ALIYUN::ASM::ServiceMesh is used to create an Alibaba Cloud Service Mesh (ASM) instance.
Syntax
{
  "Type": "ALIYUN::ASM::ServiceMesh",
  "Properties": {
    "EnableAudit": Boolean,
    "OPA": Map,
    "IstioVersion": String,
    "ApiServerPublicEip": Boolean,
    "LocalityLoadBalancing": Boolean,
    "Telemetry": Boolean,
    "OutboundTrafficPolicy": String,
    "AuditProject": String,
    "TraceSampling": Number,
    "Name": String,
    "Proxy": Map,
    "VpcId": String,
    "PilotPublicEip": Boolean,
    "IncludeIPRanges": String,
    "VSwitches": List,
    "Tracing": Boolean,
    "CustomizedZipkin": Boolean,
    "EnableACMG": Boolean,
    "CustomizedPrometheus": Boolean,
    "MSEEnabled": Boolean,
    "WebAssemblyFilterEnabled": Boolean,
    "CRAggregationEnabled": Boolean,
    "CertChain": String,
    "ConfigSourceNacosID": String,
    "ConfigSourceEnabled": Boolean,
    "EnableSDSServer": Boolean,
    "DNSProxyingEnabled": Boolean,
    "OpaEnabled": Boolean,
    "LocalityLBConf": String,
    "GuestCluster": String,
    "KialiEnabled": Boolean,
    "ControlPlaneLogEnabled": Boolean,
    "EnableAmbient": Boolean,
    "ExistingCaKey": String,
    "ApiServerLoadBalancerSpec": String,
    "ExcludeIPRanges": String,
    "FilterGatewayClusterConfig": Boolean,
    "PilotLoadBalancerSpec": String,
    "AutoRenew": Boolean,
    "AccessLogServiceEnabled": Boolean,
    "ExistingRootCaCert": String,
    "MysqlFilterEnabled": Boolean,
    "GatewayAPIEnabled": Boolean,
    "ControlPlaneLogProject": String,
    "Edition": String,
    "UseExistingCA": Boolean,
    "ChargeType": String,
    "ExistingCaType": String,
    "PlaygroundScene": String,
    "AccessLogEnabled": Boolean,
    "AccessLogProject": String,
    "ExistingRootCaKey": String,
    "ExistingCaCert": String,
    "Period": Number,
    "ExcludeInboundPorts": String,
    "ClusterSpec": String,
    "MultiBufferPollDelay": String,
    "AccessLogServicePort": Integer,
    "ExcludeOutboundPorts": String,
    "PrometheusUrl": String,
    "AccessLogFormat": String,
    "DubboFilterEnabled": Boolean,
    "AutoRenewPeriod": Integer,
    "AccessLogFile": String,
    "MultiBufferEnabled": Boolean,
    "EnableCRHistory": Boolean,
    "AccessLogServiceHost": String
  }
}
Properties
Property name | Type | Required | Allowed update | Description | Constraints |
VpcId | String | Yes | No | The ID of the virtual private cloud (VPC) in which the instance resides. | None |
VSwitches | List | Yes | No | The ID of the vSwitch. | None |
ApiServerPublicEip | Boolean | No | No | Specifies whether to expose the API server to the Internet. | Valid values:
|
AuditProject | String | No | Yes | The name of the log project that is used for mesh audit. | Default value: mesh-log-{meshId}. |
EnableACMG | Boolean | No | No | Specifies whether to enable ACMG mode. | None |
CustomizedPrometheus | Boolean | No | No | Specifies whether to customize Prometheus. | Valid values:
Default value: |
MSEEnabled | Boolean | No | No | Specifies whether to enable MSE Microservices Engine. | Valid values:
Default value: |
WebAssemblyFilterEnabled | Boolean | No | No | Specifies whether to enable WebAssembly Filter. | Valid values:
Default value: |
CRAggregationEnabled | Boolean | No | No | Specifies whether to enable the data plane cluster Kubernetes API to access Istio resources. | Valid values:
Default value: |
CertChain | String | No | No | The certificate chain from CaCert to RootCert, which must contain at least two certificates. | None |
ConfigSourceNacosID | String | No | No | The instance ID of the Nacos service registry. | None |
ConfigSourceEnabled | Boolean | No | No | Specifies whether to enable an external service registry. | Valid values:
Default value: |
EnableSDSServer | Boolean | No | No | Specifies whether to enable the SDS service. | Valid values:
Default value: |
DNSProxyingEnabled | Boolean | No | No | Specifies whether to enable DNS proxying. | Valid values:
Default value: |
OpaEnabled | Boolean | No | No | Specifies whether to enable OPA. | Valid values:
Default value: |
LocalityLBConf | String | No | No | Configuration for routing traffic to the nearest instance. | None |
GuestCluster | String | No | No | You can select a cluster to join the mesh when the mesh is created. If this parameter is empty, no cluster is added. | The cluster must be in the same VPC and vSwitch as the mesh, and the cluster domain name must be the same. |
KialiEnabled | Boolean | No | No | Specifies whether to enable mesh topology. | Valid values:
Default value: |
ControlPlaneLogEnabled | Boolean | No | No | Specifies whether to enable control plane log collection. | Valid values:
Default value: |
EnableAmbient | Boolean | No | No | Specifies whether to enable Ambient Mesh mode for the service mesh instance. | None |
ExistingCaKey | String | No | No | CA Key. | This parameter is generally used when migrating a self-managed Istio to ASM. It corresponds to the content of the ca-key.pem file in the secret named istio-ca-secret in the istio-system namespace of the self-managed Istio cluster. |
ApiServerLoadBalancerSpec | String | No | No | The specifications of the CLB that is bound to the API server. | Valid values: small I ( |
ExcludeIPRanges | String | No | No | The IP address ranges blocked for external access. | None |
FilterGatewayClusterConfig | Boolean | No | No | Specifies whether to enable Gateway configuration filtering. | Valid values:
Default value: |
PilotLoadBalancerSpec | String | No | No | The specifications of the CLB that is bound to the Istio Pilot of the service mesh control plane. | Valid values: small I ( |
AutoRenew | Boolean | No | No | Specifies whether to enable auto-renewal when the CLB is of the subscription type. | Valid values:
|
AccessLogServiceEnabled | Boolean | No | No | Specifies whether to enable the gRPC access log service (ALS) of Envoy. | Valid values:
Default value: |
ExistingRootCaCert | String | No | No | The existing root certificate. | None |
MysqlFilterEnabled | Boolean | No | No | Specifies whether to enable MysqlFilter. | Valid values:
Default value: |
GatewayAPIEnabled | Boolean | No | No | Specifies whether to enable Gateway API. | Valid values:
Default value: |
ControlPlaneLogProject | String | No | No | The SLS project for control plane log collection. | None |
Edition | String | No | No | The version of the ASM instance. | None |
UseExistingCA | Boolean | No | No | Specifies whether to use an existing CA certificate and private key. | None |
ChargeType | String | No | No | The billing method of the CLB. | Valid values:
|
ExistingCaType | String | No | No | The type of the existing certificate. |
|
PlaygroundScene | String | No | No | Playground scenario. | Optional values:
|
AccessLogEnabled | Boolean | No | No | Specifies whether to enable access logs. | Valid values:
Default value: |
AccessLogProject | String | No | No | The SLS project for access log collection. | None |
ExistingRootCaKey | String | No | No | The private key corresponding to the existing root certificate. | None |
ExistingCaCert | String | No | No | CA certificate (Base64 Encode format). | This parameter is generally used when migrating a self-managed Istio to ASM. It corresponds to the content of the ca-cert.pem file in the secret named istio-ca-secret in the istio-system namespace of the self-managed Istio cluster. |
Period | Number | No | No | Specifies the number of months for which the subscription-based CLB is purchased. | This parameter takes effect when |
ExcludeInboundPorts | String | No | No | A list of inbound ports separated by commas (,). | None |
ClusterSpec | String | No | No | The instance type of the service mesh. | Valid values:
|
MultiBufferPollDelay | String | No | No | The synchronization time for enabling MultiBuffer. | Default |
AccessLogServicePort | Integer | No | No | The port for enabling the gRPC access log service (ALS) of Envoy. | None |
ExcludeOutboundPorts | String | No | No | A list of outbound ports separated by commas (,). | None |
PrometheusUrl | String | No | No | The endpoint of the customized Prometheus service. | None |
AccessLogFormat | String | No | No | The format of the customized access log. | This string must be in JSON format and must contain at least the following key-value pairs: authority_for, bytes_received, bytes_sent, downstream_local_address, downstream_remote_address, duration, istio_policy_status, method, path, protocol, requested_server_name, response_code, response_flags, route_name, start_time, trace_id, upstream_cluster, upstream_host, upstream_local_address, upstream_service_time, upstream_transport_failure_reason, user_agent, x_forwarded_for. Example:
|
DubboFilterEnabled | Boolean | No | No | Specifies whether to enable DubboFilter. | Valid values:
Default value: |
AutoRenewPeriod | Integer | No | No | Specifies the auto-renewal period when the subscription-based CLB is purchased. | This parameter takes effect when |
AccessLogFile | String | No | No | Enables or disables access logs. | Valid values:
|
MultiBufferEnabled | Boolean | No | No | Specifies whether to enable TLS performance optimization based on MultiBuffer. | Valid values:
Default value: |
EnableCRHistory | Boolean | No | No | Specifies whether to enable the history version management feature for Istio resources in ASM. | Valid values:
Default value: |
AccessLogServiceHost | String | No | No | The endpoint for enabling the gRPC access log service (ALS) of Envoy. | None |
CustomizedZipkin | Boolean | No | Yes | Specifies whether to enable self-managed Zipkin. | Valid values:
|
EnableAudit | Boolean | No | Yes | Specifies whether to enable the mesh audit feature. | Valid values:
Note To enable this feature, make sure that Log Service is activated. |
IncludeIPRanges | String | No | Yes | The IP address ranges of external services to which traffic is intercepted. | None |
IstioVersion | String | No | No | The Istio version of the instance. | None |
LocalityLoadBalancing | Boolean | No | Yes | Specifies whether to route traffic to the nearest instance. | Valid values:
|
Name | String | No | No | The name of the instance. | None |
OPA | Map | No | Yes | The configurations of the Open Policy Agent (OPA) plug-in. | For more information, see OPA properties. |
OutboundTrafficPolicy | String | No | Yes | The outbound traffic policy. | Valid values:
|
PilotPublicEip | Boolean | No | No | Specifies whether to expose Istio Pilot to the Internet. | Valid values:
|
Proxy | Map | No | Yes | Proxy. | For more information, see Proxy properties. |
Telemetry | Boolean | No | Yes | Specifies whether to enable Prometheus monitoring. | We recommend that you use Managed Service for Prometheus (Prometheus). |
TraceSampling | Number | No | Yes | The sampling percentage of Managed Service for OpenTelemetry. | None |
Tracing | Boolean | No | Yes | Specifies whether to enable the tracing analysis feature. | Valid values:
Note To enable this feature, make sure that Tracing Analysis is activated. |
OPA syntax
"OPA": {
  "OPARequestCPU": String,
  "OpenAgentPolicy": Boolean,
  "OPALogLevel": String,
  "OPALimitCPU": String,
  "OPALimitMemory": String,
  "OPARequestMemory": String
}
OPA properties
Property name | Type | Required | Allowed update | Description | Constraints |
OPALimitCPU | String | No | Yes | The CPU limit of the OPA container. | None |
OPALimitMemory | String | No | Yes | The memory limit of the OPA container. | None |
OPALogLevel | String | No | Yes | The log level of the OPA container. | None |
OPARequestCPU | String | No | Yes | The CPU request of the OPA container. | None |
OPARequestMemory | String | No | Yes | The memory request of the OPA container. | None |
OpenAgentPolicy | Boolean | No | Yes | Specifies whether to install the OPA plug-in. | Valid values:
|
Proxy syntax
"Proxy": {
  "ClusterDomain": String,
  "ProxyLimitCPU": String,
  "ProxyLimitMemory": String,
  "ProxyRequestCPU": String,
  "ProxyRequestMemory": String
}
Proxy properties
Property name | Type | Required | Allowed update | Description | Constraints |
ClusterDomain | String | No | Yes | The domain name of the cluster. | None |
ProxyLimitCPU | String | No | Yes | The CPU limit of the proxy. | None |
ProxyLimitMemory | String | No | Yes | The memory limit of the proxy. | None |
ProxyRequestCPU | String | No | Yes | The CPU request of the proxy. | None |
ProxyRequestMemory | String | No | Yes | The memory request of the proxy. | None |
Return values
Fn::GetAtt
ServiceMeshId: The ID of the instance.
Example
YAML format
ROSTemplateFormatVersion: '2015-09-01'
Parameters:
  ZoneId:
    Type: String
    Description: Create an Availability Zone for an instance to ensure that the Availability Zone supports the creation of Memcache resource specifications.
    AssociationProperty: ALIYUN::ECS::Instance::ZoneId
    Label: Zone ID
  VPC:
    AssociationProperty: ALIYUN::ECS::VPC::VPCId
    Type: String
    Description: Please search the ID starts with (vpc-xxx)from console-Virtual Private Cloud
    Label: Existing VPC Instance ID
  VSwitch:
    AssociationProperty: ALIYUN::ECS::VSwitch::VSwitchId
    Type: String
    Description: Please search the business VSwitch ID starts with(vsw-xxx)from console-Virtual Private Cloud-VSwitches
    Label: Existing VSwitch ID
    AssociationPropertyMetadata:
      VpcId: VPC
      ZoneId: ZoneId
Resources:
  ServiceMesh:
    Type: ALIYUN::ASM::ServiceMesh
    Properties:
      VpcId:
        Ref: VPC
      VSwitches:
        - Ref: VSwitch
Outputs:
  ServiceMeshId:
    Description: The ID of the ASM instance.
    Value:
      Fn::GetAtt:
        - ServiceMesh
        - ServiceMeshId
JSON format
{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
    "ZoneId": {
      "Type": "String",
      "Description": "Create an Availability Zone for an instance to ensure that the Availability Zone supports the creation of Memcache resource specifications.",
      "AssociationProperty": "ALIYUN::ECS::Instance::ZoneId",
      "Label": "Zone ID"
    },
    "VPC": {
      "AssociationProperty": "ALIYUN::ECS::VPC::VPCId",
      "Type": "String",
      "Description": "Please search the ID starts with (vpc-xxx)from console-Virtual Private Cloud",
      "Label": "Existing VPC Instance ID"
    },
    "VSwitch": {
      "AssociationProperty": "ALIYUN::ECS::VSwitch::VSwitchId",
      "Type": "String",
      "Description": "Please search the business VSwitch ID starts with(vsw-xxx)from console-Virtual Private Cloud-VSwitches",
      "Label": "Existing VSwitch ID",
      "AssociationPropertyMetadata": {
        "VpcId": "VPC",
        "ZoneId": "ZoneId"
      }
    }
  },
  "Resources": {
    "ServiceMesh": {
      "Type": "ALIYUN::ASM::ServiceMesh",
      "Properties": {
        "VpcId": {
          "Ref": "VPC"
        },
        "VSwitches": [
          {
            "Ref": "VSwitch"
          }
        ]
      }
    }
  },
  "Outputs": {
    "ServiceMeshId": {
      "Description": "The ID of the ASM instance.",
      "Value": {
        "Fn::GetAtt": [
          "ServiceMesh",
          "ServiceMeshId"
        ]
      }
    }
  }
}
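Pre-deployment check over a parsed ROS template, added here as an example (not Alibaba Cloud code): it flags the Internet-exposure switches ApiServerPublicEip and PilotPublicEip, audit and access logging that is not switched on, and CA private keys (ExistingCaKey, ExistingRootCaKey) written inline rather than passed through a masked parameter. Assumptions: requiring EnableAudit and AccessLogEnabled is a local policy choice, NoEcho is the ROS parameter attribute relied on to mask the key value, and both sample templates are constructed.

```python
import json

RESOURCE_TYPE = "ALIYUN::ASM::ServiceMesh"
PUBLIC_FLAGS = ("ApiServerPublicEip", "PilotPublicEip")    # Internet exposure
REQUIRED_ON = ("EnableAudit", "AccessLogEnabled")          # local policy choice
KEY_PROPS = ("ExistingCaKey", "ExistingRootCaKey")         # CA private keys

def is_true(value):
    """Accept JSON true as well as the string form "true"."""
    return value is True or str(value).lower() == "true"

def lint_template(template):
    """Return sorted (resource, property, finding) tuples for a parsed template."""
    findings = []
    params = template.get("Parameters", {})
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != RESOURCE_TYPE:
            continue
        props = res.get("Properties", {})
        for flag in PUBLIC_FLAGS:
            if is_true(props.get(flag)):
                findings.append((name, flag, "exposed to the Internet"))
        for flag in REQUIRED_ON:
            if not is_true(props.get(flag)):
                findings.append((name, flag, "not set to true"))
        for key in KEY_PROPS:
            value = props.get(key)
            if value is None:
                continue
            if not (isinstance(value, dict) and "Ref" in value):
                findings.append((name, key, "private key inline in template"))
            elif not is_true(params.get(value["Ref"], {}).get("NoEcho")):
                findings.append((name, key, "parameter lacks NoEcho"))
    return sorted(findings)

# Constructed sample templates (not from the page); key material is a placeholder.
WEAK = json.loads("""{
  "Resources": {"Mesh": {"Type": "ALIYUN::ASM::ServiceMesh", "Properties": {
    "VpcId": "vpc-xxx", "VSwitches": ["vsw-xxx"],
    "ApiServerPublicEip": true, "PilotPublicEip": "true",
    "UseExistingCA": true, "ExistingCaKey": "<PLACEHOLDER-PRIVATE-KEY>"}}}}""")
HARDENED = json.loads("""{
  "Parameters": {"CaKey": {"Type": "String", "NoEcho": true}},
  "Resources": {"Mesh": {"Type": "ALIYUN::ASM::ServiceMesh", "Properties": {
    "VpcId": "vpc-xxx", "VSwitches": ["vsw-xxx"],
    "ApiServerPublicEip": false, "PilotPublicEip": false,
    "EnableAudit": true, "AccessLogEnabled": true,
    "UseExistingCA": true, "ExistingCaKey": {"Ref": "CaKey"}}}}}""")

if __name__ == "__main__":
    for finding in lint_template(WEAK):
        print(finding)
```

The check reads only what the template states explicitly; it does not know the service defaults, so a logging property that is absent is reported as "not set to true" rather than as disabled.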