Service Mesh (ASM) is a fully managed, Istio-compatible service mesh available in two commercial editions: Enterprise Edition and Ultimate Edition. Each edition supports two data plane modes: sidecar mode and ambient mode.
Compare feature availability across editions and modes to determine which combination fits your workload.
Choose an edition
| Dimension | Enterprise Edition | Ultimate Edition |
|---|---|---|
| Target workload | Production workloads up to 1,000 pods | Large-scale production workloads up to 10,000 pods |
| Control plane | Hosted Istiod (multiple replicas) | Hosted Istiod (multiple replicas) |
| Cluster types (sidecar mode) | ACK managed, dedicated, Serverless, Edge, ACS, and external Kubernetes clusters | Same as Enterprise Edition |
| Cluster types (ambient mode) | ACK managed clusters only | ACK managed clusters only |
| Multi-cluster (sidecar mode) | Cross-VPC and cross-region | Cross-VPC and cross-region |
| Multi-cluster (ambient mode) | Single cluster only | Single cluster only |
Both editions support sidecar mode and ambient mode. Ambient mode has a narrower feature set. See the tables below for specifics.
The open source community version of Istio is included in the tables below as a baseline. It is suitable for development and testing only.
Features by category
Mesh management
Create, upgrade, and manage mesh instances and clusters through the ASM console or the KubeConfig file of a data plane cluster.
| Feature | OSS | Enterprise | Ultimate |
|---|---|---|---|
| Console-based lifecycle management (deploy, upgrade) | -- | Sidecar / Ambient | Sidecar / Ambient |
| ACK clusters (managed, dedicated, ECI on ACK) | -- | Sidecar: all types / Ambient: managed only | Sidecar: all types / Ambient: managed only |
| ACS clusters | -- | Sidecar only | Sidecar only |
| ACK Serverless clusters | -- | Sidecar only | Sidecar only |
| External Kubernetes clusters | -- | Sidecar only | Sidecar only |
| ACK Edge clusters | -- | Sidecar only | Sidecar only |
| Production-grade multi-cluster (cross-VPC, cross-region) | -- | Sidecar only | Sidecar only |
| Supported node operating systems | Alibaba Cloud Linux 2 only | Alibaba Cloud Linux 2 and 3 | Alibaba Cloud Linux 2 and 3 |
| Automatic mesh configuration diagnosis | Partial | Sidecar / Ambient | Sidecar / Ambient |
| Istio resource version history | -- | Sidecar / Ambient | Sidecar / Ambient |
| Access Istio resources via data plane KubeConfig | -- | Sidecar / Ambient | Sidecar / Ambient |
Data plane component management
Configure sidecar proxies and manage injectors at the global, namespace, or workload level.
| Feature | OSS | Enterprise | Ultimate |
|---|---|---|---|
| Multi-level sidecar proxy configuration (global, namespace, workload) | Partial | Sidecar only | Sidecar only |
| Console-based sidecar injector management | -- | Sidecar only | Sidecar only |
| CNI mode compatibility in ACK clusters | -- | Sidecar / Ambient | Sidecar / Ambient |
Gateway management
Create and manage ASM ingress gateways with routing, security, and high availability.
| Feature | OSS | Enterprise | Ultimate |
|---|---|---|---|
| Gateway lifecycle management (create, upgrade, delete, configure) | -- | Sidecar / Ambient | Sidecar / Ambient |
| Console-based routing management | -- | Sidecar / Ambient | Sidecar / Ambient |
| Advanced gateway features (graceful shutdown, HPA autoscaling, traffic-lossless upgrades, TLS optimization) | -- | Sidecar / Ambient | Sidecar / Ambient |
| External authorization (ext_authz) with visual configuration | -- | Sidecar / Ambient | Sidecar / Ambient |
| One-click OIDC-based single sign-on (SSO) | -- | Sidecar / Ambient | Sidecar / Ambient |
| Throttling and circuit breaking | -- | Sidecar only | Sidecar only |
| Certificate management | -- | Sidecar / Ambient | Sidecar / Ambient |
| Built-in observability | -- | Sidecar / Ambient | Sidecar / Ambient |
| High availability (HA) | -- | Sidecar / Ambient | Sidecar / Ambient |
Traffic management
Control how traffic flows between services with routing rules, rate limiting, circuit breaking, and traffic labeling.
| Feature | OSS | Enterprise | Ultimate |
|---|---|---|---|
| Istio VirtualService, DestinationRule, and Gateway compatibility | All | All | All |
| Console-based traffic rule configuration | -- | Sidecar / Ambient | Sidecar / Ambient |
| Local rate limiting | Partial (sidecar) | Sidecar only | Sidecar only |
| Spring Cloud service management | -- | Sidecar only | Sidecar only |
| Lossless service startup and shutdown | -- | Sidecar / Ambient | Sidecar / Ambient |
| Traffic lanes and traffic tags (TrafficLabel) | -- | Sidecar only | Sidecar only |
| Route-level circuit breaking | -- | Sidecar only | Sidecar only |
| Same-zone-prioritized routing | All | All | All |
| Service prefetching | All | All | All |
| Service-centric traffic management | -- | Sidecar only | Sidecar only |
| Layer 7 load balancing for east-west gateways | -- | Sidecar only | Sidecar only |
Observability
Monitor service health, visualize mesh topology, and integrate with Alibaba Cloud monitoring services.
| Feature | OSS | Enterprise | Ultimate |
|---|---|---|---|
| Visual mesh topology and analysis | Partial | Sidecar / Ambient | Sidecar / Ambient |
| Self-managed Prometheus integration | Partial (requires separate install) | Sidecar / Ambient | Sidecar / Ambient |
| Application Real-Time Monitoring Service (ARMS) integration | -- | Sidecar / Ambient | Sidecar / Ambient |
| Simple Log Service (SLS) integration | -- | Sidecar / Ambient | Sidecar / Ambient |
| Custom monitoring metrics | Partial | Sidecar / Ambient | Sidecar / Ambient |
| Enhanced dashboards and reports | -- | Sidecar / Ambient | Sidecar / Ambient |
| Service-level objective (SLO) policies | -- | Sidecar only | Sidecar only |
| SLO-driven application elasticity | -- | Sidecar only | Sidecar only |
Security
Enforce authentication, authorization, and audit policies with Resource Access Management (RAM), OIDC, Open Policy Agent (OPA), and dry-run testing.
| Feature | OSS | Enterprise | Ultimate |
|---|---|---|---|
| RAM authorization | -- | Sidecar / Ambient | Sidecar / Ambient |
| Console-based security policy configuration | -- | Sidecar / Ambient | Sidecar / Ambient |
| OIDC-based SSO and JWT authentication | -- | Sidecar / Ambient | Sidecar / Ambient |
| OPA fine-grained access control | -- | Sidecar / Ambient | Sidecar / Ambient |
| Alibaba Cloud OpenAPI audit | -- | Sidecar / Ambient | Sidecar / Ambient |
| Kubernetes API audit | -- | Sidecar / Ambient | Sidecar / Ambient |
| Alibaba Cloud account authorization | -- | Sidecar / Ambient | Sidecar / Ambient |
| Dry-run mode | All | All | All |
Extensibility and ecosystem integration
Extend ASM with plugins, third-party registries, and integrations for CI/CD and infrastructure-as-code tools.
| Feature | OSS | Enterprise | Ultimate |
|---|---|---|---|
| Plugin marketplace | -- | Sidecar only | Sidecar only |
| Multiple EnvoyFilter API versions | -- | Sidecar only | Sidecar only |
| Third-party registry integration | -- | Sidecar only | Sidecar only |
| KServe inference framework integration | -- | Sidecar only | Sidecar only |
| Argo CD, Argo Rollouts, and KubeVela best practices | -- | Sidecar only | Sidecar only |
| Terraform support | -- | Sidecar / Ambient | Sidecar / Ambient |
Performance optimization
Improve throughput with TLS acceleration, hardware-aware optimization, and resource tuning recommendations.
| Feature | OSS | Enterprise | Ultimate |
|---|---|---|---|
| TLS acceleration with Multi-Buffer | -- | Sidecar / Ambient | Sidecar / Ambient |
| Console-based selective service discovery | -- | Sidecar / Ambient | Sidecar / Ambient |
| Automatic sidecar resource optimization based on access log analysis | -- | Sidecar only | Sidecar only |
| Hardware-software co-design with NFD (AVX instruction sets, QAT acceleration) | -- | Sidecar / Ambient | Sidecar / Ambient |
| Best practices for service definitions and parameter tuning | -- | Sidecar / Ambient | Sidecar / Ambient |
Stability and scale
| Dimension | OSS | Enterprise Edition | Ultimate Edition |
|---|---|---|---|
| Data plane scale | Development and testing only | 1,000 pods | 10,000 pods |
| Hosted Istiod | -- | Multiple replicas | Multiple replicas |