Alibaba Cloud Service Mesh:Connect an ASM control plane to a data-plane cluster across VPCs through PrivateLink

Last Updated:Mar 11, 2026

When a Service Mesh (ASM) instance and a Container Service for Kubernetes (ACK) cluster on the data plane reside in different virtual private clouds (VPCs) within the same region, you need private connectivity between them. PrivateLink establishes this connectivity without exposing traffic to the public internet.

ASM provides the ASMPvlConfig CustomResourceDefinition (CRD) to automate PrivateLink setup. You define a single YAML resource, and ASM creates and manages the underlying endpoint services and endpoints.

How it works

The ASM control plane and the ACK data-plane cluster communicate through two separate channels. When you apply the ASMPvlConfig resource, ASM creates a PrivateLink connection for each channel:

| Connection | Purpose | Endpoint service location | Endpoint location |
| --- | --- | --- | --- |
| API server | Allows the ASM control plane to reach the ACK cluster's API server | ACK cluster's Server Load Balancer (SLB) instance | ASM VPC |
| Pilot | Allows data-plane sidecars to receive configuration from the ASM control plane (Istio Pilot) | ASM instance's SLB instance | ACK VPC |

Each PrivateLink connection requires an endpoint in the same availability zone as the target endpoint service. Because the endpoint service for the ACK API server is in the ACK VPC's zone, the ASM-side endpoint must also be in that zone, and vice versa. This is why the ASMPvlConfig resource uses cross-matched zone IDs between the two VPCs (detailed in Configure the ASMPvlConfig resource).

PrivateLink traffic stays within the Alibaba Cloud network and does not traverse the public internet, ensuring that control-plane-to-data-plane communication remains private.

Prerequisites

Add the ACK cluster to the ASM instance

Add the ACK cluster to the ASM instance.

After you add the cluster, its status shows Connected in the ASM console. This only indicates that the cluster is registered with ASM. PrivateLink connectivity is not yet established. Proceed to the next section to configure it.

Configure the ASMPvlConfig resource

Important

The zone IDs in the YAML are intentionally cross-matched. Under ackVpcEndpoint, set zoneId to the zone of the ASM instance's vSwitch. Under asmVpcEndpoint, set zoneId to the zone of the ACK cluster's vSwitch. This cross-matching is required because PrivateLink creates an endpoint in the remote VPC that must be in the same availability zone as the target endpoint service.

Create a file named asmpvlconfig.yaml with the following content:

apiVersion: istio.alibabacloud.com/v1beta1
kind: ASMPvlConfig
metadata:
  name: default
spec:
  ackVpcEndpoint:
  - clusterId: <ack-cluster-id>
    vSwitches:
    - vSwitchId: <ack-vswitch-id>
      zoneId: <asm-vswitch-zone-id>
  asmVpcEndpoint:
    vSwitches:
    - vSwitchId: <asm-vswitch-id>
      zoneId: <ack-vswitch-zone-id>

Replace the placeholders with your actual values:

| Placeholder | Description | Where to find it | Example |
| --- | --- | --- | --- |
| <ack-cluster-id> | ID of the ACK cluster added to the ASM instance | ACK console or ASM console cluster list | cab9ace222210457a83f09fcd42e9**** |
| <ack-vswitch-id> | ID of a vSwitch in the ACK cluster's VPC | VPC console, vSwitch page | vsw-bp1jsgsanpvxpj32yai50 |
| <asm-vswitch-zone-id> | Zone of the ASM instance's vSwitch. Used under ackVpcEndpoint for cross-matching. | VPC console, vSwitch details | cn-hangzhou-i |
| <asm-vswitch-id> | ID of a vSwitch in the ASM instance's VPC | VPC console, vSwitch page | vsw-bp1l5hini55sstnwd2skf |
| <ack-vswitch-zone-id> | Zone of the ACK cluster's vSwitch. Used under asmVpcEndpoint for cross-matching. | VPC console, vSwitch details | cn-hangzhou-j |

Important

The metadata.name field must be default. Other names are not valid.

Field reference

| Field | Description |
| --- | --- |
| spec.ackVpcEndpoint | Array of ACK cluster configurations. Each entry contains a clusterId and a list of vSwitches in the ACK cluster's VPC. |
| spec.ackVpcEndpoint[].clusterId | ID of an ACK cluster that has been added to the ASM instance. |
| spec.ackVpcEndpoint[].vSwitches | Available vSwitches in the ACK cluster's VPC. Each vSwitch must specify vSwitchId and zoneId. |
| spec.asmVpcEndpoint.vSwitches | vSwitches in the ASM instance's VPC. Each vSwitch must specify vSwitchId and zoneId. |

Apply the ASMPvlConfig resource

Connect to the ASM instance with kubectl and apply the resource:

kubectl apply -f asmpvlconfig.yaml

Verify the PrivateLink status

Wait a few minutes for ASM to provision the PrivateLink resources, then check the status:

kubectl get asmpvlconfig default -o yaml

A successful configuration adds a status section to the output:

apiVersion: istio.alibabacloud.com/v1beta1
kind: ASMPvlConfig
metadata:
  name: default
spec:
  ackVpcEndpoint:
  - clusterId: cab9ace222210457a83f09fcd42****
    vSwitches:
    - vSwitchId: vsw-bp1jsgsanpvxpj32yai50
      zoneId: cn-hangzhou-j
  asmVpcEndpoint:
    vSwitches:
    - vSwitchId: vsw-bp1l5hini55sstnwd2skf
      zoneId: cn-hangzhou-i
status:
  clusters:
  - clusterId: cab9ace222210457a83f09fcd42****
    pvlEndpoint:
      connectionStatus: Connected
      domainName: ep-bp1i06bad79eb60c60cc.epsrv-bp1gqb8g1b8d7uactd.cn-hangzhou.privatelink.aliyuncs.com
      id: ep-bp1i06bad79eb60c60
      status: Active
    pvlEndpointService:
      id: epsrv-bp1gqb8g1b8d7uactd
      name: com.aliyuncs.privatelink.cn-hangzhou.epsrv-bp1gqb8g1b8d7uactd
      status: Active
  pilot:
    clusters:
    - clusterId: cab9ace222210457a83f09fcd42****
      pvlEndpoint:
        connectionStatus: Connected
        domainName: ep-bp1i52311b91a5a25e.epsrv-bp1cl4qwzkf747ug6tmy.cn-hangzhou.privatelink.aliyuncs.com
        id: ep-bp1i52311b91a5a25e
        status: Active
    pvlEndpointService:
      id: epsrv-bp1cl4qwzkf747ug6t
      name: com.aliyuncs.privatelink.cn-hangzhou.epsrv-bp1cl4qwzkf747ug6tmy
      status: Active
  status: Available

Confirm that status.status is Available, which means both the API server and Pilot connections are established. Any other value indicates a configuration issue: review your vSwitch IDs and zone IDs.

Status field reference

The status section contains two groups that reflect the two PrivateLink connections:

status.clusters -- PrivateLink connection for the ACK cluster's API server:

| Field | Description |
| --- | --- |
| clusterId | ID of the ACK cluster. |
| pvlEndpoint.connectionStatus | Connection state. Connected means the connection is established. |
| pvlEndpoint.domainName | Domain name of the PrivateLink endpoint. You need this value in Add the PrivateLink domain to the API server certificate. |
| pvlEndpoint.id | ID of the PrivateLink endpoint. |
| pvlEndpoint.status | Endpoint state. Active means the endpoint is operational. |
| pvlEndpointService.id | ID of the endpoint service on the SLB instance that exposes the ACK cluster's API server. |
| pvlEndpointService.name | Name of the endpoint service. |
| pvlEndpointService.status | Endpoint service state. Active means the service is operational. |

status.pilot -- PrivateLink connection for Istio Pilot on the ASM control plane:

| Field | Description |
| --- | --- |
| clusters[].clusterId | ID of the ACK cluster. |
| clusters[].pvlEndpoint.connectionStatus | Connection state. Connected means the connection is established. |
| clusters[].pvlEndpoint.domainName | Domain name of the PrivateLink endpoint for Pilot. |
| clusters[].pvlEndpoint.id | ID of the PrivateLink endpoint for Pilot. |
| clusters[].pvlEndpoint.status | Endpoint state. Active means the endpoint is operational. |
| pvlEndpointService.id | ID of the endpoint service on the SLB instance that exposes Istio Pilot. |
| pvlEndpointService.name | Name of the endpoint service for Pilot. |
| pvlEndpointService.status | Endpoint service state. Active means the service is operational. |

status.status -- Overall availability. Available indicates that cross-VPC connectivity is fully configured.
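The following script, added here as an example and not part of the Alibaba Cloud documentation or the ASM product, walks the status fields described above and checks them the way a practitioner would before trusting the connection: it reports any endpoint or endpoint service that is not Connected/Active and collects the API-server pvlEndpoint.domainName values that must be present as SANs in the API server certificate (the step in Add the PrivateLink domain to the API server certificate). It reads the JSON form of the resource (kubectl get asmpvlconfig default -o json); the embedded sample and the missing_sans helper's input format (ssl.getpeercert()-style pairs) are assumptions, and all IDs in the sample are constructed placeholders.

```python
# Added example, not from the Alibaba Cloud page: check an ASMPvlConfig status
# document (kubectl get asmpvlconfig default -o json) and list the domain names
# that must appear in the ACK API server certificate's SAN. Sample is constructed.
import json
import sys

SAMPLE_JSON = """{"status": {"status": "Available",
  "clusters": [{"clusterId": "c-EXAMPLE", "pvlEndpointService": {"status": "Active"},
    "pvlEndpoint": {"connectionStatus": "Connected", "status": "Active",
      "domainName": "ep-EXAMPLE.epsrv-EXAMPLE.cn-hangzhou.privatelink.aliyuncs.com"}}],
  "pilot": {"pvlEndpointService": {"status": "Active"},
    "clusters": [{"clusterId": "c-EXAMPLE", "pvlEndpoint": {"connectionStatus": "Connected",
      "status": "Active", "domainName": "ep-PILOT.epsrv-PILOT.cn-hangzhou.privatelink.aliyuncs.com"}}]}}}"""

def _endpoint_ready(ep):
    return ep.get("connectionStatus") == "Connected" and ep.get("status") == "Active"

def check_pvl(resource):
    """Return (problems, api_server_domains) for a parsed ASMPvlConfig resource."""
    status = resource.get("status") or {}
    problems, domains = [], []
    if status.get("status") != "Available":
        problems.append(f"status.status is {status.get('status')!r}, not 'Available'")
    for c in status.get("clusters", []):  # API server connection per ACK cluster
        ep = c.get("pvlEndpoint", {})
        if not _endpoint_ready(ep):
            problems.append(f"API server endpoint for {c.get('clusterId')} not ready")
        if c.get("pvlEndpointService", {}).get("status") != "Active":
            problems.append(f"API server endpoint service for {c.get('clusterId')} not Active")
        if ep.get("domainName"):
            domains.append(ep["domainName"])  # must be a SAN of the API server cert
    pilot = status.get("pilot") or {}  # sidecar-to-Pilot connection(s)
    for c in pilot.get("clusters", []):
        if not _endpoint_ready(c.get("pvlEndpoint", {})):
            problems.append(f"Pilot endpoint for {c.get('clusterId')} not ready")
    if pilot.get("pvlEndpointService", {}).get("status") != "Active":
        problems.append("Pilot endpoint service not Active")
    return problems, domains

def missing_sans(domains, cert_sans):
    """Domains absent from a certificate's DNS SANs (ssl.getpeercert()-style pairs)."""
    present = {v.lower() for t, v in cert_sans if t == "DNS"}
    return [d for d in domains if d.lower() not in present]

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JSON
    problems, domains = check_pvl(json.loads(text))
    print(*problems, *[f"SAN required: {d}" for d in domains], sep="\n")
    sys.exit(1 if problems else 0)
```

Run it without arguments to see the constructed sample, or pass the path of a saved `-o json` dump; a non-zero exit means at least one of the two PrivateLink channels is not ready.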

Verify the PrivateLink resources in the VPC console

To inspect the endpoint service and endpoint directly:

  1. Log on to the VPC console.

  2. In the left-side navigation pane, click Endpoints Service.

  3. In the top navigation bar, select the region where the endpoint service resides.

  4. On the Endpoints Service page, click the instance ID of the target endpoint service to view its details.

  5. In the left-side navigation pane, click Endpoints. On the Endpoints page, click the instance ID of the target endpoint to view its details.

Add the PrivateLink domain to the API server certificate

The ASM control plane accesses the ACK cluster's API server through the PrivateLink endpoint domain name. For TLS validation to succeed, this domain name must be listed as a Subject Alternative Name (SAN) in the API server certificate. Without this, the control plane cannot establish a trusted connection to the API server.

From the status output in Verify the PrivateLink status, copy the pvlEndpoint.domainName value under clusters (for example, ep-bp1i06bad79eb60c60cc.epsrv-bp1gqb8g1b8d7uactd.cn-hangzhou.privatelink.aliyuncs.com) and add it to the custom SAN field of the ACK cluster's API server certificate.

For instructions, see Customize the SAN of the API server certificate when you create an ACK cluster.

Confirm cross-VPC connectivity

Check the ACK cluster's status in the ASM console. If the cluster is in the Running state, cross-VPC connectivity through PrivateLink is successfully established.