
Alibaba Cloud Service Mesh:What is ASM?

Last Updated:Jul 15, 2025

Alibaba Cloud Service Mesh (ASM) is a fully managed service mesh platform based on Kubernetes. It is compatible with open source Istio and simplifies service administration. For example, you can use ASM to route and split inter-service traffic, secure inter-service communication with authentication, and observe the behavior of services in a mesh, which reduces your development and O&M workload.

Architecture

The following figure shows the architecture of ASM.

[Figure: ASM architecture; image not reproduced]

ASM integrates and manages all components of the Istio control plane so that you can focus on application development and deployment rather than on operating the mesh. ASM is compatible with open source Istio: you use declarative configuration to define flexible routing rules and manage traffic between services in a mesh.

An ASM instance can manage application services from multiple Kubernetes clusters. It provides comprehensive traffic management and service discovery functions. By centrally managing service traffic across different clusters, ASM instances can route requests to ensure high availability and load balancing.

Key features

The following table describes key features of ASM. For more information, see Features.

  • Full lifecycle management of mesh instances: A fully managed control plane that is compatible with the Istio community specifications and supports one-click deployment, upgrade, and deletion, which lowers the barrier to use and maintenance. (See Instance management.)

  • Support for applications on multiple infrastructures: Applications on ACK, ACK Serverless, and ACS clusters, edge clusters, and externally registered Kubernetes clusters. (See Multi-cluster application management.)

  • Unified ingress and egress gateways: Unified traffic entry and exit points for the mesh, with one-click enabling or disabling of mTLS for end-to-end encryption and traffic control. (See Overview of ASM gateways.)

  • Multiple types of traffic management: Multi-protocol traffic management, end-to-end canary releases, circuit breaking, local rate limiting, slow-start warm-up, and traffic fallback. (See Traffic management.)

  • Multiple observability capabilities: Mesh diagnostics and integration with managed tracing, monitoring, and logging services for end-to-end visibility. (See Observability management.)

  • Non-intrusive zero trust security system: An out-of-the-box zero trust security solution with dynamic configuration, covering identity authentication, security certificates, policy enforcement, and visual analytics. (See Overview of zero trust security.)

  • Extensibility for custom logic: A plug-in marketplace with multiple out-of-the-box extension plug-ins, plus support for custom EnvoyFilter resources. (See Extension center.)

  • Comprehensive ecosystem integration: Support for GitOps tools and for Serverless and AI services such as Knative and KServe. (See Ecosystem integration.)

Editions

ASM is offered in an Enterprise Edition and an Ultimate Edition that differ in features and support capabilities. Both provide multi-protocol support, dynamic extension capabilities, fine-grained service governance, a comprehensive zero trust security system, and continuously improved performance and large-scale cluster support. These editions lower the barrier to running a service mesh in production and suit scenarios with cross-language interoperability, fine-grained service governance, and large-scale production use of a service mesh.

Both editions are commercial:

  • Enterprise Edition: Designed for small to medium-scale production. Supports up to 1,000 pods, includes enterprise-level enhancements, and comes with SLA guarantees.

  • Ultimate Edition: Designed for large-scale production. Supports up to 10,000 pods, includes enterprise-level enhancements, and comes with SLA guarantees.

Use ASM

You can use the following methods to create and manage your mesh instances:

ASM has the following common application scenarios:

Scenario

Description

Traffic management

  • Separates traffic management from infrastructure management and provides many traffic management features that are independent of application code, which simplifies traffic management as a deployment grows.

  • Manages service discovery, traffic routing, and load balancing for Service Mesh. Simplifies the configuration of service-level attributes such as timeouts and retries.

Service security

  • Supports progressive rollout of mutual TLS (mTLS) authentication, securing communication between services and between end users and services.

  • Mutual TLS requires no changes to service code. It also gives each service a strong, role-based identity, which enables cross-cluster and cross-cloud interaction.

  • Ensures that only strictly authenticated and authorized clients can access services that hold sensitive data, by using the Istio authorization mechanism.

  • Supports access control for services in the mesh at the namespace, service, and method levels, including role-based semantics, service-to-service and end-user-to-service authorization, and flexible custom attributes for roles and role bindings.

  • Supports automatic generation, distribution, rotation, and revocation of keys and certificates based on Istio's key management system.
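The mechanisms listed above map onto standard Istio security resources, which ASM accepts because its control plane is Istio-compatible. The following is an added example and is not configuration from the ASM documentation or the product itself: it enforces mesh-wide mTLS, validates end-user JWTs at a sensitive service, and then allows only one caller identity, per method and path. The namespaces (the istio-system root namespace, payments, shop), the app=ledger label, the checkout service account, the paths, the role claim and the issuer URL are all assumptions for illustration.

```yaml
# Added example, not configuration from the ASM documentation or product.
# Standard Istio security CRDs; ASM accepts them because its control plane is
# Istio-compatible. All names below (namespaces, labels, service account,
# issuer, paths, claim) are assumptions for illustration.

# 1. Mesh-wide mTLS. A PeerAuthentication named "default" in the root namespace
#    (istio-system by default) applies to every workload. STRICT rejects
#    plaintext; PERMISSIVE, which a progressive rollout usually starts from,
#    still accepts plaintext callers, and those callers carry no identity.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# 2. End-user authentication: validate JWTs presented to the ledger service so
#    that request.auth.* attributes are populated for the authorization below.
#    RequestAuthentication alone does not reject requests without a token;
#    the AuthorizationPolicy is what makes the token mandatory.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: ledger-jwt
  namespace: payments
spec:
  selector:
    matchLabels:
      app: ledger
  jwtRules:
  - issuer: "https://issuer.example.com"   # assumed issuer
    jwksUri: "https://issuer.example.com/.well-known/jwks.json"
---
# 3. Authorization at service and method level. Once an ALLOW policy selects a
#    workload, any request that matches none of its rules is denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ledger-access
  namespace: payments
spec:
  selector:
    matchLabels:
      app: ledger
  action: ALLOW
  rules:
  # Service-to-service: only the checkout workload identity (its SPIFFE
  # principal, derived from the Kubernetes service account) may read entries.
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/checkout"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/ledger/*"]
  # End-user-to-service: writes additionally require a valid JWT from the
  # assumed issuer whose "role" claim is "ledger-writer".
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/checkout"]
        requestPrincipals: ["https://issuer.example.com/*"]
    to:
    - operation:
        methods: ["POST"]
        paths: ["/ledger/entries"]
    when:
    - key: request.auth.claims[role]
      values: ["ledger-writer"]
```

One check worth making before relying on this: `principals` only match when the connection is actually mTLS. Under PERMISSIVE mode a plaintext caller presents no identity, so the allow rules above never match it and the request is denied, while a workload that no ALLOW policy selects would accept the same plaintext caller without any identity check. Move the mesh (or at least the sensitive namespace) to STRICT before treating identity-based rules as enforced.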

Fault tolerance

  • Distributed systems are complex: stability risks in infrastructure, application logic, operational processes, and elsewhere can cause business system failures.

  • Provides Istio-based resilience and chaos engineering capabilities: circuit breaking through connection pool settings and outlier detection, retries, and fault injection for testing how services behave under failure.
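The traffic management scenario above (service-level timeouts and retries, canary splits) and the fault tolerance scenario (circuit breaking via connection pools and outlier detection, fault injection) are expressed in the same two Istio networking resources. The following is an added example, not configuration from the ASM documentation or the product: the service ledger in namespace payments, its v1/v2 subsets selected by a version label, the test header name and the 90/10 split are assumptions for illustration.

```yaml
# Added example, not configuration from the ASM documentation or product.
# Standard Istio networking CRDs. The service "ledger" in namespace "payments",
# its v1/v2 subsets (selected by the "version" label), the x-chaos-test header
# and the 90/10 split are assumptions for illustration.

# Circuit breaking: cap connections and pending requests per host, and eject
# hosts that keep returning 5xx (outlier detection) so callers stop hitting them.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: ledger
  namespace: payments
spec:
  host: ledger.payments.svc.cluster.local
  trafficPolicy:
    connectionPool:
      tcp:
        maxConnections: 100
      http:
        http1MaxPendingRequests: 50
        http2MaxRequests: 200
        maxRequestsPerConnection: 10
    outlierDetection:
      consecutive5xxErrors: 5      # eject a host after 5 consecutive 5xx
      interval: 10s                # how often hosts are evaluated
      baseEjectionTime: 30s        # grows with repeated ejections
      maxEjectionPercent: 50       # never eject more than half the hosts
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
---
# Canary split, timeout, retries and targeted fault injection.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: ledger
  namespace: payments
spec:
  hosts:
  - ledger.payments.svc.cluster.local
  http:
  # Fault injection only for requests carrying the assumed test header, so a
  # resilience test does not degrade real traffic. Listed first because routes
  # are matched in order.
  - match:
    - headers:
        x-chaos-test:
          exact: "delay"
    fault:
      delay:
        percentage:
          value: 100
        fixedDelay: 2s
    route:
    - destination:
        host: ledger.payments.svc.cluster.local
        subset: v1
  # Default route: 90/10 canary between subsets, with a per-request budget.
  - route:
    - destination:
        host: ledger.payments.svc.cluster.local
        subset: v1
      weight: 90
    - destination:
        host: ledger.payments.svc.cluster.local
        subset: v2
      weight: 10
    timeout: 3s                    # overall budget, including retries
    retries:
      attempts: 2
      perTryTimeout: 1s
      retryOn: "connect-failure,reset,5xx"
```

Two caveats a practitioner should weigh: retrying on `5xx` also retries POST requests and can duplicate non-idempotent writes, so either give write paths their own route without `5xx` in `retryOn` or make the handlers idempotent; and retries multiply load on an already failing backend, so keep `attempts` small and let outlier detection remove the bad hosts rather than relying on retries alone.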

Observability

Provides distributed application developers, through the integrated Managed Service for OpenTelemetry, with a complete toolset for trace reconstruction: request volume statistics, call chain topology, and application dependency analysis. This helps developers quickly analyze and diagnose performance bottlenecks in distributed application architectures and improves development and diagnostic efficiency.

Cloud-native application architecture

In an enterprise, each microservice application produced by a reasonable microservice decomposition is stored and managed in Alibaba Cloud's image repository. You only need to iterate on each microservice application; Alibaba Cloud provides the scheduling, orchestration, deployment, and canary release capabilities.

  • Load balancing and service discovery support Layer 4 and Layer 7 request forwarding and backend binding.

  • Rich scheduling and exception recovery policies support service-level affinity scheduling, cross-availability zone high availability, and disaster recovery.

  • Microservice monitoring and elastic scaling support monitoring at microservice and container levels, and automatic scaling of microservices.

Multi-cluster disaster recovery

Cloud businesses may encounter some extreme failures, such as region-level failures, availability zone-level failures, and the most common service-level failures.

  • Region-level disaster recovery: A multi-primary control plane architecture, combined with Alibaba Cloud DNS and Global Traffic Manager (GTM), ensures cross-region high availability.

  • Availability zone-level disaster recovery: Dynamically monitors service metrics in different availability zones and automatically switches traffic to maintain business continuity.

  • Service-level disaster recovery: Supports various application deployment topologies, ensuring system robustness through degradation and circuit breaking mechanisms.

Billing

ASM is divided into Enterprise Edition and Ultimate Edition based on different features and support capabilities. Both are commercial editions, but have different billing standards. For more information about ASM billing, see Billing rules.

Limits

You need to understand the following limits before using ASM:

Limitation

Description

Creating ASM instances

The following operations are not supported once a mesh instance is created:

  • Changing the VPC and virtual switch that the mesh depends on.

  • Adding a public CLB to expose the API Server, if public network exposure of the API Server was not enabled during creation.

  • Adding a public CLB to expose Istio Pilot, if public network exposure of Istio Pilot was not enabled during creation.

Quotas

  • For the Standard Edition, up to 10 ASM instances can be created. There is no limit for the Enterprise and Professional editions. To increase the quota, submit a ticket.

  • The number of Envoy proxies for each mesh varies based on ASM instance specifications. For details, see Billing rules.

Nodes using Alibaba Cloud Linux 3 operating system

  • You need to upgrade your service mesh to version 1.14 or higher to support nodes using the Alibaba Cloud Linux 3 operating system.

Note

You need to ensure that you can create standard managed ACK clusters before using ASM. For information about limitations when using Alibaba Cloud Container Service for Kubernetes clusters, see Quotas and limits.

Learn more

Link

Description

Istio

Istio is an open source service mesh that connects, secures, controls, and observes services. It addresses service network governance issues such as cloud-native service management, network connectivity, and security management by providing a complete, non-intrusive microservice governance solution. ASM creates and manages the Istio control plane for you, so it is simple, low-cost, and highly available, and you do not need to operate the Istio control plane yourself.