Alibaba Cloud Service Mesh (ASM) gateways are standalone Envoy proxies that run at the edge of your mesh, separate from the sidecar proxies alongside your workloads. They serve as dedicated entry and exit points where you apply routing rules, security policies, and observability configuration -- all managed through a single control plane.
Unlike a standard Kubernetes Ingress controller, ASM gateways expose the full traffic management capabilities of the service mesh: Layer 4--7 load balancing, mTLS, fine-grained authorization, and protocol-aware routing. You define gateway behavior through Istio gateway resources or the Kubernetes Gateway API, then bind virtual services for Layer 7 routing.
ASM provides three gateway types:
| Gateway type | What it does | When to use it |
|---|---|---|
| Ingress gateway | Routes inbound traffic to services inside the mesh. Operates at Layer 7, distributing HTTP requests to different Kubernetes services based on paths, host headers, or other request attributes. | Expose services to the internet or an internal network through a single entry point with Layer 7 load balancing, TLS termination, and access control. |
| Egress gateway | Routes outbound traffic from mesh services to external endpoints through a centralized exit point. | Enforce security policies on outbound traffic and centrally manage routing of external service traffic. |
| Istio gateway | A configuration resource that defines how a load balancer at the mesh edge handles inbound or outbound HTTP and TCP connections. Bind a virtual service to it for Layer 7 routing. | Define port, protocol, and TLS settings for a load balancer, then attach routing rules through virtual services. |
Ingress gateway
An ingress gateway provides a unified entry point for inbound traffic at Layer 7. It routes HTTP requests from the same TCP port to different Kubernetes services based on URL paths, host headers, and other request attributes.
Deploy and manage ingress gateways
| Feature | Description | Reference |
|---|---|---|
| Create an ingress gateway | Deploy an ingress gateway in a Kubernetes cluster as a single entry point for internet or internal network access. Manage the gateway through the ASM console. | Create an ingress gateway |
| Serverless gateways | Deploy gateways in a serverless mode managed entirely by ASM. Serverless gateways handle traffic spikes with automatic scaling, without depending on Container Service for Kubernetes (ACK) clusters. Compared with standard ASM gateways running in ACK clusters, serverless gateways offer higher stability, better elasticity, and lower cost. | Use ASM serverless gateways |
| Network Load Balancer (NLB) support | Associate an NLB instance with an ingress gateway for Layer 4 load balancing with automatic scaling. By default, setting ServiceType to LoadBalancer associates a Classic Load Balancer (CLB) instance. | Associate an NLB instance with an ingress gateway |
Supported protocols
| Feature | Description | Reference |
|---|---|---|
| Traffic routing (GUI) | Create destination rules and virtual services through a graphical interface without writing YAML. | Configure traffic routing for an ASM gateway |
| TCP traffic migration | Migrate TCP traffic smoothly to maintain business continuity when optimizing network topology, scaling out application servers, or throttling traffic. | Use ASM to transfer TCP traffic |
| gRPC | Access gRPC services in your mesh through an ingress gateway with access control and service governance. | Use an ingress gateway to access a gRPC service |
| gRPC-JSON transcoding | Use ASMGrpcJsonTranscoder to transcode HTTP requests with JSON bodies into gRPC requests, allowing HTTP/JSON clients to access gRPC services. | Use ASMGrpcJsonTranscoder for HTTP/JSON-to-gRPC transcoding |
| WebSocket | Access WebSocket services through an ingress gateway. WebSocket provides full-duplex communication over a single TCP connection at the application layer. | Use an ingress gateway to access a WebSocket service |
Traffic management
| Feature | Description | Reference |
|---|---|---|
| Local throttling | Throttle traffic at the gateway or service level to protect your system from overload during traffic spikes. | Configure local throttling on an ingress gateway |
| Global throttling | Apply rate limits to specific routes on an ingress gateway to handle traffic bursts, prevent service overload, and defend against attacks. | Configure global throttling on an ingress gateway |
| Circuit breaking | Configure route-level circuit breaking through virtual services and destination rules for non-intrusive traffic governance. | Use route-level circuit breaking |
| Gateway API | Define routing rules using the Kubernetes Gateway API, an open source project by the SIG-NETWORK community for expressive, extensible, and role-oriented service networking. | Use Gateway API to define a routing rule |
| Ingress controller mode | Use an ASM gateway as a Kubernetes Ingress controller to expose services in a cluster. | Use an ASM gateway as an Ingress controller |
| Traffic mirroring | Mirror production traffic to a test cluster or service version to validate changes without affecting the production environment. | Use traffic mirroring across clusters |
| Session affinity | Route all requests from the same user or session to the same backend server. Useful for maintaining state in shopping carts, login sessions, and personalized settings. | Implement session affinity in an ASM ingress gateway |
TLS and certificate management
All data between an ingress gateway and a sidecar proxy travels through an mTLS tunnel. If sidecar proxies are injected into your application pods, terminate TLS on the ingress gateway: the hop from the gateway to the sidecar is already protected by mTLS, so encryption stays end-to-end without the backend having to handle client-facing certificates.
| Feature | Description | Reference |
|---|---|---|
| HTTPS with dynamic certificate loading | Enable HTTPS on an ingress gateway with real-time certificate updates. Configure private keys, server certificates, and root certificates without restarting gateways or mounting secret volumes. Manage multiple certificates and their private keys for different hosts. | Use an ingress gateway to enable HTTPS |
| TLS pass-through | Forward encrypted traffic directly to backend services without terminating TLS at the gateway. Use this when sidecar proxies are not injected or other circumstances require end-to-end encryption at the application level. | Enable TLS pass-through on an ingress gateway |
| HTTPS listener on CLB | Create an HTTPS listener by binding a certificate to the CLB instance of an ingress gateway. The listener decrypts HTTPS requests into HTTP and forwards them to the gateway pod. | Create an HTTPS listener for the CLB instance |
| Certificate management | Synchronize certificates across multiple clusters in an ASM instance. View certificate details and configure expiration alerts. | Use the certificate management feature |
| TLS version enforcement | Disable older TLS versions (1.0 and 1.1) and enforce TLS 1.2 or later to prevent man-in-the-middle attacks and data breaches. | Configure TLS versions on an ingress gateway |
| mTLS for gRPC | Configure Mutual TLS (mTLS) for gRPC services to enforce two-way authentication and end-to-end encryption. | Use an ingress gateway to configure mTLS-based gRPC |
| Certificate-to-domain binding | Bind a certificate to a domain name through the console, then access the domain over HTTPS through the ingress gateway. | Bind a certificate to a domain name |
| WAF integration | Connect an ingress gateway to a Web Application Firewall (WAF) instance and customize access log fields to view WAF-added headers. | Connect an ingress gateway to a WAF instance |
| cert-manager integration | Use cert-manager to issue and manage certificates for ASM gateways, enabling HTTPS access to services. | Use cert-manager to manage certificates for ASM gateways |
Authorization and access control
| Feature | Description | Reference |
|---|---|---|
| IP-based access control | Configure a blacklist or whitelist to allow or deny requests based on source IP addresses, domain names, ports, or remote IP blocks. | Configure a blacklist or whitelist for an ingress gateway |
| Custom authorization | Define access control policies based on domain names, paths, and HTTP methods to restrict access to specific services. | Implement custom authorization |
| OIDC-based single sign-on (SSO) | Configure OpenID Connect (OIDC) SSO using Alibaba Cloud IDaaS or other OIDC-compliant identity providers. Access multiple systems with a single identity, without modifying your applications. | Configure OIDC-based SSO on an ingress gateway |
| JWT authentication | Validate JSON Web Tokens (JWTs) in request headers to authenticate users at the gateway level. Only requests with a valid JWT are forwarded to backend services. | Configure JWT-based authentication on an ingress gateway |
| End-user JWT authentication | Authenticate the source of requests at the ingress gateway by verifying JWTs in request headers. | Configure JWT authentication for an ingress gateway in ASM |
| OPA integration | Integrate an Open Policy Agent (OPA) engine with an ingress gateway to define fine-grained authorization policies based on user identities or request content. | Integrate an OPA engine with an ingress gateway |
| SSO with IDaaS | Implement single sign-on for all applications in an ASM instance through Alibaba Cloud IDaaS, with zero code changes. | Integrate IDaaS with ASM for SSO |
| SSO with Keycloak | Use self-managed Keycloak as the identity provider to implement single sign-on for applications in an ASM instance. | Integrate Keycloak with ASM for SSO |
| CORS | Configure cross-origin resource sharing (CORS) policies in a virtual service to allow cross-domain access between clients and services. | Implement CORS in ASM |
| IP restriction with Layer 7 proxy | Restrict specific IP addresses from accessing applications, with or without a Layer 7 proxy between the client and the ASM gateway. | Restrict specific IP addresses from accessing applications |
Networking and configuration
| Feature | Description | Reference |
|---|---|---|
| Shared Istio gateway | Configure a single Istio gateway resource for multiple ingress gateways to simplify configuration. | Configure an Istio gateway for multiple ingress gateways |
| Multiple CLB instances | Associate multiple CLB instances with a single ingress gateway for additional load balancing capacity. | Access an ingress gateway using multiple CLB instances |
| Client IP extraction | Extract the originating client IP address from HTTP request headers to enable IP-based access control policies. | Obtain the originating IP address of a client |
| IPv6 support | Create an ingress gateway with an IPv6 address for higher security compared with IPv4. | Create an ingress gateway that uses an IPv6 address |
| CLB access from pods | If pods on the data plane cannot reach the CLB IP address of an ingress gateway, access it through the cluster IP or gateway name instead. | Resolve CLB access issues from data plane pods |
| Disable HTTP/2 | Disable HTTP/2 on an HTTPS-enabled ingress gateway when client-side HTTP/2 limitations cannot be resolved through configuration. | Disable HTTP/2 on an ingress gateway |
Egress gateway
An egress gateway provides a centralized exit point for traffic leaving the mesh. Route all outbound traffic through a dedicated gateway to gain visibility and control over external communications.
Manage egress gateways through the ASM console or the Kubernetes API.
| Feature | Description | Reference |
|---|---|---|
| Create an egress gateway | Deploy an egress gateway in a Kubernetes cluster as a centralized exit point for internet or internal network traffic. | Create an egress gateway |
| Route all outbound traffic | Configure an egress gateway to centrally manage all outbound traffic for security control and routing. | Configure an egress gateway to route all outbound traffic |
| Egress traffic policy (CRD) | Define egress traffic policies using CustomResourceDefinition (CRD) fields. Requires ASM version 1.16.4 or later. | Use an egress traffic policy to manage egress traffic |
Istio gateway
An Istio gateway is a configuration resource that defines a load balancer running at the edge of your mesh. It specifies which ports, protocols, and TLS settings the load balancer exposes. Bind a virtual service to an Istio gateway to add Layer 7 routing rules.
| Feature | Description | Reference |
|---|---|---|
| Manage Istio gateways | Create, modify, and delete Istio gateways in the ASM console. | Manage Istio gateways |
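The gateway-to-virtual-service binding described above, as an added example that is not part of the ASM documentation: an Istio gateway that terminates HTTPS on the ingress gateway with a dynamically loaded certificate and a TLS 1.2 floor, and a virtual service bound to it for path-based Layer 7 routing. The gateway pod label, secret name, hostname and backend service names are assumptions.

```yaml
# Added example, not from the ASM documentation. Assumes the ingress gateway
# pods carry the label istio: ingressgateway, the secret example-com-cert holds
# the server certificate, and services "web" and "api" listen on port 8080.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: web-gateway
  namespace: default
spec:
  selector:
    istio: ingressgateway        # assumed label of the ASM ingress gateway pods
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "www.example.com"
    tls:
      mode: SIMPLE               # terminate TLS here; gateway-to-sidecar hop uses mTLS
      credentialName: example-com-cert   # loaded dynamically, no secret volume mount
      minProtocolVersion: TLSV1_2        # reject TLS 1.0 and 1.1 handshakes
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: web
  namespace: default
spec:
  hosts:
  - "www.example.com"
  gateways:
  - web-gateway                  # bind to the gateway above for Layer 7 routing
  http:
  - match:
    - uri:
        prefix: /api
    route:
    - destination:
        host: api.default.svc.cluster.local
        port:
          number: 8080
  - route:
    - destination:
        host: web.default.svc.cluster.local
        port:
          number: 8080
```

Requests for /api reach the api service and everything else reaches web, both over the mesh's mTLS after TLS is terminated at the gateway.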
High availability
ASM supports several strategies to keep gateways highly available and minimize traffic loss during upgrades, scaling, and failures.
| Feature | Description | Reference |
|---|---|---|
| High-performance gateway configuration | Configure an ASM gateway for high performance and high availability. | Configure a high-performance and high-availability ASM gateway |
| Pod scheduling | Schedule gateway pods to specific nodes to isolate them from application pods and improve availability. | Schedule the pods of an ASM gateway to a specified node |
| Serverless gateway deployment | Deploy a serverless ASM gateway on virtual nodes with Elastic Container Instance for elastic workloads that do not require node maintenance. | Deploy a serverless ASM gateway |
| Pod anti-affinity | Spread gateway pods across different nodes or availability zones using pod anti-affinity policies. | Improve availability for the ingress gateway service |
| Graceful shutdown | Prevent traffic loss during scale-in or rolling restarts by allowing in-flight requests to complete within a configured time window. | Enable graceful shutdown |
| Multi-cluster ingress | Deploy services across multiple clusters and configure a unified ingress gateway to manage traffic to all clusters. | Configure a unified ingress gateway for multiple clusters |
| Canary upgrade | Upgrade an ASM gateway incrementally by starting a new version of a gateway pod, verifying traffic forwarding, and then completing the full upgrade. Roll back at any point if issues arise. | Perform a canary upgrade of an ASM gateway |
Observability
Monitor gateway traffic through access logs and metrics, with built-in integration to Alibaba Cloud observability services.
| Feature | Description | Reference |
|---|---|---|
| Access logs | Generate access logs on the gateway (printed to standard output with customizable fields) and collect them into Simple Log Service for storage, analysis, and visualization. | Configure access log generation and collection |
| Metrics | Generate customizable metrics on the gateway and collect them into Managed Service for Prometheus for storage, analysis, and visualization. | Configure metrics generation and collection |
Request processing
| Feature | Description | Reference |
|---|---|---|
| HTTP response headers | Add HTTP response headers for web applications using an Envoy filter to improve application security. | Add HTTP response headers using an Envoy filter |
| Data compression | Enable data compression on an ASM gateway to reduce response size and improve response time. | Enable data compression for the ingress gateway |
Migrate from existing gateways
If you currently use a self-managed Istio ingress gateway or NGINX Ingress Controller, migrate traffic to an ASM ingress gateway for centralized management through the ASM control plane.
| Migration path | Reference |
|---|---|
| Self-managed Istio ingress gateway to ASM | Migrate traffic from a self-managed Istio ingress gateway |
| NGINX Ingress Controller to ASM | Migrate traffic from NGINX Ingress Controller |
| NGINX configurations to ASM | Migrate common NGINX configurations |