All Products
Search

This Product

    Alibaba Cloud Service Mesh:Use an ingress gateway to access a gRPC service in an ASM instance

    Document Center

    Alibaba Cloud Service Mesh:Use an ingress gateway to access a gRPC service in an ASM instance

    Last Updated:May 13, 2025

    You can use a Service Mesh (ASM) ingress gateway to access Google Remote Procedure Call (gRPC) services in an ASM instance. This allows you to implement accurate access control on gRPC services, improve service governance, and ensure the security of service-to-service communication. This topic describes how to use an ingress gateway to access a gRPC service in an ASM instance and how to shift traffic between two versions of a gRPC service.

    Prerequisites

    Step 1: Deploy sample applications

    Deploy version 1 and version 2 of a gRPC service: istio-grpc-server-v1 and istio-grpc-server-v2.

    1. Create a file named app.yaml and copy the following content to the file:

      Click to view details

      apiVersion: apps/v1
kind: Deployment
metadata:
  name: grpc-helloworld-py-v1
  labels:
    app: grpc-helloworld-py
    version: v1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: grpc-helloworld-py
      version: v1
  template:
    metadata:
      labels:
        app: grpc-helloworld-py
        version: v1
    spec:
      containers:
        - name: grpc-helloworld-py
          image: registry.cn-hangzhou.aliyuncs.com/aliacs-app-catalog/istio-grpc-server:grpc-helloworld-py-v1.0
          imagePullPolicy: Always
          env:
            - name: podname
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
          ports:
            - containerPort: 50051
              name: grpc-port
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: grpc-helloworld-py-v2
  labels:
    app: grpc-helloworld-py
    version: v2
spec:
  replicas: 1
  selector:
    matchLabels:
      app: grpc-helloworld-py
      version: v2
  template:
    metadata:
      labels:
        app: grpc-helloworld-py
        version: v2
    spec:
      containers:
        - name: grpc-helloworld-py
          image: registry.cn-hangzhou.aliyuncs.com/aliacs-app-catalog/istio-grpc-server:grpc-helloworld-py-v1.0
          imagePullPolicy: Always
          env:
            - name: podname
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
          ports:
            - containerPort: 50051
              name: grpc-port
---
apiVersion: v1
kind: Service
metadata:
  name: grpc-helloworld-py
  labels:
    app: grpc-helloworld-py
spec:
  ports:
    - port: 50051
      name: grpc-port
  selector:
    app: grpc-helloworld-py

    2. Run the following command to deploy the application:

      kubectl apply -f app.yaml

    Step 2: Configure a routing rule

    Create an Istio gateway, a virtual service, and a destination rule for the ASM instance to route all inbound traffic to istio-grpc-server-v1.

    1. Run the following command to create a file named rules.yaml and copy the following content to the file:

      apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: grpc-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 8080
      name: grpc
      protocol: GRPC
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: dr-istio-grpc-server
spec:
  host: grpc-helloworld-py
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
  subsets:
    - name: v1
      labels:
        version: "v1"
    - name: v2
      labels:
        version: "v2"    
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: grpc-vs
spec:
  hosts:
  - "*"
  gateways:
  - grpc-gateway
  http:
    - match:
        - port: 8080
      route:
        - destination:
            host: grpc-helloworld-py
            port:
              number: 50051
            subset: v1
          weight: 100
        - destination:
            host: grpc-helloworld-py
            port:
              number: 50051
            subset: v2
          weight: 0

    2. Run the following command to deploy the routing rule:

      kubectl apply -f rules.yaml

    Step 3: Create an ingress gateway or use an existing ingress gateway

    Create an ingress gateway

    Create an ingress gateway and set the Service Port of the ingress gateway to 8080.

    Add port 8080 to an existing ingress gateway

    1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

    2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.

    3. On the Ingress Gateway page, click the name of the desired gateway. In the Basic options section of the Gateway Details page, click the Dingtalk_20230104170049.jpg icon next to Port. In the Port Mapping dialog box, click Add Port, set Protocol to TCP, set Service Port to 8080, and then click Submit.

    Step 4: Start the gRPC client

    1. Install grpcurl command-line tool to run the following command:

      grpcurl -d '{"name": "Jack"}' -plaintext {IP address of the ingress gateway}:8080 helloworld.Greeter/SayHello

    2. The output indicates that all requests are routed to istio-grpc-server-v1.

       "message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
 "message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
 "message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
 "message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
 "message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"

    Step 5: Route traffic to gRPC service v2 based on a specific ratio

    Route 40% of the traffic to istio-grpc-server-v2 and 60% of the traffic to istio-grpc-server-v1.

    1. Run the following command to edit virtual services:

      kubectl edit VirtualService grpc-vs

      Run the following command to modify route and save the rule:

      ....
      route:
        - destination:
            host: grpc-helloworld-py
            port:
              number: 50051
            subset: v1
          weight: 60
        - destination:
            host: grpc-helloworld-py
            port:
              number: 50051
            subset: v2
          weight: 40

    2. Run the following gRPCurl command to access the gRPC service that you deployed in the ASM instance:

      grpcurl -d '{"name": "Jack"}' -plaintext {IP address of the ingress gateway}:8080 helloworld.Greeter/SayHello

      The output indicates that 40% of the traffic is routed to istio-grpc-server-v2.

      Note

      The traffic may not be routed to istio-grpc-server-v1 and istio-grpc-server-v2 at an exact ratio of 60:40. However, the overall traffic distribution is always close to this ratio.

      "message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
"message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
"message": "Hello, Jack! I'm from grpc-helloworld-py-v2-7f56b49b7f-9vvr7!"
"message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
"message": "Hello, Jack! I'm from grpc-helloworld-py-v2-7f56b49b7f-9vvr7!"
"message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
"message": "Hello, Jack! I'm from grpc-helloworld-py-v2-7f56b49b7f-9vvr7!"
"message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
"message": "Hello, Jack! I'm from grpc-helloworld-py-v2-7f56b49b7f-9vvr7!"
"message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"