When you use a virtual service to define routing rules for a service that contains multiple microservices or routing rules, the virtual service is complex, which brings much maintenance work. To reduce risks brought by changes in routing rules, Alibaba Cloud Service Mesh (ASM) introduces delegates to manage routing rules in a more fine-grained manner. This topic shows you how to use multiple virtual services to define routing rules for a service. The Bookinfo application is used as an example.
Prerequisites
- An ASM instance is created. For more information, see Create an ASM instance.
Note The ASM instance must be v1.8.6.4-g814070fe-aliyun or later.
- An ACK managed cluster is created. For more information, see Create an ACK managed cluster.
- The cluster is added to the ASM instance. For more information, see Add a cluster to an ASM instance.
- An ingress gateway service is deployed. For more information, see Deploy an ingress gateway service.
- An application is deployed in the ACK cluster that is added to the ASM instance. For more information, see Deploy an application in an ASM instance.
Background information
In an ASM instance, a virtual service is used to define routing rules for a service. The routing rules control the traffic routing of the service. In actual scenarios, you may need to maintain a complex virtual service. Each time you modify the routing rules that are defined by the virtual service, you must modify the virtual service. After the routing rules are modified, the routing rules may conflict with each other, specific routing rules may be redundant, or the routing rules may be coupled with each other. Configuration errors of routing rules may affect the services that are deployed in the cluster on the data plane or even make all services inaccessible.
ASM introduces delegates to extend the configuration of virtual services, which allows you to decouple routing rules that are defined for a service. You can split a virtual service into a primary virtual service and multiple secondary virtual services. The primary virtual service defines the overall routing rules of a service. Each secondary virtual service defines a detailed routing rule of the service. The primary virtual service is maintained by administrators, while the secondary virtual services are maintained by service maintainers. This greatly reduces risks that are brought by changes in routing rules and improves the efficiency of independent service deployment and updates.
Usage notes
- You can set delegate parameters only in a primary virtual service. If you set delegate parameters both in a primary virtual service and secondary virtual services, the primary virtual service and secondary virtual services do not take effect.
- The HTTPMatchRequest configuration in secondary virtual services must be a subset of that in the primary virtual service. Otherwise, a conflict exists, and the HTTPRoute configuration does not take effect.
- Delegate parameters can be specified only when the route and redirect parameters in the primary virtual service are left empty. The hosts parameter in secondary virtual services must be left empty. The routing rules that are defined by secondary virtual services are combined with the routing rules that are defined by the primary virtual service.
Step 1: Configure an Istio gateway
- Log on to the ASM console.
- In the left-side navigation pane, choose .
- On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.
- On the details page of the ASM instance, choose Create from YAML. in the left-side navigation pane. On the Gateway page, click
- On the Create page, select a namespace from the Namespace drop-down list, copy the following content to the code editor, and then click Create. In this example, the default namespace is used.
apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: bookinfo-gateway spec: selector: istio: ingressgateway # use istio default controller servers: - port: number: 80 name: http protocol: HTTP hosts: - "*"
Set the
number
parameter to80
. This setting specifies that the Bookinfo application can receive inbound or outbound HTTP connections by using port 80.
Step 2: Configure a primary virtual service
- Log on to the ASM console.
- In the left-side navigation pane, choose .
- On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.
- On the details page of the ASM instance, choose Create from YAML. in the left-side navigation pane. On the VirtualService page, click
- On the Create page, select a namespace from the Namespace drop-down list, copy the following content to the code editor, and then click Create. In this example, the default namespace is used.
The following content can be used to create a vs-1 delegate and a vs-2 delegate. The vs-1 delegate specifies that only request URLs that contain
/log
can be used to access the Bookinfo application. The vs-2 delegate specifies that only request URLs that contain/
can be used to access the Bookinfo application.apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: name: bookinfo namespace: default spec: gateways: - bookinfo-gateway hosts: - '*' http: - delegate: name: vs-1 namespace: ns1 match: - uri: prefix: /log - delegate: name: vs-2 namespace: ns1 match: - uri: prefix: /
Description of the delegate parameter:- name: the name of delegate.
- namespace: the namespace of delegate.
Step 3: Configure secondary virtual services
- Log on to the ASM console.
- In the left-side navigation pane, choose .
- On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.
- On the details page of the ASM instance, choose Create from YAML. in the left-side navigation pane. On the VirtualService page, click
- On the Create page, select a namespace from the Namespace drop-down list, copy the following content to the code editor, and then click Create. In this example, the ns1 namespace is used.
apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: name: vs-1 namespace: ns1 spec: http: - match: - uri: exact: /login - uri: exact: /logout route: - destination: host: productpage.default.svc.cluster.local port: number: 9080
- metadata: associates the secondary virtual service with a delegate in the primary virtual service. The settings of metadata must be the same as those of a delegate in the primary virtual service. In this substep, the settings of metadata are the same as those of the vs-1 delegate. This means that the secondary virtual service is associated with the vs-1 delegate.
- match: specifies filter conditions for HTTP requests. In this substep, the
uri
field is set toexact: /login
andexact: /logout
. This setting specifies that you can log on to or log off from the Bookinfo application.
- Repeat Substep 5. On the Create page, select a namespace from the Namespace drop-down list, copy the following content to the code editor, and then click Create.
apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: name: vs-2 namespace: ns1 spec: http: - match: - uri: exact: /productpage - uri: prefix: /static - uri: prefix: /api/v1/products route: - destination: host: productpage.default.svc.cluster.local port: number: 9080
- metadata: associates the secondary virtual service with a delegate in the primary virtual service. The settings of metadata must be the same as those of a delegate in the primary virtual service. In this substep, the settings of metadata are the same as those of the vs-2 delegate. This means that the secondary virtual service is associated with the vs-2 delegate.
- match: specifies filter conditions for HTTP requests. In this substep, the setting specifies that only request URLs that contain /productpage or start with /static or /api/v1/products can be used to access the Bookinfo application.
Step 4: Query the IP address of the ingress gateway
- Log on to the ACK console.
- In the left-side navigation pane of the ACK console, click Clusters.
- On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
- In the left-side navigation pane of the details page, choose
- At the top of the Services page, select istio-system from the Namespace drop-down list. Find the ingress gateway that is named istio-ingressgateway and view the IP address whose port is 80 in the External Endpoint column.
Verify the result
/productpage
. The result indicates that the secondary virtual service that is associated with the vs-2 delegate takes effect.

