Alibaba Cloud Service Mesh: Create an ingress gateway that uses an IPv6 address

Last Updated: Mar 11, 2026

IPv6 provides a larger address space and higher security compared with IPv4. Service Mesh (ASM) supports IPv6 addresses on ingress gateways. You can either create a new ingress gateway with an IPv6 address, or add an IPv6 address to an existing IPv4 ingress gateway so the gateway serves traffic on both protocols.

Prerequisites

Create an ingress gateway with an IPv6 address

To provision a Classic Load Balancer (CLB) instance with an IPv6 address, add the service.beta.kubernetes.io/alibaba-cloud-loadbalancer-ip-version: "ipv6" annotation to the ingress gateway YAML.

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of your ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.

  3. On the Ingress Gateway page, click Create from YAML.

  4. On the Create page, set Namespace to istio-system, paste the following YAML into the code editor, and click Create.

    Replace <your-cluster-id> with the ID of your data plane cluster.

    apiVersion: istio.alibabacloud.com/v1beta1
    kind: IstioGateway
    metadata:
      name: ingressgateway
      namespace: istio-system
    spec:
      gatewayType: ingress
      clusterIds:
        - <your-cluster-id>
      ports:
        - name: http-0
          port: 80
          targetPort: 80
          protocol: HTTP
        - name: https-1
          port: 443
          targetPort: 443
          protocol: HTTPS
      serviceAnnotations:
        service.beta.kubernetes.io/alicloud-loadbalancer-address-type: internet
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-spec: slb.s1.small
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-ip-version: "ipv6"
      replicaCount: 1
      resources:
        limits:
          cpu: '2'
          memory: 4G
        requests:
          cpu: 200m
          memory: 256Mi
      serviceType: LoadBalancer
      autoCreateGatewayYaml: true

    The following table describes the CLB service annotations.

    | Annotation | Description |
    | --- | --- |
    | service.beta.kubernetes.io/alicloud-loadbalancer-address-type | CLB address type. Valid values: internet (Internet-facing CLB instance) and intranet (internal-facing CLB instance). |
    | service.beta.kubernetes.io/alibaba-cloud-loadbalancer-spec | CLB instance specification. Valid values: slb.s1.small, slb.s2.small, slb.s2.medium, slb.s3.small, slb.s3.medium, and slb.s3.large. |
    | service.beta.kubernetes.io/alibaba-cloud-loadbalancer-ip-version | IP version for the CLB instance. Set to ipv6 to assign an IPv6 address. |

  5. Verify the result. On the Ingress Gateway page, confirm that the Service address of the new ingress gateway is an IPv6 address. You can also verify with kubectl:

    kubectl get svc -n istio-system ingressgateway

    The EXTERNAL-IP column displays an IPv6 address, similar to:

    NAME               TYPE           CLUSTER-IP     EXTERNAL-IP                  PORT(S)                      AGE
    ingressgateway     LoadBalancer   172.16.x.x     2400:XXXX:1300::xxxx         80:3xxxx/TCP,443:3xxxx/TCP   2m

Add an IPv6 address to an existing ingress gateway

If your ingress gateway already uses an IPv4 address, you can create a CLB instance to add an IPv6 address to the ingress gateway. After that, the ingress gateway uses both the IPv4 and IPv6 addresses.

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click the name of your cluster. In the left-side navigation pane, choose Network > Services.

  3. On the Services page, set Namespace to istio-system and click Create from YAML in the upper-right corner.

  4. On the Create page, select Custom from the Sample Template drop-down list, paste the following YAML into the Template code editor, and click Create.

    Important

    The nodePort values must not conflict with any existing port numbers in the cluster.

    apiVersion: v1
    kind: Service
    metadata:
      annotations:
        service.beta.kubernetes.io/alicloud-loadbalancer-address-type: internet
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-spec: slb.s1.small
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-ip-version: "ipv6"
      labels:
        app: istio-ingressgateway
        asm-system: 'true'
        istio: ingressgateway
      name: istio-ingressgateway-2
      namespace: istio-system
    spec:
      externalTrafficPolicy: Cluster
      ports:
        - name: http-0
          nodePort: 30544
          port: 80
          protocol: TCP
          targetPort: 80
        - name: https-2
          nodePort: 30682
          port: 443
          protocol: TCP
          targetPort: 443
      selector:
        app: istio-ingressgateway
        asm-system: 'true'
        istio: ingressgateway
        provider: asm
      sessionAffinity: None
      type: LoadBalancer

    The following table describes the CLB service annotations.

    | Annotation | Description |
    | --- | --- |
    | service.beta.kubernetes.io/alicloud-loadbalancer-address-type | CLB address type. Valid values: internet (Internet-facing CLB instance) and intranet (internal-facing CLB instance). |
    | service.beta.kubernetes.io/alibaba-cloud-loadbalancer-spec | CLB instance specification. Valid values: slb.s1.small, slb.s2.small, slb.s2.medium, slb.s3.small, slb.s3.medium, and slb.s3.large. |
    | service.beta.kubernetes.io/alibaba-cloud-loadbalancer-ip-version | IP version for the CLB instance. Set to ipv6 to assign an IPv6 address. |

  5. Verify the result. On the Services page, check the External IP column. The original istio-ingressgateway Service shows the IPv4 address, and the new istio-ingressgateway-2 Service shows the IPv6 address. Both addresses route to the same ingress gateway. You can also verify with kubectl:

    kubectl get svc -n istio-system istio-ingressgateway istio-ingressgateway-2

    Expected output:

    NAME                       TYPE           CLUSTER-IP      EXTERNAL-IP                  PORT(S)                      AGE
    istio-ingressgateway       LoadBalancer   172.16.x.x      47.xx.xx.xx                  80:3xxxx/TCP,443:3xxxx/TCP   30d
    istio-ingressgateway-2     LoadBalancer   172.16.x.x      2400:XXXX:1300::xxxx         80:30544/TCP,443:30682/TCP   5m

    [Figure: IPv4 and IPv6 addresses in the External IP column]

FAQ

How do I get the original IPv6 address of a client?

By default, the CLB instance replaces the client source IP with its own. To preserve the original client IPv6 address, enable PROXY protocol on the CLB listeners and apply an Envoy filter to the ingress gateway.

This process has four steps:

  1. Enable PROXY protocol on the CLB instance.

  2. Create an EnvoyFilter template in ASM.

  3. Bind the template to the ingress gateway.

  4. Verify that the client IP is preserved.

Step 1: Enable PROXY protocol on the CLB instance

Enable PROXY protocol in Advanced Settings for the port 80 and port 443 listeners on the IPv6 CLB instance. For instructions, see Enable Layer 4 listeners to preserve client IP addresses.

Step 2: Create an EnvoyFilter template

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of your ASM instance. In the left-side navigation pane, choose Plugin Extension Center > EnvoyFilter Template.

  3. Click Create EnvoyFilter Template.

  4. On the Create page, enter a template name, click Add an EnvoyFilter template for specific adapted istio version, select an Istio version, paste the following YAML, and click Create. This filter adds the proxy_protocol listener filter so that the ingress gateway extracts the original client IP from the PROXY protocol header.

    apiVersion: networking.istio.io/v1alpha3
    kind: EnvoyFilter
    metadata:
      name: proxy-protocol
      namespace: istio-system
    spec:
      configPatches:
      - applyTo: LISTENER
        patch:
          operation: MERGE
          value:
            listener_filters:
            - name: envoy.listener.proxy_protocol
            - name: envoy.listener.tls_inspector
      workloadSelector:
        labels:
          istio: ingressgateway
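
To show what the proxy_protocol listener filter consumes, the following added example (not part of the original page and not Envoy or ASM code) parses the text form of a PROXY protocol version 1 header as defined in the HAProxy PROXY protocol specification. The page does not state which protocol version the CLB emits, so v1 is an assumption, and the addresses use the 2001:db8::/32 documentation prefix.

```python
import ipaddress

MAX_V1_LINE = 107  # PROXY protocol spec: longest possible v1 line, CRLF included


def parse_proxy_v1(data: bytes):
    """Parse a PROXY v1 header; return (src, dst, payload) or raise ValueError.

    src and dst are (ip_address, port) tuples, or None for 'PROXY UNKNOWN'.
    """
    end = data.find(b"\r\n", 0, MAX_V1_LINE)
    if not data.startswith(b"PROXY ") or end == -1:
        # No fallback to the socket peer: a missing header is an error.
        raise ValueError("connection does not start with a PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    payload = data[end + 2:]
    if fields[1] == "UNKNOWN":
        return None, None, payload
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    family = 4 if fields[1] == "TCP4" else 6
    src_ip, dst_ip = (ipaddress.ip_address(f) for f in fields[2:4])
    if src_ip.version != family or dst_ip.version != family:
        raise ValueError("address does not match declared family")
    if not all(f.isdigit() and int(f) <= 65535 for f in fields[4:6]):
        raise ValueError("invalid port")
    return (src_ip, int(fields[4])), (dst_ip, int(fields[5])), payload


# Constructed sample: the bytes a gateway would receive from a load balancer
# that prepends a v1 header to the client's HTTP request.
SAMPLE = (b"PROXY TCP6 2001:db8:1800:af00::314b 2001:db8:1300::12d1 58272 80\r\n"
          b"GET / HTTP/1.1\r\nHost: gateway.example\r\n\r\n")

if __name__ == "__main__":
    src, dst, rest = parse_proxy_v1(SAMPLE)
    print("client", src, "-> gateway", dst, "payload starts", rest[:14])
```

Envoy's proxy_protocol listener filter also rejects connections that arrive without a header by default, so every load balancer in front of the selected gateway pods needs PROXY protocol enabled. The header is not authenticated, so the gateway ports, including the nodePort values, should be reachable only from the CLB.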

Step 3: Bind the template to the ingress gateway

  1. On the EnvoyFilter Template page, find the template you created and click Edit template in the Actions column.

  2. Click the Bind template to workloads tab, then click Bind EnvoyFilter to Workloads.

  3. In the Bind EnvoyFilter to Workloads dialog box, set Namespace to istio-system and Workload Type to Deployment. In the Not bound section, click Bind next to the ingress gateway, and click OK.

Step 4: Verify client IP preservation

Access a URL through the IPv6 ingress gateway and check the gateway logs. The downstream_remote_address field contains the original client IPv6 address.

Sample log entry:

{
  "downstream_remote_address": "[2402:XXXX:1800:af00:0:9671:f00f:314b]:58272",
  "downstream_local_address": "[2400:XXXX:1300::12d1]:80",
  "x_forwarded_for": "2402:XXXX:1800:af00:0:9671:f00f:314b",
  "method": "GET",
  "path": "/",
  "protocol": "HTTP/1.1",
  "response_code": 404,
  "authority": "[2400:XXXX:1300::12d1]"
}

In this example, downstream_remote_address shows the client's original IPv6 address (2402:XXXX:1800:af00:0:9671:f00f:314b) and source port (58272).
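
The check in Step 4 can be run over many log lines at once. The following added example (not part of the original page) parses downstream_remote_address in the form shown above and flags entries where the gateway logged an internal hop instead of a client address. The log lines are constructed, and INTERNAL_NETS is a placeholder for your own node and pod CIDR ranges.

```python
import ipaddress
import json
from collections import Counter

# Assumption: replace with the node/pod CIDRs of your cluster.
INTERNAL_NETS = [ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("fd00::/8")]


def split_host_port(value: str):
    """Split Envoy's 'ip:port' or '[ipv6]:port' form into (ip_address, port)."""
    if value.startswith("["):
        host, sep, port = value[1:].partition("]:")
    else:
        host, sep, port = value.rpartition(":")
    if not sep:
        raise ValueError(f"no port in {value!r}")
    ip = ipaddress.ip_address(host)
    # On a dual-stack listener an IPv4 peer can be logged as ::ffff:a.b.c.d.
    return (getattr(ip, "ipv4_mapped", None) or ip), int(port)


def classify(entry: dict, internal_nets=INTERNAL_NETS) -> str:
    """Return 'hop-address' if the logged peer is internal, else the client family."""
    ip, _ = split_host_port(entry["downstream_remote_address"])
    if any(ip in net for net in internal_nets):
        return "hop-address"  # source IP was not preserved
    return f"client-ipv{ip.version}"


def summarize(lines, internal_nets=INTERNAL_NETS) -> Counter:
    """Count classifications over JSON access-log lines."""
    return Counter(classify(json.loads(l), internal_nets) for l in lines)


# Constructed access-log lines (documentation address ranges).
SAMPLE_LOGS = [
    '{"downstream_remote_address": "[2001:db8:1800:af00::314b]:58272", "path": "/"}',
    '{"downstream_remote_address": "172.16.3.7:41022", "path": "/"}',
    '{"downstream_remote_address": "[::ffff:172.16.3.7]:41023", "path": "/"}',
    '{"downstream_remote_address": "198.51.100.20:5050", "path": "/"}',
]

if __name__ == "__main__":
    for kind, count in summarize(SAMPLE_LOGS).items():
        print(f"{kind}: {count}")
```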