Implement session affinity in an ASM ingress gateway - Alibaba Cloud Service Mesh

Session affinity (also known as sticky session) is a feature available on load balancers that allows all requests from the same user or session to be passed to the same backend server. This feature applies to scenarios where the user state must be maintained, such as online shopping carts, logon sessions, and personalized settings.

Prerequisites

A Container Service for Kubernetes (ACK) cluster is added to your Service Mesh (ASM) instance. For more information, see Add a cluster to an ASM instance.
An ingress gateway is created and port 80 is exposed. For more information, see Create an ingress gateway.
An HTTPBin application is deployed. For more information, see Deploy the HTTPBin application.

Feature introduction

This topic describes session affinity implemented by using consistent hashing. Envoy currently supports HashRing and Maglev consistent hashing. Consistent hashing-based load balancing is used to provide soft session affinity. The affinity to a particular destination host may be lost when one or more hosts are added to or removed from the destination service. Consistent hashing-based session affinity can improve load balancing and perform well in distributed systems.

Step 1: Scale up the number of pods of the HTTPBin application

Use kubectl to connect to the data plane based on the information in the kubeconfig file, and run the following command to scale up the number of the pods of the HTTPBin application to three. The pods are used to test session affinity.

kubectl scale deployment/httpbin --replicas 3

Step 2: View the distribution of requests when session affinity is disabled

Enter http://${IP address of the ingress gateway}/status/418 in the address bar of your browser. After the access succeeds, refresh the page multiple times.
For more information about how to obtain the IP address of the ingress gateway, see substep 1 Obtain the IP address of the ingress gateway of Step 3 in the "Use Istio resources to route traffic to different versions of a service" topic.
View the ingress gateway logs.
1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.
3. On the Ingress Gateway page, find the desired ingress gateway and click Log Center. On the Gateway Logs tab, add the and 418 search condition to the search box and click Search & Analyze. On the Raw Logs tab in the lower-left corner, expand the upstream_addr index.
  You can see that requests are almost evenly distributed to the three pods of the HTTPBin application.

Step 3: Create a destination rule

Use the following content to create a destination rule. For more information, see Manage destination rules.

apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: httpbin
  namespace: default
spec:
  host: httpbin.default.svc.cluster.local
  trafficPolicy:
    loadBalancer:
      consistentHash:
        httpCookie:
          name: sticky-session-key
          ttl: 0s

After the destination rule is deployed, if you initiate a request without the cookie specified in the destination rule to access the HTTPBin application through the ingress gateway, the ingress gateway generates a hash value based on the source and destination IP addresses and ports of the request, and adds the cookie in the request response. If subsequent requests carry this cookie, the ingress gateway does not regenerate this value. This cookie is used in the consistent hashing as the key input to the hash function, which in turn calculates the backend to be accessed.

The validity of session affinity is guaranteed by specific consistent hashing. In this example, no consistent hashing is specified. HashRing is used by default. ASM instances of version 1.16 or later support Maglev consistent hashing. You can use Maglev consistent hashing based on your business requirements.

Step 4: View the distribution of requests when session affinity is enabled

Enter http://${IP address of the ingress gateway}/status/333 in the address bar of your browser. After the access succeeds, refresh the page multiple times.
For more information about how to obtain the IP address of the ingress gateway, see substep 1 Obtain the IP address of the ingress gateway of Step 3 in the "Use Istio resources to route traffic to different versions of a service" topic.
View the ingress gateway logs.
1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.
3. On the Ingress Gateway page, find the desired ingress gateway and click Log Center. On the Gateway Logs tab, add the and 333 search condition to the search box and click Search & Analyze. On the Raw Logs tab in the lower-left corner, expand the upstream_addr index.
  You can see that all requests are forwarded to the same backend pod of the HTTPBin application.
Open the developer tools of your browser, click Network, refresh the page, and click requests to view details.
The webpage shows that the website has a cookie whose name is the same as that specified in the destination rule. The ingress gateway implements session affinity based on this cookie.