
Alibaba Cloud Service Mesh:Improve high availability and elasticity with ASM Serverless gateways

Last Updated:Mar 11, 2026

When your services experience traffic spikes --- such as e-commerce promotions or online education surges --- fixed gateway resources may be insufficient or wasteful during off-peak hours. If your ASM gateways run inside ACK clusters, a cluster failure can also take down the gateway and disrupt ingress traffic.

ASM serverless gateways solve both problems. They run outside your Container Service for Kubernetes (ACK) clusters in infrastructure fully managed by Service Mesh (ASM). ASM handles provisioning, scaling, and lifecycle management automatically. You do not manage gateway pods, and gateway availability does not depend on ACK clusters.

How it works

A serverless gateway is an IstioGateway custom resource with the annotation asm.alibabacloud.com/managed-by-asm: 'true'. Unlike standard ASM gateways that run as pods inside ACK clusters, ASM provisions serverless gateways in its own managed infrastructure. You do not specify an ACK cluster ID when creating the gateway.

Traffic flows from clients through the serverless gateway to backend services in your ACK clusters:

Client --> Serverless gateway (managed by ASM) --> Backend services (ACK clusters)

Prerequisites

Before you begin, make sure that you have:

Create a serverless ingress gateway

Apply a YAML definition in the ASM console to create a serverless ingress gateway. The only difference from a standard ASM gateway is the asm.alibabacloud.com/managed-by-asm: 'true' annotation --- you do not specify an ACK cluster ID.

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of your ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.

  3. On the Ingress Gateway page, click Create from YAML, enter a name for the gateway, paste the following YAML, and click Create.

    apiVersion: istio.alibabacloud.com/v1beta1
    kind: IstioGateway
    metadata:
      annotations:
        asm.alibabacloud.com/managed-by-asm: 'true'
        # Optional: export gateway metrics to a specific ACK cluster
        asm.alibabacloud.com/export-metrics: '<ack-cluster-id>'
      name: ingressgateway
      namespace: istio-system
    spec:
      gatewayType: ingress
      dnsPolicy: ClusterFirst
      externalTrafficPolicy: Local
      hostNetwork: false
      ports:
        - name: http
          port: 80
          protocol: TCP
          targetPort: 80
        - name: https
          port: 443
          protocol: TCP
          targetPort: 443
      replicaCount: 1
      resources:
        limits:
          cpu: '2'
          memory: 2G
        requests:
          cpu: 200m
          memory: 256Mi
      rollingMaxSurge: 100%
      rollingMaxUnavailable: 25%
      runAsRoot: true
      serviceType: LoadBalancer

    Replace the following placeholder with your actual value:

    Placeholder       Description                                                                      Example
    <ack-cluster-id>  ID of the ACK cluster to receive gateway metrics. This annotation is optional.   c1a2b3c4d5e6f7g8h9i0j****

    Note: The serverless gateway supports both LoadBalancer and ClusterIP service types. If you set serviceType to ClusterIP, the client and gateway pods must be able to reach each other --- for example, pods in the same virtual private cloud (VPC) connected through the Terway network plugin.

Verify the gateway

After the gateway is created, it appears on the Ingress Gateway page with a status of Running. Note the external IP address assigned to the gateway --- you need it to access backend services.

Configure traffic routing

To direct traffic through the serverless gateway, create an HTTP domain, import a backend service, and define a routing rule.

Create an HTTP domain

  1. On the Ingress Gateway page, click the gateway name. In the left-side navigation pane, click Domain/Certificate. On the Domain tab, click Create.

  2. Configure the domain with the following settings and click Create.

    Parameter    Value
    Domain Name  *
    Protocol     HTTP
    Port Name    http
    Port         80

Import the backend service

  1. In the left-side navigation pane on the gateway overview page, click Upstream Service. Click Import service.

  2. Select default from the Namespace drop-down list, select productpage in the service list, click the add icon to move it to the selected section, and click Submit.

Create a routing rule

  1. In the left-side navigation pane, click Route management. Click Create.

  2. In the set route detail step, configure the following settings and click Next.

    Parameter                      Value
    route type                     http
    Namespace                      default
    Name                           productpage
    Method (under Matching Rule)   Prefix
    Content (under Matching Rule)  /

  3. In the set route destination step, set select upstream service to productpage and click Next.

  4. In the advanced config step, click Create.

Verify traffic routing

Open a browser and go to http://<gateway-ip>/productpage, replacing <gateway-ip> with the external IP address of your serverless gateway.

To find the gateway IP address, see Obtain the IP address of the ingress gateway.

The productpage of the Bookinfo sample application loads in your browser. If you get a connection timeout, confirm that the gateway status is Running and the routing rule is configured correctly.

Configure HTTPS access

Generate a TLS certificate, upload it to ASM, and create an HTTPS domain on the gateway.

Generate a CA certificate

Run the following commands to generate a self-signed certificate:

# Generate the root CA key and certificate
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
  -subj '/O=myexample Inc./CN=aliyun.com' \
  -keyout aliyun.root.key -out aliyun.root.crt

# Generate a certificate signing request (CSR) and private key
openssl req -out aliyun.com.csr -newkey rsa:2048 -nodes \
  -keyout aliyun.com.key \
  -subj "/CN=aliyun.com/O=myexample organization"

# Sign the certificate with the root CA
openssl x509 -req -days 365 -CA aliyun.root.crt -CAkey aliyun.root.key \
  -set_serial 0 -in aliyun.com.csr -out aliyun.com.crt

Upload the certificate

  1. In the left-side navigation pane of the ASM instance, choose ASM Gateways > Certificate Management.

  2. On the Certificate Management page, click Create. In the Certificate Information panel, configure the following parameters and click OK.

    Parameter               Description
    Name                    Enter a certificate name, for example, myexample-credential
    Public Key Certificate  Paste the content of the aliyun.com.crt file
    Private Key             Paste the content of the aliyun.com.key file

Create an HTTPS domain

  1. In the left-side navigation pane, click Ingress Gateway. Click the gateway name, then click Domain/Certificate. On the Domain tab, click Create.

  2. Configure the domain with the following settings and click Create.

    Parameter    Value
    Domain Name  *
    Protocol     HTTPS
    Port Name    https
    Port         443
    credential   myexample-credential
    TLS mode     Secure connections with standard TLS semantics

Verify HTTPS access

Run the following curl command to verify HTTPS access:

curl -k -I -H "Host:aliyun.com" \
  --resolve "aliyun.com:443:<gateway-ip>" \
  https://aliyun.com/productpage

Replace <gateway-ip> with the external IP address of your serverless gateway. The -k option disables certificate verification in curl, which is necessary here because the certificate is self-signed and not trusted by the client's CA store. A successful response returns HTTP status 200:

HTTP/1.1 200 OK
server: istio-envoy

If the request fails, confirm that the certificate name matches the credential value in the HTTPS domain configuration.

Collect access logs

Collect gateway access logs to Simple Log Service (SLS) for traffic analysis and troubleshooting.

Important

Enabling access log collection restarts the gateway. Perform this operation during off-peak hours.

Add the log collection annotation

  1. Log on to the ASM console. Navigate to Service Mesh > Mesh Management, and click your ASM instance name.

  2. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.

  3. On the Ingress Gateway page, find the serverless gateway and click YAML. Add the following annotation to the gateway YAML and click OK.

    asm.alibabacloud.com/aliyun-logs-project: k8s-log-****

    Replace k8s-log-**** with the SLS project name for your mesh logs (for example, mesh-log-c4e1bbed247634d0482000d94e947****).

    The updated YAML looks like this:


    apiVersion: istio.alibabacloud.com/v1beta1
    kind: IstioGateway
    metadata:
      annotations:
        asm.alibabacloud.com/managed-by-asm: 'true'
        asm.alibabacloud.com/aliyun-logs-project: mesh-log-c4e1bbed247634d0482000d94e947****
      name: ingressgateway
      namespace: istio-system
    spec:
      ....

View access logs

  1. Log on to the Simple Log Service console.

  2. In the Projects section, click the log project name you configured in the previous step.

  3. In the left-side navigation pane, click the Log Storage icon. In the Logstores section, click mesh-ingress-log.

  4. Enter a search query (for example, productpage) in the search box and click Search & Analyze. The access logs for matching requests appear in the results.

Export gateway metrics

Export serverless gateway metrics to Managed Service for Prometheus for monitoring and alerting. This requires ASM version 1.18.0.147 or later.

Enable metrics collection in ASM

Enable metrics generation and collection for your ASM instance. Confirm that the metrics dashboard is accessible under Observability Management Center > Monitoring indicators. For details, see Collect metrics to Managed Service for Prometheus.

Add the metrics export annotation

In the serverless gateway YAML, add the following annotation:

asm.alibabacloud.com/export-metrics: '<ack-cluster-id>'

Replace <ack-cluster-id> with the ID of the ACK cluster where you want to export metrics. This synchronizes the gateway's services and endpoints to the specified ACK cluster, making them available for Prometheus to scrape.

Configure Prometheus scrape targets

  1. Log on to the ARMS console.

  2. In the left-side navigation pane, choose Managed Service for Prometheus > Instances. Select the region of your Prometheus instance.

  3. Click the Prometheus instance name. In the left-side navigation pane, click Settings.

  4. On the Settings page, click Edit Prometheus.yaml. Add the following scrape configuration and click Save.


    scrape_configs:
    - job_name: istio-system/managed-envoy
      honor_timestamps: true
      honor_labels: false
      scrape_interval: 30s
      scheme: http
      metrics_path: /stats/prometheus
      relabel_configs:
      - regex: 'true'
        action: keep
        source_labels:
        - __meta_kubernetes_service_labelpresent_asm_sync_target
        replacement: $1
        separator: ;
      - regex: http-envoy-prom
        action: keep
        source_labels:
        - __meta_kubernetes_endpoint_port_name
        replacement: $1
        separator: ;
      - regex: (.*)
        action: replace
        source_labels:
        - __meta_kubernetes_namespace
        replacement: $1
        separator: ;
        target_label: namespace
      metric_relabel_configs:
      - regex: envoy_.*
        action: drop
        source_labels:
        - __name__
        replacement: $1
        separator: ;
      kubernetes_sd_configs:
      - role: endpoints
        namespaces: {}
        follow_redirects: true
      scrape_timeout: 10s

This configuration scrapes Istio service mesh metrics from the serverless gateway's Envoy proxy (the /stats/prometheus endpoint) every 30 seconds. The two keep rules in relabel_configs restrict the scrape targets to endpoints whose Service carries the asm_sync_target label, that is, the endpoints ASM synchronized into the cluster, and whose port is named http-envoy-prom; the replace rule copies the Kubernetes namespace into a namespace label. The metric_relabel_configs rule drops every metric whose name starts with envoy_, the low-level Envoy-internal series, to reduce noise while the Istio service mesh metrics are kept.
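To see exactly which discovered endpoints the job above keeps and what the metric drop rule does, the following is an added example (not part of the ASM documentation) that replays the relabel rules in Python; the discovered targets are constructed, and the __meta_kubernetes_* label names are the ones the scrape configuration reads.

```python
"""Simulate the relabel rules of the istio-system/managed-envoy scrape job.
Added example, not part of the ASM documentation; the discovered targets are
constructed, the __meta_kubernetes_* names are those the job above reads."""
import re

# relabel_configs in evaluation order; Prometheus anchors each regex as ^(?:...)$.
RELABEL_RULES = [
    {"action": "keep", "regex": "true",
     "source_labels": ["__meta_kubernetes_service_labelpresent_asm_sync_target"]},
    {"action": "keep", "regex": "http-envoy-prom",
     "source_labels": ["__meta_kubernetes_endpoint_port_name"]},
    {"action": "replace", "regex": "(.*)", "replacement": "$1",
     "source_labels": ["__meta_kubernetes_namespace"], "target_label": "namespace"},
]
METRIC_DROP = re.compile("envoy_.*")  # metric_relabel_configs: drop on __name__

def relabel(labels, rules, separator=";"):
    """Apply the rules to one target's labels; None means a keep rule dropped it."""
    labels = dict(labels)
    for rule in rules:
        value = separator.join(labels.get(n, "") for n in rule["source_labels"])
        match = re.fullmatch(rule["regex"], value)
        if rule["action"] == "keep" and match is None:
            return None
        if rule["action"] == "replace" and match is not None:  # expand $1, $2, ...
            labels[rule["target_label"]] = re.sub(
                r"\$(\d+)", lambda g: match.group(int(g.group(1))), rule["replacement"])
    return labels

def select_targets(discovered):
    """Return {address: final labels} for the endpoints the job would scrape."""
    kept = {addr: relabel(meta, RELABEL_RULES) for addr, meta in discovered.items()}
    return {addr: labels for addr, labels in kept.items() if labels is not None}

def keep_metric(name):
    """True if metric_relabel_configs keeps a sample with this __name__."""
    return METRIC_DROP.fullmatch(name) is None

# Constructed discovery results: the synced gateway's metrics port, the same
# gateway's plain HTTP port, and a non-synced application endpoint.
SYNCED = "__meta_kubernetes_service_labelpresent_asm_sync_target"
DISCOVERED = {
    "10.0.1.15:15090": {"__meta_kubernetes_namespace": "istio-system", SYNCED: "true",
                        "__meta_kubernetes_endpoint_port_name": "http-envoy-prom"},
    "10.0.1.15:80": {"__meta_kubernetes_namespace": "istio-system", SYNCED: "true",
                     "__meta_kubernetes_endpoint_port_name": "http"},
    "10.0.2.7:15090": {"__meta_kubernetes_namespace": "default",
                       "__meta_kubernetes_endpoint_port_name": "http-envoy-prom"},
}
```

Only the synced gateway's http-envoy-prom endpoint survives, with namespace set to istio-system; an application endpoint in another namespace is never scraped by this job even if it exposes the same port name.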

Troubleshooting

Cannot access a backend application through the serverless gateway

If requests to the serverless gateway fail or return errors, check the following:

1. Security group rules

The security group of the data-plane ACK cluster must allow inbound traffic from the serverless gateway's network range. To verify:

  1. Find the vSwitch CIDR block of your ASM instance:

    • In the ASM console, navigate to Service Mesh > Mesh Management and click your instance name.

    • Choose ASM Instance > Base Information and click the link next to vSwitch to view the CIDR block.

  2. Check the security group of the ACK cluster:

    • In the ACK console, click Clusters and then click the cluster name.

    • Click Cluster Information, then the Cluster Resources tab, and click the link next to Security Group.

    • Verify that the inbound rules allow traffic from the ASM vSwitch CIDR block to the backend application pod port.

2. HTTP error codes

Error code  Possible cause                          Action
404         Routing rule misconfigured or missing   Verify that the routing rule matches the request path and that the upstream service is imported correctly
503         Backend application unavailable         Check that the backend pods are running and healthy in the ACK cluster
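The access logs collected to SLS (see Collect access logs above) let you apply this table across many requests at once and, through Envoy's response flags, separate "no route" from "no healthy upstream" and from "connection to the backend failed", the last of which is the symptom of a blocking security group rule. The following is an added example, not part of the ASM documentation; it assumes the gateway emits the Istio default text access-log format, and the sample log lines are constructed.

```python
"""Triage gateway access logs by HTTP status and Envoy response flag.
Added example, not part of the ASM documentation. It assumes the gateway emits
the Istio default text access-log format; the sample lines are constructed."""
import re
from collections import Counter

# [START_TIME] "METHOD PATH PROTOCOL" RESPONSE_CODE RESPONSE_FLAGS ... (rest ignored)
LOG_LINE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<flags>\S+) ')
# Envoy response flags tied to the troubleshooting table: NR = no route found,
# UH = no healthy upstream, UF = upstream connection failure.
DIAGNOSIS = {
    ("404", "NR"): "no route matched: verify the routing rule and the imported upstream service",
    ("503", "UH"): "no healthy upstream: check that backend pods are running and healthy",
    ("503", "UF"): "upstream connection failed: check backend pods and the ACK security "
                   "group inbound rule for the ASM vSwitch CIDR block",
}

def parse(line):
    """Return the leading fields of one log line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None

def diagnose(status, flags):
    """Map a status code and comma-separated flag list to an action."""
    for flag in flags.split(","):
        if (status, flag) in DIAGNOSIS:
            return DIAGNOSIS[(status, flag)]
    return "unclassified: inspect response_code_details in the full log line"

def triage(lines):
    """Count failed requests by (path, status, flags); skips 2xx/3xx and unparseable lines."""
    counts = Counter()
    for rec in map(parse, lines):
        if rec and rec["status"][0] in "45":
            counts[(rec["path"], rec["status"], rec["flags"])] += 1
    return counts

SAMPLE_LOGS = [  # constructed; request ids and addresses are placeholders
    '[2026-03-11T08:00:01.010Z] "GET /productpage HTTP/1.1" 200 - via_upstream - "-" 0 4183 9 8 "-" "curl/8.5.0" "req-0001" "aliyun.com" "10.0.2.7:9080" outbound|9080||productpage.default.svc.cluster.local 10.0.1.15:40110 10.0.1.15:443 192.0.2.10:51234 aliyun.com -',
    '[2026-03-11T08:00:02.210Z] "GET /productpages HTTP/1.1" 404 NR route_not_found - "-" 0 0 0 - "-" "curl/8.5.0" "req-0002" "aliyun.com" "-" - - 10.0.1.15:443 192.0.2.10:51236 aliyun.com -',
    '[2026-03-11T08:00:03.005Z] "GET /productpage HTTP/1.1" 503 UF upstream_reset_before_response_started{connection_failure} - "-" 0 91 3001 - "-" "curl/8.5.0" "req-0003" "aliyun.com" "10.0.2.7:9080" outbound|9080||productpage.default.svc.cluster.local 10.0.1.15:40118 10.0.1.15:443 192.0.2.10:51240 aliyun.com -',
    '[2026-03-11T08:00:04.120Z] "GET /productpage HTTP/1.1" 503 UH no_healthy_upstream - "-" 0 19 0 - "-" "curl/8.5.0" "req-0004" "aliyun.com" "-" outbound|9080||productpage.default.svc.cluster.local - 10.0.1.15:443 192.0.2.10:51242 aliyun.com -',
    '[2026-03-11T08:00:05.300Z] "GET /productpages HTTP/1.1" 404 NR route_not_found - "-" 0 0 0 - "-" "curl/8.5.0" "req-0005" "aliyun.com" "-" - - 10.0.1.15:443 192.0.2.10:51250 aliyun.com -',
]

def report(lines):
    """Return human-readable triage lines, most frequent failure first."""
    return [f"{n}x {status} {flags} {path}: {diagnose(status, flags)}"
            for (path, status, flags), n in triage(lines).most_common()]
```

Run report(SAMPLE_LOGS) on lines exported from the mesh-ingress-log Logstore; a 503 with flag UF pointing at a reachable pod address is the case to check against the security group rules in step 1.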

What's next