This topic describes the release notes for Alibaba Cloud Service Mesh (ASM) and provides links to the relevant references.

May 2022

| Feature | Description | Region | References |
| --- | --- | --- | --- |
| Terraform for managing ASM instances | ASM allows you to use Terraform to create and update ASM instances and grant permissions to RAM users. | All regions | Use Terraform to manage ASM instances |
| Istio 1.12.4 | The service management module is added to help you manage services and configure policies in an efficient manner. Kiali for ASM can be used to observe ASM instances. Kiali for ASM provides a GUI that allows you to view services and configurations. | All regions | None |
| Istio Container Network Interface (CNI) plug-in | ASM allows you to use the CNI plug-in to configure pod traffic redirection in the network setup phase of the pod lifecycle. If the CNI plug-in is enabled, pods no longer need to include an init container that requires the NET_ADMIN capability. This improves security for ASM. | All regions | None |
| Configuration of a sidecar proxy by adding resource annotations | ASM allows you to modify a sidecar proxy by adding resource annotations. You can modify the configurations of a sidecar proxy at the global, namespace, and workload levels. This allows you to implement more flexible and fine-grained management of sidecar proxies. | All regions | Configure a sidecar proxy by adding resource annotations |
| Enhanced mesh diagnosis capabilities | ASM allows you to diagnose ASM instances based on more items. This helps you identify more types of exceptions and locate the exceptions in an efficient manner. | All regions | Diagnose ASM instances |
| Enhanced observability | ASM provides a unified dashboard for viewing monitoring logs, enhances Prometheus monitoring, and optimizes Kiali for ASM to display the topology of ASM instances. | All regions | Enable Kiali for ASM to observe an ASM instance in the ASM console |

April 2022

| Feature | Description | Region | References |
| --- | --- | --- | --- |
| Commercial release | ASM is commercially released on April 1, 2022, and provides the following commercial editions: Enterprise Edition and Ultimate Edition. | All regions | Billing |
| Envoy filter marketplace | ASM provides Envoy filter templates and allows you to bind Envoy filter templates to workloads to implement custom Envoy filter extensions. | All regions | Manage Envoy filters |
| Association or disassociation of an elastic IP address (EIP) with or from the API server | ASM can generate a public endpoint for the API server after an EIP is associated with the internal-facing SLB instance configured for the API server. You can disassociate the EIP from the API server and associate a new EIP with the API server. | All regions | None |
| Multiple enhanced capabilities of ASM gateways | ASM gateways support graceful shutdown of Server Load Balancer (SLB) connections, IPv6 addresses, certificate management, and multiple O&M and management capabilities. For example, you can retain the SLB instance of an ASM instance after the ASM instance is deleted, obtain the originating IP addresses of clients that access an ASM gateway, and use SLB instances with different specifications to expose an ASM gateway. | All regions |  |
| Multiple enhanced security capabilities | • A role-based access control (RBAC) role can be used to implement fine-grained control over mesh management permissions. You can view the users that are authorized to access an ASM instance on the Authorization Information page after you access the details page of the ASM instance. • The external authorization capability is enhanced. A header can be overwritten if access requests pass or fail to pass the authentication by an HTTP-based external authorization service. • Refined Resource Access Management (RAM) authorization is supported to meet the diverse authorization requirements of users. | All regions |  |
| Enhanced O&M capabilities | The ASM console can detect the alert rules that you configure for the SLB instance for exposing Istio Pilot. You can navigate to the monitoring page of the SLB instance for exposing Istio Pilot from the ASM console. | All regions | None |

March 2022

| Feature | Description | Region | References |
| --- | --- | --- | --- |
| OPA injection scope control | ASM allows you to control the injection scope of Open Policy Agent (OPA) by using the opa-istio-injection label of a namespace. This decouples OPA from the automatic injection policy of Istio-proxy, and allows you to control the effective scope of OPA. | All regions | None |
| Domain name and certificate management | ASM allows you to use cert-manager to issue certificates for ASM gateways. This way, you can use the ASM gateways to access services over HTTPS. This ensures data transmission security. | All regions | Use cert-manager to manage certificates for ASM gateways |
| Updated Envoy filter marketplace | ASM allows you to bind Envoy filter templates to workloads to implement custom Envoy filter extensions. The following built-in templates are provided. You can also customize Envoy filter templates. • Template that supports Spring Cloud services • Template that adds the HTTP body to access logs • Template that retains the case of request and response headers • Template that sets the allow_connect parameter to true to allow updated protocol connections • Template that adds request header information to response headers • Template that adds HTTP response headers | All regions | None |

February 2022

| Feature | Description | Region | References |
| --- | --- | --- | --- |
| Istio 1.12 and Kubernetes 1.22 | Istio 1.12 and Kubernetes 1.22 are supported. | All regions | None |
| Envoy filter template | A plug-in center is added to the ASM console, in which Envoy filters can be managed. In addition, Envoy filters can be created by using Envoy filter templates. | All regions | Manage Envoy filters |
| Local throttling | The local throttling feature is supported in ASM to throttle the traffic of gateways and services so as to protect the system. | All regions | Use the local throttling feature of ASM |

January 2022

| Feature | Description | Region | References |
| --- | --- | --- | --- |
| ASM gateway update | • ASM gateway details and configuration modification pages are added. • ASM gateways can be associated with upstream services, and traffic policies can be created. | All regions | None |
| Enhanced ASM Professional Edition features | • SLB traffic is lossless when ASM gateway replica instances are offline. • Gateways can be deployed on models that support Multi-Buffer for Transport Layer Security (TLS) acceleration. | All regions | None |
| Spring Cloud services | Spring Cloud services can be managed by using ASM. | All regions | Manage Spring Cloud services |
| New region | ASM is available in the China (Guangzhou), China (Hohhot), China (Heyuan), and India (Mumbai) regions. | All regions | None |
| Istio 1.11.5 | Istio 1.11.5 is supported. | All regions | None |

December 2021

| Feature | Description | Region | References |
| --- | --- | --- | --- |
| Flexible external authorization | External authorization services can be declared in meshes, and external authorization can be flexibly customized by using authorization policies. | All regions | Implement custom external authorization in ASM |
| Sidecar resources automatically recommended based on access log analysis | Sidecar resources can be automatically recommended based on access log analysis. This way, the sidecars of workloads focus only on the services that have dependency relationships with the workloads. | All regions | Use the sidecars that are automatically recommended based on access log analysis |
| Global and namespace-level sidecar proxies | Global and namespace-level sidecar proxies can be configured in ASM. | All regions | Configure namespace-level sidecar proxies |
| Custom metrics | Custom metrics are supported in ASM. You can customize metrics for a specific ASM instance, namespace, or workload. | All regions | Customize metrics in ASM |
| Dashboards for scenarios such as gateway monitoring and global mesh status monitoring | Dashboards can be added to monitor items such as gateways or global mesh status. On the details page of a mesh, choose Observability Management > Prometheus Monitoring in the left-side navigation pane. Then, you can add the dashboards on the Prometheus Monitoring page. Notice: Only Istio 1.10 and later support this feature. | All regions | None |
| Istio 1.10.5 | Istio 1.10.5 is supported. | All regions | None |

November 2021

| Feature | Description | Region | References |
| --- | --- | --- | --- |
| Multi-Buffer for TLS acceleration | Intel Multi-Buffer can be used to optimize the performance of TLS encryption and decryption. This way, encrypted communication between services can be accelerated. | All regions | Enable Multi-Buffer for TLS acceleration |
| Selective service discovery | Mesh administrators are allowed to modify global mesh configurations to optimize service discovery. This way, the control plane needs to only discover and process the services in a specific namespace. | All regions | Use selective service discovery to improve the configuration push efficiency of the control plane |
| Improved gateway updates | In the ASM console, the versions of ASM gateways can be viewed and ASM gateways can be manually updated on the gateway update page. This improves gateway stability during updates. | All regions | None |
| Detailed gateway and data plane logs | The log center feature is integrated into the observability management page of the ASM console. This allows you to view detailed gateway and data plane logs. | All regions | None |
| Check item for Envoy filters that are not provided by ASM on the control plane | A check item is provided by the mesh diagnostics feature. This check item allows you to check whether the control plane contains Envoy filters that are not provided by ASM. | All regions | None |

October 2021

| Feature | Description | Region | References |
| --- | --- | --- | --- |
| Rollback of Istio resources to previous versions | Istio resources can be rolled back to previous versions. When you update fields in the spec block of an Istio resource, ASM records the resource version before the update. ASM stores up to five latest versions. You can roll back an Istio resource to a previous version to meet your business needs. | All regions | Roll back an Istio resource to an earlier version |
| Support for the Kubernetes API of clusters on the data plane to access Istio resources | The Kubernetes API of clusters on the data plane is allowed to access ASM-managed Istio resources. You can use the kubeconfig file to install, update, and uninstall Helm packages, such as Istio resources. | All regions | Use the Kubernetes API of clusters on the data plane to access Istio resources |
| Cross-region failover and load balancing | The cross-region traffic distribution feature is supported to implement cross-region load balancing by routing traffic to multiple clusters based on their weights. The cross-region failover feature is also supported to implement cross-region disaster recovery by transferring traffic from a faulty region to another region. | All regions | Use ASM to implement cross-region disaster recovery and load balancing |
| Control-plane log collection and alerting | The control-plane log collection and alerting features are supported. For example, if the control plane pushes configurations to the sidecar proxies on the data plane, you can query the logs of the ASM instance for information about the operation. | All regions | Enable collection of control plane logs and control plane alerting |
| Progressive release of applications | ASM is integrated with KubeVela to implement progressive releases for applications. This allows you to release updated applications in a gradual manner. | All regions | Use ASM and KubeVela to implement a canary release |
| Prometheus monitoring | ASM is integrated with Prometheus to allow you to view the statistics of data-plane services and workloads in the ASM console. | All regions | None |
| Optimized ASM gateways | • The Create ASM Gateways page is optimized to improve user experience. You can select a gateway type and specify the number of gateway instances when you create an ASM gateway. • By default, horizontal pod autoscaling (HPA) is disabled. You can configure a Horizontal Pod Autoscaler for an ASM Professional Edition instance based on custom metrics including CPU and memory. • By default, syntax checking is enabled to ensure the accuracy of the definition of Istio gateways. | All regions | None |
| Optimized access log collection feature | The access log collection feature is optimized. You can create new projects and use existing projects. | All regions | None |

September 2021

| Feature | Description | Region | References |
| --- | --- | --- | --- |
| asmctl command line tool available for use | The asmctl diagnostics tool is provided to detect configuration problems in ASM. | All regions |  |
| OPA policy | OPA policies can be configured in the ASM console. | All regions | Use OPA to implement fine-grained access control in ASM |
| RBAC permissions | RAM users are allowed to grant each other RBAC permissions. | All regions | None |
| Custom access logs | The access logging feature can be configured and customized. ASM allows you to enable or disable the feature and customize the content of access logs on the data plane. | All regions | Customize access logs on the data plane |
| Cross-origin resource sharing (CORS) | CORS is supported. You can set the corsPolicy field in the virtual service that is defined for a service to allow cross-origin requests that are initiated to the service and enable CORS. | All regions | Implement CORS in ASM |
| GUI for destination rules and gateways | Destination rules and gateways can be created by using a GUI. | All regions | None |

August 2021

| Feature | Description | Region | References |
| --- | --- | --- | --- |
| Zero-trust security capabilities | Multiple zero-trust security capabilities are supported, such as peer authentication, request authentication, Istio authorization policies, and OPA-based fine-grained permission control. You can use these capabilities to strengthen the security of applications. | All regions | None |
| Optimized ASM gateways | ASM gateways are optimized in the following ways: • Custom host networks and Domain Name System (DNS) policies are supported. • Rolling updates are supported in ASM Professional Edition. The rolling update feature allows you to perform scaling without interrupting the traffic of online business. • High availability is supported for ASM gateways. • Custom access logs are supported. | All regions |  |
| Optimized ASM console | The ASM console is optimized. For example, security policies and virtual services can be created by using a GUI, custom resources can be created by using YAML templates, and the page for configuring automatic sidecar injection is optimized. | All regions | Enable automatic sidecar injection by using multiple methods |
| Optimized ASM observability | • Kiali for ASM is updated to V1.34. • The metrics of Prometheus Service are obtained by Kiali for ASM over the internal network. Before this feature update, the metrics are obtained over the Internet. • The logs of an ingress gateway service are collected only by the Logstore that is specified for the ingress gateway service. Logstores that are used to collect the logs of sidecar proxies no longer collect the logs of ingress gateway services. • The observability dashboards are optimized to fix the issue that dashboards display null values. The dashboards provide you with data such as top 10 provinces or cities with the most access traffic and top visitors by URL or IP address. | All regions |  |

July 2021

| Feature | Description | Region | References |
| --- | --- | --- | --- |
| Connection to one or more Consul service registries | ASM can be connected to one or more Consul service registries. | All regions | Connect to Consul |
| Dynamic update of OPA policies | The authorization mechanism of ASM is improved to support the dynamic update of OPA policies. | All regions | Dynamically update OPA policies in ASM |
| Addition of VMs to ASM instances | VMs can be added to ASM instances. | All regions |  |

June 2021

| Feature | Description | Region | References |
| --- | --- | --- | --- |
| Governance of applications deployed on edge Kubernetes clusters in ASM instances | Edge Kubernetes clusters that are provided by Container Service for Kubernetes (ACK) can be added to ASM instances. This allows you to manage ASM instances in edge computing scenarios that are powered by 5G networks. After this feature update, ASM provides unified governance for services that are deployed on all types of cloud-native heterogeneous computing infrastructure. | All regions | None |
| Five check items added to the mesh diagnostics feature of ASM | The following five check items are added to the mesh diagnostics feature of ASM: • Check whether the istio-injection parameter is set to the same value for the namespaces on the data plane and control plane. • Check whether a port under 1024 can be used in the pod of a gateway. • Check whether the namespace of a destination rule is valid. • Check whether the type of the secret of the TLS certificate that is referenced by a gateway is valid. • Check whether the secret of the TLS certificate that is referenced by a gateway exists. | All regions | Diagnose ASM instances |

May 2021

| Feature | Description | Region | References |
| --- | --- | --- | --- |
| Canary releases based on routing rules | Canary releases can be implemented based on routing rules. Scope configurations are extended custom resource definitions (CRDs). ASM Professional Edition instances allow you to use scope configurations to implement canary releases for pods by using virtual services or Envoy filters. You can use a scope configuration to configure a canary release in one of the following modes: • Selector mode: To use this mode, you must add labels to one or more pods. Then, you can use a scope configuration to apply a rule to route traffic to specific pods based on the specified label information. • RollingUpdate mode: In this mode, you can apply a rule to route traffic to pods by batch. Istio divides pods into batches as specified and then applies a rule to route traffic to the pods in batches. You can use scope configurations to control the risks that are brought by changes in routing rules. You can also use scope configurations and Microservice Engine (MSE) to implement canary releases. | All regions | This feature is discontinued. |

April 2021

| Feature | Description | Region | References |
| --- | --- | --- | --- |
| Delegate capabilities to configure virtual services in an ASM instance | Delegates are introduced to manage routing rules in a finer-grained manner. This reduces risks brought by changes in routing rules. | All regions | Use delegates to configure virtual services in an ASM instance |
| Gzip-based data compression | Gzip-based data compression is supported. After you enable data compression for the ingress gateway service of an ASM instance, the server compresses the response content for HTTP requests. This reduces response time and your traffic usage. | All regions | Enable data compression for the ingress gateway service of an ASM instance |
| WebAssembly (Wasm)-based ASM instance extension | Wasm allows you to extend the data plane of an ASM instance with new features. Wasm-based ASM instance extension can be enabled in the ASM console. | All regions | Use ORAS to simplify Wasm-based ASM instance extension |

March 2021

| Feature | Description | Region | References |
| --- | --- | --- | --- |
| DNS proxy feature | The DNS proxy feature is supported. ASM uses Kubernetes services and defined service entries to configure hostname-to-IP-address mappings for all services that an application may access. When an ASM instance with the DNS proxy feature enabled receives DNS queries from applications, the specified sidecar proxy transparently intercepts the queries and resolves the DNS information in these queries. The DNS proxy feature improves the performance and availability of ASM instances. You can enable or disable the feature in the ASM console or by using Alibaba Cloud CLI. | All regions | Use the DNS proxy feature in an ASM instance |
| Modification of kernel parameters | The kernel parameters of ingress gateway services can be modified. This improves the flexibility in optimizing the performance of ingress gateway services. | All regions | Modify an ingress gateway service |
| Read-only configurations | By default, the read-only mode is enabled for the configurations of the API servers and SLB instances that are created in ASM. This prevents accidental operations, such as modification and deletion, on API servers or SLB instances, and improves the availability of ASM. | All regions | None |
| Unified settings of automatic sidecar injection | The automatic sidecar injection settings for the namespaces of the control plane can be automatically unified with those for the namespaces of the data plane. This improves the usability of namespaces. If you add a Kubernetes cluster to an ASM instance, the automatic sidecar injection settings for the namespace of the ASM instance are automatically unified with those for the namespace of the Kubernetes cluster. You can also manually unify the settings of automatic sidecar injection in the ASM console. | All regions | None |

February 2021

| Feature | Description | Region | References |
| --- | --- | --- | --- |
| Availability in 12 regions, Istio 1.8.3, serverless Kubernetes clusters, and applications in Elastic Container Instance (ECI) pods that run on the Kubernetes clusters that are deployed on elastic container instances | • ASM is updated to support Istio 1.8.3. • ASM supports serverless Kubernetes clusters and applications in ECI pods that run on the Kubernetes clusters that are deployed on elastic container instances. • The service-linked role for ASM is supported. This improves the usability and compatibility of ASM. • ASM is available in 12 regions. | All regions |  |
| Custom ingress gateway services and better lifecycle management of ingress gateway services | • A custom ingress gateway service can be created by using a CRD. • TLS pass-through and Secret Discovery Service (SDS) are supported to improve the security of Istio gateways. | All regions | Define a custom ingress gateway service |
| Connection to multiple service registries | • The connection to the Nacos service registry is supported. This allows you to migrate microservices in the Nacos service registry to ASM. • The connection to the Consul service registry is supported. This allows you to migrate microservices in the Consul service registry to ASM. | All regions | Connect to Consul |
| Simplified Wasm-based ASM instance extension | OCI Registry as Storage (ORAS) is supported. You can use ORAS to simplify Wasm-based ASM instance extension. | All regions | Use ORAS to simplify Wasm-based ASM instance extension |

January 2021

| Feature | Description | Region | References |
| --- | --- | --- | --- |
| New region | ASM is available in the China (Chengdu) region on the China site (aliyun.com) and the US (Virginia) region on the International site (alibabacloud.com). | All regions | None |
| Access log collection, Prometheus monitoring, and Kiali for ASM | The access log collection, Prometheus monitoring, and Kiali for ASM features can be enabled in a few simple steps. This improves the observability of ASM. | All regions |  |
| HTTP/1.0 | HTTP/1.0 is supported. By default, Envoy requires that upstream services use HTTP/1.1 or HTTP/2.0. In this version, ASM allows you to enable HTTP/1.0 in just a few simple steps so that you can ensure compatibility with legacy systems that use HTTP/1.0. | All regions | None |
| Improved definition of ingress gateway services and optimized configuration and version updates | • The definition of ingress gateway services is improved. The nodeSelector configuration is supported. The use of annotations to configure SLB is standardized for ingress gateway services. • The configuration update of ASM instances and the version update are optimized to reduce waiting duration and improve user experience. • The verification feature of Envoy filters is enhanced. | All regions | None |

November 2020

| Feature | Description | Region | References |
| --- | --- | --- | --- |
| Istio 1.7.5 and availability on the International site (alibabacloud.com) | Istio 1.7.5 is supported. ASM is available on the International site (alibabacloud.com). | All regions | None |
| Istio CNI plug-in | The Istio CNI plug-in is supported for ASM instances whose Istio version is 1.7 or later. The Istio CNI plug-in replaces the istio-init container and does not require you to enable elevated privileges. This improves security. | All regions | Due to conflicts with other CNI plug-ins, this feature is phased out and needs to be re-evaluated. |
| Kiali for ASM | Kiali for ASM is supported. This tool provides a web-based GUI that allows you to observe the status of ASM instances. | All regions | None |
| Hot update of data planes (Beta) | Hot updates of data planes are supported. You can update the data plane of an ASM instance without interrupting services or affecting applications. | All regions | Upgrade the data plane of an ASM instance without service interruption (Beta) |

October 2020

| Feature | Description | Region | References |
| --- | --- | --- | --- |
| Multiple methods of enabling automatic sidecar injection | The following methods are supported for enabling automatic sidecar injection: Note: The Istio version of ASM instances must be 1.6.8.19 or later. • Enable automatic sidecar injection for all namespaces. • Use pod annotations to enable automatic sidecar injection. • Enable or disable automatic sidecar injection by setting the alwaysInjectSelector or neverInjectSelector parameter in specific scenarios. | All regions | Enable automatic sidecar injection by using multiple methods |
| Kubernetes 1.18 | Kubernetes 1.18 is supported on the data planes of ASM instances. This feature is applicable to all supported versions of Kubernetes clusters. Note: The Istio version of ASM instances must be 1.6.8.19 or later. | All regions | None |

September 2020

| Feature | Description | Region | References |
| --- | --- | --- | --- |
| Istio 1.6.8 | Istio 1.6.8 is supported. In addition to dedicated Kubernetes clusters, managed Kubernetes clusters, registered external clusters, elastic container instances, and Elastic Compute Service (ECS) instances, ASM also supports serverless Kubernetes clusters and ACK clusters that are deployed on elastic container instances. | All regions | None |
| Enhanced Telemetry V2 Mixerless | Telemetry V2 Mixerless is enhanced to collect telemetry data without the need to use Mixer. ASM automatically adjusts the traffic to the workloads based on the collected telemetry data. | All regions | Implement auto scaling for workloads by using ASM metrics |
| Mesh diagnostics | Mesh diagnostics is supported. You can diagnose ASM instances based on the following items: the versions of data planes, service ports, applications in ASM instances, labels of applications and versions, destination addresses, and virtual service conflicts. This helps you use and manage your ASM instances. | All regions | Diagnose ASM instances |

August 2020

| Feature | Description | Region | References |
| --- | --- | --- | --- |
| Cluster domain | A cluster domain can be specified when you create an ASM instance. The default cluster domain is cluster.local. Only Kubernetes clusters that share the same cluster domain can be added to the ASM instance. | All regions | None |
| Non-containerized applications on VMs | Non-containerized applications on VMs can be added to ASM instances. This way, you can throttle traffic for non-containerized and containerized applications at the same time. | All regions | Use ASM to manage non-containerized applications |
| Serverless Kubernetes clusters on elastic container instances | Serverless Kubernetes clusters that are deployed on elastic container instances are supported. You can use ASM to throttle traffic for the workloads of elastic container instances in a centralized manner. | All regions | None |

July 2020

| Feature | Description | Region | References |
| --- | --- | --- | --- |
| Available for commercial use | ASM is available for commercial use. ASM is a fully managed platform for service meshes and is compatible with the open source Istio service mesh. ASM allows you to manage services in a simplified manner and helps reduce your development and O&M costs. For example, you can use ASM to route and split inter-service traffic, secure inter-service communication based on authentication, and observe the behavior of services in meshes. ASM builds managed and unified service mesh capabilities in core scenarios, such as hybrid cloud, multi-cloud, multi-cluster, and non-containerized application migration. ASM provides you with the following benefits: • Centralized management mode • Centralized traffic throttling • Managed core components of control planes. ASM is a free service. When you use ASM, you need to pay only for associated services, such as ACK, SLB, and Log Service. | China (Beijing), China (Hangzhou), China (Zhangjiakou), China (Shanghai), China (Shenzhen), Indonesia (Jakarta), and Germany (Frankfurt) | None |
| Tracing data export from ASM to user-created systems | Tracing data can be exported. After you enable tracing for an ASM instance, you can export the tracing data to Tracing Analysis or a user-created system that is compatible with Zipkin. | All regions | Export tracing data from ASM to a self-managed system |
| Registered external clusters | Registered external clusters are supported. You can use ASM to manage applications in external Kubernetes clusters that are registered in the ACK console. | All regions | Use ASM to manage applications in registered external Kubernetes clusters |