You can enable a microservice application to provide services for external systems by using cloud-native gateways. To achieve this purpose, you can create a cloud-native gateway for the microservice application, add the Microservices Engine (MSE) Nacos instance in which the microservice application is deployed as a service source or associate the microservice application with a Container Service for Kubernetes (ACK) cluster, and then create a routing rule in the cloud-native gateway for the microservice application. This topic describes how to get started with cloud-native gateways.
Procedure
If a microservice application is deployed in an ACK cluster or registered with an MSE Nacos instance, you can use a cloud-native gateway to directly associate the microservice application with the ACK cluster or add the MSE Nacos instance as a service source of the cloud-native gateway.
Create a cloud-native gateway.
Create a cloud-native gateway based on the existing environment in which microservice applications run.
Add a service source to the cloud-native gateway. Service sources include fixed IP addresses, ACK clusters, MSE Nacos instances, and Domain Name System (DNS) domain names.
Note: If you select fixed IP addresses as service sources, you can select a service that you want to add from the service list without the need to add a service source.
The cloud-native gateway can obtain the namespace of a service from a service source, such as an ACK cluster or an MSE Nacos instance. This way, you can add an existing service to the cloud-native gateway as a backup service.
Configure a routing rule for the service and publish the routing rule.
Step 1: Create a cloud-native gateway
Procedure
Log on to the MSE console. In the top navigation bar, select a region.
In the left-side navigation pane, choose Cloud-native Gateway > Gateways.
In the upper-left corner of the Gateways page, click Create Gateway.
On the buy page, configure the parameters and click Buy Now.
Parameter
Description
Product Type
Select Subscription or Pay-as-you-go.
Region
Select the region in which you want to deploy the gateway.
Gateway Name
Enter a name for the gateway. The name must be 1 to 64 characters in length. We recommend that you configure the gateway name based on the environment or the type of your business, such as test or order-prod.
Gateway Engine Specifications
Select the specifications of the gateway engine. You can select one of the following specifications: 2 Cores, 4 GB, 4 Cores, 8 GB, 8 Cores, 16 GB, and 16 Cores, 32 GB.
Gateway Nodes
Specify the number of gateway nodes. If your gateway is deployed in a production environment, we recommend that you specify at least two nodes.
Note: A single-node gateway may result in business interruptions. We recommend that you do not configure a single-node gateway.
Resource Group
Select a resource group from the Resource Group drop-down list.
VPC
Select the virtual private cloud (VPC) in which the backend services are deployed.
vSwitch Location
Select the vSwitch location.
Zone
If you set vSwitch Location to Fixed Zone, you must configure Zone. Cloud-native gateways use the vSwitches in VPCs to communicate with backend services. We recommend that you select a vSwitch that is deployed in the same zone as the backend services.
vSwitch
If you set vSwitch Location to Custom Zone, you must select a vSwitch.
Internet-facing SLB Specifications
Select the specifications of an Internet-facing Server Load Balancer (SLB) instance, which can be accessed over the Internet.
Internal-facing SLB Specifications
Select the specifications of an internal-facing SLB instance.
Security Group Type
Select the security group type of your gateway. The default type is Advanced Security Group. We recommend that you select the same security group type as the Elastic Compute Service (ECS) instance on which backend services are deployed. For more information, see Overview.
Hardware Acceleration
Select Enable TLS Hardware Acceleration. If you enable Transport Layer Security (TLS) hardware acceleration, the handshake performance of TLS is doubled.
Note: TLS hardware acceleration is available only in the China (Beijing), China (Shanghai), China (Hangzhou), China (Shenzhen), and Singapore regions due to the limits on underlying hardware.
Gateway Monitoring
By default, Managed Service for Prometheus is activated. This service collects the metric data of gateways, displays data on dashboards, and manages alerts. You can use Managed Service for Prometheus free of charge.
Log Service
Select Use Log Service to activate Simple Log Service and enable log shipping to help you analyze logs and visualize data on dashboards. For more information, see Enable log shipping for a cloud-native gateway.
Tracing Analysis
Select Use Managed Service for OpenTelemetry to activate Alibaba Cloud Managed Service for OpenTelemetry and enable the gateway tracing analysis feature. For more information, see Enable Tracing Analysis for a cloud-native gateway.
Subscription Duration
If you select Subscription for Product Type, you must select a duration. You can select Auto-renewal to continue to use the gateway after the gateway expires.
Note: The system may require 2 minutes to 3 minutes to create the cloud-native gateway.
Step 2: Add a service source
Log on to the MSE console. In the top navigation bar, select a region.
In the left-side navigation pane, choose Cloud-native Gateway > Gateways. On the Gateways page, click the name of the gateway.
In the left-side navigation pane, click Routes. On the page that appears, click the Sources tab.
On the Source tab, click Add Source. In the Add Source panel, configure the parameters and click OK.
You can set Source Type to Container Service, MSE Nacos, MSE ZooKeeper, SAE Built-in Registry, or EDAS Built-in Registry.
If you set Source Type to Container Service, you must configure the parameters that are described in the following table.
Parameter
Description
ACK/ACK Serverless Cluster
Select the cluster in which your backend service is deployed.
Note: When you create a gateway, you need to select the VPC in which the cluster is deployed. This way, when you add a service source, the cluster in this VPC is automatically obtained.
Listen to Kubernetes Ingress
If you turn on the Listen to Kubernetes Ingress switch, the cloud-native gateway automatically monitors the changes of Ingress resources, and the monitored configurations of domain names and routes of the Ingress resources take effect.
If you turn off the Listen to Kubernetes Ingress switch, the cloud-native gateway no longer monitors the changes of Ingress resources, and the previously monitored configurations of domain names and routes of the Ingress resources become invalid. Exercise caution when you perform this operation.
Important: The priorities of the domain names and routes that are manually configured in the MSE console are higher than the priorities of the domain names and routes of the Ingress resources monitored by the cloud-native gateway.
Ingress Class
The Ingress class with which Ingress resources are associated.
If you do not specify this parameter, the cloud-native gateway monitors all the Ingress resources in the cluster.
If you specify an Ingress class for this parameter, the cloud-native gateway monitors the Ingress resources that have the class annotation or whose Spec.IngressClassName value is the same as the configured value. You cannot specify multiple Ingress classes for this parameter. For example, if you set this parameter to nginx, the cloud-native gateway monitors the Ingress resources whose IngressClass is nginx or the Ingress resources that are not associated with any Ingress class.
Namespace
The namespace to which Ingress resources belong.
If you do not specify this parameter, the cloud-native gateway monitors all the Ingress resources in all the namespaces of the cluster.
If you specify a single namespace for this parameter, the cloud-native gateway monitors the Ingress resources in the specified namespace of the cluster. You cannot specify multiple namespaces for this parameter at a time.
Update Ingress Status
If you set this parameter to Open, the IP address of the monitored Ingress is changed to the IP address of the Server Load Balancer (SLB) instance associated with the cloud-native gateway.
Note: This parameter is displayed when the gateway version is V1.2.9 or later.
Security Group Rules
Security groups are configured in the node pool of the container cluster. In most cases, if an external component wants to access a service in the cluster, you must open all ports required by the service in the security groups.
You can modify security groups. For more information, see Configure security group rules.
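The Ingress Class and Namespace filters described above decide which Ingress resources the gateway picks up. This added example (not part of the original documentation or of MSE itself) models those rules over constructed manifests so you can review which hosts a given setting brings into scope; the annotation key kubernetes.io/ingress.class, the class name mse, and all hostnames are assumptions or constructed values.

```python
# Assumption: the "class annotation" the page mentions is the well-known
# Kubernetes annotation below.
CLASS_ANNOTATION = "kubernetes.io/ingress.class"

def ingress_class(ing):
    """Class from spec.ingressClassName or the class annotation, else None."""
    spec_class = ing.get("spec", {}).get("ingressClassName")
    ann_class = ing.get("metadata", {}).get("annotations", {}).get(CLASS_ANNOTATION)
    return spec_class or ann_class

def is_monitored(ing, cfg_class=None, cfg_namespace=None):
    """Apply the Namespace and Ingress Class filters as the page describes them."""
    namespace = ing.get("metadata", {}).get("namespace", "default")
    if cfg_namespace and namespace != cfg_namespace:
        return False            # a single namespace was configured
    if not cfg_class:
        return True             # no class configured: every Ingress is monitored
    cls = ingress_class(ing)
    if cls == cfg_class:
        return True
    # The page states, for the value nginx, that Ingress resources with no
    # class at all are monitored too. Modelled only for nginx here.
    return cfg_class == "nginx" and cls is None

def exposed_hosts(ingresses, cfg_class=None, cfg_namespace=None):
    """Sorted (namespace, name, host) tuples the gateway would pick up."""
    found = []
    for ing in ingresses:
        if not is_monitored(ing, cfg_class, cfg_namespace):
            continue
        meta = ing["metadata"]
        for rule in ing.get("spec", {}).get("rules", []):
            found.append((meta.get("namespace", "default"), meta["name"],
                          rule.get("host", "*")))
    return sorted(found)

# Constructed sample manifests (trimmed to the fields the filters read).
SAMPLE = [
    {"metadata": {"name": "shop", "namespace": "prod",
                  "annotations": {CLASS_ANNOTATION: "nginx"}},
     "spec": {"rules": [{"host": "shop.example.com"}]}},
    {"metadata": {"name": "admin", "namespace": "ops"},   # no class set
     "spec": {"rules": [{"host": "admin.example.com"}]}},
    {"metadata": {"name": "api", "namespace": "prod"},
     "spec": {"ingressClassName": "mse",
              "rules": [{"host": "api.example.com"}]}},
]

if __name__ == "__main__":
    for cls, ns in [(None, None), ("nginx", None), ("nginx", "prod"), ("mse", None)]:
        print(f"class={cls!r} namespace={ns!r} ->", exposed_hosts(SAMPLE, cls, ns))
```

With the class set to nginx and no namespace, the unclassed admin Ingress in the ops namespace is still in scope; adding the prod namespace filter removes it.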
If you set Source Type to MSE Nacos, you must configure the parameter that is described in the following table.
Parameter
Description
Nacos Instance
Select an instance.
Note: Only MSE Nacos instances whose MCPEnabled is set to true are displayed. You can change the parameter settings on the Parameter Settings page for the MSE Nacos instances.
If you set Source Type to MSE ZooKeeper, you must configure the parameter that is described in the following table.
Parameter
Description
Cluster Name
Select an instance.
If you set Source Type to SAE Built-in Registry, you must configure the parameters that are described in the following table.
Parameter
Description
Namespace
Select the namespace of the SAE registry where the service is deployed.
Service Group
If a special service group is specified for your service, click Add Service Group to add the service group.
If you set Source Type to EDAS Built-in Registry, you must configure the parameters that are described in the following table.
Parameter
Description
Microservices Space
Select the microservice space of the EDAS registry where the service is deployed.
Service Group
If a special service group is specified for your service, click Add Service Group to add the service group.
Step 3: Add a service
We recommend that you add a service from the service source that you specify. This way, a cloud-native gateway can dynamically obtain the list of backend services.
Log on to the MSE console. In the top navigation bar, select a region.
In the left-side navigation pane, choose Cloud-native Gateway > Gateways.
On the Gateways page, click the name of the gateway.
In the left-side navigation pane, click Routes. On the page that appears, click the Services tab.
On the Services tab, click Add Service. In the Add Service panel, configure the parameters and click OK.
Note: Add a service from an ACK cluster: If you select Container Service from the Service Source drop-down list, the cloud-native gateway obtains the service list from an ACK cluster or ACK Serverless cluster and allows you to add the services in the list and their backend node endpoints to the gateway.
Add a service from a fixed endpoint: If the service discovery mechanism is not provided for the service that you want to add, you must manually add the backend node endpoints of the service to the gateway.
Add a service from a DNS domain name: If you select DNS Domain Name from the Service Source drop-down list, the cloud-native gateway allows you to use the resolution result of the DNS as the backend service endpoint.
If you select Container Service for Service Source, you must configure the parameters that are described in the following table.
Parameter
Description
Namespace
Select a namespace to which the cluster belongs.
By default, services in the arms-prom, kube-system, and mse-pilot namespaces are not displayed.
Services
Select one or more services in the Services section.
If you select MSE Nacos for Service Source, you must configure the parameters that are described in the following table.
Parameter
Description
Namespace
Select a namespace to which the MSE Nacos instance belongs.
Services
Select one or more services in the Services section.
By default, services whose names start with consumer are not displayed.
If you select MSE ZooKeeper for Service Source, you must configure the parameters that are described in the following table.
Parameter
Description
Services
Select one or more services in the Services section.
If you select EDAS Built-in Registry for Service Source, you must configure the parameters that are described in the following table.
Parameter
Description
Microservice Space
Select the microservices namespace to which the service belongs.
Services
Select one or more services in the Services section.
If you select SAE Registry for Service Source, you must configure the parameters that are described in the following table.
Parameter
Description
Namespace
Select the namespace to which the service belongs.
Services
Select one or more services in the Services section.
If you select Function Compute for Service Source, you must configure the parameters that are described in the following table.
Parameter
Description
Service Name
Select the name of the service to which the function belongs.
Version or Alias
Select the version or alias of the service to which the function belongs.
Functions
Select one or more functions.
If you select Fixed Address for Service Source, you must configure the parameters that are described in the following table.
Parameter
Description
Service Name
Enter a name of the service.
Service Address
The backend node endpoint of the service. The endpoint varies with service sources. The endpoint must be in the format of <IP address of the backend node>:<Service port number>. Separate endpoints with line feeds.
TLS Mode
Select a TLS mode from the drop-down list. Default value: Disabled. Valid values:
Disabled: TLS is disabled for service access.
TLS: One-way TLS is enabled for HTTPS-based service access.
mTLS: mTLS is enabled for mutual authentication.
If you select DNS Domain Name for Service Source, you must configure the parameters that are described in the following table.
Parameter
Description
Service Name
Enter a name of the service.
Service Port
Enter a port on which the domain name provides services. Valid values: 1 to 65535.
Domain Names
Enter one or more domain names, such as www.aliyun.com. Separate multiple domain names with line feeds.
TLS Mode
Select a TLS mode from the drop-down list. Default value: Disabled. Valid values:
Disabled: TLS is disabled for service access.
TLS: One-way TLS is enabled for HTTPS-based service access.
mTLS: mTLS is enabled for mutual authentication.
Step 4: Configure a routing rule for the service
Log on to the MSE console. In the top navigation bar, select a region.
In the left-side navigation pane, choose Cloud-native Gateway > Gateways. On the Gateways page, click the name of the gateway.
In the left-side navigation pane, click the Routes tab. On the Routes tab, click Add Route.
On the Add Route page, configure the parameters and click Save.
Note: A route is matched when all conditions in the routing rule are met. If you specify more conditions, fewer requests can be matched.
A request matches routes based on the order that is displayed on the Routes page.
Parameter
Description
Route Name
The name of the route that you want to create. You can click Add Description and enter a description for the route in the Route Description field.
Domain name
Select one or more domain names that you want to match for the route.
If you want to create a domain name, click Add Domain Name below the Domain name drop-down list, and configure the parameters to create a domain name in the Add Domain Name panel.
Match Rule
Path
The Path parameter in the HTTP requests that you want to forward in the route.
If the path matching rules of multiple routes are the same, the longer the Path value of a route, the higher the priority of the route.
If the path matching rules of multiple routes are different, the priorities of the routes are sorted based on the following conditions from the highest to the lowest: Equal To > Prefix > Regular Expression Match.
Equal To: A complete path is used to match requests with a route. For example, you can set the Path parameter to /user.
Prefix: A path prefix is used to match requests with a route. For example, you can specify the prefix as /user.
Regular Expression Match: A regular expression is used to match requests with a route.
Method
The Method parameter that is used to match HTTP requests with a route. You can specify multiple values for the Method parameter to match more requests with a route. By default, ANY is selected.
Header
The Header parameter that is used to match HTTP requests with a route. If multiple routes have the same matching conditions aside from the number of specified Header parameters, a route that has a larger number of the Header parameters in the rule has a higher priority.
Query Parameters
The Query parameter that is used to match HTTP requests with a route. If multiple routes have the same matching conditions aside from the number of specified Query parameters, a route that has a larger number of the Query parameters in the rule has a higher priority.
Scenario
Select the type of the destination service for the route.
Basic Scenario: Single Service
Canary Release Scenario: Multiple Services and Tag-based Routing
Other Scenarios: Mock and Redirect
For more information about the types of destination services, see Routing modes.
Note: The sum of the traffic percentages of the destination services for which you configure the weight must be 100%.
Backend Service
Select the associated backend service and port.
Note: You can select Associate Service from the Service Name drop-down list and select a source and a service in the Associate Service panel.
The number of sources that can be added varies based on the source type.
If Source Type is set to Container Service, a maximum of five sources can be added.
If Source Type is set to MSE Nacos or MSE ZooKeeper, only one source can be added.
If Source Type is set to EDAS Built-in Registry or SAE Built-in Registry, an unlimited number of sources can be added.
Fallback
Specify a fallback service based on your business requirements. If no node is available for the backend service to which the route points, the original request accesses the fallback service that you specified.
Note: Only the fallback capability between HTTP services is supported.
Timeout Period (s)
Enter a timeout period. The default value is 60. If you set the value to 0, no timeout occurs.
Number of Retries (times)
Enter the number of retries. The default value is 2. If you set this value to 0, retry is not allowed.
Retry Condition
Select a retry condition.
Retry Status Code
Add one or more retry status codes.
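The Match Rule priorities in the table above determine which route wins when several match the same request. This added example (not the gateway's own code) models those rules so you can see which route a request lands on and which broader routes would catch it if a narrower condition fails; the route names, paths, the x-canary header, and the way the individual rules are combined into one sort key are assumptions.

```python
import re

# Path match types in the priority order the page gives:
# Equal To > Prefix > Regular Expression Match.
TYPE_RANK = {"equal": 0, "prefix": 1, "regex": 2}

def priority_key(route):
    """Sort key; lower sorts first (higher priority)."""
    # Assumption: match type is compared first, then Path length, then
    # Header count, then Query count. The page states each rule separately.
    return (TYPE_RANK[route["type"]], -len(route["path"]),
            -len(route.get("headers", {})), -len(route.get("query", {})))

def matches(route, method, path, headers, query):
    """True only when every condition of the route is met."""
    if route["type"] == "equal":
        path_ok = path == route["path"]
    elif route["type"] == "prefix":   # assumption: plain string prefix
        path_ok = path.startswith(route["path"])
    else:                             # assumption: regex must match the whole path
        path_ok = re.fullmatch(route["path"], path) is not None
    methods = route.get("methods", ["ANY"])   # ANY is the page's default
    return (path_ok
            and ("ANY" in methods or method in methods)
            and all(headers.get(k) == v for k, v in route.get("headers", {}).items())
            and all(query.get(k) == v for k, v in route.get("query", {}).items()))

def matching_routes(routes, method, path, headers=None, query=None):
    """Names of every route whose conditions are all met, winner first."""
    headers, query = headers or {}, query or {}
    ordered = sorted(routes, key=priority_key)
    return [r["name"] for r in ordered if matches(r, method, path, headers, query)]

def select_route(routes, method, path, headers=None, query=None):
    """Name of the winning route, or None when nothing matches."""
    hits = matching_routes(routes, method, path, headers, query)
    return hits[0] if hits else None

# Constructed sample routes.
ROUTES = [
    {"name": "catch-all", "type": "regex", "path": "/.*"},
    {"name": "user-prefix", "type": "prefix", "path": "/user"},
    {"name": "user-canary", "type": "prefix", "path": "/user",
     "headers": {"x-canary": "1"}},
    {"name": "user-orders", "type": "prefix", "path": "/user/orders",
     "methods": ["GET"]},
    {"name": "user-exact", "type": "equal", "path": "/user"},
]

if __name__ == "__main__":
    for req in [("GET", "/user"), ("POST", "/user/orders/7"), ("GET", "/health")]:
        print(req, "->", matching_routes(ROUTES, *req))
```

A POST to /user/orders/7 misses the GET-only user-orders route and falls through to user-prefix, which is the kind of fall-through worth checking before you attach authentication or rate-limit policies to a narrow route.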
What to do next
After you perform the preceding steps, you can manage the microservice applications that are deployed in your ACK cluster by using the cloud-native gateway. You can log on to the MSE console and perform service management for your applications by using the cloud-native gateway. You can also use the cloud-native gateway to perform operations such as testing requests, checking monitoring, configuring alerting, debugging policies, and integrating authentication. For more information, see Dive deeper into cloud-native gateways.