CloudBox is a fully managed cloud service that integrates the hardware and software of Alibaba Cloud, including computing, storage, and networking resources, into your on-premises data center, giving you data security, on-premises data processing, and low-latency access. When you add an ACK cluster with a CloudBox node pool to Service Mesh (ASM), ASM manages traffic across both public cloud and CloudBox node pools with unified routing, security policies, and observability.
The following sections walk through deploying an ASM ingress gateway in a CloudBox zone and verifying end-to-end connectivity with a sample application.
Deployment overview
The setup consists of three steps:
1. Deploy an ingress gateway in the CloudBox zone -- Create an IstioGateway resource with zone annotations so that both the Classic Load Balancer (CLB) instance and the gateway pod are placed in the CloudBox zone.
2. Deploy an application and configure routing -- Schedule the httpbin application on CloudBox nodes and route traffic through the ingress gateway.
3. Verify connectivity -- Send test requests through the gateway to confirm traffic reaches the application.
CloudBox networking constraints
CloudBox restricts how LoadBalancer-type Services work compared to public cloud zones. CLB instances in a CloudBox zone can only use CloudBox Elastic Compute Service (ECS) instances as backends, and CLB instances in a public cloud zone can only use public cloud ECS instances. CloudBox CLB instances do not support Elastic IP Address (EIP) attachment, so you cannot create a public-facing CLB in a CloudBox zone.
| Capability | Public cloud zone | CloudBox zone |
|---|---|---|
| LoadBalancer backend nodes | Public cloud ECS instances only | CloudBox ECS instances only |
| EIP attachment to CLB | Supported | Not supported |
| Public-facing CLB | Supported | Not supported |
Because of these constraints, the gateway CLB and the gateway pod must reside in the same zone. A CLB in the public cloud zone cannot route traffic to pods in the CloudBox zone, and vice versa. In practice this means the CLB annotations and the pod scheduling constraint in the IstioGateway spec must name the same CloudBox zone; if they disagree, the CLB has no usable backends and requests never reach the gateway.
Prerequisites
Before you begin, make sure that you have:
- An ACK cluster with a CloudBox node pool. For more information, see Use CloudBox resources in an ACK cluster.
- An ASM instance with the ACK cluster added. For more information, see Create an ASM instance and Add a cluster to an ASM instance.
Deploy an ingress gateway in the CloudBox zone
To place the gateway in the CloudBox zone, configure two fields in the IstioGateway spec:
- serviceAnnotations -- Pin the CLB instance to the CloudBox zone and virtual switch, and keep its address type intranet (a CloudBox CLB cannot take an EIP).
- nodeSelector -- Schedule the gateway pod onto nodes in the CloudBox zone. You can also use the affinity field for more advanced scheduling rules.
The example also sets externalTrafficPolicy: Local, so the CLB forwards only to nodes that actually run a gateway pod and the gateway sees the client's source IP instead of a node address.
The following YAML creates an intranet-facing ingress gateway in the CloudBox zone:
```yaml
apiVersion: istio.alibabacloud.com/v1beta1
kind: IstioGateway
metadata:
  name: ingressgateway
  namespace: "istio-system"
spec:
  clusterIds:
    - <your-ack-cluster-id>
  externalTrafficPolicy: Local
  gatewayType: ingress
  ports:
    - name: http
      port: 80
      targetPort: 80
    - name: https
      port: 443
      targetPort: 443
  replicaCount: 2
  resources:
    limits:
      cpu: '2'
      memory: 2G
    requests:
      cpu: 200m
      memory: 256Mi
  serviceType: LoadBalancer
  serviceAnnotations:
    service.beta.kubernetes.io/alicloud-loadbalancer-address-type: intranet
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-vswitch-id: <cloudbox-vswitch-id>
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-master-zoneid: <cloudbox-zone-id>
  nodeSelector:
    topology.kubernetes.io/zone: <cloudbox-zone-id>
  rollingMaxSurge: "100%"
  rollingMaxUnavailable: "25%"
```
Replace the following placeholders with your actual values:
| Placeholder | Description | Example |
|---|---|---|
| <your-ack-cluster-id> | ACK cluster ID | c1a2b3c4d5e6f7890 |
| <cloudbox-vswitch-id> | Virtual switch ID in the CloudBox zone | vsw-abc123def456 |
| <cloudbox-zone-id> | Zone ID of the CloudBox resource (used for both the CLB annotation and the nodeSelector) | cn-hangzhou-cloudbox-a |
Apply the YAML using one of these methods:
- kubectl with ASM kubeconfig: Save the YAML to a file and run kubectl apply -f <file>.yaml using the ASM instance kubeconfig.
- ASM console: Create the gateway through YAML in the ASM console. For more information, see Use KubeAPI to manage an ingress gateway.
Verify the gateway
After you apply the YAML, verify that the gateway pod is running and the CLB is provisioned. Run these commands against the ACK cluster, where the gateway pod and Service live:
```bash
# Check gateway pod status
kubectl get pods -n istio-system -l istio=ingressgateway
# Check the gateway Service and its external IP
kubectl get svc -n istio-system ingressgateway
```
The gateway pod should be in Running state, and the Service should have an external IP assigned by the CLB in the CloudBox zone.
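The zone mismatch described above is easy to introduce when the zone ID is edited in one place but not the other. The following POSIX shell script is an added example, not code from the ASM documentation: it lints an IstioGateway manifest before you apply it (same zone in the CLB annotation and the nodeSelector, vSwitch present, address type intranet, no leftover placeholders) and, when kubectl is available, checks after the apply that every gateway pod landed on a node in that zone. The function names, the sample zone IDs and the vSwitch ID are made up for the demo.

```bash
#!/bin/sh
# Added example: pre-apply lint and post-apply placement check for a
# CloudBox ingress gateway. Not part of the ASM documentation.

# Print the value of the first "key: value" line matching KEY in FILE, with
# quotes stripped. Sufficient for the flat key/value lines in the manifest
# above; it is not a general YAML parser.
yaml_value() {
  key=$1
  file=$2
  sed -n "s|^[[:space:]]*${key}:[[:space:]]*||p" "$file" | head -n 1 | tr -d "\"'"
}

# Check the settings that decide where the CLB and the gateway pod end up.
# Returns 0 when the manifest respects the CloudBox constraints, 1 otherwise
# (one line per problem on stderr).
check_cloudbox_gateway() {
  file=$1
  rc=0
  lb_zone=$(yaml_value 'service.beta.kubernetes.io/alibaba-cloud-loadbalancer-master-zoneid' "$file")
  vswitch=$(yaml_value 'service.beta.kubernetes.io/alibaba-cloud-loadbalancer-vswitch-id' "$file")
  addr_type=$(yaml_value 'service.beta.kubernetes.io/alicloud-loadbalancer-address-type' "$file")
  pod_zone=$(yaml_value 'topology.kubernetes.io/zone' "$file")

  [ -n "$lb_zone" ] || { echo "missing master-zoneid annotation: CLB would land in a public cloud zone" >&2; rc=1; }
  [ -n "$vswitch" ] || { echo "missing vswitch-id annotation" >&2; rc=1; }
  [ -n "$pod_zone" ] || { echo "missing nodeSelector topology.kubernetes.io/zone: pod may schedule outside CloudBox" >&2; rc=1; }
  [ "$lb_zone" = "$pod_zone" ] || { echo "zone mismatch: CLB zone '$lb_zone', pod zone '$pod_zone'" >&2; rc=1; }
  [ "$addr_type" = "intranet" ] || { echo "address-type must be intranet: a CloudBox CLB cannot take an EIP" >&2; rc=1; }
  case "$lb_zone$pod_zone$vswitch" in
    *"<"*) echo "placeholder still present in zone or vSwitch ID" >&2; rc=1 ;;
  esac
  return $rc
}

# Post-apply check against the ACK cluster (not the ASM control plane):
# every gateway pod must sit on a node whose zone label is the CloudBox zone.
verify_gateway_placement() {
  zone=$1
  for node in $(kubectl get pods -n istio-system -l istio=ingressgateway \
      -o jsonpath='{.items[*].spec.nodeName}'); do
    actual=$(kubectl get node "$node" \
      -o jsonpath='{.metadata.labels.topology\.kubernetes\.io/zone}')
    if [ "$actual" != "$zone" ]; then
      echo "gateway pod on node $node is in zone '$actual', expected '$zone'" >&2
      return 1
    fi
  done
  echo "all gateway pods are on nodes in $zone"
}

# Constructed sample manifest for a stand-alone run (IDs are made up).
# $1 = path, $2 = CLB zone, $3 = nodeSelector zone, $4 = address type
write_sample_manifest() {
  cat > "$1" <<EOF
apiVersion: istio.alibabacloud.com/v1beta1
kind: IstioGateway
metadata:
  name: ingressgateway
  namespace: istio-system
spec:
  serviceType: LoadBalancer
  serviceAnnotations:
    service.beta.kubernetes.io/alicloud-loadbalancer-address-type: $4
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-vswitch-id: vsw-example0001
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-master-zoneid: $2
  nodeSelector:
    topology.kubernetes.io/zone: $3
EOF
}

# Demo: a consistent manifest passes, one with a zone mismatch and an
# internet-facing CLB is rejected.
good=$(mktemp); bad=$(mktemp)
write_sample_manifest "$good" cn-hangzhou-cloudbox-a cn-hangzhou-cloudbox-a intranet
write_sample_manifest "$bad"  cn-hangzhou-cloudbox-a cn-hangzhou-h        internet
check_cloudbox_gateway "$good" && echo "good manifest: ok"
check_cloudbox_gateway "$bad"  || echo "bad manifest: rejected as expected"
rm -f "$good" "$bad"
```

Run the lint on your real manifest with `check_cloudbox_gateway gateway.yaml` before `kubectl apply`, and after the pods are Running call `verify_gateway_placement <cloudbox-zone-id>` with the ACK kubeconfig. The lint deliberately reads the same annotation and label keys the manifest uses, so a typo in a key name shows up as a "missing" error rather than silently passing.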
Deploy the application and configure routing
The gateway created in the previous step is intranet-only: its CLB address is reachable only from within the VPC or from networks connected to it, not from the public internet. Make sure your test environment has connectivity to the VPC network before you proceed.
Follow the steps in Deploy the httpbin application to:
1. Deploy the httpbin application to the ACK cluster on CloudBox nodes.
2. Create a Gateway and a VirtualService to route traffic through the ingress gateway.
Verify end-to-end connectivity
After you deploy the application and routing rules, send a test request through the gateway from a host with VPC connectivity:
```bash
# Get the gateway IP
GATEWAY_IP=$(kubectl get svc -n istio-system ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
# Send a test request
curl -I http://$GATEWAY_IP/status/200
```
A successful response returns HTTP 200, confirming that traffic flows from the gateway to the httpbin application on CloudBox nodes.
Troubleshooting
| Symptom | Possible cause | Resolution |
|---|---|---|
| Gateway pod stays in Pending state | No nodes in the CloudBox zone match the nodeSelector | Verify that the CloudBox node pool is healthy and that the zone ID in nodeSelector matches the actual CloudBox zone |
| CLB is not provisioned | The virtual switch ID or zone ID in serviceAnnotations is incorrect | Check that alibaba-cloud-loadbalancer-vswitch-id and alibaba-cloud-loadbalancer-master-zoneid point to valid CloudBox resources |
| curl request times out | No VPC connectivity from the test environment to the intranet CLB | Connect to the VPC through VPN, Express Connect, or a jump server within the VPC |
| HTTP 503 from the gateway | httpbin pod is not running or sidecar injection is not enabled | Check that the httpbin pod has a sidecar container and is in Running state |
Related topics
Configure traffic management policies for fine-grained routing between public cloud and CloudBox workloads
Enable observability to monitor cross-zone traffic
Set up mTLS to secure communication between services across zones