An ingress gateway is the single entry point for external traffic into your service mesh. It uses Layer 7 load balancing to route requests to backend services based on HTTP attributes such as URL path and host header.
After the gateway is running, configure Istio routing rules to direct traffic to specific services.
Prerequisites
Create an ingress gateway in the ASM console
- Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
- On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.
- On the Ingress Gateway page, click Create and configure the following parameters.
To use YAML instead, click Create from YAML. For details, see Manage the ingress gateway by using KubeAPI.
If your cluster on the data plane is a registered cluster and you select LoadBalancer, make sure the cluster supports LoadBalancer Services. Otherwise, the ingress gateway creation fails.
Important: Assign a dedicated load balancer to each Kubernetes service. Sharing a load balancer introduces these risks:
- Reusing an existing load balancer overwrites its listeners, which can make your application inaccessible.
- Only load balancers manually created in the console or through API can be reused. Load balancers created by Kubernetes cannot be reused.
- Services that share a load balancer cannot use the same frontend listening port. Port conflicts cause service failures.
- Listener and vServer group names are unique identifiers for Kubernetes. Do not modify them.
- Cross-cluster and cross-region load balancer reuse is not supported.
| Parameter | Description |
| --- | --- |
| Name | The name of the ingress gateway. |
| Cluster | The cluster in which to deploy the ingress gateway. |
| Service Type | The Kubernetes Service type. Valid values: LoadBalancer, ClusterIP, and NodePort. For details, see Service. |
| CLB / NLB | Required when Service Type is set to LoadBalancer. Valid values: Internet Access and Private Access. |
| Create LoadBalancer Instance | Required when Service Type is set to LoadBalancer. Create LoadBalancer Instance: for CLB, select a specification from Select CLB Specifications; for NLB, select vSwitches in at least two zones from Select Zones for NLB Instance. Use Existing SLB Instance: select an existing load balancer. See the load balancer sharing risks in the Important note. |
| Port Mapping | Set Protocol and Service Port. Two default Istio ports are preconfigured. Modify as needed. |
| Resources Limits | The CPU and memory limits for the ingress gateway pod. |
| Gateway instances | The number of pod replicas for the ingress gateway. |

- (Optional) Click Advanced Options to configure scaling, update, and availability settings.
Features marked (Enterprise/Ultimate Edition) require the Enterprise or Ultimate Edition.
| Parameter | Description |
| --- | --- |
| External Traffic Policy | Controls external traffic distribution. Local: routes traffic only to pods on the receiving node. Cluster: allows routing to pods on other nodes. |
| HPA (Enterprise/Ultimate Edition) | Enables Horizontal Pod Autoscaler (HPA). Set Monitoring items and Threshold for CPU or memory. Replicas scale up when either metric exceeds its threshold and scale down when both drop below. Set Maximum replicas and Minimum number of replicas to define the scaling range. |
| Rolling Upgrade | Configures rolling update behavior. Maximum number of unavailable instances: maximum pods that can be unavailable during a rolling update. Exceeding the desired number of instances: maximum extra pods created during a rolling update. For example, 25% means total replicas cannot exceed 125% of the desired count. |
| Enable MultiBuffer-based TLS encryption and decryption performance optimization (Enterprise/Ultimate Edition) | Accelerates TLS encryption and decryption with MultiBuffer. supported nodeaffinity: select node labels for the optimization scope. Poll Delay(ms): polling delay to reduce MultiBuffer wait time before processing requests. See Parameter description. |
| Deploy ASM Gateway replicas as widely as possible | Uses podAntiAffinity to preferentially deploy gateway pods to different nodes, improving availability. |
| Custom Deployment Policy | Configures nodeSelector, tolerations, and affinity fields for the gateway. See ASM gateway CRD description. |
| Graceful Shutdown (Enterprise/Ultimate Edition) | Ensures in-flight requests complete before a pod is removed. Connection timeout (seconds): time the load balancer waits after removing a pod before disconnecting existing connections. The default gateway pod graceful shutdown time is 30 seconds. Set this value to 30 seconds or less. |

- Click Create.
Verify the result
After creation, the gateway status changes to Running on the Ingress Gateway page. The Service address column shows the gateway IP address.
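The load balancer sharing risks listed for the Use Existing SLB Instance option can be audited from the data-plane cluster. The following is an added example, not part of the original page or Alibaba Cloud's tooling: it scans Service objects for load balancers referenced by more than one Service and for duplicated frontend ports. It assumes reuse is declared through the `service.beta.kubernetes.io/alibaba-cloud-loadbalancer-id` annotation; the Service names and load balancer IDs are constructed sample data.

```python
import json
from collections import defaultdict

# Assumption: a Service that reuses an existing load balancer carries this
# ACK cloud-controller annotation; change the key if your cluster differs.
LB_ID_ANNOTATION = "service.beta.kubernetes.io/alibaba-cloud-loadbalancer-id"


def _svc(namespace, name, ports, lb_id=None, svc_type="LoadBalancer"):
    """Build one constructed Service object (sample data, not real output)."""
    annotations = {LB_ID_ANNOTATION: lb_id} if lb_id else {}
    return {"metadata": {"namespace": namespace, "name": name,
                         "annotations": annotations},
            "spec": {"type": svc_type, "ports": [{"port": p} for p in ports]}}


# Constructed sample in the shape of `kubectl get svc -A -o json`.
SAMPLE = json.dumps({"items": [
    _svc("istio-system", "istio-ingressgateway", [80, 443], "lb-constructed-0001"),
    _svc("default", "legacy-web", [443, 8080], "lb-constructed-0001"),
    _svc("default", "api", [80], "lb-constructed-0002"),
    _svc("default", "dedicated", [80]),  # no annotation: dedicated load balancer
    _svc("default", "internal", [80], svc_type="ClusterIP"),
]})


def audit_shared_load_balancers(svc_list_json):
    """Return (shared, conflicts) for Services that reuse a load balancer.

    shared:    {lb_id: [ns/name, ...]} for load balancers used by >1 Service
    conflicts: {(lb_id, port): [ns/name, ...]} for duplicated frontend ports
    """
    by_lb, by_port = defaultdict(list), defaultdict(list)
    for item in json.loads(svc_list_json)["items"]:
        spec, meta = item.get("spec", {}), item["metadata"]
        lb_id = (meta.get("annotations") or {}).get(LB_ID_ANNOTATION)
        if spec.get("type") != "LoadBalancer" or not lb_id:
            continue  # not exposed through a reused load balancer
        ref = f'{meta["namespace"]}/{meta["name"]}'
        by_lb[lb_id].append(ref)
        for port in spec.get("ports", []):
            by_port[(lb_id, port["port"])].append(ref)
    shared = {lb: refs for lb, refs in by_lb.items() if len(refs) > 1}
    conflicts = {key: refs for key, refs in by_port.items() if len(refs) > 1}
    return shared, conflicts


if __name__ == "__main__":
    shared, conflicts = audit_shared_load_balancers(SAMPLE)
    for lb, refs in shared.items():
        print(f"shared load balancer {lb}: {', '.join(refs)}")
    for (lb, port), refs in conflicts.items():
        print(f"port conflict on {lb}:{port}: {', '.join(refs)}")
```

To run it against a live cluster, pass the output of `kubectl get svc -A -o json` to `audit_shared_load_balancers` in place of `SAMPLE`.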
Manage the ingress gateway
Edit or view the gateway
On the Ingress Gateway page, find the target gateway and perform one of the following actions:
- Click View Details to modify the gateway configuration.
- Click Edit YAML to open the Edit dialog box. Modify the fields and click OK. See ASM gateway CRD description.
Delete the gateway
On the Ingress Gateway page, find the target gateway and click Delete. In the Submit dialog box, click OK.
After an ingress gateway is deleted, external traffic can no longer reach services through that gateway. This action cannot be undone.
View the gateway in the ACK console
View basic information:
- Log on to the ACK console. In the left-side navigation pane, click Clusters.
- On the Clusters page, click the name of the target cluster. In the left-side navigation pane, choose Network > Services.
- On the Services page, select istio-system from the Namespace drop-down list.
The External IP column displays the IP address of the ingress gateway.
View pod information:
- Log on to the ACK console. In the left-side navigation pane, click Clusters.
- On the Clusters page, click the name of the target cluster. In the left-side navigation pane, choose Workloads > Pods.
- On the Pods page, select istio-system from the Namespace drop-down list.
- Click the target pod to view its details.
Next steps
- To expose services through the gateway, configure routing rules. See Use Istio resources to route traffic to different versions of a service.
- For centralized outbound traffic, see Create an egress gateway.
- To monitor inter-service traffic, see Use Mesh Topology to view the topology of an application.
- To create the gateway programmatically, call CreateASMGateway.