Alibaba Cloud Service Mesh: Create an ingress gateway

Last Updated: Dec 05, 2025

You can deploy an ASM ingress gateway in a Kubernetes cluster to serve as a unified entry point for accessing your applications over the Internet or an internal network. The ingress gateway simplifies traffic management and routing and uses Layer 7 load balancing to intelligently distribute traffic to backend services based on properties such as the HTTP request URL or host header.

Prerequisites

The cluster is added to the ASM instance.

Procedure

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.

  3. On the Ingress Gateway page, click Create and configure the gateway's basic information.

    The following table describes the parameters. You can also click Create from YAML on the Ingress Gateway page to define the ingress gateway. For more information, see Manage the ingress gateway using KubeAPI.

    Parameter: Description

    Name: The name of the ingress gateway.

    Cluster: The cluster in which you want to deploy the gateway.

    Service Type: The service type. Valid values are LoadBalancer, ClusterIP, and NodePort. For more information about these types, see Service.

      Note: If your data plane cluster is a registered cluster and you select LoadBalancer, ensure that the cluster supports LoadBalancer services to prevent gateway creation from failing.

    NLB/CLB: This parameter is required when you set Service Type to LoadBalancer. The available access types are Internet Access and Private Access.

    Create LoadBalancer Instance: This parameter is required when you set Service Type to LoadBalancer.

      • Create A New Server Load Balancer Instance:

        • If you select CLB, select a load balancing specification from the Select CLB Specifications drop-down list.

        • If you select NLB, select virtual switches that are deployed in at least two zones from the Select Zones for NLB Instance drop-down list.

      • Use Existing LoadBalancer Instance: Select an instance from the list of existing Server Load Balancer instances.

      Important: We recommend that you assign a unique Server Load Balancer instance to each Kubernetes service. If multiple Kubernetes services share a Server Load Balancer instance, the following risks and limitations apply:

      • Using an existing Server Load Balancer instance overwrites existing listeners, which may cause your application to become inaccessible.

      • Server Load Balancer instances that are created by Kubernetes through a Service cannot be reused. Only Server Load Balancer instances that you create manually in the console or by calling an OpenAPI operation can be reused.

      • Multiple Services that share the same Server Load Balancer instance cannot use the same frontend listener port. Otherwise, port conflicts may occur.

      • When you reuse a Server Load Balancer instance, Kubernetes uses the names of listeners and vServer groups as unique identifiers. Do not modify the names of listeners or vServer groups.

      • You cannot reuse a Server Load Balancer instance across clusters or regions.

    Port Mapping: Set the Protocol and Service Port.

      Note: The ASM console provides two default ports that are commonly used by Istio. You can also customize the parameters.

    Resources Limits: The CPU and memory specifications for the gateway pod.

    Gateway instances: Set the number of gateway replicas.

  4. Optional: Click Advanced Options and configure the parameters.

    Parameter: Description

    External Traffic Policy: The policy for distributing external traffic.

      • Local: Traffic is routed only to pods on the node where the ingress gateway service is deployed.

      • Cluster: Traffic can be routed to pods on other nodes in the cluster.

    HPA: Select HPA and set the following parameters:

      • metrics: Set the Monitoring items and Threshold. If a metric value exceeds the specified threshold, the number of gateway replicas increases. If a metric value is below the specified threshold, the number of gateway replicas decreases.

        If you specify thresholds for both CPU and memory, both thresholds take effect. In this case, if either the CPU or memory usage exceeds or falls below the specified threshold, the gateway is scaled out or in accordingly.

      • Maximum replicas: The maximum number of replicas to which the gateway can be scaled out.

      • Minimum number of replicas: The minimum number of replicas to which the gateway can be scaled in.

      Note: This feature is available only for Enterprise and Ultimate editions of ASM.

    Rolling Upgrade: Select Rolling Upgrade and set the following parameters:

      • Maximum number of unavailable: The maximum number of replicas that can be unavailable during a rolling upgrade.

      • Exceeding the desired number of instances: The maximum number of replicas that can be created over the desired number of replicas during a rolling upgrade. For example, if you set this parameter to 25%, the number of replicas during a rolling upgrade cannot exceed 125% of the desired number of replicas.

    Enable MultiBuffer-based TLS encryption and decryption performance optimization: Select Enable MultiBuffer-based TLS encryption and decryption performance optimization to accelerate TLS encryption and decryption.

      • supported nodeaffinity: Select the label of the nodes on which you want the performance optimization feature to take effect.

      • Poll Delay(ms): A specified polling delay reduces the time that Multi-Buffer waits before it processes requests. For more information, see Configuration item description.

      Note: This feature is available only for Enterprise and Ultimate editions of ASM.

    Deploy ASM Gateway replicas as widely as possible: When podAntiAffinity is set, pods are preferentially deployed to different nodes.

    Custom Deployment Policy: You can configure the nodeSelector, tolerations, and affinity fields for the gateway. For more information about these fields, see ASM gateway CRD description.

    Graceful Shutdown: After you select Graceful Shutdown, the gateway service is not affected when the pod is removed from the load balancer's backend server group.

      Connection timeout (seconds): After a gateway pod is removed from the load balancer, the load balancer waits for the configured connection timeout period before it disconnects from the pod. This parameter provides a buffer time for the gateway pod to process existing connections. The default graceful shutdown time for a gateway pod is 30s. The timeout period that is configured on the load balancer must not exceed 30s.

      Note: This feature is available only for Enterprise and Ultimate editions of ASM.

  5. After the configuration is complete, click Create.

    If the gateway status is Running, the gateway is created. The Service address is the IP address of the ingress gateway.
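The shared-instance risks listed in the Important note under Create LoadBalancer Instance can be checked before you choose Use Existing LoadBalancer Instance. The following Python script is an added example, not part of the ASM documentation or tooling: it scans exported Service objects for instances referenced by more than one Service, for frontend port collisions, and for cross-cluster reuse. It assumes the reused instance is referenced through the `service.beta.kubernetes.io/alibaba-cloud-loadbalancer-id` annotation; the "cluster" key, the helper names, and all sample values are hypothetical.

```python
from collections import defaultdict

# Assumption: annotation naming the reused instance; adjust for your cluster.
LB_ID_ANNOTATION = "service.beta.kubernetes.io/alibaba-cloud-loadbalancer-id"

def svc_ref(svc):
    return f'{svc["cluster"]}/{svc["metadata"]["namespace"]}/{svc["metadata"]["name"]}'

def audit_shared_lb(services):
    """Flag LoadBalancer Services that reuse one load balancer instance."""
    # `services`: items shaped like `kubectl get svc -A -o json` output, each
    # tagged with a hypothetical "cluster" key naming its source cluster.
    by_lb = defaultdict(list)
    for svc in services:
        lb_id = svc["metadata"].get("annotations", {}).get(LB_ID_ANNOTATION)
        if svc["spec"].get("type") == "LoadBalancer" and lb_id:
            by_lb[lb_id].append(svc)
    findings = []
    for lb_id, users in sorted(by_lb.items()):
        if len(users) < 2:
            continue  # dedicated instance, as the page recommends
        findings.append(("shared-instance", lb_id, sorted(map(svc_ref, users))))
        clusters = sorted({s["cluster"] for s in users})
        if len(clusters) > 1:
            findings.append(("cross-cluster-reuse", lb_id, clusters))
        owners = defaultdict(set)  # (protocol, port) -> Services exposing it
        for s in users:
            for p in s["spec"].get("ports", []):
                owners[(p.get("protocol", "TCP"), p["port"])].add(svc_ref(s))
        for key, refs in sorted(owners.items()):
            if len(refs) > 1:
                findings.append(("listener-port-conflict", lb_id, [key, sorted(refs)]))
    return findings

def make_svc(cluster, name, lb_id, ports):  # builds constructed sample data
    notes = {LB_ID_ANNOTATION: lb_id} if lb_id else {}
    return {"cluster": cluster,
            "metadata": {"namespace": "istio-system", "name": name, "annotations": notes},
            "spec": {"type": "LoadBalancer", "ports": [{"port": p} for p in ports]}}

# Constructed sample; instance IDs and cluster names are placeholders.
SAMPLE = [
    make_svc("cluster-a", "istio-ingressgateway", "lb-example-1", [80, 443]),
    make_svc("cluster-a", "legacy-web", "lb-example-1", [443, 8443]),
    make_svc("cluster-b", "istio-ingressgateway", "lb-example-2", [80]),
    make_svc("cluster-a", "edge-gw", "lb-example-2", [8080]),
]

if __name__ == "__main__":
    print(*audit_shared_lb(SAMPLE), sep="\n")
```

On the constructed sample, the script reports the port 443 collision on `lb-example-1` and the cross-cluster reference to `lb-example-2`.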

Related operations

After you create the ingress gateway, you can manage it in the ASM console or view it in the ACK console.

Manage the ingress gateway in the ASM console

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.

  3. On the Ingress Gateway page, manage the ingress gateway.

    Operation: Description

    View or edit an ingress gateway:

      • Method 1: Find the gateway that you want to view or edit and click View Details. Then, you can modify the information as needed.

      • Method 2: Find the gateway that you want to view or edit and click Edit YAML. In the Edit dialog box, modify the related fields as needed, and click OK. For more information about the fields, see ASM gateway CRD description.

    Delete an ingress gateway: Find the gateway that you want to delete and click Delete. In the Submit dialog box, click OK.

      Important: After an ingress gateway is deleted, external services cannot access services in the ASM instance using the ingress gateway. A deleted ingress gateway cannot be recovered. You can only create another one. Exercise caution when you perform this operation.

View the ingress gateway in the ACK console

  • View the basic information about the new ingress gateway.

    1. Log on to the ACK console. In the navigation pane on the left, click Clusters.

    2. On the Clusters page, click the name of the target cluster. In the navigation pane on the left, choose Network > Services.

    3. In the upper part of the Services page, select istio-system from the Namespace drop-down list.

      You can view the basic information about the target gateway. The IP address in the External IP column is the IP address of the ingress gateway.

  • View the pod information about the new ingress gateway.

    1. Log on to the ACK console. In the navigation pane on the left, click Clusters.

    2. On the Clusters page, click the name of the target cluster. In the navigation pane on the left, choose Workloads > Pods.

    3. In the upper part of the Pods page, select istio-system from the Namespace drop-down list.

    4. Click the target pod to view detailed information about the ingress gateway pod.
