When you use a virtual service to define routing rules for a service that contains
multiple microservices or routing rules, the virtual service is complex, which brings
much maintenance work. To reduce risks brought by changes in routing rules, Alibaba
Cloud Service Mesh (ASM) introduces delegates to manage routing rules in a more fine-grained
manner. This topic shows you how to use multiple virtual services to define routing
rules for a service. The Bookinfo application is used as an example.
Background information
In an ASM instance, a virtual service is used to define routing rules for a service.
The routing rules control the traffic routing of the service. In actual scenarios,
you may need to maintain a complex virtual service. Each time you modify the routing
rules that are defined by the virtual service, you must modify the virtual service.
After the routing rules are modified, the routing rules may conflict with each other,
specific routing rules may be redundant, or the routing rules may be coupled with
each other. Configuration errors of routing rules may affect the services that are
deployed in the cluster on the data plane or even make all services inaccessible.
ASM introduces delegates to extend the configuration of virtual services, which allows
you to decouple routing rules that are defined for a service. You can split a virtual
service into a primary virtual service and multiple secondary virtual services. The
primary virtual service defines the overall routing rules of a service. Each secondary
virtual service defines a detailed routing rule of the service. The primary virtual
service is maintained by administrators, while the secondary virtual services are
maintained by service maintainers. This greatly reduces risks that are brought by
changes in routing rules and improves the efficiency of independent service deployment
and updates.
Usage notes
- You can set delegate parameters only in a primary virtual service. If you set delegate parameters both in a primary virtual service and secondary virtual services, the
primary virtual service and secondary virtual services do not take effect.
- The HTTPMatchRequest configuration in secondary virtual services must be a subset
of that in the primary virtual service. Otherwise, a conflict exists, and the HTTPRoute
configuration does not take effect.
- Delegate parameters can be specified only when the route and redirect parameters in
the primary virtual service are left empty. The hosts parameter in secondary virtual
services must be left empty. The routing rules that are defined by secondary virtual
services are combined with the routing rules that are defined by the primary virtual
service.
Step 1: Configure an Istio gateway
- Log on to the ASM console.
- In the left-side navigation pane, choose .
- On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM
instance or click Manage in the Actions column.
- On the details page of the ASM instance, choose in the left-side navigation pane. On the Gateway page, click Create from YAML.
- On the Create page, select a namespace from the Namespace drop-down list, copy the following content to the code editor, and then click Create. In this example, the default namespace is used.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: bookinfo-gateway
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
Set the number
parameter to 80
. This setting specifies that the Bookinfo application can receive inbound or outbound
HTTP connections by using port 80.
Step 2: Configure a primary virtual service
- Log on to the ASM console.
- In the left-side navigation pane, choose .
- On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM
instance or click Manage in the Actions column.
- On the details page of the ASM instance, choose in the left-side navigation pane. On the VirtualService page, click Create from YAML.
- On the Create page, select a namespace from the Namespace drop-down list, copy the following content to the code editor, and then click Create. In this example, the default namespace is used.
The following content can be used to create a vs-1 delegate and a vs-2 delegate. The
vs-1 delegate specifies that only request URLs that contain /log
can be used to access the Bookinfo application. The vs-2 delegate specifies that
only request URLs that contain /
can be used to access the Bookinfo application.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: bookinfo
namespace: default
spec:
gateways:
- bookinfo-gateway
hosts:
- '*'
http:
- delegate:
name: vs-1
namespace: ns1
match:
- uri:
prefix: /log
- delegate:
name: vs-2
namespace: ns1
match:
- uri:
prefix: /
Description of the delegate parameter:
- name: the name of delegate.
- namespace: the namespace of delegate.
Step 3: Configure secondary virtual services
- Log on to the ASM console.
- In the left-side navigation pane, choose .
- On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM
instance or click Manage in the Actions column.
- On the details page of the ASM instance, choose in the left-side navigation pane. On the VirtualService page, click Create from YAML.
- On the Create page, select a namespace from the Namespace drop-down list, copy the following content to the code editor, and then click Create. In this example, the ns1 namespace is used.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: vs-1
namespace: ns1
spec:
http:
- match:
- uri:
exact: /login
- uri:
exact: /logout
route:
- destination:
host: productpage.default.svc.cluster.local
port:
number: 9080
- metadata: associates the secondary virtual service with a delegate in the primary virtual
service. The settings of metadata must be the same as those of a delegate in the primary
virtual service. In this substep, the settings of metadata are the same as those of
the vs-1 delegate. This means that the secondary virtual service is associated with
the vs-1 delegate.
- match: specifies filter conditions for HTTP requests. In this substep, the
uri
field is set to exact: /login
and exact: /logout
. This setting specifies that you can log on to or log off from the Bookinfo application.
- Repeat Substep 5. On the Create page, select a namespace from the Namespace drop-down list, copy the following content to the code editor, and then click Create.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: vs-2
namespace: ns1
spec:
http:
- match:
- uri:
exact: /productpage
- uri:
prefix: /static
- uri:
prefix: /api/v1/products
route:
- destination:
host: productpage.default.svc.cluster.local
port:
number: 9080
- metadata: associates the secondary virtual service with a delegate in the primary virtual
service. The settings of metadata must be the same as those of a delegate in the primary
virtual service. In this substep, the settings of metadata are the same as those of
the vs-2 delegate. This means that the secondary virtual service is associated with
the vs-2 delegate.
- match: specifies filter conditions for HTTP requests. In this substep, the setting specifies
that only request URLs that contain /productpage or start with /static or /api/v1/products can be used to access the Bookinfo application.
Step 4: Query the IP address of the ingress gateway
- Log on to the ACK console.
- In the left-side navigation pane of the ACK console, click Clusters.
- On the Clusters page, find the cluster that you want to manage and click the name of the cluster
or click Details in the Actions column. The details page of the cluster appears.
- In the left-side navigation pane of the details page, choose
- At the top of the Services page, select istio-system from the Namespace drop-down list. Find the ingress gateway that is named istio-ingressgateway and view
the IP address whose port is 80 in the External Endpoint column.
Verify the result
Enter
http://<IP address of the ingress gateway>/productpage in the address bar of a browser. The following page appears. This means that the
Bookinfo application is accessed by using the request URL that contains
/productpage
. The result indicates that the secondary virtual service that is associated with
the vs-2 delegate takes effect.

Click
Sign in in the upper-right corner. In the dialog box that appears, enter the username and
password to log on to the Bookinfo application. The following page appears. This means
that you have logged on to the Bookinfo application. The result indicates that the
secondary virtual service that is associated with the vs-1 delegate takes effect.
