Alibaba Cloud Service Mesh: Create an ASM instance

Last Updated: Dec 04, 2025

Before you can use Service Mesh (ASM), you must create an ASM instance. An ASM instance lets you manage traffic, security, fault recovery, and observability for your applications. This topic describes how to create an ASM instance in the ASM console.

Prerequisites

Configuration description

When you create a Service Mesh instance, ASM may perform the following operations based on your configurations:

  • Create a security group. This security group allows inbound traffic on all ICMP ports within the VPC.

    Note

    You cannot use an existing security group when you create an ASM instance. You cannot change the security group after the instance is created.

  • Create VPC routing rules.

  • Create elastic IP addresses (EIPs).

  • Create a RAM role and the corresponding policies. This role is granted full permissions on Cloud Load Balancer (CLB), Cloud Monitor, VPC, and Simple Log Service. Service Mesh dynamically creates resources such as CLB instances and VPC routing rules based on your deployment configuration.

  • Create an internal-facing CLB instance and expose ports 6443 and 15011.

  • ASM ensures the stability of Service Mesh by collecting logs from managed control plane components.

Procedure

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click Create Mesh, and configure the parameters for the mesh.

    Configuration item

    Description

    Mesh Name

    The name of the Service Mesh instance.

    Instance Type

    You can select Enterprise Edition or Ultimate Edition. For more information about the features of different ASM instance editions, see What is ASM?.

    Region

    The region where the Service Mesh instance resides.

    Istio Version

    The Istio version. You can select one of the two latest major versions, such as 1.22.* and 1.23.*. For more information about versions, see Version mechanism. If you require other versions, submit a ticket.

    Kubernetes Cluster

    The VPC, vSwitch, and cluster domain are automatically populated based on the Kubernetes cluster that you add to the Service Mesh. For more information, see Create an ACK managed cluster.

    VPC

    The VPC of the Service Mesh instance. You can click Create VPC to create a VPC. For more information, see Create and manage a VPC.

    VSwitch

    The vSwitch of the Service Mesh instance. You can click Create VSwitch to create a vSwitch. For more information, see Create and manage a vSwitch.

    Istio Control Plane Access

    The CLB instance used to access the Istio control plane.

    API Server Access

    The CLB instance used to access the API Server. You can also specify whether to Expose the API Server using an EIP.

    • Expose: An EIP is created and attached to the internal-facing CLB instance. This lets you connect to and manage the ASM instance from the internet using a kubeconfig file.

    • Do not expose: No EIP is created. You can connect to and manage the ASM instance using a kubeconfig file only from within the VPC.

    Observability

    Whether to Enable Tracing Analysis.

    ASM integrates with Alibaba Cloud Tracing Analysis. Tracing Analysis provides features for developers of distributed applications, such as trace restoration, request statistics, topology analysis, and application dependency analysis. These features help developers quickly identify and diagnose performance bottlenecks in distributed application architectures and improve development and diagnostic efficiency. For more information, see Use Tracing Analysis to implement integrated tracing for applications in and outside a mesh.

    Note

    Before you enable this feature, you must activate Tracing Analysis.

    Whether to Enable Prometheus Monitoring. For more information about Prometheus, see Integrate with Prometheus Service to implement mesh monitoring and Integrate a self-managed Prometheus system to implement mesh monitoring.

    Whether to Enable ASM Mesh Topology to improve mesh observability.

    ASM Mesh Topology is a Service Mesh observability tool that provides a visual interface for you to view related services and configurations. ASM supports the built-in mesh topology feature in versions 1.7.5.25 and later. For more information about how to enable ASM Mesh Topology to improve mesh observability, see Enable mesh topology to improve observability.

    Whether to Collect access logs to Simple Log Service. This lets you view the access logs of the ingress gateway in Simple Log Service. For more information about access logs, see Generate and collect access logs of an ASM gateway and Use Simple Log Service to collect access logs of data plane clusters.

    Whether to Enable control plane log collection.

    ASM lets you collect control plane logs and configure log-based alerting. For example, you can collect logs about the configurations that are pushed from the ASM control plane to data plane sidecars. For more information about control plane log collection, see Enable control plane log collection and log-based alerting (Old version) or Enable control plane log collection and log-based alerting (New version).

    Mesh Audit

    Whether to Enable mesh audit.

    The mesh audit feature helps administrators record and trace the daily operations of different users. This is a crucial part of security operations and maintenance (O&M) for clusters. For more information about the mesh audit feature, see Use KubeAPI operation audit.

    Resource Configuration

    Whether to Enable historical versions for Istio resources.

    When you update the content in the spec field of an Istio resource, ASM records the historical versions of the Istio resource. ASM records up to five of the most recent versions. For more information about historical versions of Istio resources, see Roll back an Istio resource to a historical version.

    Whether to Enable access to Istio resources from data plane clusters using KubeAPI.

    ASM lets you create, retrieve, update, and delete Istio resources using the Kubernetes API (KubeAPI) of data plane clusters. For more information about how to access Istio resources using the KubeAPI of a data plane cluster, see Access Istio resources using the KubeAPI of a data plane cluster.

    Cluster Domain

    The cluster domain used by the Service Mesh instance. The default value is cluster.local. You can add only Kubernetes clusters that use the same cluster domain to the mesh instance.

    Note

    Only ASM instances of version 1.6.4.5 or later support custom cluster domains. Otherwise, the Cluster Domain parameter is hidden.

    Data Plane Mode

    Select whether to Enable the ambient mesh mode. Ambient Mesh supports two data plane architectures: sidecar and sidecarless. You can use either or both architectures as needed. For more information, see Ambient mode.

  3. Activate the pay-as-you-go billing method.

    If this is the first time you create a commercial instance, Not Passed is displayed in the Status column for Dependency Check. You must activate the pay-as-you-go billing method.

    In the Description column for Dependency Check, click Activate Now. Select the Service Mesh (Pay-As-You-Go) Terms Of Service check box and then click Activate Now. Return to the Create Service Mesh page and click Recheck for ASM Service Activation Check. Passed then appears in the Status column for Dependency Check.

  4. Read the Terms Of Service and click Create Service Mesh.

    Note

    Creating an ASM instance takes about 2 to 3 minutes.
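To confirm which API Server Access option an instance actually ended up with, the following check reads a kubeconfig and classifies each server endpoint as VPC-only or internet-reachable. It is an added example, not Alibaba Cloud code. It assumes the kubeconfig server field is an https://IP:port URL and that the VPC uses RFC 1918 address space; the sample kubeconfig fragments and the function names are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: the VPC uses RFC 1918 address space, so anything else is public.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SERVER_RE = re.compile(r"^\s*server:\s*[\"']?(\S+?)[\"']?\s*$", re.MULTILINE)

# Constructed kubeconfig fragment; 203.0.113.0/24 is a documentation range.
SAMPLE_INTERNAL = """\
apiVersion: v1
kind: Config
clusters:
- name: asm-example
  cluster:
    server: https://192.168.10.25:6443
"""
SAMPLE_EXPOSED = SAMPLE_INTERNAL.replace("192.168.10.25", "203.0.113.40")


def audit_kubeconfig(text):
    """Classify every `server:` endpoint in a kubeconfig by reachability."""
    findings = []
    for url in SERVER_RE.findall(text):
        parts = urlsplit(url)
        host = parts.hostname or ""
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            reach = "unknown"  # DNS name: resolve and review manually
        else:
            reach = "vpc-only" if any(ip in n for n in RFC1918) else "internet"
        findings.append({"server": url, "host": host, "port": parts.port,
                         "tls": parts.scheme == "https", "reach": reach})
    return findings


def exposed_endpoints(text):
    """Return the endpoints that are reachable from outside the VPC."""
    return [f["server"] for f in audit_kubeconfig(text) if f["reach"] == "internet"]


if __name__ == "__main__":
    for name, cfg in (("internal", SAMPLE_INTERNAL), ("exposed", SAMPLE_EXPOSED)):
        for f in audit_kubeconfig(cfg):
            print(name, f["server"], "port", f["port"], "->", f["reach"])
```

An "internet" result for an instance that was meant to be private indicates that the Expose option was selected and an EIP is attached to the API Server CLB instance.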

Related operations

After the instance is created, you can view the instance in the instance list on the Mesh Management page. You can also perform the following operations in the Actions column of the instance list.

Operation

Description

View information about an instance

Click Manage for the target instance. On the Basic Information page, view the detailed information.

The system creates five namespaces for a new instance by default: istio-system, kube-node-lease, kube-public, kube-system, and default. The console displays only the istio-system and default namespaces. You can use kubectl to query and manage all five namespaces, including those that the console does not display.

Modify the information about an instance

  1. Click Manage for the target instance.

  2. In the upper-right corner of the Basic Information page, click Feature Settings. In the Feature Settings Update panel, modify the configurations and click OK.

Change the instance type

Click Change Instance Type for the target instance. For more information, see Change the instance type of an ASM instance.

View logs

Click Logs for the target instance. For more information, see Log analysis.

Delete an instance

Click the More icon > Delete in the row of the target instance. In the Delete Mesh dialog box, carefully read the notes on deletion, select the resources that you want to retain, and then click OK.

Important

Before you delete an instance, note the following items and proceed with caution.

  • If you delete an ASM instance, you can no longer use the Service Mesh features of the instance.

  • If you delete the CLB instance that is used by the API Server, you can no longer manage the Service Mesh and related configurations.

  • If you delete the CLB instance that is used by Istio Pilot, you can no longer manage the Service Mesh and related configurations.