 2020

| Feature | Description | Region | References |
| --- | --- | --- | --- |
| Available for commercial use | ASM is available for commercial use. ASM is a fully managed platform for service meshes and is compatible with the open source Istio service mesh. ASM allows you to manage services in a simplified manner and helps reduce your development and O&M costs. For example, you can use ASM to route and split inter-service traffic, secure inter-service communication based on authentication, and observe the behavior of services in meshes. ASM builds managed and unified service mesh capabilities in core scenarios, such as hybrid cloud, multi-cloud, multi-cluster, and non-containerized application migration. ASM provides you with the following benefits:<br>• Centralized management mode<br>• Centralized traffic throttling<br>• Managed core components of control planes<br>ASM is a free service. When you use ASM, you need to pay only for associated services, such as ACK, SLB, and Log Service. | China (Beijing), China (Hangzhou), China (Zhangjiakou), China (Shanghai), China (Shenzhen), Indonesia (Jakarta), and Germany (Frankfurt) | None |
| Tracing data export from ASM to user-created systems | Tracing data can be exported. After you enable tracing for an ASM instance, you can export the tracing data to Tracing Analysis or a user-created system that is compatible with Zipkin. | All | Export tracing data from ASM to a self-managed system |
| Registered external clusters | Registered external clusters are supported. You can use ASM to manage applications in external Kubernetes clusters that are registered in the ACK console. | All | Use ASM to manage applications in registered external Kubernetes clusters |