To use Alibaba Cloud Service Mesh (ASM), you must create an ASM instance. This topic describes how to create an ASM instance in the ASM console.

Prerequisites

Background information

Note When you create an ASM instance, ASM may perform the following operations based on your settings:
  • Creates a security group that allows access to a virtual private cloud (VPC) over Internet Control Message Protocol (ICMP).
  • Adds route entries to the VPC.
  • Creates an elastic IP address (EIP).
  • Creates a RAM role with attached policies that grant all permissions on Server Load Balancer (SLB), CloudMonitor, VPC, and Log Service. ASM dynamically creates SLB instances and adds route entries to the VPC based on your settings.
  • Creates an SLB instance in the VPC and exposes port 6443.
  • Creates an SLB instance in the VPC and exposes port 15011.
  • Collects the logs of the managed components on the control plane to ensure stability.

Procedure

  1. Log on to the ASM console.
  2. In the left-side navigation pane, choose Service Mesh > Mesh Management.
  3. On the Mesh Management page, click Create ASM Instance.
  4. In the Create ASM Instance panel, set the parameters as required.
    1. The following table describes the basic settings of an ASM instance.
      Name: The name of the ASM instance.
      Edition: The edition of the ASM instance. Valid values: Standard and Professional. Professional Edition extends Standard Edition with enhanced multi-protocol support and dynamic scaling, fine-grained service governance, and a stronger zero-trust security system.
      Istio Version: The Istio version.
      Region: The region in which the ASM instance resides.
      VPC: The VPC of the ASM instance. You can click Create VPC to create a VPC. For more information, see Create and manage a VPC.
      vSwitch: The vSwitch of the ASM instance. You can click Create vSwitch to create a vSwitch. For more information, see Work with vSwitches.
      Internet access: Specifies whether to allow Internet access to the API server. An ASM instance runs on a Kubernetes runtime. You use the API server to define mesh resources such as virtual services, destination rules, and Istio gateways.
      • If you allow Internet access to the API server, an EIP is created and bound to an SLB instance in the VPC, and port 6443 of the API server is exposed to the Internet. You can use the kubeconfig file of the instance to connect to the API server and define mesh resources over the Internet. Because the control plane is then reachable from any network, treat the kubeconfig file as a sensitive credential and enable this option only if you need it.
      • If you do not allow Internet access to the API server, no EIP is created. You can use the kubeconfig file to connect to the API server and define mesh resources only from within the VPC in which the instance resides.
      Observability: The observability features to enable for the ASM instance.
      • Tracing Analysis: Specifies whether to enable Tracing Analysis for the ASM instance.

        ASM integrates with Tracing Analysis, which provides tools to help you identify the performance bottlenecks of distributed applications: you can map traces, display trace topologies, analyze application dependencies, and count requests. This helps you develop and troubleshoot distributed applications more efficiently. For more information about Tracing Analysis, see Use Tracing Analysis to trace applications inside and outside an ASM instance.

        Note Before you enable Tracing Analysis, make sure that you have activated Tracing Analysis in the Tracing Analysis console.
      • Prometheus: Specifies whether to enable Prometheus for the ASM instance.

        For more information about Prometheus, see Monitor service meshes based on ARMS Prometheus and Deploy a custom Prometheus instance to monitor ASM instances.

      • Kiali for ASM: Specifies whether to enable Kiali for ASM.

        Kiali for ASM is a tool for observing ASM instances. It provides a GUI in which you can view the services in the mesh and their configurations. Kiali for ASM is built into ASM instances whose Istio version is 1.7.5.25 or later. For more information, see Enable Kiali for ASM to observe an ASM instance in the ASM console.

      • Self-managed SkyWalking: Specifies whether to enable self-managed SkyWalking. ASM integrates with SkyWalking, which you can use to view the metrics of applications.

        For more information about SkyWalking, see Integrate self-managed Skywalking to observe ASM instances.

      • Access log query: Specifies whether to enable access log query. You can use Log Service to view the access logs of ingress gateway services.

        For more information about access logs, see Use Log Service to collect logs of ingress gateways on the data plane and Use Log Service to collect access logs of the data plane.

      • Control-plane log collection: Specifies whether to enable control-plane log collection.

        ASM supports control-plane log collection and alerting. For example, when the control plane pushes configurations to the sidecar proxies, you can query the logs of the ASM instance for details about the push. For more information, see Enable collection of control plane logs and control plane alerting.

      Policy Control: Specifies whether to enable the Open Policy Agent (OPA) plug-in.

      ASM integrates with OPA to help you implement fine-grained access control for your applications. If you enable the OPA plug-in, an OPA container is injected into the pods of your applications alongside the Istio Envoy proxy container, and you can then define access control policies in OPA. This out-of-the-box feature saves you from building policy enforcement into each distributed application. For more information about the OPA plug-in, see Use OPA to implement fine-grained access control in ASM.

      Mesh Audit: Specifies whether to enable the mesh audit feature.

      Mesh audit records the operations that users perform on the mesh so that they can be traced later. This is an important part of secure cluster O&M.

      For more information about the mesh audit feature, see Use the mesh audit feature in ASM.

      Service Mesh Resource Configuration: The settings for Istio resources.
      • Istio custom resource version control: Specifies whether to enable version control for Istio custom resources.

        When you update fields in the spec block of an Istio resource, ASM records the version of the resource before the update and stores up to five latest versions. For more information about how to roll back an Istio resource to a previous version, see Roll back an Istio resource to a historical version.

      • Kubernetes API access to Istio resources: Specifies whether the Kubernetes API of clusters on the data plane is allowed to access Istio resources.

        If this is enabled, you can use the Kubernetes API of a data-plane cluster to add, delete, modify, or query Istio resources. For more information, see Use the Kubernetes API of clusters on the data plane to access Istio resources.

    2. The following table describes the advanced settings of an ASM instance.
      Resource Settings for Injected Proxies: The CPU and memory that are requested and limited for each injected sidecar proxy.
      Note
      • Resource limits: By default, each sidecar can use up to 2 CPU cores and 1,024 MiB of memory.
      • Resource requests: By default, each sidecar is allocated 0.1 CPU cores and 128 MiB of memory.
      Cluster Domain: The cluster domain of the ASM instance. Default value: cluster.local. You can add only Kubernetes clusters whose cluster domain is the same as that of the ASM instance.
      Note You can set this parameter only if the Istio version of the ASM instance is 1.6.4.5 or later. Otherwise, this parameter is hidden.
  5. Select I have read and agree to the ASM Service Level Agreement and ASM Service Terms.
  6. Click OK to create the ASM instance.
    Note It takes about 2 to 3 minutes to create an ASM instance.
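The sidecar resource settings in the advanced settings apply to every injected proxy in the instance. As an added example that is not part of this page or of ASM's own documentation, the following Deployment overrides those defaults for a single workload by using the standard Istio sidecar-injection annotations. The namespace demo, the httpbin workload and image, and the assumption that the ASM injector honors these upstream Istio annotations are all mine; verify the override on the injected pod with kubectl before relying on it.

```yaml
# Added example, not from the ASM documentation. Assumes a namespace "demo"
# with sidecar injection enabled and an injector that honors the standard
# Istio annotations below (both are assumptions).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
  namespace: demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
  template:
    metadata:
      labels:
        app: httpbin
      annotations:
        # Requests: what the scheduler reserves for the Envoy sidecar.
        # Higher than the instance default (0.1 CPU / 128Mi) for a busy
        # service so the proxy is not starved on a packed node.
        sidecar.istio.io/proxyCPU: "200m"
        sidecar.istio.io/proxyMemory: "256Mi"
        # Limits: the hard ceiling. Lower than the instance default
        # (2 CPU / 1024Mi) to bound a misbehaving proxy; note that
        # exceeding the memory limit gets the sidecar OOM-killed, which
        # takes the pod out of the mesh until it restarts.
        sidecar.istio.io/proxyCPULimit: "1"
        sidecar.istio.io/proxyMemoryLimit: "512Mi"
    spec:
      containers:
        - name: httpbin
          image: docker.io/kennethreitz/httpbin
          ports:
            - containerPort: 80
```

After the pod is injected, the istio-proxy container in its spec should show these values under resources.requests and resources.limits; if it still shows the instance defaults, the injector did not apply the annotations and the instance-wide setting is the only control you have.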

Result

After the ASM instance is created, you can view the following information about the instance:
  • On the Mesh Management page, you can view the basic information about the ASM instance.
    To view the latest information about the ASM instance, click the Refresh icon on the right.
  • On the Mesh Management page, find the ASM instance whose logs you want to view and click Log in the Actions column. In the ASM Instance Logs panel, you can view the logs of the ASM instance.
  • On the Mesh Management page, find the ASM instance whose basic information you want to view and click Manage in the Actions column. On the Basic Information page, you can view the basic information of the instance, such as the instance ID and the security group. By default, the following Istio resources are created for a new ASM instance:
    • A namespace: default.
      Note By default, the system creates five namespaces for a new ASM instance, but only the namespace that is named default appears in the console. You can use the kubectl client to query and manage the other four namespaces, which are istio-system, kube-node-lease, kube-public, and kube-system.
    • Two destination rules: API-Server and default. For more information about the API-Server rule, visit the official website of Istio. The default rule sets the permissive mTLS policy for the ASM instance: workloads accept both mutual TLS and plaintext connections, so a client without a sidecar can still reach them without presenting an identity. Permissive mode is a migration aid, not a security boundary; switch to strict mTLS once all workloads are in the mesh.
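The default rule leaves the mesh in permissive mode. As an added example that is not from this page or from ASM itself, the following manifests, applied with the instance's kubeconfig, switch the mesh to strict mTLS while keeping one workload permissive during migration and forcing client sidecars to originate mTLS to it. The namespace demo and the reviews workload are assumptions; the resource kinds are standard Istio security and networking resources, and the istio-system namespace is the one listed above, so confirm that the instance's Istio version supports PeerAuthentication before applying.

```yaml
# Added example, not from the ASM documentation. Assumes a namespace "demo"
# and a workload labeled app=reviews (both assumptions), and that the mesh
# control plane namespace is istio-system as noted on this page.
---
# Mesh-wide: accept only mTLS. This replaces the permissive default, which
# also accepts plaintext and so lets a non-mesh client bypass identity checks.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# Per-workload exception: keep reviews permissive while legacy clients
# without a sidecar are migrated. Delete this once they are in the mesh.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: reviews-permissive
  namespace: demo
spec:
  selector:
    matchLabels:
      app: reviews
  mtls:
    mode: PERMISSIVE
---
# Client side: make sidecars originate mTLS to reviews even though the
# server still accepts plaintext, so in-mesh traffic is always authenticated.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: reviews
  namespace: demo
spec:
  host: reviews.demo.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
```

With the mesh-wide policy set to STRICT, a connection from a pod that has no sidecar is reset by the server-side proxy; that refusal is the intended failure mode, and a quick curl from a non-injected pod to any strict workload is the simplest way to confirm the policy took effect.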