Alibaba Cloud Service Mesh: Create an ASM instance

Last Updated: Mar 11, 2026

Service Mesh (ASM) provides traffic management, security management, fault recovery, observation, and monitoring for your microservices. Create an ASM instance to set up a managed Istio control plane for your clusters.

Prerequisites

Before you begin, make sure that you have:

Resources created automatically

When you create an ASM instance, the system provisions the following resources based on your configuration:

| Resource | Description |
| --- | --- |
| Security group | Opens all Internet Control Message Protocol (ICMP) ports for inbound traffic to the specified virtual private cloud (VPC). Each ASM instance requires a dedicated security group. You cannot reuse an existing security group or modify one after creation. |
| Route entries | Adds entries to the VPC route table. |
| Elastic IP Address (EIP) | Creates an EIP for the ASM instance. |
| RAM role and policies | Creates a RAM role with full permissions on Classic Load Balancer (CLB), CloudMonitor, VPC, and Simple Log Service. This role allows ASM to dynamically create CLB instances and manage VPC route entries. |
| Internal-facing CLB instance | Exposes ports 6443 and 15011 for control plane communication. |
| Log collection | Collects logs from managed components to maintain instance stability. |

Create an instance in the ASM console

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click Create ASM Instance.

  3. Configure basic information and network settings.

    | Parameter | Description |
    | --- | --- |
    | Edition | The instance edition. Different editions provide different feature sets. For a comparison, see What is ASM? |
    | VPC | The VPC for the ASM instance. Select an existing VPC, or click Create VPC to create one. For more information, see Create and manage a VPC. |
    | vSwitch | The vSwitch within the selected VPC. Select an existing vSwitch, or click Create vSwitch to create one. For more information, see Create and manage a vSwitch. |
    | Version | The Istio version for the control plane. V1.21 and V1.22 are available. To create an instance of a different version, submit a ticket. |

    [Figure: Basic information and network configurations]

  4. Configure the API server and optional settings.

    | Parameter | Description |
    | --- | --- |
    | Use EIP to expose API Server | When enabled, an EIP is created so the ASM API server is accessible over the internet. Leave this disabled if your workloads only need internal access. |
    | Ambient Mesh Mode | Enables Ambient Mesh Mode. Mutually exclusive with ACMG Mode. |
    | ACMG Mode | Enables ACMG Mode. Mutually exclusive with Ambient Mesh Mode. |

    [Figure: API server and optional configurations]

  5. Click OK. Instance creation takes approximately 2 to 3 minutes.

Verify the instance

After creation completes, the instance appears in the instance list on the Mesh Management page.

  1. Click Manage in the Actions column of the new instance.

  2. On the Base Information page, confirm the instance status is running.

ASM creates five namespaces for each new instance: istio-system, kube-node-lease, kube-public, kube-system, and default. The ASM console displays only istio-system and default. To list all namespaces, run:

    kubectl get namespaces

Expected output:

    NAME              STATUS   AGE
    default           Active   3m
    istio-system      Active   3m
    kube-node-lease   Active   3m
    kube-public       Active   3m
    kube-system       Active   3m
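
The namespace check above can be scripted for use in provisioning automation. The following is an added example, not part of the original documentation: it reads `kubectl get namespaces` output and flags any of the five namespaces that is missing or not Active. The function name, the sample listings and the `team-a` namespace are constructed for illustration, and live use assumes kubectl is configured with the ASM instance's kubeconfig.

```shell
#!/bin/sh
# Namespaces the page says ASM creates for each new instance.
EXPECTED_NS="default istio-system kube-node-lease kube-public kube-system"

# Reads `kubectl get namespaces` output on stdin, prints one line per finding,
# and returns 0 only when all five expected namespaces are Active.
check_asm_namespaces() {
    listing=$(cat)
    rc=0
    for ns in $EXPECTED_NS; do
        # Exact match on the NAME column, then read the STATUS column.
        status=$(printf '%s\n' "$listing" | awk -v n="$ns" '$1 == n { print $2 }')
        if [ -z "$status" ]; then
            echo "MISSING $ns"; rc=1
        elif [ "$status" != "Active" ]; then
            echo "NOT_ACTIVE $ns ($status)"; rc=1
        fi
    done
    # Namespaces outside the expected five are listed for review only.
    printf '%s\n' "$listing" | awk -v want="$EXPECTED_NS" '
        BEGIN { split(want, a, " "); for (i in a) known[a[i]] = 1 }
        NF >= 2 && $1 != "NAME" && !($1 in known) { print "EXTRA " $1 }'
    return $rc
}

# Constructed sample: kube-node-lease is absent, kube-public is Terminating,
# and one namespace that the page does not list is present.
SAMPLE_BAD='NAME              STATUS        AGE
default           Active        3m
istio-system      Active        3m
kube-public       Terminating   3m
kube-system       Active        3m
team-a            Active        1m'

# Same listing as the expected output shown above.
SAMPLE_GOOD='NAME              STATUS   AGE
default           Active   3m
istio-system      Active   3m
kube-node-lease   Active   3m
kube-public       Active   3m
kube-system       Active   3m'

# Demo on the constructed listing; live use would be:
#   kubectl get namespaces | check_asm_namespaces
printf '%s\n' "$SAMPLE_BAD" | check_asm_namespaces || true
```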

Manage the instance

From the Actions column on the Mesh Management page, you can perform the following operations:

| Operation | Steps |
| --- | --- |
| View instance details | Click Manage to open the Base Information page. |
| Modify settings | Click Manage, then click Settings in the upper-right corner. Update the settings in the Settings Update panel and click OK. |
| Change the edition | Click Specification change. For more information, see Change the edition of an ASM instance. |
| View logs | Click Log. For more information, see Log Analysis. |
| Delete the instance | Click the More icon and select Delete. In the Delete ASM Instance dialog box, select the resources to retain and click OK. |
Important

Deleting an ASM instance is irreversible. Be aware of these consequences:

  • All Service Mesh features of the instance become unavailable.

  • Deleting the CLB instance that exposes the API server removes access to the clusters and configurations managed by the mesh.

  • Deleting the CLB instance used by Istio Pilot removes access to the mesh instance and its configurations.