By default, the control plane of a Service Mesh (ASM) instance is accessible only within its virtual private cloud (VPC). If a data plane cluster runs in a different VPC without private connectivity to the ASM instance, associate an elastic IP address (EIP) with the control plane so the data plane can reach it over the internet.
Associating an EIP exposes the control plane (the Istio Pilot endpoint) to the public internet. Evaluate private connectivity options before you proceed. If you must use an EIP, restrict access with security group rules that allow inbound traffic only from the source IP addresses of the remote data plane clusters.
When to associate an EIP
| Scenario | Action |
|---|---|
| Data plane cluster is in the same VPC as the ASM instance | None. The cluster connects over the private network. |
| Data plane cluster is in a different VPC with private connectivity | None. Private connectivity is already in place. |
| Data plane cluster is in a different VPC without private connectivity | Associate an EIP with the control plane. |
| The control plane no longer needs internet exposure | Disassociate the EIP. |
Prerequisites
Before you begin, make sure that you have:
An ASM instance
An idle EIP in the same region as the ASM instance, or the ability to create one
Permissions to manage ASM instances and EIP resources
Associate or disassociate an EIP in the ASM console
Associate or replace an EIP
In the ASM instance list, click the name of the target instance.
In the left-side navigation pane, choose ASM Instance > Base Information.
In the Basic Information section, find Istio Pilot Endpoint and click Bind EIP. If an EIP is already associated, click Replace EIP instead.
In the Bind EIP dialog box, select an idle EIP from the Select an existing EIP drop-down list and click OK.
Disassociate an EIP
In the ASM instance list, click the name of the target instance.
In the left-side navigation pane, choose ASM Instance > Base Information.
In the Basic Information section, find Istio Pilot Endpoint and click Unbind EIP.
In the Unbind EIP dialog box, click OK.
Associate or disassociate an EIP by calling API operations
Use the ModifyPilotEipResource operation through OpenAPI Explorer.
Associate or replace an EIP
If you do not have an idle EIP, create one. For more information, see Apply for an EIP.
Call ModifyPilotEipResource with the following parameters:
| Parameter | Value |
|---|---|
| ServiceMeshId | The ID of the ASM instance |
| Operation | BindEip |
| EipId | The ID of the EIP |
Note: If an EIP is already associated with the control plane, the existing EIP is automatically disassociated and replaced with the EIP you specify in EipId.
Disassociate an EIP
Call ModifyPilotEipResource with the following parameters:
| Parameter | Value |
|---|---|
| ServiceMeshId | The ID of the ASM instance |
| Operation | UnBindEip |
| EipId | Do not specify this parameter |
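The following script is an added example, not code from the ASM product or its SDKs, of building and signing both ModifyPilotEipResource calls (BindEip and UnBindEip) offline so the request can be inspected before it is sent. It assumes, because the page does not say so, that the ASM OpenAPI is RPC-style, served at servicemesh.aliyuncs.com with API version 2020-01-11, and signed with the common Alibaba Cloud HMAC-SHA1 scheme (SignatureVersion 1.0). The instance ID, EIP ID and credentials are constructed placeholders. It enforces the rule from the two tables above: EipId is required for BindEip and must be omitted for UnBindEip.

```python
"""Build and sign ModifyPilotEipResource calls offline (added example).

Assumed, not stated on the page: the ASM OpenAPI is RPC-style, served at
servicemesh.aliyuncs.com with API version 2020-01-11, and accepts the
common Alibaba Cloud HMAC-SHA1 signature (SignatureVersion 1.0). Nothing
is sent; the script produces a signed query you can inspect or hand to
any HTTPS client.
"""
import base64
import hmac
import urllib.parse
import uuid
from datetime import datetime, timezone

ENDPOINT = "https://servicemesh.aliyuncs.com/"  # assumption
API_VERSION = "2020-01-11"                       # assumption

# Constructed placeholder IDs and credentials; replace with your own.
MESH_ID = "cb000000000000000000000000000000"
EIP_ID = "eip-bp0000000000000000000"
ACCESS_KEY_ID = "LTAI-example"
ACCESS_KEY_SECRET = "example-secret"


def build_params(service_mesh_id, operation, eip_id=None):
    """Operation-specific parameters from the page's two tables.

    BindEip needs an EipId; UnBindEip must be sent without one. Both
    mistakes are rejected here, before any request is signed.
    """
    if operation not in ("BindEip", "UnBindEip"):
        raise ValueError("Operation must be BindEip or UnBindEip")
    if operation == "BindEip" and not eip_id:
        raise ValueError("BindEip requires EipId")
    if operation == "UnBindEip" and eip_id is not None:
        raise ValueError("do not specify EipId for UnBindEip")
    params = {"Action": "ModifyPilotEipResource",
              "ServiceMeshId": service_mesh_id,
              "Operation": operation}
    if eip_id:
        params["EipId"] = eip_id
    return params


def percent_encode(value):
    """RFC 3986 encoding as the signature scheme expects: space -> %20,
    '*' -> %2A, '~' left as-is, every other reserved character escaped."""
    return urllib.parse.quote(str(value), safe="")


def string_to_sign(query, http_method="GET"):
    """METHOD & encode('/') & encode(key-sorted canonical query string)."""
    canonical = "&".join(f"{percent_encode(k)}={percent_encode(query[k])}"
                         for k in sorted(query))
    return f"{http_method}&{percent_encode('/')}&{percent_encode(canonical)}"


def sign_request(params, access_key_id, access_key_secret,
                 timestamp=None, nonce=None, http_method="GET"):
    """Add the common parameters and the Signature field.

    timestamp and nonce can be injected so a test reproduces the exact
    signature; in real use leave them None.
    """
    query = dict(params)
    query.update({
        "Format": "JSON",
        "Version": API_VERSION,
        "AccessKeyId": access_key_id,
        "SignatureMethod": "HMAC-SHA1",
        "SignatureVersion": "1.0",
        "SignatureNonce": nonce or str(uuid.uuid4()),
        "Timestamp": timestamp or datetime.now(timezone.utc).strftime(
            "%Y-%m-%dT%H:%M:%SZ"),
    })
    key = (access_key_secret + "&").encode()  # the secret plus a trailing '&'
    mac = hmac.new(key, string_to_sign(query, http_method).encode(), "sha1")
    query["Signature"] = base64.b64encode(mac.digest()).decode()
    return query


def request_url(query):
    """Full GET URL; urlencode with quote so spaces become %20, not '+'."""
    return ENDPOINT + "?" + urllib.parse.urlencode(
        query, quote_via=urllib.parse.quote)


if __name__ == "__main__":
    bind = sign_request(build_params(MESH_ID, "BindEip", EIP_ID),
                        ACCESS_KEY_ID, ACCESS_KEY_SECRET)
    unbind = sign_request(build_params(MESH_ID, "UnBindEip"),
                          ACCESS_KEY_ID, ACCESS_KEY_SECRET)
    print("bind:  ", request_url(bind))
    print("unbind:", request_url(unbind))
```

Keep the AccessKey secret out of the URL and out of logs; only the Signature derived from it travels with the request. If you use the official SDK or the aliyun CLI instead, the parameter validation in build_params is still the part worth keeping, because the API will not stop you from sending an EipId with UnBindEip.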
Verify the result
After you associate or disassociate an EIP:
In the ASM console, navigate to ASM Instance > Base Information.
In the Basic Information section, check the Istio Pilot Endpoint value:
After association: The endpoint displays the EIP address.
After disassociation: The endpoint no longer displays a public IP address.
Security recommendations
Prefer private connectivity. Use private network connectivity options instead of a public EIP whenever possible. Private connections keep control-plane traffic off the public internet and typically offer lower latency.
Restrict access. Configure security group rules to allow inbound traffic only from trusted source IP addresses.
Monitor the endpoint. Periodically verify that only expected clusters connect to the control plane through the EIP.
Disassociate the EIP when no longer needed. Remove the EIP from the control plane as soon as you establish private connectivity or decommission the remote cluster.