Service Mesh (ASM) instances of the Enterprise Edition or Ultimate Edition can use Intel Multi-Buffer to accelerate Transport Layer Security (TLS) processing in Envoy. This topic describes how to enable Multi-Buffer for an ASM instance, for an ingress gateway, and for a pod.
Prerequisites
An ASM instance is created. The instance type is Enterprise Edition or Ultimate Edition and the Istio version is 1.10 or later. For more information, see Create an ASM instance.
A Container Service for Kubernetes (ACK) cluster is created, and its nodes belong to an instance family that uses Intel Ice Lake processors, which provide the AVX-512 instructions that Multi-Buffer requires. For more information, see Create an ACK managed cluster.
The following list shows the instance families that use Intel Ice Lake processors, grouped by series.
Note: For more information about instance families, see Overview of instance families.
g7 series
  g7se, storage-enhanced general-purpose instance family
  g7, general-purpose instance family
  g7t, security-enhanced general-purpose instance family
c7 series
  c7, compute-optimized instance family
  c7re, RDMA-enhanced instance family
  c7se, storage-enhanced compute-optimized instance family
  c7t, security-enhanced compute-optimized instance family
r7 series
  r7p, memory-optimized instance family
  r7se, storage-enhanced memory-optimized instance family
  r7, memory-optimized instance family
  r7t, security-enhanced memory-optimized instance family
Others
  re7p, high-memory instance family
  vgn7i-vws, vGPU-accelerated instance family
  gn7i, GPU-accelerated compute-optimized instance family
  ebmgn7i, GPU-accelerated compute-optimized ECS Bare Metal Instance family
  sccc7, compute-optimized SCC instance family
  sccg7, general-purpose SCC instance family
The cluster is added to the ASM instance. For more information, see Add a cluster to an ASM instance.
Background information
TLS is the foundation of secure network communication. A TLS session has two phases: the handshake and data transmission. The main work of the handshake is to use asymmetric cryptography (key exchange and signature verification) to authenticate the peer and negotiate a session key. In the data transmission phase, that session key is used to encrypt application data symmetrically before it is sent.
In microservice scenarios, Envoy must process a large number of TLS connections, whether it serves as an ingress gateway or as the sidecar proxy of a microservice. The handshake phase in particular spends a large amount of CPU time on asymmetric operations, and this can become a bottleneck in large-scale deployments. ASM uses Intel Multi-Buffer to accelerate TLS processing in Envoy and relieve this bottleneck.
Multi-Buffer uses the AVX-512 instructions of Intel CPUs to process multiple independent buffers in parallel: several encryption or decryption operations are carried out in one pass through the SIMD pipeline, which raises throughput. Multi-Buffer needs no additional hardware, but the CPU must support AVX-512. The Ice Lake processors used in the instance families listed above provide the AVX-512 extensions that Multi-Buffer relies on.
Procedure
Enable Multi-Buffer for an ASM instance
To enable Multi-Buffer for an ASM instance, perform the following steps:
- Log on to the ASM console. In the left-side navigation pane, choose .
- On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose .
- In the upper-right corner of the Basic Information page, click Settings.
- In the Settings Update panel, select Enable MultiBuffer-based TLS encryption and decryption performance optimization, and then click OK.
On nodes of the general-purpose instance family g7, Multi-Buffer raises the queries per second (QPS) that a TLS-terminating Envoy can serve by about 75%; ECS Bare Metal instances show a larger gain. The actual improvement depends on how much of Envoy's CPU time is spent in TLS handshakes, so measure it with your own traffic profile.
Enable Multi-Buffer for an ingress gateway
Enable Multi-Buffer for a new ingress gateway:
On the details page of the ASM instance, choose
in the left-side navigation pane. On the page that appears, click Create. In the lower part of the Create page, click Advanced Options, select Enable MultiBuffer-based TLS encryption and decryption performance optimization, and then configure the following parameters.
Parameter: supported nodeaffinity
  Select the label of the nodes on which Multi-Buffer takes effect. The gateway pod is scheduled to nodes that carry this label, so the label must be present on nodes with Ice Lake CPUs; otherwise the pod lands on a node where acceleration cannot work.
Parameter: Poll Delay(ms)
  In most cases, you do not need to change the value of this parameter.
  Multi-Buffer encrypts and decrypts several requests in one batch. Assume that a batch holds eight requests: Multi-Buffer does not start processing until eight requests have been queued. Under high load the batch fills within a very short time, but under low load the queued requests could wait for a long time. The poll delay bounds this wait: when the delay expires, Multi-Buffer processes the requests already queued even if there are fewer than eight. A larger value favors throughput, a smaller value favors latency on lightly loaded gateways.
For more information about how to create an ingress gateway, see Create an ingress gateway service.
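The interaction between batch size and poll delay, as an added example (not code from ASM or from Intel's Multi-Buffer library): the simulation below assumes a batch of eight and constructed request arrival times, and shows that without a poll delay a trickle of requests never forms a batch, while a poll delay bounds each request's queueing wait at the configured value.

```python
# Added example: a small simulation of the batching behaviour that the
# Poll Delay parameter controls. This is not code from ASM or from Intel's
# Multi-Buffer library; the batch size of 8 and the arrival patterns are
# constructed to illustrate the trade-off described in the table above.

BATCH_SIZE = 8  # assumed number of independent buffers processed per pass


def simulate(arrivals_ms, batch_size=BATCH_SIZE, poll_delay_ms=None):
    """Return the queueing wait (ms) of each request, in arrival order.

    A batch is dispatched as soon as `batch_size` requests are waiting.
    With `poll_delay_ms` set, a partial batch is also dispatched once its
    oldest request has waited that long. Crypto processing time itself is
    not modelled, only the wait for a batch to form. A request that never
    gets dispatched (no poll delay, not enough traffic) is reported as None.
    """
    waits = []
    queue = []
    for t in sorted(arrivals_ms):
        # A timer-driven poll would have flushed the partial batch at
        # queue[0] + poll_delay_ms; account for that before admitting t.
        if queue and poll_delay_ms is not None and t - queue[0] >= poll_delay_ms:
            dispatch_at = queue[0] + poll_delay_ms
            waits.extend(dispatch_at - q for q in queue)
            queue = []
        queue.append(t)
        if len(queue) == batch_size:
            # Full batch: dispatched immediately when the last request arrives.
            waits.extend(t - q for q in queue)
            queue = []
    if queue:
        if poll_delay_ms is None:
            waits.extend([None] * len(queue))  # stranded until more traffic
        else:
            dispatch_at = queue[0] + poll_delay_ms
            waits.extend(dispatch_at - q for q in queue)
    return waits


def summarize(waits):
    """Count dispatched vs stranded requests and the worst queueing wait."""
    served = [w for w in waits if w is not None]
    return {
        "served": len(served),
        "stranded": waits.count(None),
        "max_wait_ms": max(served, default=0),
    }


if __name__ == "__main__":
    # Constructed traffic: a busy burst of eight, then three sparse requests.
    busy = list(range(8))
    sparse = [0, 50, 100]
    print("busy, no poll delay:   ", summarize(simulate(busy)))
    print("sparse, no poll delay: ", summarize(simulate(sparse)))
    print("sparse, poll delay 10: ", summarize(simulate(sparse, poll_delay_ms=10)))
```

With the sparse pattern and no poll delay every request is stranded; with a 10 ms poll delay each waits exactly 10 ms, which is the bound the parameter gives you. The busy burst fills a batch on its own, so the poll delay never fires there.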
Enable Multi-Buffer for an existing ingress gateway:
On the details page of the ASM instance, choose
in the left-side navigation pane. Click the ingress gateway for which you want to enable Multi-Buffer. Choose
. In the Advanced Options section, click the icon next to Performance Optimization, select Enable MultiBuffer-based TLS encryption and decryption performance optimization, configure the related parameters, and then click Submit.
To enable Multi-Buffer for a pod (that is, for the sidecar proxy of a workload rather than for an ingress gateway), the Istio version of your ASM instance must be 1.14.3 or later. For more information about how to update an ASM instance, see Update an ASM instance.
FAQ
What happens if Multi-Buffer is enabled on the control plane, but the nodes in the data-plane Kubernetes cluster do not support Intel Ice Lake?
Envoy writes warning logs, and Multi-Buffer does not take effect on those nodes.
ASM instances whose type is the Enterprise Edition or Ultimate Edition and whose Istio version is 1.10 or later automatically check whether TLS acceleration can take effect when it is enabled. If the node to which the service or gateway pod is scheduled does not support Intel Ice Lake, ASM does not deliver the acceleration configuration to that pod, and TLS acceleration does not take effect there. Traffic is still served, only without acceleration.
How do I add a node that supports Multi-Buffer to a Kubernetes cluster and enable Multi-Buffer?
- Add a node that supports Intel Ice Lake to the Kubernetes cluster. For more information, see Add existing ECS instances to an ACK cluster.
- Add the multibuffer-support:true label to the newly added node. For more information, see Manage node labels.
- Add the following node affinity to the YAML file of the ingress gateway. For more information, see CRD fields for a gateway. The key in matchExpressions must be a label that is actually present on the node; confirm this with kubectl get node <node-name> --show-labels before you submit the change, because a preference whose key matches nothing never influences scheduling.
affinity:
  nodeAffinity:
    preferredDuringSchedulingIgnoredDuringExecution:
    - preference:
        matchExpressions:
        - key: feature.node.kubernetes.io/mb-feature-enabled
          operator: In
          values:
          - 'true'
      weight: 1
After you add the node affinity, the ingress gateway pod is preferentially scheduled to the newly added node that supports Multi-Buffer. Because the rule is preferredDuringSchedulingIgnoredDuringExecution, the scheduler may still place the pod elsewhere if that node has no capacity; use requiredDuringSchedulingIgnoredDuringExecution if the pod must never run on an unsupported node.
- Enable Multi-Buffer for the ASM instance. For more information, see the Enable Multi-Buffer for an ASM instance section.
After you enable Multi-Buffer for the ASM instance, gateway pods running on the newly added node use Multi-Buffer to accelerate TLS processing.
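A check for the two ways this procedure fails silently (the affinity key not matching the label that was actually set, and a selected node whose CPU lacks AVX-512), as an added example that is not code from ASM or Kubernetes: the script evaluates the nodeAffinity matchExpressions from the YAML above against node labels in the JSON shape that kubectl get nodes -o json produces, and checks each node's /proc/cpuinfo flags line. The node list, the cpuinfo lines and the choice of avx512f plus avx512ifma as the required flag set are assumptions of this example.

```python
# Added example: evaluate an ingress gateway's Multi-Buffer node affinity
# against the cluster's node labels and CPU flags, to catch the two ways the
# acceleration silently stays off: the affinity key not matching the label
# that was actually set, and a selected node whose CPU lacks AVX-512.
# This is not code from ASM or Kubernetes. It consumes the JSON shape of
# `kubectl get nodes -o json`; the node list and cpuinfo lines below are
# constructed for the example.
import json
import sys

AFFINITY_KEY = "feature.node.kubernetes.io/mb-feature-enabled"  # key used in the affinity above
MANUAL_LABEL = "multibuffer-support"                           # label added by hand above

# avx512f is the base AVX-512 set; avx512ifma ships on Ice Lake but not on
# Skylake/Cascade Lake, so it separates Ice Lake from older AVX-512 parts.
# Treating these two as the required set is an assumption of this example.
REQUIRED_FLAGS = {"avx512f", "avx512ifma"}

AFFINITY_EXPRESSIONS = [{"key": AFFINITY_KEY, "operator": "In", "values": ["true"]}]


def match_expression(labels, expr):
    """Evaluate one nodeAffinity matchExpression against a node's labels."""
    key, op = expr["key"], expr["operator"]
    values = expr.get("values", [])
    if op == "In":
        return labels.get(key) in values
    if op == "NotIn":
        return labels.get(key) not in values
    if op == "Exists":
        return key in labels
    if op == "DoesNotExist":
        return key not in labels
    raise ValueError(f"unsupported operator: {op}")


def eligible_nodes(nodes_json, expressions):
    """Names of nodes that satisfy every expression of one preference term."""
    return [
        node["metadata"]["name"]
        for node in nodes_json["items"]
        if all(match_expression(node["metadata"].get("labels", {}), e) for e in expressions)
    ]


def cpu_supports_multibuffer(cpuinfo_flags_line):
    """True if a /proc/cpuinfo 'flags' line lists every required flag."""
    flags = set(cpuinfo_flags_line.split(":", 1)[-1].split())
    return REQUIRED_FLAGS <= flags


def audit(nodes_json, flags_by_node, expressions):
    """Map each node name to a one-line verdict about Multi-Buffer readiness."""
    verdicts = {}
    for node in nodes_json["items"]:
        name = node["metadata"]["name"]
        labels = node["metadata"].get("labels", {})
        selected = all(match_expression(labels, e) for e in expressions)
        cpu_ok = cpu_supports_multibuffer(flags_by_node.get(name, ""))
        if labels.get(MANUAL_LABEL) == "true" and not selected:
            verdicts[name] = "labelled by hand but affinity key is missing"
        elif selected and not cpu_ok:
            verdicts[name] = "selected by affinity but CPU lacks AVX-512 flags"
        elif selected:
            verdicts[name] = "ok"
        else:
            verdicts[name] = "not selected"
    return verdicts


# Constructed sample data (not real cluster output).
SAMPLE_NODES = {"items": [
    {"metadata": {"name": "node-icelake-1", "labels": {AFFINITY_KEY: "true", MANUAL_LABEL: "true"}}},
    {"metadata": {"name": "node-icelake-2", "labels": {MANUAL_LABEL: "true"}}},
    {"metadata": {"name": "node-skylake", "labels": {AFFINITY_KEY: "true"}}},
    {"metadata": {"name": "node-unlabelled", "labels": {}}},
]}
ICE_LAKE_FLAGS = "flags : fpu sse avx2 avx512f avx512dq avx512ifma avx512cd avx512bw avx512vl vaes vpclmulqdq"
SKYLAKE_FLAGS = "flags : fpu sse avx2 avx512f avx512dq avx512cd avx512bw avx512vl"
SAMPLE_FLAGS = {
    "node-icelake-1": ICE_LAKE_FLAGS,
    "node-icelake-2": ICE_LAKE_FLAGS,
    "node-skylake": SKYLAKE_FLAGS,
}

if __name__ == "__main__":
    # Real use: kubectl get nodes -o json | python3 check_mb_nodes.py
    # CPU flags come from /proc/cpuinfo on each node, for example via
    # kubectl debug node/<name> --image=busybox -- grep -m1 flags /proc/cpuinfo
    nodes = SAMPLE_NODES if sys.stdin.isatty() else json.load(sys.stdin)
    flags = SAMPLE_FLAGS if nodes is SAMPLE_NODES else {}
    for name, verdict in audit(nodes, flags, AFFINITY_EXPRESSIONS).items():
        print(f"{name}: {verdict}")
```

In the constructed sample, node-icelake-2 carries only the hand-added multibuffer-support label, so the affinity above never selects it, and node-skylake is selected but cannot run the accelerated path; both are exactly the cases the FAQ describes as "Multi-Buffer does not take effect".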