Alibaba Cloud Service Mesh:Enable Mesh Topology in managed mode

Last Updated:Jan 23, 2024

Mesh Topology in managed mode lets you monitor the traffic topology of multiple clusters from a single service instance. In managed mode, the Mesh Topology service runs as an elastic container instance (ECI) on the control plane, which improves service reliability and ease of use. Only one Mesh Topology service instance is needed for the entire Service Mesh (ASM) instance, which reduces the configuration workload.

Prerequisites

Feature description

As an observability tool of ASM, Mesh Topology provides a visual interface for you to view related services and configurations. This helps you quickly evaluate the health status of services. Mesh Topology provides powerful visualization of ASM traffic. It combines real-time request traffic with ASM configuration information to provide instant insights into ASM behavior and help you quickly pinpoint issues.

ASM instances of v1.18.2.112 and later support Mesh Topology in managed mode. In earlier versions, Mesh Topology can only be deployed in Kubernetes clusters on the data plane. Managed mode is better suited to unified observation across multiple clusters, requires less configuration, and provides higher service reliability.

Mesh Topology can be deployed in the following two modes. These two modes differ in configuration complexity and service reliability.

In-Kubernetes-cluster mode

In this mode, a Mesh Topology service instance must be deployed in each data-plane cluster of an ASM instance. This deployment mode has the following characteristics:

  • A Mesh Topology service instance is deployed in each data-plane cluster. Each instance connects to the Prometheus instance of its own cluster and observes only the traffic topology of services in that cluster.

  • The Mesh Topology service instance in each data-plane cluster must be configured separately. With multiple data-plane clusters, you must configure and maintain one access address per cluster, which makes the configuration complex.

  • The availability of a Mesh Topology service instance depends on its data-plane cluster. The instance may become unavailable if the data-plane cluster runs short of resources.

Managed mode

ASM instances of v1.18.2.112 and later support Mesh Topology in managed mode. In managed mode, a Mesh Topology service instance is deployed as an elastic container instance to provide higher service reliability and ease of use. The managed mode has the following characteristics:

  • Only one Mesh Topology service instance is deployed in an ASM instance and it uniformly observes the traffic topology of multiple clusters.

  • You do not need to configure the Mesh Topology service instance separately for each cluster. This reduces the configuration workload.

  • The workloads of the Mesh Topology service instance run as elastic container instances (ECIs) on the control plane, which provides higher service reliability than running them in a data-plane cluster.

Step 1: Enable Mesh Topology in managed mode

Note

You can select managed mode only at the time you enable Mesh Topology. If Mesh Topology is already enabled, disable it and then enable it again, selecting managed mode.

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose Observability Management Center > Mesh Topology.

  3. On the Mesh Topology page, click Managed Mode and then click To enable.

  4. In the Enable Mesh Topology in Managed Mode dialog box, configure related parameters and click OK.

    Clusters to observe

    Select the data-plane cluster to be observed by the Mesh Topology service. You can select multiple clusters. In managed mode, an ASM instance has only one Mesh Topology service instance.

    Important

    After you select the data-plane clusters to be observed, the workloads of the Mesh Topology service instance are granted read-only permissions on the Service, Pod, Namespace, Deployment, ReplicaSet, Endpoints, and Node resources in those clusters. They are also granted read-only permissions on the istio and istio-sidecar-injector ConfigMaps in the istio-system namespace of each selected cluster.

    These workloads run as elastic container instances on the control plane, outside every observed cluster. This means that one set of elastic container instances holds read access to the resources listed above in all selected clusters at the same time; Pod, Endpoints, and ConfigMap data in particular expose workload names, addresses, and mesh configuration. Select only the clusters you actually need to observe, after you fully understand this note.

    Configure Prometheus address

    Configure the HTTP API address of the Prometheus instance on which the Mesh Topology service instance depends.

    • If you choose to observe a single cluster, you can use the HTTP API address of the Prometheus instance that is integrated with the cluster. If you use a Managed Service for Prometheus instance, you can obtain the HTTP API address of the instance by performing the related steps in HTTP API URLs.

    • If you choose to observe multiple clusters, ensure that the dependent Prometheus instance has collected the Envoy metrics of these clusters. You can create an aggregation Prometheus instance for the Managed Service for Prometheus instances of multiple clusters and obtain the HTTP API address of the aggregation Prometheus instance. For more information, see Create a global aggregation instance by using Managed Service for Prometheus.

    Access

    In managed mode, you can create a Classic Load Balancer (CLB) instance to access the Mesh Topology service, or you can access it through an ASM gateway. The Create a CLB Instance to Access ASM Mesh Topology switch controls which of the two is used.

    If you do not turn on Create a CLB Instance to Access ASM Mesh Topology, you must complete the configuration for accessing Mesh Topology through an ASM gateway before you enable Mesh Topology in the ASM console. For more information, see Method 2: Use an ASM gateway to access Mesh Topology in Step 2: Open the logon page of Mesh Topology of Enable Mesh Topology to improve observability. Record the IP address of the ASM gateway; you need it in the Authentication step.

    Authentication

    You can log on to Mesh Topology in managed mode only with an Alibaba Cloud account or through OpenID Connect (OIDC).

    • To log on with an Alibaba Cloud account when you did not turn on Create a CLB Instance to Access ASM Mesh Topology in the Access step, you must fill in The address to access Mesh Topology with the IP address of the ASM gateway that you recorded in the Access step.

    • To log on through OIDC, you must configure the ClientID, ClientSecret, and IssuerUri fields of the identity provider (IdP). For more information about how to configure an IdP, see "Step 2: Add and configure an OIDC application" in Integrate Alibaba Cloud IDaaS with ASM to implement single sign-on.
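The Clusters to observe note above describes a read-only grant on a fixed set of resources in every selected cluster. The following script is an added example (not ASM's own code) that audits a Role or ClusterRole, in the JSON shape that `kubectl get clusterrole <name> -o json` returns, against exactly that scope: only get/list/watch verbs, only the seven listed resource types cluster-wide, and ConfigMaps only by name in istio-system. The role names, the grant layout, and the sample documents are constructed for illustration; the name and layout of the real binding that ASM creates are not documented on this page and must be looked up in the cluster.

```python
"""Audit a Role/ClusterRole against the read-only scope documented for the
managed Mesh Topology workloads. Added example, not ASM's own code; the
sample roles below are constructed and their names are assumed."""
import json

READ_ONLY_VERBS = {"get", "list", "watch"}
# Resource types the page says may be read cluster-wide (API plural names).
EXPECTED_RESOURCES = {"services", "pods", "namespaces", "deployments",
                      "replicasets", "endpoints", "nodes"}
# The only ConfigMaps the page says may be read, and the namespace they live in.
EXPECTED_CONFIGMAPS = {"istio", "istio-sidecar-injector"}
EXPECTED_CONFIGMAP_NAMESPACE = "istio-system"


def audit_role(role):
    """Return a list of findings for one Role/ClusterRole dict; [] means the
    rules stay inside the documented scope.

    A ClusterRole is treated as cluster-wide, so a configmaps rule in it is
    flagged: the page only allows ConfigMap reads inside istio-system, which
    calls for a Role there (or a ClusterRole bound by a RoleBinding, which
    this simple check does not resolve). Note also that resourceNames only
    restricts get/watch-by-name; a list without a metadata.name field
    selector is not authorized by such a rule at all."""
    namespace = (role.get("metadata", {}).get("namespace")
                 if role.get("kind") == "Role" else None)
    findings = []
    for rule in role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        names = set(rule.get("resourceNames", []))
        if not verbs <= READ_ONLY_VERBS:        # "*" or any write verb lands here
            findings.append(f"write verbs {sorted(verbs - READ_ONLY_VERBS)} "
                            f"on {sorted(resources)}")
        for res in resources:
            if res == "configmaps":
                if namespace != EXPECTED_CONFIGMAP_NAMESPACE:
                    findings.append(f"configmaps readable outside "
                                    f"{EXPECTED_CONFIGMAP_NAMESPACE} (namespace={namespace})")
                if not names or not names <= EXPECTED_CONFIGMAPS:
                    findings.append(f"configmaps not limited to "
                                    f"{sorted(EXPECTED_CONFIGMAPS)}: {sorted(names) or 'all'}")
            elif res not in EXPECTED_RESOURCES:
                findings.append(f"unexpected resource {res!r}")
    return findings


def audit_json(doc):
    """Audit one object or a kind: List document (kubectl -o json output).
    Returns {"Kind/name": [findings]}."""
    obj = json.loads(doc)
    items = obj["items"] if obj.get("kind") == "List" else [obj]
    return {f"{o['kind']}/{o['metadata']['name']}": audit_role(o) for o in items}


# Constructed sample: a grant that matches the page's note (names assumed).
EXPECTED_GRANT = json.dumps({"kind": "List", "items": [
    {"kind": "ClusterRole", "metadata": {"name": "mesh-topology-observer"},
     "rules": [
         {"apiGroups": [""], "verbs": ["get", "list", "watch"],
          "resources": ["services", "pods", "namespaces", "endpoints", "nodes"]},
         {"apiGroups": ["apps"], "verbs": ["get", "list", "watch"],
          "resources": ["deployments", "replicasets"]}]},
    {"kind": "Role", "metadata": {"name": "mesh-topology-istio-config",
                                  "namespace": "istio-system"},
     "rules": [
         {"apiGroups": [""], "resources": ["configmaps"],
          "resourceNames": ["istio", "istio-sidecar-injector"],
          "verbs": ["get", "watch"]}]}]})

# Constructed sample: a drifted grant that must be rejected (reads Secrets,
# full access to every ConfigMap in the cluster).
DRIFTED_GRANT = json.dumps({
    "kind": "ClusterRole", "metadata": {"name": "mesh-topology-observer"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "secrets"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["*"]}]})

if __name__ == "__main__":
    for label, doc in (("expected", EXPECTED_GRANT), ("drifted", DRIFTED_GRANT)):
        for name, findings in audit_json(doc).items():
            print(label, name, "OK" if not findings else findings)
```

Run it against the live grant by replacing the constructed documents with `kubectl get clusterrole,role -A -o json` output filtered to the binding ASM created; an empty findings list for each object confirms the grant is no wider than the note states. The check ignores apiGroups, so a rule that names `deployments` in the wrong group would pass it but fail at the API server, which is the safe direction.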
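The Configure Prometheus address parameter above requires that, when several clusters are observed, the single Prometheus instance already holds the Envoy metrics of all of them. The following script is an added example (not ASM's own code) of the check a practitioner would run before clicking OK: it issues one instant query to the Prometheus HTTP API that counts Envoy series per cluster and reports any selected cluster that has none. The base URL is a placeholder, and the metric name `istio_requests_total` and the `destination_cluster` label are Istio's standard names, which an aggregation instance may relabel, so both are parameters rather than fixed assumptions; the sample response and cluster list are constructed.

```python
"""Check that the Prometheus HTTP API configured for managed Mesh Topology
has Envoy metrics for every cluster selected in "Clusters to observe".
Added example, not ASM's own code; PROM_URL is a placeholder and the metric
and label names are assumed to be Istio's unrelabelled defaults."""
import json
import urllib.parse
import urllib.request

PROM_URL = "http://prometheus.example.invalid:9090"   # placeholder (assumed)
METRIC = "istio_requests_total"                        # Istio standard metric (assumed)
CLUSTER_LABEL = "destination_cluster"                  # Istio standard label (assumed)


def build_query_url(base_url, metric=METRIC, cluster_label=CLUSTER_LABEL):
    """URL of an instant query that counts Envoy series per cluster."""
    expr = f"count by ({cluster_label}) ({metric})"
    return base_url.rstrip("/") + "/api/v1/query?" + urllib.parse.urlencode({"query": expr})


def series_per_cluster(response, cluster_label=CLUSTER_LABEL):
    """Turn a /api/v1/query response into {cluster_id: series_count}.

    Istio writes "unknown" when it cannot determine the cluster; a series
    without the label at all is reported under "<no-label>" so that a
    relabelled aggregation instance is noticed instead of silently ignored."""
    if response.get("status") != "success":
        raise ValueError(f"Prometheus returned {response.get('status')}: {response.get('error')}")
    counts = {}
    for sample in response["data"]["result"]:
        cluster = sample["metric"].get(cluster_label, "<no-label>")
        counts[cluster] = counts.get(cluster, 0) + int(float(sample["value"][1]))
    return counts


def missing_clusters(expected_clusters, response, cluster_label=CLUSTER_LABEL):
    """Selected clusters for which Prometheus holds no Envoy series at all."""
    counts = series_per_cluster(response, cluster_label)
    return sorted(c for c in expected_clusters if counts.get(c, 0) == 0)


def check_live(base_url, expected_clusters, timeout=10):
    """Run the query against a real instance (needs network; not run offline)."""
    with urllib.request.urlopen(build_query_url(base_url), timeout=timeout) as r:
        return missing_clusters(expected_clusters, json.load(r))


# Constructed response in Prometheus's instant-query format: two clusters
# report Envoy series, the third selected cluster reports nothing.
SAMPLE_RESPONSE = {
    "status": "success",
    "data": {"resultType": "vector", "result": [
        {"metric": {"destination_cluster": "cluster-a"}, "value": [1700000000, "120"]},
        {"metric": {"destination_cluster": "cluster-b"}, "value": [1700000000, "35"]},
        {"metric": {"destination_cluster": "unknown"},   "value": [1700000000, "4"]},
    ]},
}
SELECTED_CLUSTERS = ["cluster-a", "cluster-b", "cluster-c"]   # constructed

if __name__ == "__main__":
    print("query:", build_query_url(PROM_URL))
    print("series per cluster:", series_per_cluster(SAMPLE_RESPONSE))
    print("selected clusters without Envoy metrics:",
          missing_clusters(SELECTED_CLUSTERS, SAMPLE_RESPONSE))
```

If `missing_clusters` returns a non-empty list, Mesh Topology will show an empty graph for those clusters no matter how the console is configured; fix the scrape or the aggregation instance first. A large count under `<no-label>` means the aggregation instance relabelled the cluster dimension, and `CLUSTER_LABEL` should be set to whatever label it uses.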

Step 2: Access the Mesh Topology service

In managed mode, you can use a CLB instance or an ASM gateway to access the Mesh Topology service. For more information, see Method 1: Directly access Mesh Topology and Method 2: Use an ASM gateway to access Mesh Topology of Step 2: Open the logon page of Mesh Topology in Enable Mesh Topology to improve observability.

References