Alibaba Cloud Service Mesh (ASM) is a fully managed service mesh compatible with open-source Istio. ASM adjusts several Istio defaults to optimize startup ordering, resource efficiency, and graceful shutdown in managed environments.
The following tables compare default values in ASM against the Istio demo installation profile (version 1.17). Use these tables when migrating from self-managed Istio to ASM or troubleshooting unexpected workload behavior.
Note: Istio provides multiple installation profiles (default, demo, minimal, remote, empty), each with different parameter values. This comparison uses the demo profile:
./istioctl install --set profile=demo -y
Profile files are in the manifests/profiles directory of each Istio release. If your Istio installation uses a different profile, some baseline values may differ.
Differences at a glance
The following parameters have different defaults in ASM compared to Istio 1.17 (demo profile). All other parameters retain the same defaults.
| Parameter | Component | Istio default | ASM default | Impact |
|---|---|---|---|---|
| holdApplicationUntilProxyStarts | Proxy | false | true | The sidecar proxy starts before application containers, preventing startup race conditions. |
| proxyMetadata | Proxy | {} | {EXIT_ON_ZERO_ACTIVE_CONNECTIONS: "true"} | Enables graceful sidecar shutdown when no active connections remain. |
| proxyStatsMatcher | Proxy | N/A | inclusionRegexps: [.*adaptive_concurrency.*] | Reports adaptive concurrency metrics from Envoy. |
| Init container resources (requests) | Proxy | cpu: 100m, memory: 128Mi | cpu: 10m, memory: 10Mi | Reduces resource overhead for the sidecar init container. |
| clusterDomain | Proxy | cluster.local | Specified at instance creation | Must match the Kubernetes cluster domain on the data plane. |
| Tracing (Zipkin address) | Proxy | zipkin.istio-system:9411 | N/A | ASM does not enable tracing by default. Configure Tracing Analysis separately in the ASM console. |
| ISTIO_META_DNS_CAPTURE | MeshConfig | true | false | DNS proxy is disabled by default. |
| BOOTSTRAP_XDS_AGENT | MeshConfig | true | false | The pilot-agent process does not dynamically fetch bootstrap configuration before starting Envoy. |
| enablePrometheusMerge | MeshConfig | true | false | Istio Agent does not merge public metrics of an application with Envoy and agent metrics. |
| extensionProviders | MeshConfig | Configured per installed addons | Configured in the ASM console | Configure providers for Log Service, Tracing Analysis, and metric monitoring through the ASM console. |
Configuration override levels
You can override ASM default parameters at three levels. A more specific level takes precedence over a broader one:
| Level | Scope | Method |
|---|---|---|
| Mesh-wide | All workloads in the mesh | MeshConfig in the ASM console |
| Namespace | All workloads in a namespace | ProxyConfig custom resource |
| Per-workload | A single workload | proxy.istio.io/config pod annotation |
When a ProxyConfig custom resource and a pod annotation both apply to the same workload, the pod annotation takes precedence for overlapping fields.
Proxy parameters
These parameters control sidecar proxy injection, traffic interception, resource allocation, and runtime behavior.
| Parameter | Istio default | ASM default | Description |
|---|---|---|---|
| clusterDomain | cluster.local | Specified at instance creation | Cluster-local domain name. Must match the Kubernetes cluster domain on the data plane. |
| enableCoreDump | false | Same as Istio | Enables core dumps for the injected sidecar proxy, used for debugging. |
| excludeInboundPorts | "" | Same as Istio | Inbound ports excluded from redirection to the sidecar proxy. |
| includeInboundPorts | "*" | Same as Istio | Inbound ports whose traffic is redirected to the sidecar proxy. |
| includeIPRanges | "*" | Same as Istio | IP ranges (CIDR) whose traffic is redirected to the sidecar proxy. |
| excludeIPRanges | "" | Same as Istio | IP ranges (CIDR) excluded from redirection to the sidecar proxy. |
| includeOutboundPorts | "" | Same as Istio | Outbound ports whose traffic is redirected to the sidecar proxy. |
| excludeOutboundPorts | "" | Same as Istio | Outbound ports excluded from redirection to the sidecar proxy. |
| logLevel | warning | Same as Istio | Sidecar proxy log level. |
| readinessFailureThreshold | 30 | Same as Istio | Consecutive probe failures before the sidecar is marked unready. |
| readinessInitialDelaySeconds | 1 | Same as Istio | Seconds before the first readiness probe runs. |
| readinessPeriodSeconds | 2 | Same as Istio | Interval between readiness probes, in seconds. |
| resources | requests: cpu: 100m, memory: 128Mi; limits: cpu: 2000m, memory: 1024Mi | Same as Istio | Resource requests and limits for the sidecar proxy container. |
| holdApplicationUntilProxyStarts | false | true | When true, the sidecar proxy container must be ready before application containers start. Prevents race conditions where the application sends traffic before the proxy is ready. |
| concurrency | 2 | Same as Istio | Number of Envoy worker threads. If set to 0, Envoy uses all CPU cores regardless of resource limits, which may cause high CPU consumption. Leave this at the default unless you have a specific reason to change it. |
| interceptionMode | REDIRECT | Same as Istio | Mode used by the sidecar proxy to intercept traffic. |
| tracing | zipkin: {address: zipkin.istio-system:9411} | N/A | ASM does not enable Tracing Analysis by default. Configure tracing in the ASM console. |
| proxyMetadata | {} | {EXIT_ON_ZERO_ACTIVE_CONNECTIONS: "true"} | Environment variables added to the sidecar proxy container. ASM enables graceful shutdown when all connections have drained. |
| terminationDrainDuration | 5s | Same as Istio | Time allowed for existing connections to complete when the sidecar proxy terminates. |
| proxyStatsMatcher | N/A | inclusionRegexps: [.*adaptive_concurrency.*] | Custom Envoy metrics to report. ASM enables adaptive concurrency metrics by default. |
| Init container resources | requests: cpu: 100m, memory: 128Mi; limits: cpu: 2, memory: 1Gi | requests: cpu: 10m, memory: 10Mi; limits: cpu: 2, memory: 1Gi | Resource requests and limits for the sidecar proxy init container. ASM uses lower resource requests to reduce scheduling overhead. |
| OutboundTrafficPolicy | ALLOW_ANY | Same as Istio | Policy for outbound traffic to external services. ALLOW_ANY permits traffic to destinations outside the mesh. |
Pilot (control plane) parameters
| Parameter | Istio default | ASM default | Description |
|---|---|---|---|
| jwtPolicy | third-party-jwt | Same as Istio | JWT-based authentication policy. Valid values: third-party-jwt, first-party-jwt. |
MeshConfig parameters
These parameters control mesh-wide settings including DNS proxy, access logging, metrics merging, and telemetry providers.
| Parameter | Sub-field | Istio default | ASM default | Description |
|---|---|---|---|---|
| proxyMetadata | ISTIO_META_DNS_CAPTURE | true | false | Enables or disables DNS proxy. |
| proxyMetadata | BOOTSTRAP_XDS_AGENT | true | false | When enabled, the pilot-agent process dynamically fetches the bootstrap configuration before starting Envoy. |
| accessLogFile | - | /dev/stdout | Same as Istio | File path for access logs. |
| enablePrometheusMerge | - | true | false | When enabled, Istio Agent merges public metrics of an application with Envoy and Istio Agent metrics. |
| extensionProviders | - | Configured per installed addons | Configured in the ASM console | Telemetry backend providers. Configure providers for Log Service, Tracing Analysis, and metric monitoring through the ASM console. |
Telemetry parameters
| Parameter | Sub-field | Istio default | ASM default | Description |
|---|---|---|---|---|
| prometheus | wasmEnabled | false | Same as Istio | Enables or disables WebAssembly (Wasm) runtimes for stats filters. |
| metadataExchange | wasmEnabled | false | Same as Istio | Enables or disables Wasm runtimes for metadata exchange filters. |
Common misconfiguration warnings
| Parameter | Misconfiguration | Impact | Recommendation |
|---|---|---|---|
| concurrency | Set to 0 | Envoy uses all CPU cores, ignoring resource limits. This can cause high CPU consumption and affect other workloads on the node. | Leave at the default value (2). |
| holdApplicationUntilProxyStarts | Set to false in ASM | Application containers may start before the sidecar proxy is ready, causing failed requests during startup. | Keep the ASM default (true) unless startup latency is a specific concern. |
| accessLogFile | Left at /dev/stdout in high-traffic environments | Access logs consume disk I/O and storage. In high-traffic environments, this may affect performance. | Disable access logging or route logs to a dedicated logging service when running at scale. |
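
The following Python example is added here and is not Alibaba Cloud or Istio code. It resolves the three override levels from "Configuration override levels" (mesh-wide, then namespace, then pod annotation, field by field) and flags the settings listed in the misconfiguration table. It assumes the proxy.istio.io/config annotation value is written as JSON and that an override replaces a top-level field; the function names and sample values are hypothetical.

```python
import json

# ASM defaults taken from the tables on this page.
ASM_DEFAULTS = {
    "holdApplicationUntilProxyStarts": True,
    "concurrency": 2,
    "accessLogFile": "/dev/stdout",
}
ANNOTATION = "proxy.istio.io/config"


def effective_config(mesh, namespace_proxyconfig, pod_annotations):
    """Merge overrides field by field: mesh-wide < namespace < per-workload."""
    merged = dict(ASM_DEFAULTS)
    merged.update(mesh or {})
    merged.update(namespace_proxyconfig or {})
    raw = (pod_annotations or {}).get(ANNOTATION)
    if raw:
        # Assumption: the annotation value is JSON (a YAML subset), so the
        # standard library can parse it without a YAML dependency.
        override = json.loads(raw)
        if not isinstance(override, dict):
            raise ValueError(f"{ANNOTATION} must be a mapping")
        merged.update(override)
    return merged


def warnings_for(cfg, high_traffic=False):
    """Return the warnings from the misconfiguration table that apply to cfg."""
    found = []
    if cfg.get("concurrency") == 0:
        found.append("concurrency=0: Envoy uses all CPU cores, ignoring resource limits")
    if cfg.get("holdApplicationUntilProxyStarts") is False:
        found.append("holdApplicationUntilProxyStarts=false: app may start before the sidecar is ready")
    if high_traffic and cfg.get("accessLogFile") == "/dev/stdout":
        found.append("accessLogFile=/dev/stdout: access logs consume disk I/O and storage at scale")
    return found


# Constructed sample input: the namespace raises concurrency, one pod overrides it.
mesh = {}
namespace = {"concurrency": 4}
pod = {ANNOTATION: '{"concurrency": 0, "holdApplicationUntilProxyStarts": false}'}

if __name__ == "__main__":
    cfg = effective_config(mesh, namespace, pod)
    for w in warnings_for(cfg, high_traffic=True):
        print("WARN", w)
```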