
Alibaba Cloud Service Mesh: Use HTTP/3 to access an ASM ingress gateway

Last Updated: Mar 11, 2026

HTTP/3 replaces TCP with the QUIC protocol at the transport layer, eliminating head-of-line blocking, reducing connection latency to zero round trips (0-RTT), and maintaining connections across network changes such as Wi-Fi-to-mobile handoffs. Service Mesh (ASM) gateways support HTTP/3, so you can expose services over QUIC to improve service performance and stability on mobile and latency-sensitive workloads.

| Capability | HTTP/2 (TCP) | HTTP/3 (QUIC/UDP) |
| --- | --- | --- |
| Handshake latency | TCP handshake + separate TLS handshake | 0-RTT connection establishment with TLS 1.3 built into QUIC |
| Multiplexing | Multiple streams share one TCP connection; a single lost packet blocks all streams | Independent QUIC streams; packet loss on one stream does not block others |
| Connection migration | Connection breaks when the client IP changes (for example, Wi-Fi to mobile) | Connection survives IP changes through connection IDs instead of IP/port tuples |
| Security | TLS optional in some implementations | TLS 1.3 mandatory for all connections |

This guide walks through enabling HTTP/3 on an ASM ingress gateway, adding a UDP listener for QUIC traffic, configuring TLS, and verifying connectivity with curl.

Before you begin

Step 1: Enable HTTP/3 in the ASM console

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Instance > Base Information.

  3. In the upper-right corner of the Base Information page, click Settings.

  4. In the Settings Update panel, select Enable HTTP/3.

Step 2: Add a UDP listener to the ingress gateway

QUIC runs over UDP. To accept HTTP/3 traffic, add a UDP listener to the ingress gateway alongside its existing TCP listeners.

Edit the IstioGateway resource to add a UDP port. The following example adds a UDP listener on port 444:

apiVersion: istio.alibabacloud.com/v1beta1
kind: IstioGateway
metadata:
  labels:
    asm-gateway-type: ingress
  name: ingressgateway
  namespace: istio-system
spec:
  # ... (other fields omitted)
  ports:
    - name: http-0
      port: 80
      protocol: HTTP
      targetPort: 80
    # Add a UDP listener for QUIC traffic.
    # You can use the same port as your HTTPS listener (e.g. 443)
    # because ASM supports TCP and UDP listeners on the same port.
    - name: udp
      port: 444
      protocol: UDP
      targetPort: 444
  # ... (other fields omitted)
Note

ASM supports TCP and UDP listeners on the same port. For example, if port 443 already serves HTTPS over TCP, you can add a UDP listener on port 443 for QUIC traffic without conflict.

Step 3: Configure the Istio gateway with TLS

QUIC requires TLS 1.3. Configure a TLS certificate on the Istio gateway for the QUIC port by applying the following Gateway resource:

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: httpbin
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
    # HTTP listener on port 80
    - hosts:
        - '*'
      port:
        name: test
        number: 80
        protocol: HTTP
    # QUIC/HTTP3 listener on port 444 with TLS.
    # Set protocol to HTTPS so the gateway terminates TLS,
    # which QUIC requires.
    - hosts:
        - '*'
      port:
        name: quic
        number: 444
        protocol: HTTPS
      tls:
        # References the certificate created in prerequisites.
        credentialName: aliyun.com.cert
        mode: SIMPLE

After you apply this configuration, the gateway automatically adds an Alt-Svc response header (for example, alt-svc: h3=":444"; ma=86400) to HTTP responses. Browsers and HTTP clients use the Alt-Svc header to discover HTTP/3 availability and upgrade subsequent requests to QUIC. This is how internet-facing services advertise HTTP/3 support. For internal services where clients are explicitly configured for HTTP/3, the header is informational only.

Step 4: Verify HTTP/3 connectivity

Check curl for HTTP/3 support

Most default curl installations do not include HTTP/3 support. Check whether your curl binary supports it:

curl --version | grep -i http3

If the output includes http3, your curl supports HTTP/3:

curl 8.9.0-DEV (aarch64-apple-darwin23.5.0) libcurl/8.9.0-DEV quictls/3.1.4 zlib/1.2.12 libidn2/2.3.7 nghttp2/1.59.0 ngtcp2/1.2.0 nghttp3/1.1.0

If no output appears, your curl does not support HTTP/3. Rebuild curl from a version that supports HTTP/3. For more information, see Build with quictls.

Send a test request

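Replace <IP-address-of-ASM-gateway> with the external IP of your ASM ingress gateway. The --resolve option maps aliyun.com:444 to that IP without a DNS change, and -k skips certificate verification for this test: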

curl -k --http3-only \
  -H Host:aliyun.com \
  --resolve aliyun.com:444:<IP-address-of-ASM-gateway> \
  https://aliyun.com:444/headers -v

A successful response shows "using HTTP/3" and an "HTTP/3 200" status line:

......
* Connected to aliyun.com (xxx.xx.xx.x) port 444
* using HTTP/3
* [HTTP/3] [0] OPENED stream for https://aliyun.com:444/headers
* [HTTP/3] [0] [:method: GET]
* [HTTP/3] [0] [:scheme: https]
* [HTTP/3] [0] [:authority: aliyun.com]
* [HTTP/3] [0] [:path: /headers]
* [HTTP/3] [0] [user-agent: curl/8.9.0-DEV]
* [HTTP/3] [0] [accept: */*]
> GET /headers HTTP/3
> Host:aliyun.com
> User-Agent: curl/8.9.0-DEV
> Accept: */*
>
* Request completely sent off
* old SSL session ID is stale, removing
< HTTP/3 200
< server: istio-envoy
< date: Wed, 26 Jun 2024 07:40:07 GMT
< content-type: application/json
< content-length: 460
< access-control-allow-origin: *
< access-control-allow-credentials: true
< x-envoy-upstream-service-time: 1
< alt-svc: h3=":444"; ma=86400
<
{
  "headers": {
    "Accept": "*/*",
    "Host": "aliyun.com",
    "Transfer-Encoding": "chunked",
    "User-Agent": "curl/8.9.0-DEV",
    "X-Envoy-Attempt-Count": "1",
    "X-Envoy-External-Address": "xx.xx.xx.xx",
    "X-Forwarded-Client-Cert": "xxxxxxx"
  }
}
* Connection #0 to host aliyun.com left intact

The alt-svc: h3=":444"; ma=86400 header confirms that the gateway advertises HTTP/3 availability. Browsers and compatible clients use this header to discover and automatically upgrade to HTTP/3 on subsequent requests.
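
The Alt-Svc advertisement only helps clients if the port it names is the UDP listener that accepts QUIC. The following check is an added example, not part of the ASM documentation; the function names h3_alt_svc_port and check_h3_advert and the sample headers are constructed for illustration.

```shell
#!/bin/sh
# Added example: find the port a response advertises for HTTP/3 in Alt-Svc.

# h3_alt_svc_port: reads raw response headers on stdin and prints the port of
# the first exact "h3" alternative; prints nothing if h3 is not advertised.
h3_alt_svc_port() {
  tr -d '\r' |
  awk '
    tolower($0) ~ /^alt-svc:/ {
      sub(/^[^:]*:[ \t]*/, "")        # drop the header name
      n = split($0, alts, ",")        # alternatives are comma-separated
      for (i = 1; i <= n; i++) {
        split(alts[i], parts, ";")    # parts[1] is protocol="host:port"
        entry = parts[1]
        gsub(/[ \t]/, "", entry)
        # Match only the final "h3" token, not drafts such as h3-29.
        if (entry ~ /^h3="[^"]*:[0-9]+"$/) {
          port = entry
          sub(/^.*:/, "", port)       # keep what follows the last colon
          sub(/"$/, "", port)         # strip the closing quote
          print port
          exit
        }
      }
    }'
}

# check_h3_advert EXPECTED_PORT: succeeds only when the headers on stdin
# advertise h3 on the port of the gateway UDP listener (444 in this guide).
check_h3_advert() {
  advertised=$(h3_alt_svc_port)
  [ -n "$advertised" ] && [ "$advertised" = "$1" ]
}

# Constructed sample headers, modelled on the response shown above; the
# h3-29 entry is added here to exercise the exact-match rule.
SAMPLE_HEADERS='HTTP/1.1 200 OK
server: istio-envoy
alt-svc: h3-29=":444"; ma=86400, h3=":444"; ma=86400
content-length: 460'

printf '%s\n' "$SAMPLE_HEADERS" | check_h3_advert 444 && echo "h3 advertised on 444"
```

To check a live gateway, pipe the response headers from curl -sI into check_h3_advert 444.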
