All Products
Search
Document Center

Alibaba Cloud Service Mesh:Use an NLB for an ASM ingress gateway

Last Updated:Jun 21, 2026

Network Load Balancer (NLB) is a Layer 4 load balancer from Alibaba Cloud that provides high performance, auto-scaling, and high availability to improve the stability of your gateway traffic. ASM supports using NLB for its ingress gateways. When you set the Service type for an ASM ingress gateway to LoadBalancer, a Classic Load Balancer (CLB) is associated by default. This topic describes how to associate an NLB instead.

Prerequisites

An ACK cluster is added to an ASM instance, and the following conditions are met:

  • The Kubernetes cluster is version 1.24 or later and the Cloud Controller Manager (CCM) is version 2.5.0 or later.

  • The ASM instance is version 1.18 or later.

  • The ACK cluster's VPC has vSwitches in at least two zones.

Procedure

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.

  3. You can create an ingress gateway by using the ASM console or a YAML template.

    Console

    On the Ingress Gateway page, click Create. This section describes only the NLB-specific parameters. For information about other parameters, see Create an ingress gateway.

    Parameter

    Description

    NLB

    This parameter is available only when Service Type is set to LoadBalancer.

    Supports Internet Access and Private Access.

    Create SLB Instance

    • The console defaults to Create SLB Instance, but you can select Use Existing CLB Instance as needed.

    • If you select this option, you must select vSwitches in at least two zones under Select Zones for NLB Instance.

    Use Existing CLB Instance

    If you select this option, you must select an existing NLB from the Select Existing Load Balancer Instance drop-down list.

    Important

    Assign a dedicated load balancer to each Kubernetes service. Reusing a load balancer across multiple services has the following risks and limitations:

    • Reusing an existing load balancer overwrites its listeners, which can cause application outages.

    • You cannot reuse a load balancer that was automatically created by Kubernetes through a Service. You can only reuse a load balancer created manually in the console or by calling an OpenAPI.

    • Multiple services that reuse the same load balancer cannot have the same frontend listener port. Otherwise, a port conflict occurs.

    • When you reuse a load balancer, Kubernetes uses the names of the listener and vServer group as unique identifiers. Do not modify these names.

    • You cannot reuse a load balancer across different clusters or regions.

    YAML

    On the Ingress Gateway page, click Create from YAML, set the gateway name to ingressgateway-nlb-test, and select istio-system as the Namespaces. Then, enter the following YAML.

    In the YAML file, you must set loadBalancerClass to alibabacloud.com/nlb. You do not need to specify an NLB specification, but you must specify at least two zones.

    YAML

    apiVersion: istio.alibabacloud.com/v1
    kind: IstioGateway
    metadata:
      name: ingressgateway-nlb-test
      namespace: istio-system
    spec:
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - podAffinityTerm:
              labelSelector:
                matchExpressions:
                - key: istio
                  operator: In
                  values:
                  - ingressgateway
              topologyKey: kubernetes.io/hostname
            weight: 1
      autoCreateGatewayYaml: false
      clusterIds:
      - ${YOUR_CLUSTER_ID}
      disableContainerPortExposed: true
      dnsPolicy: ClusterFirst
      externalTrafficPolicy: Local
      gatewayType: ingress
      hostNetwork: false
      ports:
      - name: http-0
        port: 80
        protocol: HTTP
        targetPort: 80
      - name: https-1
        port: 443
        protocol: HTTPS
        targetPort: 443
      replicaCount: 2
      resources:
        limits:
          cpu: "2"
          memory: 4G
        requests:
          cpu: 200m
          memory: 256Mi
      rollingMaxSurge: 25%
      rollingMaxUnavailable: 25%
      runAsRoot: true
      serviceAnnotations:
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-connection-drain: "on"
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-connection-drain-timeout: "10"
        service.beta.kubernetes.io/alicloud-loadbalancer-address-type: internet
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-zone-maps: ${ZONE_ID_1}:${VSWITCH_ID_1},${ZONE_ID_2}:${VSWITCH_ID_2}	# For example: cn-hangzhou-g:vsw-bp1xxxxxxxxxx,cn-hangzhou-j:vsw-bp1xxxxxxxxxx
      serviceType: LoadBalancer
      loadBalancerClass: alibabacloud.com/nlb

    After you create the gateway, its details appear on the page. Unlike a CLB-based gateway, an NLB-based gateway uses a domain name for its Service address, not an IP address. Also, because two zones were specified when the ingress gateway was created, the domain name is bound to two IP addresses.

    After the gateway is created, you can view its instance information on the ingress gateway page. This information includes the gateway name (such as ingressgateway-nlb-test), status, version, cluster ID, service address (NLB domain name), and port mapping (such as HTTP | 80:80 and HTTPS | 443:443). The page also provides links to management operations such as Edit Gateway, View Details, View YAML, and Delete, and to advanced features and observability options such as Gateway Security, Log Center, and Gateway Monitoring.

    You can log on to the NLB console to view the NLB instance's status. For more information about NLB, see Configure an NLB instance by using annotations and NLB billing.