Alibaba Cloud Service Mesh: Enable mesh topology to improve observability

Last Updated: Jun 21, 2026

Enable mesh topology when you need to visualize and monitor interactions between services. The mesh topology graph lets you monitor service health in real time, analyze latency and communication issues between services, and understand how traffic flows and distributes across services. This helps you quickly identify and resolve problems to ensure service reliability and high performance.

Function introduction

Mesh topology is an observability tool for Service Mesh. It provides powerful visualization of mesh traffic by combining real-time request traffic with mesh configuration data. This gives you immediate insight into service invocation behavior and health status, helping you quickly pinpoint issues. Mesh topology offers the following capabilities:

  • Traffic call topology graph: Mesh topology visualizes real-time request traffic as a topology graph.

  • Mesh configuration visualization: Mesh topology uses configurations from your Service Mesh to annotate nodes on the topology graph. This helps you instantly understand which configurations are active. These include peer authentication, virtual services, destination rules, and ASM circuit breaking and rate limiting.

  • Health status visualization: Mesh topology uses node or edge colors to represent service or request health status, helping you quickly locate problematic nodes or requests.

  • Traffic replay: Traffic replay lets you replay traffic from a selected past time period, enabling thorough inspection of application traffic during that interval.

Step 1: Enable mesh topology

Method 1: Create a new ASM instance

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click Create ASM Instance.

  3. In the Observability section, select Enable Prometheus Metrics. Then, choose a Prometheus type as needed and perform the related operations.

    Prometheus type and operation:

    • Managed Service for Prometheus: Select Use Managed Service for Prometheus to collect monitoring metrics, then select Enable ASM Mesh Topology to Enhance Mesh Observability. For details about integrating Managed Service for Prometheus and billing information, see Integrate Managed Service for Prometheus for mesh monitoring and Billing.

    • Self-managed Prometheus: Select Integrate Self-Hosted Prometheus for Monitoring, then select Enable ASM Mesh Topology to Enhance Mesh Observability. Enter the Prometheus service endpoint used by ASM mesh topology (that is, the access endpoint of your self-managed Prometheus service). For details about integrating self-managed Prometheus, see Integrate self-managed Prometheus for mesh monitoring.

    Note
    • Selecting Enable Prometheus Metrics enables metric collection for your Service Mesh instance. This does not automatically create an ARMS instance or a self-managed Prometheus instance.

    • Clearing both Enable Prometheus Metrics and Enable ASM Mesh Topology to Enhance Mesh Observability disables mesh topology.

  4. Configure the required information, then carefully read and select Service Agreement. At the bottom of the page, click Create Service Mesh.

    For details about configuration items, see Create an ASM instance.

  5. Add an ACK cluster to the newly created ASM instance. For details, see Add a cluster to an ASM instance.

Method 2: Use an existing ASM instance

Ensure that your ASM instance already has an ACK cluster added. For details, see Add a cluster to an ASM instance.

ASM version earlier than 1.12.4.50

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the target instance name. In the navigation pane on the left, choose Instance Information > Base Information. On the right side of the page, click Settings.

  3. In the Settings Update panel, select Enable Prometheus Metrics. Then, choose a Prometheus type as needed and perform the related operations.

    Prometheus type and operation:

    • Managed Service for Prometheus: Select Use Managed Service for Prometheus to collect monitoring metrics, then select Enable ASM Mesh Topology to Enhance Mesh Observability. For details about integrating Managed Service for Prometheus and billing information, see Integrate Managed Service for Prometheus for mesh monitoring and Billing.

    • Self-managed Prometheus: Select Integrate Self-Hosted Prometheus for Monitoring, then select Enable ASM Mesh Topology to Enhance Mesh Observability. Enter the Prometheus service endpoint used by ASM mesh topology (that is, the access endpoint of your self-managed Prometheus service). For details about integrating self-managed Prometheus, see Integrate self-managed Prometheus for mesh monitoring.

  4. After completing the configuration, at the bottom of the Settings Update panel, click OK.

ASM version 1.12.4.50 or later

Note

Mesh topology depends on Service Mesh integration with Prometheus metrics. If you have not yet integrated Prometheus for mesh monitoring, integrate it first. For details, see Integrate Managed Service for Prometheus for mesh monitoring and Integrate self-managed Prometheus for mesh monitoring. For billing information about Managed Service for Prometheus, see Billing.

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the target instance name. In the navigation pane on the left, choose Observability Management Center > Mesh Topology. In the Activate ASM mesh topology section, perform the following operations based on your ASM version.

    • ASM version earlier than 1.18.2.112: Click Activate.

    • ASM version 1.18.2.112 or later: Choose one of the following deployment modes. For differences between the two modes and how to configure managed mode, see Enable mesh topology in managed mode.

      • Click In-Kubernetes-cluster Mode, enter the Prometheus service endpoint used by ASM mesh topology, and click Activate.

      • Click Managed Mode, click Activate, configure the required information in the dialog box that appears, and click OK.

Step 2: Access mesh topology

You can access mesh topology in three ways. Direct access requires ASM version 1.12.4.50 or later. Custom access requires ASM version 1.16.4.5 or later.

Method 1: Directly access mesh topology

If your ASM version is 1.12.4.50 or later, you can have a Classic Load Balancer (CLB) instance created automatically and access the mesh topology service directly through it.

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the target instance name. In the navigation pane on the left, choose Observability Management Center > Mesh Topology.

  3. In the Access section, perform the following operations based on your ASM instance version.

    • ASM version earlier than 1.15.3.120: Select Automatically Create Internet-facing CLB Instance to Access ASM Mesh Topology.

    • ASM version 1.15.3.120 or later but earlier than 1.17.2.19: Turn on the switch next to Automatically Create Internet-facing CLB Instance to Access ASM Mesh Topology. In the dialog box that appears, click OK.

    • ASM version 1.17.2.19 or later: Turn on the switch next to Create CLB Instance to Access ASM Mesh Topology. In the dialog box that appears, configure the required settings as needed, then click OK.

    After enabling mesh topology access, your Service Mesh enters a brief update state.

  4. Check whether your Service Mesh update is complete.

    1. In the navigation pane on the left, choose Instance Information > Base Information.

    2. In the Basic Information section, check the Status of your Service Mesh.

      If the Status is Updating, the update is in progress. If the Status is Running, the update is complete.

  5. On the Mesh Topology page, in the Access section, click Click here to access ASM Mesh Topology or Copy token and open in new window to go to the mesh topology login page.

Method 2: Use ASM gateway to access mesh topology

  1. Create an ingress gateway and add a port configuration that supports mesh topology access to the ingress gateway. For details, see Create an ingress gateway service or Manage ingress gateways using KubeAPI.

    The following YAML shows a sample port configuration.

    - name: http-kiali
      port: 20001
      protocol: TCP
      targetPort: 20001

    The same entry shown in place in the ingress gateway spec:

    spec:
      clusterIds:
        - c729bdf9ef09b4a259e693f76axxx
      cpu: {}
      externalTrafficPolicy: Local
      maxReplicas: 5
      minReplicas: 2
      ports:
        - name: status-port
          port: 15020
          targetPort: 15020
        - name: http2
          port: 80
          targetPort: 80
        - name: https
          port: 443
          targetPort: 443
        - name: tls
          port: 15443
          targetPort: 15443
        - name: http-kiali
          port: 20001
          protocol: TCP
          targetPort: 20001

  2. Use the following YAML to create a gateway rule. For details, see Manage gateway rules.

    apiVersion: networking.istio.io/v1alpha3
    kind: Gateway
    metadata:
      name: kiali-gateway
      namespace: istio-system
    spec:
      selector:
        istio: ingressgateway
      servers:
        - hosts:
            - '*'
          port:
            name: http
            number: 20001
            protocol: HTTP

  3. Use the following YAML to create a virtual service. For details, see Manage virtual services.

    apiVersion: networking.istio.io/v1alpha3
    kind: VirtualService
    metadata:
      name: kiali-vs
      namespace: istio-system
    spec:
      gateways:
        - kiali-gateway
      hosts:
        - '*'
      http:
        - route:
            - destination:
                host: kiali
                port:
                  number: 20001

  4. Log on to mesh topology.

    1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

    2. On the Mesh Management page, click the target instance name. In the navigation pane on the left, choose Instance Information > Base Information.

    3. In the Config Info section, click Access from Ingress Gateway next to Activate ASM mesh topology to go to the mesh topology login page.
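
The gateway rule in step 2 publishes port 20001 with hosts set to '*' and protocol HTTP. The following check is an added example, not part of the original documentation: it reads Gateway objects in the JSON shape printed by `kubectl get gateways.networking.istio.io -A -o json` and reports every server entry that publishes the mesh topology port on a wildcard host or on a non-TLS listener. The finding labels, the second and third sample gateways, and the names topology.example.com and topology-cert are constructed for illustration.

```python
import json

TOPOLOGY_PORT = 20001  # default mesh topology (Kiali) port used on this page

# Constructed sample, shaped like `kubectl get gateways.networking.istio.io -A -o json`.
# kiali-gateway mirrors the page's manifest; kiali-gateway-tls, app-gateway,
# the host name and the credentialName are hypothetical.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "kiali-gateway", "namespace": "istio-system"},
   "spec": {"servers": [
     {"hosts": ["*"],
      "port": {"name": "http", "number": 20001, "protocol": "HTTP"}}]}},
  {"metadata": {"name": "kiali-gateway-tls", "namespace": "istio-system"},
   "spec": {"servers": [
     {"hosts": ["topology.example.com"],
      "port": {"name": "https", "number": 20001, "protocol": "HTTPS"},
      "tls": {"mode": "SIMPLE", "credentialName": "topology-cert"}}]}},
  {"metadata": {"name": "app-gateway", "namespace": "default"},
   "spec": {"servers": [
     {"hosts": ["*"],
      "port": {"name": "http", "number": 80, "protocol": "HTTP"}}]}}
]}
""")


def audit_gateways(doc, port=TOPOLOGY_PORT):
    """Return (gateway, finding) pairs for servers that publish `port`."""
    findings = []
    for gw in doc.get("items", []):
        meta = gw.get("metadata", {})
        name = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        for server in gw.get("spec", {}).get("servers", []):
            listener = server.get("port", {})
            if listener.get("number") != port:
                continue  # not the mesh topology listener
            # Hosts may be written as "<namespace>/<dnsName>"; check the DNS part.
            if any(h.rsplit("/", 1)[-1] == "*" for h in server.get("hosts", [])):
                findings.append((name, "wildcard-host"))
            # Only HTTPS and TLS listeners terminate or carry TLS at the gateway.
            if str(listener.get("protocol", "")).upper() not in ("HTTPS", "TLS"):
                findings.append((name, "plaintext-listener"))
    return findings


if __name__ == "__main__":
    for gateway, finding in audit_gateways(SAMPLE):
        print(f"{gateway}: {finding}")
```

To run it against a cluster, replace SAMPLE with the parsed output of the kubectl command named in the comment.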

Method 3: Custom access to mesh topology

After enabling mesh topology, a Service named Kiali is created in the istio-system namespace of your Kubernetes cluster. You can access mesh topology by creating a proxy service for this Service. For example, create an Nginx reverse proxy for the Kiali Service and access mesh topology through Nginx. You can use Custom Access Configuration to define how to access the Kiali Service. This method requires ASM version 1.16.4.5 or later. For details about upgrading your ASM version, see Upgrade an ASM instance.

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose Observability Management Center > Mesh Topology.

  3. Below the Authentication section, click Expand advanced options. In the Customize Access Modes section, configure the required information and click Save configuration of Mesh Topology.

    Configuration items and descriptions:

    • Customize a Domain Name: Define the custom domain name served by mesh topology. If you use a custom domain name to access mesh topology, configure this setting. Otherwise, the OIDC login flow might be affected. When you log on to mesh topology using OIDC, mesh topology replaces the domain name in the Redirect URI with your custom domain name to ensure proper integration with the OIDC application.

    • Customize a Port: Define the port on which the mesh topology service listens. The default is 20001. When you set this, the mesh topology service listens on your specified custom port.

    • Customize a Service Root Path: Define the root path served by mesh topology. The default is /. When you set this, mesh topology serves content from your specified path. When accessing mesh topology, append your custom root path to the original access address.

    • Select a Protocol (https/http): Define the protocol served by mesh topology. Only http or https is supported. If you access mesh topology using HTTPS, configure this setting. Otherwise, the OIDC login flow might be affected. When you log on to mesh topology using OIDC, mesh topology replaces the protocol part in the Redirect URI with your custom protocol to ensure proper integration with the OIDC application.

Step 3: Log on to mesh topology

You can log on to mesh topology in three ways. OIDC login requires ASM version 1.15.3.120 or later. Alibaba Cloud account identity login requires ASM version 1.16.4.5 or later.

Method 1: Log on to mesh topology using a token

ASM version earlier than 1.12.4.50

Obtain a token from the ACK console and use it to log on to mesh topology.

  1. Log on to the ACK console. In the left navigation pane, click Clusters.

  2. On the Clusters page, click the name of your cluster. In the left navigation pane, click Configurations > Secrets.

  3. On the Secret page, select istio-system for Namespaces, click kiali-service-account-token-****, and then click the token icon next to the token row to copy the token.

  4. On the mesh topology login page, paste the token and click Log in to access the mesh topology console.

ASM version 1.12.4.50 or later

Obtain a token from the ASM console and use it to log on to mesh topology.

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the target instance name. In the navigation pane on the left, choose Observability Management Center > Mesh Topology.

  3. On the Mesh Topology page, in the Access section, click Copy token and open in new window.

  4. On the mesh topology login page, paste the token and click Log in to access the mesh topology console.

Method 2: Log on to mesh topology using OIDC

OIDC (OpenID Connect) is an identity authentication and authorization protocol commonly used to implement single sign-on (SSO). You can integrate with an identity provider (IdP) using the OIDC protocol to log on to mesh topology. This method requires ASM version 1.15.3.120 or later. For details about upgrading your ASM version, see Upgrade an ASM instance.

  1. Configure your IdP. For details, see steps 1 and 2 in Integrate ASM with Alibaba Cloud IDaaS for SSO in mesh applications.

    Set the Login Redirect URI to the IP address of the mesh topology's CLB (for direct CLB access) or the ASM gateway address (for ASM gateway access). Examples:

    • If accessing mesh topology via CLB and the CLB IP is xxx.xxx.xxx.xxx, set the Login Redirect URI to http://xxx.xxx.xxx.xxx:20001. Do not append / or paths such as /xxx to 20001.

    • If accessing mesh topology via ASM gateway and the gateway IP is yyy.yyy.yyy.yyy, set the Login Redirect URI to http://yyy.yyy.yyy.yyy:20001. Do not append / or paths such as /xxx to 20001.

  2. Log on to mesh topology using OIDC.

    1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

    2. On the Mesh Management page, click the target instance name. In the navigation pane on the left, choose Observability Management Center > Mesh Topology.

    3. In the Authentication section, select Login with OIDC. Configure the required information, click Save configuration of Mesh Topology, then click Open ASM mesh topology in a new page.

    4. On the mesh topology login page, click Log In with OpenID to go to the OIDC application login page.

Method 3: Log on to mesh topology using Alibaba Cloud account identity

You can integrate with an Alibaba Cloud RAM OAuth application using the OIDC protocol to log on to mesh topology with your Alibaba Cloud account identity. For more information, see Web application logon to Alibaba Cloud.

When you use this method, ASM automatically creates an Alibaba Cloud RAM OAuth application whose name starts with the prefix asm-kiali and integrates it with mesh topology. This method requires ASM version 1.16.4.5 or later. For details about upgrading your ASM version, see Upgrade an ASM instance.

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose Observability Management Center > Mesh Topology.

  3. In the Login authentication method section, select Alibaba Cloud account identity logon. In the dialog box that appears, click Add callback address, enter the callback address, then click OK.

    The mesh will undergo a brief update. Wait until the update completes before proceeding.

    Note
    • For the callback address format, see Login Redirect URI in Method 2: Log on to mesh topology using OIDC.

    • If you use direct access to mesh topology, the callback address is filled in automatically.

  4. On the mesh topology login page, click Log In with OpenID to log on with your Alibaba Cloud account identity.
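
The Login Redirect URI format from Method 2, which Method 3 reuses for the callback address, written as a check that can be run before saving the value at the IdP (an added example, not part of the original documentation). The function name, the finding labels and the sample addresses are constructed for illustration. It assumes the registered port is the port mesh topology is reached on.

```python
from urllib.parse import urlsplit


def check_redirect_uri(registered, access_host, protocol="http", port=20001):
    """Compare the Login Redirect URI registered at the IdP with the address
    mesh topology is reached at. Returns a list of problems (empty = match).

    access_host: CLB IP, ASM gateway address, or the custom domain name.
    protocol:    "http" or "https", as set under Select a Protocol.
    port:        assumed to be the externally reachable port (page default 20001).
    """
    problems = []
    parts = urlsplit(registered.strip())
    # The page's rule: nothing may follow the port, not even a trailing "/".
    if parts.path or parts.query or parts.fragment:
        problems.append("path-after-port")
    if parts.scheme != protocol.lower():
        problems.append("protocol-mismatch")
    if (parts.hostname or "") != access_host.lower():
        problems.append("host-mismatch")
    try:
        registered_port = parts.port      # None when the URI has no port
    except ValueError:                    # non-numeric or out-of-range port
        registered_port = None
    if registered_port != port:
        problems.append("port-mismatch")
    return problems


if __name__ == "__main__":
    # Constructed values: 192.0.2.10 stands in for a CLB or gateway IP,
    # topology.example.com for a custom domain name.
    samples = [
        ("http://192.0.2.10:20001", "192.0.2.10", "http"),
        ("http://192.0.2.10:20001/", "192.0.2.10", "http"),
        ("http://192.0.2.10:20001", "topology.example.com", "https"),
    ]
    for uri, host, proto in samples:
        print(uri, check_redirect_uri(uri, host, proto) or "ok")
```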

FAQ

Why can't mesh topology load when using ARMS Prometheus to collect metrics?

If you selected Use ARMS Prometheus to collect metrics for your ASM instance and enabled an authentication token for your ARMS Prometheus instance, mesh topology cannot access the ARMS Prometheus instance and fails to load. Choose one of the following solutions. For more information, see Connect Prometheus monitoring data to local Grafana.

  • Solution 1: In the ARMS console, disable the token on the Setting page. For more information, see Connect Prometheus data to Grafana or self-managed applications using HTTP API endpoints.

  • Solution 2: Configure the ARMS Prometheus authentication token in mesh topology to connect to your ARMS Prometheus instance.

    Note

    This operation requires ASM version 1.15.3.120 or later.

    1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

    2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose Observability Management Center > Mesh Topology.

    3. In the text box in the Connection with ARMS Prometheus section, enter the authentication token configured for ARMS Prometheus. Then click Save configuration of Mesh Topology to configure the authentication token for mesh topology to access your ARMS Prometheus instance.

Why does mesh topology show only partial traffic?

Follow these steps to troubleshoot.

  1. Configuration issue

    Confirm that the correct traffic types (such as gRPC, HTTP, or TCP) are selected in the traffic display settings of mesh topology. If these options are not selected, some traffic information may not be displayed.

  2. Namespace limitation

    In mesh topology, confirm that you have selected the correct namespaces. Some traffic might reside in unselected namespaces.

  3. Data collection and updates

    • Confirm that your Prometheus instance is collecting metrics properly. ASM displays only successfully collected data. Some traffic data might not appear promptly on the topology graph due to delays, packet loss, or other issues.

    • Confirm that all workloads in your cluster have mesh proxies injected. Only workloads with injected mesh proxies report traffic monitoring metrics.

    • Confirm that the mesh topology page refreshes in real time, or manually refresh to get the latest traffic data.

  4. Sidecar proxy and traffic configuration effects

    Some traffic might be affected by Sidecar proxy configurations or Sidecar traffic settings in ASM, causing it to bypass the mesh proxy and become unobservable. Check if your Sidecar proxy configuration disables the proxy by port or address, or if your Sidecar traffic configuration specifies correct inbound and outbound traffic destinations.
