This topic provides the latest updates for Service Mesh (ASM).
October 2025
Feature | Description | Regions | Applicable versions | Applicable editions | References |
Support for version 1.26 |
| All | N/A | All | |
Enhanced graceful shutdown for ASM gateways | Supports a longer drain duration and provides better support for the HTTP and gRPC protocols. | All | 1.26 and later | Enterprise Edition and Ultimate Edition | |
Support for managing ASM through the ACK component center | Create and add ASM instances through the ACK component center. | All | N/A | All |
August–September 2025
Feature | Description | Regions | Applicable versions | Applicable editions | References |
Data plane KubeAPI access | Supports server-side apply and patch operations. | All | 1.25.6.101 and later | All | Access Istio resources through the KubeAPI of a data plane cluster |
New diagnostic items for mesh diagnostics | New diagnostic items:
| All | 1.25.6.101 and later | All | |
Graceful shutdown support for waypoints in Ambient mode | You can customize the ProxyConfig field of the waypoint proxy to specify drain-related parameters. This enables graceful shutdown during waypoint rolling updates. | All | 1.25.6.101 and later | All | |
ASM gateways use Alibaba Cloud NLB by default | Network Load Balancer (NLB) is a new-generation Layer 4 load balancing service from Alibaba Cloud. It is designed for the Internet of Everything (IoE) era. NLB delivers ultra-high performance and automatic elasticity, easily handling high-concurrency scenarios with massive numbers of connections. | All | 1.18 and later | Enterprise Edition and Ultimate Edition |
June–July 2025
Feature | Description | Regions | Applicable versions | Applicable editions | References |
Support for version 1.25 | Supports Istio 1.25. Ambient sidecarless mode is generally available (GA):
| All | N/A | All | |
Mesh Diagnostics 2.0 | Adds more than 30 new diagnostic rules. Supports diagnostics for Ambient mode, standardizes diagnostic results, and provides more specific content. Remains compatible with the upstream community. | All | 1.25 and later | All | N/A |
Certificate management support | Deploy certificates to data plane clusters directly from the Certificate Management Service console for use on ASM gateways. | All | 1.25 and later | All | Use SSL certificates provided by Certificate Management Service in an ASM gateway |
Enhanced circuit breaking and throttling | Enhances semantic self-consistency. Supports referencing VirtualService and Kubernetes Service resource objects in throttling objects. | All | 1.25 and later | All | |
GUI operations for the traffic scheduling suite | You can enable and configure the traffic scheduling suite from the GUI. This simplifies usage and improves user experience. | All | All | All | Use the ASM traffic scheduling suite for traffic control in distributed systems |
April–May 2025
Feature | Description | Regions | Applicable versions | Applicable editions | References |
Set sidecar resources based on the resource ratio of application containers | You can configure a ratio to set the resource size of the sidecar container proportionally to the resources of the application container. | All | 1.24 and later | All | |
Local development and testing with KtConnect and Service Mesh | KtConnect is a local developer tool for Kubernetes. Its deployed proxy is compatible with the core traffic management features of Service Mesh. Using it with the traffic resources of Service Mesh, you can debug local applications more efficiently and accelerate local development and testing. This topic describes how to use KtConnect with ASM for local development and testing. | All | All | All | Local development and testing with KtConnect and Service Mesh |
Custom return status codes for throttling | Local throttling supports custom return status codes. | All | 1.24.6.64 and later | All | |
Tracing Analysis configuration at the namespace and workload levels | Starting from version 1.24.6.83, ASM lets you modify Telemetry resources through the Kubernetes API to configure Tracing Analysis at the namespace and workload levels. | All | 1.24.6.83 and later | All | |
Configure trusted XFF CIDRs on gateways | In addition to configuring the number of trusted proxies, you can now configure trusted CIDRs. This provides more flexibility in obtaining the originating IP addresses of requests. | All | 1.24 and later | All | Configure the X-Forwarded-For header to allow ASM gateways to obtain client IP addresses |
March 2025
Feature | Description | Regions | Applicable versions | Applicable editions | References |
Enable the "force injection of ASM sidecars" policy | You can enable the "force injection of ASM sidecars" policy in ACK Policy Management to secure east-west traffic within the cluster. | All | 1.24 and later | All | Enable the security policy to force sidecar injection for a cluster |
ASMCircuitBreaker enhancement | Enhances ASMCircuitBreaker to support configuring circuit breaking rules for gateway errors. | All | 1.24.6.54 and later | All | |
LLMRoute CRD documentation | The | All | 1.21 and later | All | |
Manage Service Mesh resources using the Go SDK | Manage resources in Service Mesh using the Go SDK. | All | 1.24 and later | All | |
Configure Grafana dashboards and alert rules for circuit breaking and throttling protection | Provides best practices for configuring Grafana dashboards and alert rules for circuit breaking and throttling protection. | All | All | All | Configure Grafana dashboards and alert rules for circuit breaking and throttling protection |
February 2025
Feature | Description | Regions | Applicable versions | Applicable editions | References |
CNI compatibility with debian_12_7_x64_20G_alibase_20241031.vhd | ASM CNI supports nodes that use the Debian operating system. | All | 1.24 and later | All | None |
Configure mesh instances using the ASMMeshConfig CRD | ASMMeshConfig is a custom resource provided by Alibaba Cloud Service Mesh (ASM) for globally configuring core parameters of a service mesh. This CRD allows for centralized management of mesh-level configurations such as connection timeouts, protocol detection, path normalization, and retry policies. It also supports resource quotas and behavior control for the sidecar injector. | All | 1.24 and later | All | |
Message queue adaptation for traffic lanes | In flexible traffic lane scenarios, if you want message queues to maintain and carry tracing information, your application needs some adaptation. ASM provides a standard adaptation solution for reference. | All | 1.21 and later | All | |
ASMEgressTrafficPolicy supports connecting to external TCP services | ASMEgressTrafficPolicy now supports external TCP services. You can use ASMEgressTrafficPolicy to easily configure egress traffic for protocols such as HTTP, HTTPS, and TCP. This update also supports automatic allocation of egress gateway ports, reducing the maintenance burden. | All | 1.24 and later. | All | |
ASMExtensionProviders CRD documentation | ASMExtensionProvider is a component used to extend and configure mesh features. It supports flexible integration and customized configuration of key features such as Tracing Analysis and access logs. | All | 1.23 and later | All |
January 2025
Feature | Description | Regions | Applicable versions | Applicable editions | References |
Support for version 1.24 | Supports Istio 1.24. | All | N/A | All | |
Enhanced load balancing and traffic management for in-cluster LLM services | For LLM inference services deployed in Kubernetes clusters, classic load balancing methods are not effective due to the unique characteristics of LLM inference traffic and workloads. Additionally, LLM inference-related information cannot be obtained from logs and monitoring metrics. Service Mesh (ASM) lets you declare inference service pools and routing definitions for LLM inference services deployed within a cluster. This improves the load balancing performance of LLM inference services while enabling traffic routing and observability. This feature currently supports LLM inference services deployed based on vLLM. | All | 1.24 or later | All | |
In-place migration from Istio | Supports in-place migration to ASM for clusters that have Istio installed. During the migration, ASM and Istio coexist. You can gradually switch workloads from injecting Istio sidecars to injecting ASM mesh proxies until all Istio sidecars are replaced. This feature helps you migrate from Istio to ASM progressively and without downtime. Currently, ASM in-place migration supports migrating single-cluster Istio, primary-remote, multi-primary, and mixed primary-remote and multi-primary Istio deployments to ASM. | All | 1.24 or later | All |
December 2024
Feature | Description | Regions | Applicable versions | Applicable editions | References |
Support for version 1.23 | Supports Istio 1.23. | All | 1.23 or later | All | |
Use Envoy External Processing for custom request handling | Envoy External Processing is an extension that allows Envoy to enhance its HTTP request and response handling capabilities through an external processing service. This eliminates the need to write Wasm plugins or other processing scripts, making the process more flexible and scalable. | All | 1.23 or later | All | |
Support for token-based throttling for LLM requests | Throttling LLM requests is different from throttling normal HTTP requests. The number of tokens consumed by each LLM request is not fixed and needs to be dynamically obtained from the response. ASM provides a default LLM request throttling capability based on the token bucket algorithm. You can also customize the throttling algorithm. | All | 1.23 or later | All | |
Support for excluding pods with specified labels from the service discovery scope | When a pod is outside the service discovery scope, the service mesh control plane will not discover this pod. Any requests proxied by a sidecar will not be sent to this pod. You can configure a label selector to exclude pods with specified labels from the service discovery scope. This lets you quickly divert all traffic from a pod, enabling rapid traffic shifting in case of a failure. | All | 1.20 or later | All | Configure a service discovery scope to improve the efficiency of mesh configuration pushes |
New field support for ASMGrpcJsonTranscoder | The ASMGrpcJsonTranscoder CRD is used for JSON/HTTP-to-gRPC protocol transcoding. In version 1.22 and later, ASMGrpcJsonTranscoder adds support for multiple new fields to handle advanced scenarios, such as converting gRPC errors to the response body and ignoring specific request query parameters. | All | 1.22 or later | All | |
LLM traffic management | Most major large language model (LLM) providers offer services to users through the HTTP protocol. This protocol has been specially optimized for LLM requests. ASM now supports the protocol standards of several major LLM providers, offering a simple and efficient integration experience. This topic describes how to manage LLM traffic in ASM from the perspectives of traffic routing and observability. | Alibaba Cloud International Website (www.alibabacloud.com) | 1.21 or later | All |
November 2024
Feature | Description | Regions | Applicable versions | Applicable editions | References |
Implement user identity-based canary testing with traffic lanes and hash tagging | In a production environment, developers may want to use traffic lanes to isolate stable and canary release versions and route traffic to different lanes based on user identity. Specifically, you might want to route a specific group of users to the canary release version for testing, while routing a certain percentage of requests from other users to the canary release version randomly based on weight. | All | 1.18 or later | All | Implement user identity-based canary testing with traffic lanes and hash tagging |
ASM supports namespace-level RBAC authorization | You can use RBAC authorization to control the permissions of RAM users and RAM roles to operate on ASM custom resources. When RAM users and RAM roles need to operate on custom resources within ASM, you must grant them RBAC authorization. | All | All | All |
October 2024
Feature | Description | Regions | Applicable versions | Applicable editions | References |
Support for multi-primary control plane mode | Supports a multi-primary control plane mode, where multiple Service Mesh instances jointly manage multiple Kubernetes clusters. Compared to adding multiple Kubernetes clusters to a single ASM instance, the multi-primary control plane architecture offers significant advantages in configuration isolation and configuration push latency. It is more suitable for building multi-cluster disaster recovery plans with peer-to-peer business deployments. | All | 1.22 and later | All | Implement multi-cluster disaster recovery through the ASM multi-primary control plane architecture |
Native sidecar proxy documentation | Kubernetes 1.28 introduced the native sidecar mechanism, addressing known issues with its lifecycle and the pod lifecycle. ASM has adapted to support this feature starting from version 1.22. It supports adaptively switching to the native sidecar mode to add mesh proxy containers to pods. | All | 1.22 and later | All | |
Added metric collection instructions for the traffic scheduling suite | By integrating with Alibaba Cloud Managed Service for Prometheus or a self-managed Prometheus instance, you can configure the collection of monitoring metrics for the ASM request scheduling agent. This lets you monitor the traffic scheduling behavior of various policies in the ASM traffic scheduling suite. | All | 1.21 and later | All | Use the ASM traffic scheduling suite for traffic control in distributed systems |
Use Wasm plugins to extend dimension information for monitoring metrics in ASM | In addition to built-in monitoring metrics and dimensions, ASM provides a powerful extension mechanism. You can write your own processing logic based on request or response information and add the processed results to the dimensions of monitoring metrics. This allows for better monitoring of application runtime status. | All | 1.18 and later | All | Use a Wasm plugin to extend the dimension information of ASM monitoring metrics |
New periodic cleanup mechanism for monitoring metrics | Service Mesh (ASM) generates metrics for all inbound, outbound, and internal service traffic to monitor service behavior. These metrics include total traffic count, error rate, and request response time. However, long-term operation generates a large amount of metric data, significantly increasing the resource consumption of Envoy and Prometheus. To address this, ASM provides a periodic cleanup configuration for monitoring metrics. It supports periodically cleaning up unused metrics cached in Envoy for a certain period to reduce Envoy memory consumption and lower the network load when Prometheus scrapes metrics. | All | 1.18 and later | All |
September 2024
Feature | Description | Regions | Applicable versions | Applicable editions | References |
Support for deploying and using ASM on CloudBox | You can create a CloudBox node pool in an ACK cluster and schedule application pods to CloudBox nodes to use CloudBox resources. After adding the ACK cluster to ASM, ASM will manage pods in both the public cloud and the CloudBox node pool, providing rich and unified routing, security, and observability for traffic between applications. | All | All | All | |
Support for importing Kubeconfig for cluster management | ASM supports using a Kubeconfig with cluster administrator permissions to import any type of Kubernetes cluster and manage its applications. | All | 1.22 or later | All | |
Best practice: End-to-end security | In TLS communication, the client verifies whether the certificate provided by the server is valid, but the client itself does not need to provide a certificate. This means the server cannot verify the client's identity. In scenarios requiring a higher level of security, the server also needs to verify the client's identity, which requires mTLS communication. mTLS requires both the client and server to provide certificates. Encrypted communication can only proceed after mutual verification. | All | 1.22 or later | All | |
Best practice: Custom error page | In certain situations, an ASM gateway or mesh proxy may directly return an HTTP response with a specific response code to the downstream service without proxying the request to the upstream service. The | All | All | All | |
ASMSwimlane/ASMSwimlaneGroup CRD documentation update | Traffic lanes support customizing destination traffic policies and HTTP routing operations for services within a traffic lane group. | All | 1.22 or later | All | |
Support for remote control plane mode | When the data plane cluster is located in another cloud service or an on-premises data center, and connects to the ASM control plane over the Internet or through other special means with an unstable or bandwidth-limited network, it is recommended to use the ASM remote control plane to reduce push latency. | All | 1.22 or later | All | |
Develop Wasm plugins using Rust | ASM supports deploying Wasm plugins in the mesh proxy to implement custom processing logic. The proxy-wasm community provides a Rust SDK for Wasm. | All | 1.18 or later | All |
August 2024
Feature | Description | Regions | Applicable versions | Applicable editions | References |
Support for version 1.22 | Supports Istio 1.22, including the following important updates:
| All | 1.22 or later | All | N/A |
New ACMG mode | Alibaba Centralized Mesh Gateway (ACMG) mode is a solution designed for large-scale network architectures to enhance network scalability, flexibility, and management efficiency. | All | 1.22 or later | All | |
Support for egress traffic security protection | Protects the security of traffic transmitted from within the mesh to the outside based on ASMEgressTrafficPolicy and egress gateways. | All | 1.20 or later | All | |
Enhanced multi-cluster capabilities | Enhances east-west gateway capabilities. Cross-cluster calls via the east-west gateway support full Layer 7 load balancing and authorization policies, and shield CIDR conflicts. For multi-cluster scenarios where underlying network connectivity is not available, using the ASM east-west gateway provides an experience fully aligned with that of a connected underlying network. | All | 1.22 or later | Enterprise Edition, Ultimate Edition | |
ARMS uses a new integration center (extended metrics) | Service Mesh (ASM) supports enabling monitoring metrics for the service mesh data plane. This allows gateways and sidecar proxies to generate metrics related to their operational status and collect these metrics in Alibaba Cloud Managed Service for Prometheus. | All | 1.17.2.35 or later | All | |
Best practice - Support for integrating custom authorization services | Supports connecting to custom authorization services using HTTP and gRPC protocols to meet user needs for integrating existing or custom-implemented authorization services. | All | 1.20 or later | All | |
Support for metric monitoring and alerting for throttling and circuit breaking | Supports collecting monitoring metrics related to throttling and circuit breaking capabilities, such as local throttling, global throttling, service-level circuit breaking, host-level circuit breaking, and connection pool circuit breaking, into Managed Service for Prometheus. It also supports configuring alerts based on these monitoring metrics for when throttling or circuit breaking events occur. | All | All | All |
July 2024
Feature | Description | Regions | Applicable versions | Applicable editions | References |
ASM gateways support HTTP/3 and QUIC protocols | ASM gateways support the HTTP/3 protocol. Compared to HTTP/2, HTTP/3 has lower handshake latency, supports a new multiplexing mechanism, allows connection migration, and is more secure. HTTP/3 is based on the UDP protocol and can enable TCP and UDP listeners on the same port simultaneously without affecting existing HTTP/2 and HTTP/1 listeners. | All | 1.16 or later | All | |
Sidecar configuration supports setting the maximum number of downstream connections | Supports configuring the maximum number of downstream connections that a mesh proxy can accept, based on business needs. By properly configuring this limit, you can prevent malicious attacks on the mesh proxy. | All | 1.21 or later | All | |
Support for configuring path normalization policies | Supports configuring path normalization policies for HTTP requests in the mesh proxy. This ensures that the paths of HTTP requests in the service mesh remain consistent and standardized, reducing security risks. | All | 1.21 or later | All | |
ASM traffic scheduling suite supports closed-loop feedback, concurrency limit, concurrency scheduling, and quota scheduling policies | The ASM traffic scheduling suite supports four new policies:
| All | 1.21 or later | All | Use the ASM traffic scheduling suite for traffic control in distributed systems |
Playground feature | ASM Playground lets you set up a complete environment for a specific scenario with a single click, including workloads and all declarative API (CR) resources. Each ASM Playground demonstrates a specific scenario and automatically deploys the required resources, allowing you to have some control over the scenario (the degree of control depends on the scenario). This way, you can quickly set up a scenario environment and experience the powerful features of ASM with just one click. | All | 1.21 or later | All |
June 2024
Feature | Description | Regions | Applicable versions | Applicable editions | References |
Service mesh network packet capture | For traffic within the service mesh, the network packet capture task can quickly capture traffic information for a workload, assisting in the rapid diagnosis of complex traffic issues. | All | 1.21 or later | All | Use network packet capture tasks to diagnose traffic in the mesh |
ASM traffic scheduling suite | The ASM traffic scheduling suite is a unified traffic scheduling architecture pattern based on Service Mesh, along with various traffic scheduling policies developed based on this pattern. It can implement various advanced traffic scheduling scenarios, such as per-user throttling and request priority scheduling. | All | 1.21 or later | All | Use the ASM traffic scheduling suite for traffic control in distributed systems |
New EWMA load balancing mechanism | The EWMA load balancer calculates a score for each node by computing the moving average of static weights, latency, error rates, and other factors to make load balancing decisions. In scenarios where applications experience occasional increases in latency or errors, it avoids abnormal endpoints to improve overall performance. | All | 1.21 or later | All | Use Exponentially Weighted Moving Average (EWMA) for workload latency-based load balancing |
Enhanced Knative integration | Knative on ASM releases version 1.12.4 and optimizes the integration experience with Container Service for Knative, enabling one-click deployment. | All | 1.21 or later | All | |
Improved Terraform support |
| All | 1.21 or later | All |
May 2024
Feature | Description | Regions | Applicable versions | Applicable editions | References |
Release of Istio 1.21. | Releases the official version of Istio 1.21, available in all regions. It is compatible with the latest community features, including the following:
Important In version 1.21, the ability for a sidecar proxy to load a bootstrap configuration before startup is deprecated. For more information, see Configure a sidecar proxy. | All | 1.21 or later | All | |
Traffic lanes | Traffic lanes 3.0 supports baggage pass-through and traffic routing by percentage. | All | 1.21 or later | All | |
Enhanced multi-cluster capabilities | Provides a new multi-cluster network solution. In scenarios where the underlying network cannot be connected, it supports using ASM east-west gateways to connect the cluster network over the Internet. A new document, Overview of multi-cluster management, has been added to fully describe the modes and paths of ASM multi-cluster management. | All | 1.21 or later | All | |
Mesh topology supports subgraph display | Mesh topology supports selecting a namespace and an application within that namespace to directly view the sub-topology around that application. This optimizes the display and usability of the service topology for large-scale services. | All | 1.21 or later | All | |
ASMCompressor supports route-level configuration | ASMCompressor supports route-level configuration, enabling scenarios where it is enabled by default but disabled on specific routes. This simplifies configuration and reduces the risk of misconfiguration. | All | 1.21 or later | All | Use ASMCompressor to define compression configurations for inter-application service calls |
April 2024
Feature | Description | Regions | Applicable Istio versions | Applicable editions | References |
Release of Istio 1.21. | Releases Istio 1.21 (whitelist canary), compatible with the latest community features, including the following:
Important In version 1.21, the ability for a sidecar proxy to load a bootstrap configuration before startup is deprecated. For more information, see Configure a sidecar proxy. | All | 1.21 or later | All | |
Automatically issue certificates for ASM gateways using the ACME protocol | Automatic Certificate Management Environment (ACME) is a protocol for automating the processing of X.509 digital certificate signing requests. Through the ACME protocol, a Certificate Authority (CA) can automatically verify the domain ownership of a certificate applicant and then issue a certificate. ASM gateways support connecting to various CAs via the ACME protocol to dynamically obtain domain name certificates, reducing the burden of certificate maintenance. | All | All | All | |
eRDMA+SMC data plane performance optimization | On Alibaba Cloud's 8th generation ECS instances that support eRDMA, in an Alinux 3 environment, you can enable SMC-based performance optimization for service mesh data plane communication. | All | 1.21 or later | All | Accelerate network performance between service mesh pods based on eRDMA |
Manage connectivity between control plane and data plane clusters across VPCs using PrivateLink | When the VPC of an ASM instance is different from the VPC of a data plane ACK cluster but they are in the same region, you can use PrivateLink to manage connectivity between the control plane and data plane clusters across VPCs. ASM provides a CRD-based method to simplify network connectivity. | All | 1.21 or later | All | Manage connectivity between control plane and data plane clusters across VPCs using PrivateLink |
Use dynamic subset routing to accelerate model service mesh inference | Use the dynamic subset routing capability of Service Mesh (ASM) to accurately route requests directly to the correct runtime environment, accelerating the inference process of the model service mesh. | All | 1.21 or later | All | Use dynamic subset routing to accelerate model service mesh inference |
Use ASMCircuitBreaker to configure circuit breaking rules for inter-service call traffic | Use the ASMCircuitBreaker CRD to configure circuit breaking rules for east-west call traffic. | All | 1.19 and later | All | Use ASMCircuitBreaker to configure circuit breaking rules for inter-service call traffic |
March 2024
Feature | Description | Regions | Applicable Istio versions | Applicable editions | References |
Access logs support output definition in plain text (non-JSON). | Supports outputting access logs to the container's standard output in plain text format. Compared to JSON format, plain text has higher information density and saves space. | All | v1.20 and later | All | |
Support for configuring maintenance windows. | Supports configuring service mesh maintenance windows to specify the time for automatic maintenance of the managed control plane. | All | All | All | |
Support for developing Wasm extensions for mesh proxies using Go. | Supports developing Wasm extensions using Go and inserting them into the filter chain of the mesh proxy. This allows for more flexible implementation of specific scenario requirements, such as dynamically adding or modifying HTTP headers according to specific rules, adjusting routing destinations, and accessing external custom authorization services. | All | v1.18 and later | All | |
Support for managed security groups. | New ASM instances start using managed security groups to provide a higher level of security protection for the ASM control plane. | All | v1.20 and later | All |
February 2024
Feature | Description | Regions | Applicable Istio versions | Applicable editions | References |
Release of Istio 1.20. | Releases Istio 1.20, compatible with the latest community features. | All | v1.20 and later | All | |
ASM gateways support canary upgrades. | To better ensure business continuity after an upgrade, ASM gateways support canary upgrades. You can first start a new version of the gateway pod to verify traffic. After verification passes, you can fully upgrade the gateway. If any issues occur during verification, you can delete the new version of the pod at any time and continue the upgrade after resolving the issues. | All | v1.20 and later | All | |
Support for collecting monitoring metrics for in-mesh applications via mTLS. | For some critical business services, in addition to encrypting business communication, it is also necessary to encrypt the collection of monitoring metrics. ASM supports collecting monitoring metrics for in-mesh applications via mTLS. | All | All | All | Collect monitoring metrics for in-mesh applications via mTLS |
Optimized plugin center and Envoy filters. |
| All | v1.18 and later | All | |
Support for managing Envoy filter templates and traffic lanes in a declarative way |
| All | v1.20 and later | All |
January 2024
Feature | Description | Regions | Applicable Istio versions | Applicable editions | References |
Mesh diagnostics feature supports intelligent diagnostics. | Integrates an AI assistant for intelligent diagnostics. After generating diagnostic results, it uses a large language model to explain the causes of diagnostic items and their solutions. | All | All | All | |
Enhanced mesh topology feature. | Mesh topology provides more powerful observability and usability improvements.
| All | All | All | |
Support for custom request and response headers. | Supports using VirtualService and EnvoyFilter resources to customize request and response headers. | All | All | All | |
Scenario-based throttling feature. | Provides best practices for using the throttling feature in the following specific scenarios.
| All | v1.11.5 and later | Enterprise Edition, Ultimate Edition |
December 2023
Feature | Description | Regions | Applicable Istio versions | Applicable editions | References |
Release of Istio 1.19 and 1.18 patch versions. |
| All | All | All | None |
CLB for new ASM clusters switched to pay-as-you-go billing. | When creating a new ASM cluster (ASM instance), a private-facing, pay-as-you-go CLB instance is created by default for API Server and Istio control plane access. | All | All | All | |
Support for using CEL to set log filtering rules. | Supports using Common Expression Language (CEL) to set log filtering rules. In high-traffic business scenarios, filtering logs based on specific conditions can save resource overhead for sidecar proxies and allow focus on critical log content. | All | v1.18 and later | All | |
Simplified management of local throttling. | Enhances the local throttling feature to meet common user throttling needs, while providing a graphical interface to simplify the configuration process and reduce operational errors, thereby improving overall usability. | All | v1.18 and later | All |
November 2023
Feature | Description | Regions | Applicable Istio versions | Applicable editions | References |
Support for model service mesh. | Manage and route model services through the mesh, providing features such as traffic splitting, A/B testing, and phased releases to better control and manage model service traffic, and easily switch between and roll back different model versions. Supports dynamic routing, which can route requests to the appropriate model service based on request attributes, such as model type, data format, or other metadata. Using a model service mesh, developers can more easily deploy, manage, and scale machine learning models, ensuring their high availability, elasticity, and flexibility to meet various business needs. | All | v1.18 and later | All | |
Support for standalone deployment of ASM gateways in Serverless form. | Provides a Serverless gateway form based on virtual nodes and ECI, deployed independently in a Serverless manner to support various elastic and node-free O&M scenarios. | All | v1.18 and later | All | Use an ASM Serverless gateway to improve high availability and elasticity |
Managed mesh topology service supports CLB mounting. | The managed mode of mesh topology supports direct access to applications deployed within the mesh via Server Load Balancer (CLB), simplifying the access configuration of the mesh topology. | All | v1.18 and later | All | |
Support for KServe 0.11. | Supports integration with KServe 0.11 to simplify user management of model service workloads. Supports deploying Transformer services via InferenceService. You can select the KServe version as needed during integration. | All | v1.18 and later | All | |
Support for connecting to OpenTelemetry Collector. | ASM switches the observability tracing export method to OpenTelemetry (users who have already connected via Zipkin can continue to use the old method), facilitating easy connection to Alibaba Cloud ARMS Tracing Analysis or self-managed tracing services. | All | v1.18 and later | All |
October 2023
Feature | Description | Regions | Applicable Istio versions | Applicable editions | References |
Release of ASMCompressor, supporting CRD-based definition of compression configurations for inter-application service calls. | Provides the ability to define compression configurations for inter-application service calls via CRDs, supporting a consistent way to add compression filters to applications. Supports Gzip and Brotli compression algorithms. | All | v1.18 and later | All | |
Release of ASMGrpcJsonTranscoder, supporting CRD-based definition of JSON/HTTP to gRPC conversion configurations for inter-application service calls. | Provides the ability to define JSON/HTTP to gRPC conversion configurations for inter-application service calls via CRDs, supporting a consistent way to add transcoding filters to applications. Supports JSON/HTTP to gRPC conversion configurations. | All | v1.18 and later | All | |
Support for custom extension of ASM data plane with Wasm plugins. | Supports configuring custom Wasm plugins for ASM mesh proxies or ASM gateways, enhancing the extensibility of the ASM data plane. Wasm plugins can be written in multiple languages (such as C++ and Golang) and loaded in various forms (such as HTTP, OCI Image Hub, and ConfigMap). | All | v1.18 and later | All | Use a Coraza Wasm plugin to implement WAF capabilities on an ASM gateway |
Release of ASMGlobalRateLimiter, supporting global throttling for gateways and application services. | Provides the ability to define global throttling for gateways and application services via CRDs. | All | v1.18 and later | All |
September 2023
Feature | Description | Regions | Applicable Istio versions | Applicable editions | References |
Release of dynamic subset load balancing. | Provides a dynamic subset load balancing feature that allows flexible selection of target service subsets based on dynamic information such as request | All | v1.18 and later | Enterprise Edition, Ultimate Edition | |
Release of traffic lanes 2.0, supporting strict and loose modes. | Supports strict and loose modes. In loose mode, the fallback mechanism based on the baseline traffic lane simplifies handling in scenarios where end-to-end request headers are already passed through. | All | v1.18 and later | Enterprise Edition, Ultimate Edition | |
Release of mesh topology 2.0, supporting enabling mesh topology in managed mode. | Compared to enabling mesh topology with a deployment inside the data plane Kubernetes cluster, managed mode mesh topology offers greater advantages in unified multi-cluster observability, configuration complexity, and service reliability. | All | v1.18 and later | Enterprise Edition, Ultimate Edition |
August 2023
Feature | Description | Regions | Applicable Istio versions | Applicable editions | References |
Support for a new data plane mode. | Provides a new data plane mode compatible with the community's Istio Ambient Mesh. You can adopt service mesh technology in a progressive, incremental way based on the scope of required features, including new L4 and L7 routing and authorization features. | All | v1.18 and later | Enterprise Edition, Ultimate Edition | |
Release of Istio 1.18. | Releases Istio 1.18, compatible with the latest community features. | All | v1.18 and later | All | None |
Mesh CNI mode used by default when creating an ASM instance. | The mesh CNI mode is used by default when creating an ASM instance, adapting to CNI DaemonSet compatibility in environments such as ACK on ECI and ACK Serverless. | All | v1.18 and later | All | |
Support for Knative 1.8. | When deploying Serverless workloads with Knative on ASM in ASM 1.18, version 1.8 of Knative is used by default. | All | v1.18 and later | All | |
ASM gateways support Network Load Balancer (NLB). | Supports using Network Load Balancer (NLB) upon creation, leveraging NLB's ultra-high performance and automatic elasticity to further enhance traffic stability. | All | v1.18 and later | All |
July 2023
Feature | Description | Regions | Applicable Istio versions | Applicable editions | References |
New control plane canary upgrade. | Supports an upgrade mode based on revisions and labels to perform canary upgrades of the new version control plane in a safer and more stable manner. | All | v1.16 and later | Enterprise Edition, Ultimate Edition | |
Simplified tag sync management for global namespaces. | Adds support for associating global namespaces with specific Kubernetes clusters, allowing you to selectively sync different namespace labels to different clusters. The ASM console provides the namespace label | All | v1.16 and later | All | |
New audit alerts for mesh resource operations. | After enabling the mesh audit feature, you can configure alerts in SLS to add audit alert capabilities for changes to mesh resources. This sends timely alert notifications to alert contacts when important resources are modified. | All | v1.15 and later | All | |
Adaptive configuration push optimizes egress gateway configuration. | After the adaptive configuration push optimization feature is enabled, the cluster deploys an egress gateway named istio-axds-egressgateway and adds the ability to modify its configuration. | All | v1.15 and later | All | Use adaptive configuration push to improve the push efficiency of the control plane |
Support for integrating an external OPA execution engine. | Compared to the sidecar mode, an external OPA can achieve lower resource consumption, allow applications to be connected without restarting, and freely decide which requests arriving at the application should execute OPA policies. | All | v1.15 and later | All | Use ASM security policies to connect to an external OPA execution engine |
New gateway log dashboards. | Adds a gateway-level log page. You can view the raw logs and log dashboards for a specific gateway separately. | All | v1.17 and later | All |
June 2023
Feature | Description | Regions | Applicable Istio versions | Applicable editions | References |
New observability management center 2.0. | Provides integrated observability rule settings for logs, monitoring metrics, and tracing analysis. | All | v1.17.2.35 and later | All | |
Dynamically enable or disable the merging of Istio and application monitoring metrics. | Enables services with existing Prometheus monitoring endpoints to output their original business metrics through the mesh proxy by merging Istio and application metrics. | All | v1.17 and later | All | |
Service discovery scope configuration supports a blacklist mode for namespaces. | This feature supports both whitelist and blacklist modes. In blacklist mode, the ASM control plane discovers and processes only applications in namespaces that are not on the blacklist. This improves the efficiency of pushing configurations from the control plane to the Sidecar proxies in the data plane. | All | v1.17 and later | Enterprise Edition, Ultimate Edition | Configure the service discovery scope to improve mesh configuration push efficiency |
Traffic management now supports a fallback mechanism. | A fallback mechanism provides an alternative execution path when a service invocation fails. ASM supports this feature by letting you define the fallback parameter in a VirtualService. | All | v1.17 and later | Enterprise and Ultimate Editions | |
Supports logon to the grid topology with Resource Access Management (RAM) users and custom access methods. | Supports default logon to the grid topology UI console with Alibaba Cloud RAM users, and configuration of the access domain name, port, root path, and protocol. | All | v1.17 or later | All | |
ASM certificate management supports anomaly alerts in Simple Log Service (SLS). | Supports configuring alerts for certificate management in control plane alerting. The supported alarm metrics are expired and expiring soon. | All | v1.17 and later | All |
May 2023
Feature | Feature description | Release region | Applicable Istio version | Applicable product edition | References |
Release of Istio 1.17. | Istio 1.17 is released. This version is compatible with the latest features from the community. | All | v1.17 and later | All | None |
KServe on ASM supports MLOps management for model services. | ASM now supports integration with KServe to manage model service workloads. | All | v1.17 and later | Enterprise Edition, Ultimate Edition | Use KServe on ASM for cloud-native AI model inference services |
ASM gateways support a serverless mode. | An ASM serverless gateway is a type of serverless gateway based on virtual nodes and ECI. It supports various elastic and node-free O&M scenarios. | All | v1.16 and later | Enterprise Edition, Ultimate Edition | Use ASM serverless gateways to support elastic business scenarios |
Global certificate management. | ASM supports global certificate management:
| All | v1.17 and later | All | |
Mesh topology supports the visualization of Istio resources. | The mesh topology page has a new "Virtual Service logo" display option. This option lets you check whether virtual service resources are configured in the mesh topology. | All | v1.15 and later | Enterprise Edition, Ultimate Edition | |
Mesh diagnostics supports excluding specified namespaces at runtime. | When running mesh diagnostics, select namespaces to exclude. Diagnostic results are not generated for the excluded namespaces. | All | v1.17 and later | All |
April 2023
Feature | Feature description | Release region | Applicable Istio version | Applicable product edition | References |
Support for Istio 1.16. | Compatible with the community Istio 1.16 series. | All | 1.16 and later | All | None |
Enhanced sidecar injection management. | Simplified configuration management for injection policies and sidecar injectors. | All | 1.16 and later | All | |
Support for the gRPC-JSON transcoder plugin. | Lets you use RESTful APIs or other HTTP/JSON tools to access gRPC services. This simplifies integration with and the use of gRPC services. | All | 1.16 and later | Enterprise Edition, Ultimate Edition | Use ASMGrpcJsonTranscoder to request gRPC services in a mesh using HTTP/JSON |
RAM logon for ASM Mesh Topology. | Lets you use an Alibaba Cloud RAM user to log on. This enables single sign-on (SSO) for the ASM Mesh Topology user interface (UI). | All | 1.16 and later | Enterprise Edition, Ultimate Edition |
March 2023
Feature | Description | Publishing region | Supported Istio versions | Applicable product specifications | References |
The gateway supports integration with WAF. |
| All | All | Enterprise Edition, Ultimate Edition | |
Supports configuring Ingress resources. | Supports using Ingress resources to specify traffic rules for ASM gateways in data plane clusters. | All | v1.16 and later | Enterprise Edition, Ultimate Edition | Use an ASM gateway as an Ingress controller to expose services in a cluster |
Manages Knative services. | Integrates the Knative Serving capabilities of ACK and ACK Serverless clusters to simplify the management of serverless workloads. | All | v1.16 and later | Enterprise Edition, Ultimate Edition | |
The grid topology supports OpenID Connect (OIDC) logon. | Integrates the OpenID Connect (OIDC) protocol and an identity provider (IdP), letting you configure single sign-on (SSO) for the grid topology from the ASM console. | All | v1.15.3.120 or later | Enterprise Edition, Ultimate Edition | |
The Sidecar proxy supports oversubscription mode. | Dynamic resource overcommitment supports setting the resource type for the Proxy pod. | All | v1.16 or later | Enterprise Edition, Ultimate Edition | |
Added a new egress traffic policy: ASMEgressTrafficPolicy. | An ASMEgressTrafficPolicy defines how to manage and access external traffic through an egress gateway. You can combine Sidecar and AuthorizationPolicy resources for more comprehensive control over egress traffic. | All | v1.16 or later | Enterprise Edition, Ultimate Edition | |
Supports a global default retry policy for HTTP requests. | Supports a global default retry policy for HTTP requests, including the number of retries, retry timeout period, and retry conditions. | All | v1.15 and later | All | None |
February 2023
Feature | Feature description | Release region | Applicable Istio version | Applicable product edition | References |
Released Istio version 1.15.3.105. | Compatible with the community Istio 1.15 series. Supports Kubernetes versions 1.21 to 1.25. | All | v1.15.3.105 | All | None |
Enhanced mesh observability. |
| All | All | All | |
Optimized ASM Mesh Topology performance. |
| All | v1.14 and later | All | |
Enhanced multi-cluster traffic management. | Supports configuring in-cluster traffic locality in a multi-cluster environment. When this feature is enabled for a service, traffic is directed only to workloads within the same cluster. | All | v1.15.3.101 and later | All | Disaster recovery scenarios for multiple ACK clusters in the same VPC |
Enhanced Sidecar proxy configuration. |
| All | v1.15.3.101 and later | All | |
Support for custom configuration of ASM gateways and enhanced observability. |
| All | All | Enterprise Edition, Ultimate Edition |
January 2023
Feature | Feature description | Publish region | Supported Istio versions | Applicable product specifications | References |
Query the grid topology for any time range. | Query topology graphs from any time range within the last 90 days to view historical topologies. | All | v1.14 and later | All | |
Enhanced data plane Sidecar proxy configuration parameters. | Adds an option to configure environment variables for the Sidecar proxy. This lets you load the bootstrap configuration before the proxy starts. | All | v1.15.3.63 or later | All | |
Enhances gateway security. | The gateway supports one-stop configuration of OpenID Connect (OIDC) single sign-on and JWT authentication. | All | v1.15.3.25 or later | Enterprise Edition, Ultimate Edition |
Feature release history
For Service Mesh release notes before 2023, see Historical release notes (before 2023).