Alibaba Cloud Service Mesh: Enable the feature of keeping traffic in-cluster in multi-cluster scenarios

Last Updated: Feb 26, 2024

When you manage multiple clusters in a Service Mesh (ASM) instance, the workloads of a service may be deployed across the clusters. When you access the service, cross-cluster load balancing is implemented by default. If you want to ensure that traffic sent from a cluster reaches only destinations in the same cluster, you can use the feature of keeping traffic in-cluster. This topic describes how to use this feature. In the following example, the Bookinfo application is used.

Prerequisites

  • Two Container Service for Kubernetes (ACK) clusters are created in the same virtual private cloud (VPC). In this example, the two ACK clusters are named m1c1 and m1c2. For more information, see Create an ACK dedicated cluster.

  • An ASM instance of version 1.15.3.101 or later is created. In this example, the ASM instance is named mesh1. For more information, see Create an ASM instance.

Preparations

Step 1: Configure mutual access between the two clusters

(Optional) Change the security group names of the clusters

Change the security group name of each cluster so that you can deduce the corresponding cluster from the new security group name. In this example, change the security group names to m1c1-sg and m1c2-sg.

To change the security group name of a cluster, perform the following steps:

  1. Log on to the Elastic Compute Service (ECS) console. In the left-side navigation pane, choose Network & Security > Security Groups.

  2. In the top navigation bar, select the region where the desired ECS instance resides.

  3. On the Security Groups page, move the pointer over the name of the security group that you want to rename and click the icon. In the dialog box that appears, enter the new name and click Confirm.

Configure security group rules

Configure rules for the security groups so that the clusters can access each other. On the configuration page of the m1c1-sg security group, create a rule to allow access from m1c2-sg. On the configuration page of the m1c2-sg security group, create a rule to allow access from m1c1-sg. For more information, see Add a security group rule.

Figure 1. Configure the m1c1-sg security group

Step 2: Add the two clusters to the ASM instance and deploy an ingress gateway

The two clusters can access each other. After you add the two clusters to the ASM instance, you only need to deploy an ingress gateway for one of the clusters.

  1. Add the two clusters to the ASM instance. For more information, see Add a cluster to an ASM instance.

  2. Deploy an ingress gateway for the m1c1 cluster. For more information, see Create an ingress gateway.

Step 3: Deploy a Bookinfo application in each of the two clusters

In this example, Bookinfo applications are used to verify the feature that keeps traffic in-cluster. The Bookinfo applications in the two clusters have only one difference: The reviews microservice in the m1c1 cluster is of the v1 version and that in the m1c2 cluster is of the v2 version.

  1. Use the bookinfo-with-reviews-v1.yaml file to deploy a Bookinfo application in the m1c1 cluster. The Bookinfo application contains the reviews-v1 deployment. For more information, see Deploy an application in an ASM instance.

    Reviews-v1 does not call the ratings microservice to rate a book with one to five black stars.

  2. Use the bookinfo-with-reviews-v2.yaml file to deploy a Bookinfo application in the m1c2 cluster. The Bookinfo application contains the reviews-v2 deployment.

    Reviews-v2 calls the ratings microservice to rate a book with one to five black stars.

Step 4: Create an Istio gateway, a virtual service, and a destination rule in the ASM instance

  1. Use the following YAML code to create an Istio gateway in the default namespace of the ASM instance. For more information, see Manage Istio gateways.

    apiVersion: networking.istio.io/v1alpha3
    kind: Gateway
    metadata:
      name: bookinfo-gateway
    spec:
      selector:
        istio: ingressgateway
      servers:
      - port:
          number: 80
          name: http
          protocol: HTTP
        hosts:
        - "*"

  2. Use the following YAML code to create a virtual service in the default namespace of the ASM instance. For more information, see Manage virtual services.

    apiVersion: networking.istio.io/v1alpha3
    kind: VirtualService
    metadata:
      name: bookinfo-cluster-local
    spec:
      hosts:
      - "*"
      gateways:
      - bookinfo-gateway
      http:
      - match:
        - uri:
            exact: /productpage1
        rewrite:
          uri: /productpage
        route:
        - destination:
            host: productpage
            port:
              number: 9080
            subset: m1c1
      - match:
        - uri:
            exact: /productpage2
        rewrite:
          uri: /productpage
        route:
        - destination:
            host: productpage
            port:
              number: 9080
            subset: m1c2
      - match:
        - uri:
            prefix: /static
        - uri:
            exact: /login
        - uri:
            exact: /logout
        - uri:
            prefix: /api/v1/products
        route:
        - destination:
            host: productpage
            port:
              number: 9080

  3. Use the following YAML code to create a destination rule in the default namespace of the ASM instance. For more information, see Manage destination rules.

    apiVersion: networking.istio.io/v1beta1
    kind: DestinationRule
    metadata:
      name: productpage-cluster-local
    spec:
      host: productpage
      subsets:
      - name: m1c1
        labels:
          cluster: m1c1
      - name: m1c2
        labels:
          cluster: m1c2

  4. Use a browser to access http://{IP address of the ingress gateway}/productpage1 or http://{IP address of the ingress gateway}/productpage2 and refresh the web page.

    For more information about how to obtain the IP address of an ingress gateway, see Create an ingress gateway.

    If the reviews section of the web page alternates between black star ratings and no star ratings in a round-robin style as you refresh, the Bookinfo application is successfully deployed.

Procedure

The following steps show how to enable the feature to route traffic from a cluster to the reviews microservice in the same cluster. For more information about how to enable the feature to route global traffic or namespace-wide traffic from a cluster to destinations in the same cluster, see Related operations.

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Instance > Base Information.

  3. In the Config Info section of the page that appears, click Edit on the right of Keep traffic in cluster.

  4. In the Configure services that keep traffic in cluster dialog box, turn on the Enable Keep traffic in cluster switch, select the Select Service option, and then click Select services.

  5. In the Add services dialog box, select the Service option, select default from the Namespace drop-down list, select reviews in the Select services section, click the Add icon, and then click OK.

  6. In the Configure services that keep traffic in cluster dialog box, click OK.

    If configured is displayed next to Keep traffic in cluster in the Config Info section, the feature is enabled.

  7. Verify that the feature takes effect.

    1. Use a browser to access http://{IP address of the ingress gateway}/productpage1 and refresh the web page.

      The reviews section does not display star ratings.

    2. Use a browser to access http://{IP address of the ingress gateway}/productpage2 and refresh the web page.

      The reviews section always displays star ratings.

    The preceding results indicate that the feature takes effect.
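
The browser check in step 7 can be scripted. The following Python script is an added example, not Alibaba Cloud code: it requests each path repeatedly and reports whether the responses mix star and no-star reviews. The star CSS class and the error text are assumptions about the Bookinfo productpage HTML; adjust them to match your build.

```python
import sys
import urllib.request
from collections import Counter

# Assumption: the Bookinfo productpage HTML marks each star with this CSS class.
STAR_MARKER = "glyphicon-star"
# Assumption: text productpage shows when it cannot reach any reviews endpoint.
ERROR_MARKER = "Error fetching product reviews"


def classify(html):
    """Label one productpage response by the reviews behaviour it shows."""
    if ERROR_MARKER in html:
        return "reviews-unavailable"
    return "stars" if STAR_MARKER in html else "no-stars"


def fetch(url, timeout=5):
    """Fetch one page; the gateway in this walkthrough serves HTTP on port 80."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def sample(base_url, path, n=20, fetcher=fetch):
    """Request the same path n times and count the outcomes."""
    return Counter(classify(fetcher(base_url + path)) for _ in range(n))


def verdict(counts, expected):
    """expected is 'no-stars' for /productpage1 (m1c1, reviews-v1)
    and 'stars' for /productpage2 (m1c2, reviews-v2)."""
    if counts.get("reviews-unavailable"):
        return "local reviews endpoints unavailable (no cross-cluster failover)"
    other = "stars" if expected == "no-stars" else "no-stars"
    if counts.get(other):
        return "traffic crosses clusters"
    return "traffic stays in cluster"


if __name__ == "__main__":
    base = sys.argv[1]  # http://{IP address of the ingress gateway}
    for path, expected in (("/productpage1", "no-stars"), ("/productpage2", "stars")):
        counts = sample(base, path)
        print(path, dict(counts), "->", verdict(counts, expected))
```

Run it once before and once after enabling the feature: mixed counts on either path mean that requests to reviews are still balanced across m1c1 and m1c2.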

Result analysis

The following figure shows the traffic flow in the mesh before and after the feature is enabled.

Feature disabled

In the Bookinfo application, the productpage microservice calls the reviews microservice to obtain book reviews. When you enter http://{IP address of the ingress gateway}/productpage1 in the browser, you access the productpage microservice in the m1c1 cluster. When you enter http://{IP address of the ingress gateway}/productpage2 in the browser, you access the productpage microservice in the m1c2 cluster.

The reviews workload exists in both the m1c1 and m1c2 clusters. By default, traffic to the reviews microservice is balanced between the two clusters, even if the traffic is sent to the productpage microservice in one of the clusters such as m1c1. As a result, the book reviews sometimes have star ratings and sometimes do not.

Feature enabled

When you access the productpage microservice in one of the clusters such as m1c1, traffic to the reviews microservice is not distributed between the two clusters. As a result, the reviews section does not display star ratings.

Important

When the feature is enabled, if reviews-v1 in the m1c1 cluster goes offline due to a fault, the productpage microservice cannot call reviews-v2 in the m1c2 cluster to provide services.

Note

After you enable the feature for a service, a workload of another service can access this service only through endpoints that reside in the workload's own cluster. Even if those endpoints are unavailable, traffic destined for this service is not routed to the service's endpoints in other clusters.

If you want to keep traffic in-cluster and shift traffic for a service at the same time, you can use traffic rules to create traffic lanes for the service in different clusters and shift traffic. For more information, see Use traffic rules to configure traffic lanes and traffic shifting.

Related operations

Enable the feature to route all traffic from a cluster to destinations in the same cluster

  1. In the Config Info section of the page that appears, click Edit on the right of Keep traffic in cluster.

  2. In the Configure services that keep traffic in cluster dialog box, turn on the Enable Keep traffic in cluster switch, select All Services, and then click OK.

    Then, all traffic from a cluster is routed to destinations in the same cluster.

Enable the feature to route traffic for services in a namespace from a cluster to destinations in the same cluster

  1. In the Config Info section of the page that appears, click Edit on the right of Keep traffic in cluster.

  2. In the Configure services that keep traffic in cluster dialog box, turn on the Enable Keep traffic in cluster switch, select the Select Service option, and then click Select services.

  3. In the Add services dialog box, select the Namespace option, select the desired namespace in the Select services section, click the Add icon, and then click OK.

  4. In the Configure services that keep traffic in cluster dialog box, click OK.

    Then, traffic sent from a cluster to services in the namespace is routed to destinations in the same cluster.
