If a Service Mesh (ASM) instance and a Container Service for Kubernetes (ACK) cluster on the data plane reside in different virtual private clouds (VPCs) within the same region, use PrivateLink to establish private connectivity between them. ASM allows you to use CustomResourceDefinitions (CRDs) to simplify the PrivateLink network connectivity setup.
How it works
PrivateLink creates a private connection between two VPCs without exposing traffic to the public internet. In this scenario, ASM sets up two PrivateLink connections, one for each direction of control-plane traffic:
Istio Pilot (data plane to control plane): An endpoint service in the ASM VPC exposes Istio Pilot, and an endpoint in the ACK VPC lets the sidecar proxies in the ACK cluster connect to Pilot and receive their configuration.
API server (control plane to data plane): An endpoint service in the ACK VPC exposes the cluster's API server, and an endpoint in the ASM VPC lets the ASM control plane read and watch the cluster's resources.
When you apply the ASMPvlConfig CRD, ASM sets up the PrivateLink endpoint services and endpoints so that the control plane and data plane can communicate across VPCs.
Prerequisites
Before you begin, make sure that you have:
An ASM instance. For more information, see Create an ASM instance
An ACK cluster in the same region as the ASM instance but in a different VPC. For more information, see Create a cluster
The PrivateLink service activated. For more information, see Overview
Add the ACK cluster to the ASM instance
Add the ACK cluster to the ASM instance. For more information, see Add a cluster to an ASM instance.
After the cluster is added, its status shows as Connected. This indicates cluster registration only -- actual network connectivity between the two VPCs is not yet established. Complete the following steps to configure PrivateLink.
Create the ASMPvlConfig resource
Create a file named asmpvlconfig.yaml with the following content:
```yaml
apiVersion: istio.alibabacloud.com/v1beta1
kind: ASMPvlConfig
metadata:
  name: default
spec:
  ackVpcEndpoint:
  - clusterId: <your-ack-cluster-id>
    vSwitches:
    - vSwitchId: <ack-vswitch-id>
      zoneId: <zone-matching-asm-vswitch>
  asmVpcEndpoint:
    vSwitches:
    - vSwitchId: <asm-vswitch-id>
      zoneId: <zone-matching-ack-vswitch>
```

Replace the following placeholders with actual values:
| Placeholder | Description | Example |
|---|---|---|
| <your-ack-cluster-id> | The ID of the ACK cluster added to the ASM instance | cab9ace222210457a83f09fcd42e9**** |
| <ack-vswitch-id> | The ID of a vSwitch in the ACK cluster's VPC | vsw-bp1jsgsanpvxpj32yai50 |
| <zone-matching-asm-vswitch> | The zone ID of a vSwitch in the ASM instance's VPC (see the note below) | cn-hangzhou-j |
| <asm-vswitch-id> | The ID of a vSwitch in the ASM instance's VPC | vsw-bp1l5hini55sstnwd2skf |
| <zone-matching-ack-vswitch> | The zone ID of a vSwitch in the ACK cluster's VPC (see the note below) | cn-hangzhou-i |
Field reference
| Field | Description |
|---|---|
| metadata.name | Must be default. Other values are not supported. |
| spec.ackVpcEndpoint | An array of ACK cluster VPC endpoint configurations. Each entry includes a clusterId and a list of vSwitches in the ACK cluster's VPC, each with a vSwitchId and a zoneId. |
| spec.asmVpcEndpoint.vSwitches | A list of vSwitch configurations in the ASM instance's VPC, each with a vSwitchId and a zoneId. |
The zoneId values use cross-VPC zone matching. PrivateLink requires that both sides of the connection share a common availability zone. Under ackVpcEndpoint, set zoneId to a zone where the ASM instance's vSwitch resides. Under asmVpcEndpoint, set zoneId to a zone where the ACK cluster's vSwitch resides. This cross-reference ensures that the PrivateLink endpoints are created in zones where both VPCs have available vSwitches.
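The zone-matching rule is easy to get backwards, and the Troubleshooting section below names it as the usual reason a connectionStatus never reaches Connected. The following Python script, an added example that is not ASM tooling and not part of the original page, checks a spec against the real VPC and zone of each vSwitch before you apply it. It assumes you have looked up every vSwitch with `aliyun vpc DescribeVSwitchAttributes --VSwitchId <id>` and copied its VpcId and ZoneId into the table; the table, the VPC IDs in it and the spec are constructed sample data mirroring the IDs used on this page.

```python
"""Pre-flight check of an ASMPvlConfig spec against the real vSwitch attributes.

Added example for this page; not ASM tooling. It assumes each vSwitch was
looked up with `aliyun vpc DescribeVSwitchAttributes --VSwitchId <id>` and its
VpcId and ZoneId copied into VSWITCHES. VSWITCHES and SPEC are constructed
sample data mirroring the IDs on this page; the VPC IDs are placeholders.
"""

# Constructed sample: vSwitch ID -> (VPC ID, zone ID).
VSWITCHES = {
    "vsw-bp1jsgsanpvxpj32yai50": ("vpc-ack-placeholder", "cn-hangzhou-i"),  # ACK VPC
    "vsw-bp1l5hini55sstnwd2skf": ("vpc-asm-placeholder", "cn-hangzhou-j"),  # ASM VPC
}

# The spec from this page as Python data (the .spec of `kubectl get asmpvlconfig default -o json`).
SPEC = {
    "ackVpcEndpoint": [
        {
            "clusterId": "cab9ace222210457a83f09fcd42****",
            "vSwitches": [{"vSwitchId": "vsw-bp1jsgsanpvxpj32yai50", "zoneId": "cn-hangzhou-j"}],
        }
    ],
    "asmVpcEndpoint": {
        "vSwitches": [{"vSwitchId": "vsw-bp1l5hini55sstnwd2skf", "zoneId": "cn-hangzhou-i"}],
    },
}


def region_of(zone_id):
    """Zone IDs are the region ID plus a one-letter suffix: cn-hangzhou-j -> cn-hangzhou."""
    return zone_id.rsplit("-", 1)[0]


def check_asmpvlconfig(spec, vswitches):
    """Return a list of problems; an empty list means the spec follows the zone-matching rule."""
    ack_entries = [(c["clusterId"], v) for c in spec["ackVpcEndpoint"] for v in c["vSwitches"]]
    asm_entries = spec["asmVpcEndpoint"]["vSwitches"]
    listed = [v["vSwitchId"] for _, v in ack_entries] + [v["vSwitchId"] for v in asm_entries]
    unknown = [v for v in listed if v not in vswitches]
    if unknown:
        return [f"{v}: not in the vSwitch table, look it up first" for v in unknown]

    problems = []
    ack_vpcs = {vswitches[v["vSwitchId"]][0] for _, v in ack_entries}
    asm_vpcs = {vswitches[v["vSwitchId"]][0] for v in asm_entries}
    if len(ack_vpcs) != 1 or len(asm_vpcs) != 1:
        problems.append("each side must list vSwitches from exactly one VPC")
    elif ack_vpcs == asm_vpcs:
        problems.append("ACK and ASM vSwitches are in the same VPC; PrivateLink is only needed across VPCs")

    # Zones where each VPC actually has a vSwitch.
    ack_zones = {vswitches[v["vSwitchId"]][1] for _, v in ack_entries}
    asm_zones = {vswitches[v["vSwitchId"]][1] for v in asm_entries}

    # Cross-VPC zone matching: an ackVpcEndpoint entry names a zone of an ASM vSwitch, and vice versa.
    for cluster_id, v in ack_entries:
        if v["zoneId"] not in asm_zones:
            problems.append(
                f"ackVpcEndpoint[{cluster_id}] {v['vSwitchId']}: zoneId {v['zoneId']} "
                f"is not a zone of any listed ASM vSwitch {sorted(asm_zones)}"
            )
    for v in asm_entries:
        if v["zoneId"] not in ack_zones:
            problems.append(
                f"asmVpcEndpoint {v['vSwitchId']}: zoneId {v['zoneId']} "
                f"is not a zone of any listed ACK vSwitch {sorted(ack_zones)}"
            )

    regions = {region_of(z) for z in ack_zones | asm_zones}
    if len(regions) != 1:
        problems.append(f"vSwitches span regions {sorted(regions)}; both VPCs must be in one region")
    return problems


if __name__ == "__main__":
    for line in check_asmpvlconfig(SPEC, VSWITCHES) or ["spec OK"]:
        print(line)
```

Replace VSWITCHES with the values for your own vSwitches and SPEC with the spec you are about to apply; the page's example passes, and a spec with the two zoneId values swapped is reported on both sides.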
Deploy the ASMPvlConfig resource
Use kubectl to connect to the ASM instance through its kubeconfig file, and then apply the configuration:
```shell
kubectl apply -f asmpvlconfig.yaml
```
Verify PrivateLink connectivity
Wait a few minutes for the PrivateLink resources to be provisioned, then check the status:
```shell
kubectl get asmpvlconfig default -o yaml
```
A successful configuration adds a status section to the resource. Expected output:
```yaml
apiVersion: istio.alibabacloud.com/v1beta1
kind: ASMPvlConfig
metadata:
  name: default
spec:
  ackVpcEndpoint:
  - clusterId: cab9ace222210457a83f09fcd42****
    vSwitches:
    - vSwitchId: vsw-bp1jsgsanpvxpj32yai50
      zoneId: cn-hangzhou-j
  asmVpcEndpoint:
    vSwitches:
    - vSwitchId: vsw-bp1l5hini55sstnwd2skf
      zoneId: cn-hangzhou-i
status:
  clusters:
  - clusterId: cab9ace222210457a83f09fcd42****
    pvlEndpoint:
      connectionStatus: Connected
      domainName: ep-bp1i06bad79eb60c60cc.epsrv-bp1gqb8g1b8d7uactd.cn-hangzhou.privatelink.aliyuncs.com
      id: ep-bp1i06bad79eb60c60
      status: Active
    pvlEndpointService:
      id: epsrv-bp1gqb8g1b8d7uactd
      name: com.aliyuncs.privatelink.cn-hangzhou.epsrv-bp1gqb8g1b8d7uactd
      status: Active
  pilot:
    clusters:
    - clusterId: cab9ace222210457a83f09fcd42****
      pvlEndpoint:
        connectionStatus: Connected
        domainName: ep-bp1i52311b91a5a25e.epsrv-bp1cl4qwzkf747ug6tmy.cn-hangzhou.privatelink.aliyuncs.com
        id: ep-bp1i52311b91a5a25e
        status: Active
    pvlEndpointService:
      id: epsrv-bp1cl4qwzkf747ug6t
      name: com.aliyuncs.privatelink.cn-hangzhou.epsrv-bp1cl4qwzkf747ug6tmy
      status: Active
  status: Available
```

If the overall status field shows Available, connectivity is successfully configured.
Status field reference
The status section contains two main blocks:
clusters: Status of the PrivateLink connection from the ASM instance to the ACK cluster's API server. Each cluster entry carries its own pvlEndpointService, because each ACK cluster exposes its own API server.

| Field | Description |
|---|---|
| clusterId | The ID of the ACK cluster. |
| pvlEndpoint.connectionStatus | The PrivateLink connection state. Expected value: Connected. |
| pvlEndpoint.domainName | The private domain name of the PrivateLink endpoint. Required in Add the PrivateLink domain to the ACK API server certificate. |
| pvlEndpoint.id | The PrivateLink endpoint ID. |
| pvlEndpoint.status | The PrivateLink endpoint state. Expected value: Active. |
| pvlEndpointService.id | The endpoint service ID for the Server Load Balancer (SLB) instance that exposes the ACK cluster's API server. |
| pvlEndpointService.name | The endpoint service name. |
| pvlEndpointService.status | The endpoint service state. Expected value: Active. |

pilot: Status of the PrivateLink connection from the ACK cluster to the ASM control plane (Istio Pilot). Here pvlEndpointService sits beside clusters rather than inside each entry, because a single endpoint service exposes Pilot to every data-plane cluster.

| Field | Description |
|---|---|
| clusters[].clusterId | The ID of the ACK cluster. |
| clusters[].pvlEndpoint.connectionStatus | The PrivateLink connection state. Expected value: Connected. |
| clusters[].pvlEndpoint.domainName | The private domain name of the PrivateLink endpoint for Istio Pilot. |
| clusters[].pvlEndpoint.id | The PrivateLink endpoint ID. |
| clusters[].pvlEndpoint.status | The PrivateLink endpoint state. Expected value: Active. |
| pvlEndpointService.id | The endpoint service ID for the SLB instance that exposes Istio Pilot. |
| pvlEndpointService.name | The endpoint service name. |
| pvlEndpointService.status | The endpoint service state. Expected value: Active. |

status: The overall availability status. Available indicates that connectivity is successfully configured. Any other value means that provisioning is still in progress or has failed; see Troubleshooting.
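Reading the status block by eye works once; for a repeatable check, the following Python script (an added example, not ASM tooling and not part of the original page) applies the expectations from the tables above to the JSON form of the resource, lists every field that is off, and prints the API server domain name that the certificate step needs. The embedded sample is constructed from the expected output shown above so the script also runs offline; for a live check, pipe `kubectl get asmpvlconfig default -o json` into it.

```python
"""Readiness check for `kubectl get asmpvlconfig default -o json`.

Added example for this page, not ASM tooling. Run it as
    kubectl get asmpvlconfig default -o json | python3 check_asmpvl_status.py
SAMPLE is constructed from the expected output on this page so the script
also runs offline (it is used when nothing is piped in).
"""
import json
import sys

CLUSTER = "cab9ace222210457a83f09fcd42****"
API_DOMAIN = "ep-bp1i06bad79eb60c60cc.epsrv-bp1gqb8g1b8d7uactd.cn-hangzhou.privatelink.aliyuncs.com"
PILOT_DOMAIN = "ep-bp1i52311b91a5a25e.epsrv-bp1cl4qwzkf747ug6tmy.cn-hangzhou.privatelink.aliyuncs.com"

SAMPLE = {
    "apiVersion": "istio.alibabacloud.com/v1beta1",
    "kind": "ASMPvlConfig",
    "metadata": {"name": "default"},
    "status": {
        "clusters": [{
            "clusterId": CLUSTER,
            "pvlEndpoint": {"connectionStatus": "Connected", "domainName": API_DOMAIN,
                            "id": "ep-bp1i06bad79eb60c60", "status": "Active"},
            "pvlEndpointService": {"id": "epsrv-bp1gqb8g1b8d7uactd",
                                   "name": "com.aliyuncs.privatelink.cn-hangzhou.epsrv-bp1gqb8g1b8d7uactd",
                                   "status": "Active"},
        }],
        "pilot": {
            "clusters": [{
                "clusterId": CLUSTER,
                "pvlEndpoint": {"connectionStatus": "Connected", "domainName": PILOT_DOMAIN,
                                "id": "ep-bp1i52311b91a5a25e", "status": "Active"},
            }],
            "pvlEndpointService": {"id": "epsrv-bp1cl4qwzkf747ug6t",
                                   "name": "com.aliyuncs.privatelink.cn-hangzhou.epsrv-bp1cl4qwzkf747ug6tmy",
                                   "status": "Active"},
        },
        "status": "Available",
    },
}


def _expect(problems, where, obj, field, wanted):
    """Record a problem when obj[field] is not the value the page says to expect."""
    got = obj.get(field)
    if got != wanted:
        problems.append(f"{where}.{field} is {got!r}, expected {wanted!r}")


def check_status(resource):
    """Return (problems, api_server_domains).

    api_server_domains maps clusterId -> pvlEndpoint.domainName from .status.clusters,
    the name that must appear in the ACK API server certificate's SAN.
    """
    status = resource.get("status") or {}
    if not status:
        return ["no .status yet: PrivateLink resources are still being provisioned"], {}
    problems, domains = [], {}
    _expect(problems, "status", status, "status", "Available")

    # ASM instance -> ACK API server: one endpoint and one endpoint service per cluster.
    for c in status.get("clusters", []):
        where = f"status.clusters[{c.get('clusterId', '?')}]"
        ep = c.get("pvlEndpoint", {})
        _expect(problems, where + ".pvlEndpoint", ep, "status", "Active")
        _expect(problems, where + ".pvlEndpoint", ep, "connectionStatus", "Connected")
        _expect(problems, where + ".pvlEndpointService", c.get("pvlEndpointService", {}), "status", "Active")
        if ep.get("domainName"):
            domains[c.get("clusterId", "?")] = ep["domainName"]
        else:
            problems.append(where + ".pvlEndpoint.domainName is missing")

    # ACK cluster -> Istio Pilot: one endpoint per cluster, one shared endpoint service.
    pilot = status.get("pilot", {})
    for c in pilot.get("clusters", []):
        where = f"status.pilot.clusters[{c.get('clusterId', '?')}]"
        ep = c.get("pvlEndpoint", {})
        _expect(problems, where + ".pvlEndpoint", ep, "status", "Active")
        _expect(problems, where + ".pvlEndpoint", ep, "connectionStatus", "Connected")
    _expect(problems, "status.pilot.pvlEndpointService", pilot.get("pvlEndpointService", {}), "status", "Active")
    if not status.get("clusters") or not pilot.get("clusters"):
        problems.append("status lists no clusters on one side; the ACK cluster may not be added to the ASM instance")
    return problems, domains


if __name__ == "__main__":
    resource = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    problems, domains = check_status(resource)
    for p in problems:
        print("FAIL:", p)
    for cluster_id, domain in domains.items():
        print(f"API server SAN needed for {cluster_id}: {domain}")
    sys.exit(1 if problems else 0)
```

A non-zero exit means at least one field is not in its expected state; the messages name the exact path so you can match them against the Troubleshooting table.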
Verify endpoint resources in the VPC console
Log on to the VPC console.
In the left-side navigation pane, click Endpoints Service.
In the top navigation bar, select the region where the endpoint service resides.
On the Endpoints Service page, click the instance ID of the endpoint service to view its details.
In the left-side navigation pane, click Endpoints. On the Endpoints page, click the instance ID of the endpoint to view its details.
Add the PrivateLink domain to the ACK API server certificate
The ASM control plane connects to the ACK cluster's API server through the PrivateLink endpoint domain name (pvlEndpoint.domainName in the clusters section of the Verify PrivateLink connectivity output). For TLS validation to succeed, this domain name must be included in the API server certificate's Subject Alternative Name (SAN) field.
Add the pvlEndpoint.domainName value from your own status output to the custom SAN field of the ACK cluster's API server certificate; the domain name in the example above, ep-bp1i06bad79eb60c60cc.epsrv-bp1gqb8g1b8d7uactdab.cn-hangzhou.privatelink.aliyuncs.com, is only an illustration. Custom SANs can be set when the cluster is created and updated later from the cluster's basic information. For more information, see Customize the SAN of the API server certificate when you create an ACK cluster. Do not work around a SAN mismatch by turning off certificate verification on the control-plane side: without hostname verification, the control plane cannot distinguish the real API server from anything else that answers on the endpoint address.
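To confirm that the SAN change actually took effect, the following Python script (an added example, not part of ASM or ACK) performs the same TLS handshake the control plane will: it verifies the certificate chain against the cluster CA and then checks whether the certificate's DNS SANs cover the PrivateLink domain. It assumes the API server answers on port 6443 behind the endpoint and that the cluster CA from the ACK kubeconfig (certificate-authority-data, base64-decoded) has been saved to a file; the domain name is the one from this page's example, and the certificate dicts used in the offline check are constructed.

```python
"""Verify that the ACK API server certificate, as served through the PrivateLink
endpoint, carries the endpoint domain name as a DNS SAN.

Added example for this page, not ASM or ACK tooling. Assumptions: the API server
is reachable on port 6443 through the endpoint, and the CA file holds the cluster
CA from the ACK kubeconfig (certificate-authority-data, base64-decoded), so the
chain is verified the same way the ASM control plane verifies it.
"""
import socket
import ssl
import sys

# Domain from this page's example output; use the one from your own status.
PVL_DOMAIN = "ep-bp1i06bad79eb60c60cc.epsrv-bp1gqb8g1b8d7uactd.cn-hangzhou.privatelink.aliyuncs.com"


def hostname_matches(hostname, pattern):
    """Exact match, or a single '*' covering exactly the leftmost label (RFC 6125 style)."""
    host = hostname.lower().rstrip(".")
    pat = pattern.lower().rstrip(".")
    if host == pat:
        return True
    if not pat.startswith("*.") or "*" in pat[1:]:
        return False
    parts = host.split(".", 1)
    return len(parts) == 2 and parts[0] != "" and parts[1] == pat[2:]


def dns_sans(cert):
    """DNS names from the dict that ssl.SSLSocket.getpeercert() returns."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def san_covers(domain, cert):
    """True when one of the certificate's DNS SANs covers the PrivateLink domain."""
    return any(hostname_matches(domain, name) for name in dns_sans(cert))


def fetch_api_server_cert(domain, ca_file, port=6443):
    """Handshake with chain verification against the cluster CA only.

    Hostname checking is left to san_covers() so that a missing SAN is reported
    as such rather than as a generic handshake failure.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((domain, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=domain) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    ca_file = sys.argv[1] if len(sys.argv) > 1 else "ack-ca.crt"  # assumed path
    cert = fetch_api_server_cert(PVL_DOMAIN, ca_file)
    print("DNS SANs:", dns_sans(cert))
    if san_covers(PVL_DOMAIN, cert):
        print("OK: certificate covers", PVL_DOMAIN)
    else:
        print("MISSING: add", PVL_DOMAIN, "to the API server certificate's custom SAN")
        sys.exit(1)
```

Run it from a host inside the ASM VPC, where the endpoint is reachable, for example `python3 check_san.py ack-ca.crt`. A chain failure raises ssl.SSLError (wrong CA or a different server answering); a clean handshake followed by MISSING is exactly the condition that leaves the cluster out of the Running state in the Troubleshooting table.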
Confirm the ACK cluster status
Check the status of the ACK cluster. If the cluster is in the Running state, cross-VPC connectivity through PrivateLink is successfully established.
Troubleshooting
| Symptom | Possible cause | Solution |
|---|---|---|
| status is not Available | The PrivateLink resources are still being provisioned. | Wait a few more minutes and run kubectl get asmpvlconfig default -o yaml again. |
| connectionStatus is not Connected | The vSwitch zone IDs may be misconfigured. | Verify that the zoneId values follow the cross-VPC zone matching requirement: ackVpcEndpoint.zoneId must match a zone in the ASM VPC, and asmVpcEndpoint.zoneId must match a zone in the ACK VPC. |
| pvlEndpoint.status or pvlEndpointService.status is not Active | The PrivateLink service may not be activated, or quota limits may be reached. | Verify that the PrivateLink service is activated in the region. Check your PrivateLink quota in the VPC console. |
| ACK cluster is not in the Running state after completing all steps | The SAN field of the API server certificate may not include the PrivateLink endpoint domain name. | Complete Add the PrivateLink domain to the ACK API server certificate and verify that the correct pvlEndpoint.domainName from the clusters section is added to the certificate SAN. |