Use ALIYUN::ASM::ServiceMesh to create an ASM instance - Resource Orchestration Service

ALIYUN::ASM::ServiceMesh is used to create an Alibaba Cloud Service Mesh (ASM) instance.

Syntax

{
  "Type": "ALIYUN::ASM::ServiceMesh",
  "Properties": {
    "EnableAudit": Boolean,
    "OPA": Map,
    "IstioVersion": String,
    "ApiServerPublicEip": Boolean,
    "LocalityLoadBalancing": Boolean,
    "Telemetry": Boolean,
    "OutboundTrafficPolicy": String,
    "AuditProject": String,
    "TraceSampling": Number,
    "Name": String,
    "Proxy": Map,
    "VpcId": String,
    "PilotPublicEip": Boolean,
    "IncludeIPRanges": String,
    "VSwitches": List,
    "Tracing": Boolean,
    "CustomizedZipkin": Boolean,
    "EnableACMG": Boolean,
    "CustomizedPrometheus": Boolean,
    "MSEEnabled": Boolean,
    "WebAssemblyFilterEnabled": Boolean,
    "CRAggregationEnabled": Boolean,
    "CertChain": String,
    "ConfigSourceNacosID": String,
    "ConfigSourceEnabled": Boolean,
    "EnableSDSServer": Boolean,
    "DNSProxyingEnabled": Boolean,
    "OpaEnabled": Boolean,
    "LocalityLBConf": String,
    "GuestCluster": String,
    "KialiEnabled": Boolean,
    "ControlPlaneLogEnabled": Boolean,
    "EnableAmbient": Boolean,
    "ExistingCaKey": String,
    "ApiServerLoadBalancerSpec": String,
    "ExcludeIPRanges": String,
    "FilterGatewayClusterConfig": Boolean,
    "PilotLoadBalancerSpec": String,
    "AutoRenew": Boolean,
    "AccessLogServiceEnabled": Boolean,
    "ExistingRootCaCert": String,
    "MysqlFilterEnabled": Boolean,
    "GatewayAPIEnabled": Boolean,
    "ControlPlaneLogProject": String,
    "Edition": String,
    "UseExistingCA": Boolean,
    "ChargeType": String,
    "ExistingCaType": String,
    "PlaygroundScene": String,
    "AccessLogEnabled": Boolean,
    "AccessLogProject": String,
    "ExistingRootCaKey": String,
    "ExistingCaCert": String,
    "Period": Number,
    "ExcludeInboundPorts": String,
    "ClusterSpec": String,
    "MultiBufferPollDelay": String,
    "AccessLogServicePort": Integer,
    "ExcludeOutboundPorts": String,
    "PrometheusUrl": String,
    "AccessLogFormat": String,
    "DubboFilterEnabled": Boolean,
    "AutoRenewPeriod": Integer,
    "AccessLogFile": String,
    "MultiBufferEnabled": Boolean,
    "EnableCRHistory": Boolean,
    "AccessLogServiceHost": String
  }
}

Properties

Property name	Type	Required	Allowed update	Description	Constraints
VpcId	String	Yes	No	The ID of the virtual private cloud (VPC) in which the instance resides.	None
VSwitches	List	Yes	No	The ID of the vSwitch.	None
ApiServerPublicEip	Boolean	No	No	Specifies whether to expose the API server to the Internet.	Valid values: true false (default value)
AuditProject	String	No	Yes	The name of the log project that is used for mesh audit.	Default value: mesh-log-{meshId}.
EnableACMG	Boolean	No	No	Specifies whether to enable ACMG mode.	None
CustomizedPrometheus	Boolean	No	No	Specifies whether to customize Prometheus.	Valid values: `true`: Customize Prometheus. `false`: Do not customize Prometheus. Default value: `false`.
MSEEnabled	Boolean	No	No	Specifies whether to enable MSE Microservices Engine.	Valid values: `true`: Enable MSE Microservices Engine. `false`: Do not enable MSE Microservices Engine. Default value: `false`.
WebAssemblyFilterEnabled	Boolean	No	No	Specifies whether to enable WebAssembly Filter.	Valid values: `true`: Enable WebAssembly Filter. `false`: Do not enable WebAssembly Filter. Default value: `false`.
CRAggregationEnabled	Boolean	No	No	Specifies whether to enable the data plane cluster Kubernetes API to access Istio resources.	Valid values: `true`: Enable the data plane cluster Kubernetes API to access Istio resources. `false`: Do not enable the data plane cluster Kubernetes API to access Istio resources. Default value: `false`.
CertChain	String	No	No	The certificate chain from CaCert to RootCert, which must contain at least two certificates.	None
ConfigSourceNacosID	String	No	No	The instance ID of the Nacos service registry.	None
ConfigSourceEnabled	Boolean	No	No	Specifies whether to enable an external service registry.	Valid values: `true`: Enable an external service registry. `false`: Do not enable an external service registry. Default value: `false`.
EnableSDSServer	Boolean	No	No	Specifies whether to enable the SDS service.	Valid values: `true`: Enable the SDS service. `false`: Do not enable the SDS service. Default value: `false`.
DNSProxyingEnabled	Boolean	No	No	Specifies whether to enable DNS proxying.	Valid values: `true`: Enable DNS proxying. `false`: Do not enable DNS proxying. Default value: `false`.
OpaEnabled	Boolean	No	No	Specifies whether to enable OPA.	Valid values: `true`: Enable OPA. `false`: Do not enable OPA. Default value: `false`.
LocalityLBConf	String	No	No	Configuration for routing traffic to the nearest instance.	None
GuestCluster	String	No	No	You can select a cluster to join the mesh when the mesh is created. If this parameter is empty, no cluster is added.	The cluster must be in the same VPC and vSwitch as the mesh, and the cluster domain name must be the same.
KialiEnabled	Boolean	No	No	Specifies whether to enable mesh topology.	Valid values: `true`: Enable mesh topology. `false`: Do not enable mesh topology. Default value: `false`.
ControlPlaneLogEnabled	Boolean	No	No	Specifies whether to enable control plane log collection.	Valid values: `true`: Enable control plane log collection. `false`: Do not enable control plane log collection. Default value: `false`.
EnableAmbient	Boolean	No	No	Specifies whether to enable Ambient Mesh mode for the service mesh instance.	None
ExistingCaKey	String	No	No	CA Key.	This parameter is generally used when migrating a self-managed Istio to ASM. It corresponds to the content of the ca-key.pem file in the secret named istio-ca-secret in the istio-system namespace of the self-managed Istio cluster.
ApiServerLoadBalancerSpec	String	No	No	The specifications of the CLB that is bound to the API server.	Valid values: small I (`slb.s1.small`), medium I (`slb.s2.small`), medium II (`slb.s2.medium`), large I (`slb.s3.small`), large II (`slb.s3.medium`), super large I (`slb.s3.large`).
ExcludeIPRanges	String	No	No	The IP address ranges blocked for external access.	None
FilterGatewayClusterConfig	Boolean	No	No	Specifies whether to enable Gateway configuration filtering.	Valid values: `true`: Enable Gateway configuration filtering. `false`: Do not enable Gateway configuration filtering. Default value: `false`.
PilotLoadBalancerSpec	String	No	No	The specifications of the CLB that is bound to the Istio Pilot of the service mesh control plane.	Valid values: small I (`slb.s1.small`), medium I (`slb.s2.small`), medium II (`slb.s2.medium`), large I (`slb.s3.small`), large II (`slb.s3.medium`), super large I (`slb.s3.large`).
AutoRenew	Boolean	No	No	Specifies whether to enable auto-renewal when the CLB is of the subscription type.	Valid values: `true`: Enable auto-renewal. `false`: Do not enable auto-renewal.
AccessLogServiceEnabled	Boolean	No	No	Specifies whether to enable the gRPC access log service (ALS) of Envoy.	Valid values: `true`: Enable the gRPC access log service of Envoy. `false`: Do not enable the gRPC access log service of Envoy. Default value: `false`.
ExistingRootCaCert	String	No	No	The existing root certificate.	None
MysqlFilterEnabled	Boolean	No	No	Specifies whether to enable MysqlFilter.	Valid values: `true`: Enable MysqlFilter. `false`: Do not enable MysqlFilter. Default value: `false`.
GatewayAPIEnabled	Boolean	No	No	Specifies whether to enable Gateway API.	Valid values: `true`: Enable Gateway API. `false`: Do not enable Gateway API. Default value: `false`.
ControlPlaneLogProject	String	No	No	The SLS project for control plane log collection.	None
Edition	String	No	No	The version of the ASM instance.	None
UseExistingCA	Boolean	No	No	Specifies whether to use an existing CA certificate and private key.	None
ChargeType	String	No	No	The billing method of the CLB.	Valid values: `PayOnDemand`: Pay-as-you-go. `PrePay`: Subscription.
ExistingCaType	String	No	No	The type of the existing certificate.	1: Istiod self-signed certificate. Corresponds to the secret named istio-ca-secret in the istio-system namespace. If you use this type, you must also provide the `ExistingCaCert` and `ExsitingCaKey` parameters. 2: Istiod external certificate. For more information, see plugin ca cert. Generally corresponds to the secret named cacerts in the istio-system namespace. If you use this type, you must also provide the `ExisingRootCaCert` and `ExisingRootCaKey` parameters.
PlaygroundScene	String	No	No	Playground scenario.	Optional values: ewmaLb: ewma load balancing scenario
AccessLogEnabled	Boolean	No	No	Specifies whether to enable access logs.	Valid values: `true`: Enable access logs. `false`: Do not enable access logs. Default value: `false`.
AccessLogProject	String	No	No	The SLS project for access log collection.	None
ExistingRootCaKey	String	No	No	The private key corresponding to the existing root certificate.	None
ExistingCaCert	String	No	No	CA certificate (Base64 Encode format).	This parameter is generally used when migrating a self-managed Istio to ASM. It corresponds to the content of the ca-cert.pem file in the secret named istio-ca-secret in the istio-system namespace of the self-managed Istio cluster.
Period	Number	No	No	Specifies the number of months for which the subscription-based CLB is purchased.	This parameter takes effect when `ChargeType` is set to `PrePay`. If the subscription duration is one year, enter 12.
ExcludeInboundPorts	String	No	No	A list of inbound ports separated by commas (,).	None
ClusterSpec	String	No	No	The instance type of the service mesh.	Valid values: `standard`: Standard Edition. `enterprise`: Enterprise Edition. `ultimate`: Ultimate.
MultiBufferPollDelay	String	No	No	The synchronization time for enabling MultiBuffer.	Default `30s`.
AccessLogServicePort	Integer	No	No	The port for enabling the gRPC access log service (ALS) of Envoy.	None
ExcludeOutboundPorts	String	No	No	A list of outbound ports separated by commas (,).	None
PrometheusUrl	String	No	No	The endpoint of the customized Prometheus service.	None
AccessLogFormat	String	No	No	The format of the customized access log.	This string must be in JSON format and must contain at least the following key-value pairs: authority_for, bytes_received, bytes_sent, downstream_local_address, downstream_remote_address, duration, istio_policy_status, method, path, protocol, requested_server_name, response_code, response_flags, route_name, start_time, trace_id, upstream_cluster, upstream_host, upstream_local_address, upstream_service_time, upstream_transport_failure_reason, user_agent, x_forwarded_for. Example: {"authority_for":"%REQ(:AUTHORITY)%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","downstream_local_address":"%DOWNSTREAM_LOCAL_ADDRESS%","downstream_remote_address":"%DOWNSTREAM_REMOTE_ADDRESS%","duration":"%DURATION%","istio_policy_status":"%DYNAMIC_METADATA(istio.mixer:status)%","method":"%REQ(:METHOD)%","path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","protocol":"%PROTOCOL%","request_id":"%REQ(X-REQUEST-ID)%","requested_server_name":"%REQUESTED_SERVER_NAME%","response_code":"%RESPONSE_CODE%","response_flags":"%RESPONSE_FLAGS%","route_name":"%ROUTE_NAME%","start_time":"%START_TIME%","trace_id":"%REQ(X-B3-TRACEID)%","upstream_cluster":"%UPSTREAM_CLUSTER%","upstream_host":"%UPSTREAM_HOST%","upstream_local_address":"%UPSTREAM_LOCAL_ADDRESS%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_transport_failure_reason":"%UPSTREAM_TRANSPORT_FAILURE_REASON%","user_agent":"%REQ(USER-AGENT)%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%"}
DubboFilterEnabled	Boolean	No	No	Specifies whether to enable DubboFilter.	Valid values: `true`: Enable DubboFilter. `false`: Do not enable DubboFilter. Default value: `false`.
AutoRenewPeriod	Integer	No	No	Specifies the auto-renewal period when the subscription-based CLB is purchased.	This parameter takes effect when `ChargeType` is set to `PrePay`. If the subscription duration is less than one year, this parameter specifies the number of months for auto-renewal. If the subscription duration exceeds one year, this parameter specifies the number of years for auto-renewal.
AccessLogFile	String	No	No	Enables or disables access logs.	Valid values: “”: Disable access logs. `/dev/stdout`: Enable access logs.
MultiBufferEnabled	Boolean	No	No	Specifies whether to enable TLS performance optimization based on MultiBuffer.	Valid values: `true`: Enable. `false`: Do not enable. Default value: `true`.
EnableCRHistory	Boolean	No	No	Specifies whether to enable the history version management feature for Istio resources in ASM.	Valid values: `true`: Enable the history version management feature for Istio resources in ASM. `false`: Do not enable the history version management feature for Istio resources in ASM. Default value: `false`.
AccessLogServiceHost	String	No	No	The endpoint for enabling the gRPC access log service (ALS) of Envoy.	None
CustomizedZipkin	Boolean	No	Yes	Specifies whether to enable self-managed Zipkin.	Valid values: true false
EnableAudit	Boolean	No	Yes	Specifies whether to enable the mesh audit feature.	Valid values: true false (default value) Note To enable this feature, make sure that Log Service is activated.
IncludeIPRanges	String	No	Yes	The IP address ranges of external services to which traffic is intercepted.	None
IstioVersion	String	No	No	The Istio version of the instance.	None
LocalityLoadBalancing	Boolean	No	Yes	Specifies whether to route traffic to the nearest instance.	Valid values: true false (default value)
Name	String	No	No	The name of the instance.	None
OPA	Map	No	Yes	The configurations of the Open Policy Agent (OPA) plug-in.	For more information, see OPA properties.
OutboundTrafficPolicy	String	No	Yes	The outbound traffic policy.	Valid values: ALLOW_ANY REGISTRY_ONLY
PilotPublicEip	Boolean	No	No	Specifies whether to expose Istio Pilot to the Internet.	Valid values: true false (default value)
Proxy	Map	No	Yes	Proxy.	For more information, see Proxy properties.
Telemetry	Boolean	No	Yes	Specifies whether to enable Prometheus monitoring.	We recommend that you use Managed Service for Prometheus (Prometheus).
TraceSampling	Number	No	Yes	The sampling percentage of Managed Service for OpenTelemetry.	None
Tracing	Boolean	No	Yes	Specifies whether to enable the tracing analysis feature.	Valid values: true false (default value) Note To enable this feature, make sure that Tracing Analysis is activated.

Opa syntax

"OPA": {
  "OPARequestCPU": String,
  "OpenAgentPolicy": Boolean,
  "OPALogLevel": String,
  "OPALimitCPU": String,
  "OPALimitMemory": String,
  "OPARequestMemory": String
}

Opa properties

Property name	Type	Required	Allowed update	Description	Constraints
OPALimitCPU	String	No	Yes	The CPU limit of the OPA container.	None
OPALimitMemory	String	No	Yes	The memory limit of the OPA container.	None
OPALogLevel	String	No	Yes	The log level of the OPA container.	None
OPARequestCPU	String	No	Yes	The CPU request of the OPA container.	None
OPARequestMemory	String	No	Yes	The memory request of the OPA container.	None
OpenAgentPolicy	Boolean	No	Yes	Specifies whether to install the OPA plug-in.	Valid values: true false (default value)

Proxy syntax

"Proxy": {
  "ClusterDomain": String,
  "ProxyLimitCPU": String,
  "ProxyLimitMemory": String,
  "ProxyRequestCPU": String,
  "ProxyRequestMemory": String
}

Proxy properties

Property name	Type	Required	Allowed update	Description	Constraints
ClusterDomain	String	No	Yes	The domain name of the cluster.	None
ProxyLimitCPU	String	No	Yes	The CPU limit of the proxy.	None
ProxyLimitMemory	String	No	Yes	The memory limit of the proxy.	None
ProxyRequestCPU	String	No	Yes	The CPU request of the proxy.	None
ProxyRequestMemory	String	No	Yes	The memory request of the proxy.	None

Return values

Fn::GetAtt

ServiceMeshId: The ID of the instance.

Example

`Yaml` format

ROSTemplateFormatVersion: '2015-09-01'
Parameters:
  ZoneId:
    Type: String
    Description: Create an Availability Zone for an instance to ensure that the Availability Zone supports the creation of Memcache resource specifications.
    AssociationProperty: ALIYUN::ECS::Instance::ZoneId
    Label: Zone ID
  VPC:
    AssociationProperty: ALIYUN::ECS::VPC::VPCId
    Type: String
    Description: Please search the ID starts with (vpc-xxx)from console-Virtual Private Cloud
    Label: Existing VPC Instance ID
  VSwitch:
    AssociationProperty: ALIYUN::ECS::VSwitch::VSwitchId
    Type: String
    Description: Please search the business VSwitch ID starts with(vsw-xxx)from console-Virtual Private Cloud-VSwitches
    Label: Existing VSwitch ID
    AssociationPropertyMetadata:
      VpcId: VPC
      ZoneId: ZoneId
Resources:
  ServiceMesh:
    Type: ALIYUN::ASM::ServiceMesh
    Properties:
      VpcId:
        Ref: VPC
      VSwitches:
        - Ref: VSwitch
Outputs:
  ServiceMeshId:
    Description: The ID of the ASM instance.
    Value:
      Fn::GetAtt:
        - ServiceMesh
        - ServiceMeshId

`JSON` format

{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
    "ZoneId": {
      "Type": "String",
      "Description": "Create an Availability Zone for an instance to ensure that the Availability Zone supports the creation of Memcache resource specifications.",
      "AssociationProperty": "ALIYUN::ECS::Instance::ZoneId",
      "Label": "Zone ID"
    },
    "VPC": {
      "AssociationProperty": "ALIYUN::ECS::VPC::VPCId",
      "Type": "String",
      "Description": "Please search the ID starts with (vpc-xxx)from console-Virtual Private Cloud",
      "Label": "Existing VPC Instance ID"
    },
    "VSwitch": {
      "AssociationProperty": "ALIYUN::ECS::VSwitch::VSwitchId",
      "Type": "String",
      "Description": "Please search the business VSwitch ID starts with(vsw-xxx)from console-Virtual Private Cloud-VSwitches",
      "Label": "Existing VSwitch ID",
      "AssociationPropertyMetadata": {
        "VpcId": "VPC",
        "ZoneId": "ZoneId"
      }
    }
  },
  "Resources": {
    "ServiceMesh": {
      "Type": "ALIYUN::ASM::ServiceMesh",
      "Properties": {
        "VpcId": {
          "Ref": "VPC"
        },
        "VSwitches": [
          {
            "Ref": "VSwitch"
          }
        ]
      }
    }
  },
  "Outputs": {
    "ServiceMeshId": {
      "Description": "The ID of the ASM instance.",
      "Value": {
        "Fn::GetAtt": [
          "ServiceMesh",
          "ServiceMeshId"
        ]
      }
    }
  }
}

Syntax

Properties

Opa syntax

Opa properties

Proxy syntax

Proxy properties

Return values

Example

Yaml format

JSON format

`Yaml` format

`JSON` format