
Resource Orchestration Service: ALIYUN::ASM::ServiceMesh

Last Updated: Mar 24, 2025

ALIYUN::ASM::ServiceMesh is used to create an Alibaba Cloud Service Mesh (ASM) instance.

Syntax

{
  "Type": "ALIYUN::ASM::ServiceMesh",
  "Properties": {
    "EnableAudit": Boolean,
    "OPA": Map,
    "IstioVersion": String,
    "ApiServerPublicEip": Boolean,
    "LocalityLoadBalancing": Boolean,
    "Telemetry": Boolean,
    "OutboundTrafficPolicy": String,
    "AuditProject": String,
    "TraceSampling": Number,
    "Name": String,
    "Proxy": Map,
    "VpcId": String,
    "PilotPublicEip": Boolean,
    "IncludeIPRanges": String,
    "VSwitches": List,
    "Tracing": Boolean,
    "CustomizedZipkin": Boolean,
    "EnableACMG": Boolean,
    "CustomizedPrometheus": Boolean,
    "MSEEnabled": Boolean,
    "WebAssemblyFilterEnabled": Boolean,
    "CRAggregationEnabled": Boolean,
    "CertChain": String,
    "ConfigSourceNacosID": String,
    "ConfigSourceEnabled": Boolean,
    "EnableSDSServer": Boolean,
    "DNSProxyingEnabled": Boolean,
    "OpaEnabled": Boolean,
    "LocalityLBConf": String,
    "GuestCluster": String,
    "KialiEnabled": Boolean,
    "ControlPlaneLogEnabled": Boolean,
    "EnableAmbient": Boolean,
    "ExistingCaKey": String,
    "ApiServerLoadBalancerSpec": String,
    "ExcludeIPRanges": String,
    "FilterGatewayClusterConfig": Boolean,
    "PilotLoadBalancerSpec": String,
    "AutoRenew": Boolean,
    "AccessLogServiceEnabled": Boolean,
    "ExistingRootCaCert": String,
    "MysqlFilterEnabled": Boolean,
    "GatewayAPIEnabled": Boolean,
    "ControlPlaneLogProject": String,
    "Edition": String,
    "UseExistingCA": Boolean,
    "ChargeType": String,
    "ExistingCaType": String,
    "PlaygroundScene": String,
    "AccessLogEnabled": Boolean,
    "AccessLogProject": String,
    "ExistingRootCaKey": String,
    "ExistingCaCert": String,
    "Period": Number,
    "ExcludeInboundPorts": String,
    "ClusterSpec": String,
    "MultiBufferPollDelay": String,
    "AccessLogServicePort": Integer,
    "ExcludeOutboundPorts": String,
    "PrometheusUrl": String,
    "AccessLogFormat": String,
    "DubboFilterEnabled": Boolean,
    "AutoRenewPeriod": Integer,
    "AccessLogFile": String,
    "MultiBufferEnabled": Boolean,
    "EnableCRHistory": Boolean,
    "AccessLogServiceHost": String
  }
}

Properties

Each entry gives the property name, its type, whether it is required, whether it can be changed after the instance is created (Allowed update), its description, and its constraints.

VpcId | Type: String | Required: Yes | Allowed update: No
  The ID of the virtual private cloud (VPC) in which the instance resides.

VSwitches | Type: List | Required: Yes | Allowed update: No
  The IDs of the vSwitches in which the instance resides.

ApiServerPublicEip | Type: Boolean | Required: No | Allowed update: No
  Specifies whether to expose the API server to the Internet. Leave this set to false unless clients outside the VPC must reach the API server.
  Valid values:
    • true
    • false (default value)

AuditProject | Type: String | Required: No | Allowed update: Yes
  The name of the Log Service project that is used for mesh audit.
  Default value: mesh-log-{meshId}

EnableACMG | Type: Boolean | Required: No | Allowed update: No
  Specifies whether to enable ACMG mode.

CustomizedPrometheus | Type: Boolean | Required: No | Allowed update: No
  Specifies whether to use a customized (self-managed) Prometheus service. If true, set PrometheusUrl to its endpoint.
  Valid values:
    • true: Use a customized Prometheus service.
    • false: Do not use a customized Prometheus service.
  Default value: false

MSEEnabled | Type: Boolean | Required: No | Allowed update: No
  Specifies whether to enable Microservices Engine (MSE).
  Valid values:
    • true: Enable MSE.
    • false: Do not enable MSE.
  Default value: false

WebAssemblyFilterEnabled | Type: Boolean | Required: No | Allowed update: No
  Specifies whether to enable the WebAssembly filter.
  Valid values:
    • true: Enable the WebAssembly filter.
    • false: Do not enable the WebAssembly filter.
  Default value: false

CRAggregationEnabled | Type: Boolean | Required: No | Allowed update: No
  Specifies whether Istio resources can be accessed through the Kubernetes API of the data plane cluster.
  Valid values:
    • true: Istio resources can be accessed through the Kubernetes API of the data plane cluster.
    • false: Istio resources cannot be accessed through the Kubernetes API of the data plane cluster.
  Default value: false

CertChain | Type: String | Required: No | Allowed update: No
  The certificate chain from the CA certificate to the root certificate. It must contain at least two certificates.

ConfigSourceNacosID | Type: String | Required: No | Allowed update: No
  The instance ID of the Nacos service registry.

ConfigSourceEnabled | Type: Boolean | Required: No | Allowed update: No
  Specifies whether to enable an external service registry.
  Valid values:
    • true: Enable an external service registry.
    • false: Do not enable an external service registry.
  Default value: false

EnableSDSServer | Type: Boolean | Required: No | Allowed update: No
  Specifies whether to enable the Secret Discovery Service (SDS).
  Valid values:
    • true: Enable SDS.
    • false: Do not enable SDS.
  Default value: false

DNSProxyingEnabled | Type: Boolean | Required: No | Allowed update: No
  Specifies whether to enable DNS proxying.
  Valid values:
    • true: Enable DNS proxying.
    • false: Do not enable DNS proxying.
  Default value: false

OpaEnabled | Type: Boolean | Required: No | Allowed update: No
  Specifies whether to enable Open Policy Agent (OPA).
  Valid values:
    • true: Enable OPA.
    • false: Do not enable OPA.
  Default value: false

LocalityLBConf | Type: String | Required: No | Allowed update: No
  The configuration for locality-based load balancing, which routes traffic to the nearest instance.

GuestCluster | Type: String | Required: No | Allowed update: No
  The cluster that joins the mesh when the mesh is created. If this parameter is empty, no cluster is added.
  Constraints: The cluster must be in the same VPC and vSwitch as the mesh, and its cluster domain name must match that of the mesh.

KialiEnabled | Type: Boolean | Required: No | Allowed update: No
  Specifies whether to enable mesh topology (Kiali).
  Valid values:
    • true: Enable mesh topology.
    • false: Do not enable mesh topology.
  Default value: false

ControlPlaneLogEnabled | Type: Boolean | Required: No | Allowed update: No
  Specifies whether to enable control plane log collection.
  Valid values:
    • true: Enable control plane log collection.
    • false: Do not enable control plane log collection.
  Default value: false

EnableAmbient | Type: Boolean | Required: No | Allowed update: No
  Specifies whether to enable Ambient Mesh mode for the service mesh instance.

ExistingCaKey | Type: String | Required: No | Allowed update: No
  The CA private key.
  Constraints: This parameter is generally used when migrating a self-managed Istio cluster to ASM. It corresponds to the content of the ca-key.pem file in the secret named istio-ca-secret in the istio-system namespace of the self-managed Istio cluster. This is private key material: do not place it in the template as a literal; pass it in as a NoEcho parameter or from a secret store.

ApiServerLoadBalancerSpec | Type: String | Required: No | Allowed update: No
  The specification of the Classic Load Balancer (CLB) instance that is bound to the API server.
  Valid values: slb.s1.small (small I), slb.s2.small (medium I), slb.s2.medium (medium II), slb.s3.small (large I), slb.s3.medium (large II), slb.s3.large (super large I)

ExcludeIPRanges | Type: String | Required: No | Allowed update: No
  The IP address ranges that are excluded from sidecar traffic interception. Outbound traffic to these ranges bypasses the proxy.

FilterGatewayClusterConfig | Type: Boolean | Required: No | Allowed update: No
  Specifies whether to enable gateway configuration filtering.
  Valid values:
    • true: Enable gateway configuration filtering.
    • false: Do not enable gateway configuration filtering.
  Default value: false

PilotLoadBalancerSpec | Type: String | Required: No | Allowed update: No
  The specification of the CLB instance that is bound to Istio Pilot in the service mesh control plane.
  Valid values: slb.s1.small (small I), slb.s2.small (medium I), slb.s2.medium (medium II), slb.s3.small (large I), slb.s3.medium (large II), slb.s3.large (super large I)

AutoRenew | Type: Boolean | Required: No | Allowed update: No
  Specifies whether to enable auto-renewal for the CLB instance when ChargeType is PrePay (subscription).
  Valid values:
    • true: Enable auto-renewal.
    • false: Do not enable auto-renewal.

AccessLogServiceEnabled | Type: Boolean | Required: No | Allowed update: No
  Specifies whether to enable the gRPC access log service (ALS) of Envoy. If true, set AccessLogServiceHost and AccessLogServicePort.
  Valid values:
    • true: Enable the gRPC access log service of Envoy.
    • false: Do not enable the gRPC access log service of Envoy.
  Default value: false

ExistingRootCaCert | Type: String | Required: No | Allowed update: No
  The existing root CA certificate.
  Constraints: Required when ExistingCaType is 2.

MysqlFilterEnabled | Type: Boolean | Required: No | Allowed update: No
  Specifies whether to enable the MySQL filter.
  Valid values:
    • true: Enable the MySQL filter.
    • false: Do not enable the MySQL filter.
  Default value: false

GatewayAPIEnabled | Type: Boolean | Required: No | Allowed update: No
  Specifies whether to enable the Kubernetes Gateway API.
  Valid values:
    • true: Enable the Gateway API.
    • false: Do not enable the Gateway API.
  Default value: false

ControlPlaneLogProject | Type: String | Required: No | Allowed update: No
  The Log Service (SLS) project for control plane log collection.

Edition | Type: String | Required: No | Allowed update: No
  The edition of the ASM instance.

UseExistingCA | Type: Boolean | Required: No | Allowed update: No
  Specifies whether to use an existing CA certificate and private key. If true, set ExistingCaType and the certificate parameters that it requires.

ChargeType | Type: String | Required: No | Allowed update: No
  The billing method of the CLB instance.
  Valid values:
    • PayOnDemand: pay-as-you-go
    • PrePay: subscription

ExistingCaType | Type: String | Required: No | Allowed update: No
  The type of the existing CA certificate.
  Valid values:
    • 1: Istiod self-signed certificate. Corresponds to the secret named istio-ca-secret in the istio-system namespace. If you use this type, you must also provide ExistingCaCert and ExistingCaKey.
    • 2: Istiod external (plug-in) certificate. For more information, see Plug in CA Certificates in the Istio documentation. Generally corresponds to the secret named cacerts in the istio-system namespace. If you use this type, you must also provide ExistingRootCaCert and ExistingRootCaKey.

PlaygroundScene | Type: String | Required: No | Allowed update: No
  The playground scenario.
  Valid values:
    • ewmaLb: EWMA load balancing scenario

AccessLogEnabled | Type: Boolean | Required: No | Allowed update: No
  Specifies whether to enable access logs.
  Valid values:
    • true: Enable access logs.
    • false: Do not enable access logs.
  Default value: false

AccessLogProject | Type: String | Required: No | Allowed update: No
  The Log Service (SLS) project for access log collection.

ExistingRootCaKey | Type: String | Required: No | Allowed update: No
  The private key that corresponds to the existing root CA certificate.
  Constraints: Required when ExistingCaType is 2. This is private key material; handle it the same way as ExistingCaKey.

ExistingCaCert | Type: String | Required: No | Allowed update: No
  The Base64-encoded CA certificate.
  Constraints: This parameter is generally used when migrating a self-managed Istio cluster to ASM. It corresponds to the content of the ca-cert.pem file in the secret named istio-ca-secret in the istio-system namespace of the self-managed Istio cluster.

Period | Type: Number | Required: No | Allowed update: No
  The subscription duration of the CLB instance, in months.
  Constraints: This parameter takes effect only when ChargeType is set to PrePay. For a one-year subscription, enter 12.

ExcludeInboundPorts | Type: String | Required: No | Allowed update: No
  A comma-separated list of inbound ports that are excluded from sidecar proxy interception.

ClusterSpec | Type: String | Required: No | Allowed update: No
  The instance type of the service mesh.
  Valid values:
    • standard: Standard Edition
    • enterprise: Enterprise Edition
    • ultimate: Ultimate Edition

MultiBufferPollDelay | Type: String | Required: No | Allowed update: No
  The polling delay that is used when MultiBuffer is enabled.
  Default value: 30s

AccessLogServicePort | Type: Integer | Required: No | Allowed update: No
  The port of the gRPC access log service (ALS) of Envoy.

ExcludeOutboundPorts | Type: String | Required: No | Allowed update: No
  A comma-separated list of outbound ports that are excluded from sidecar proxy interception.

PrometheusUrl | Type: String | Required: No | Allowed update: No
  The endpoint of the customized Prometheus service.

AccessLogFormat | Type: String | Required: No | Allowed update: No
  The format of the customized access log.
  Constraints: The value must be a JSON string that contains at least the following keys: authority_for, bytes_received, bytes_sent, downstream_local_address, downstream_remote_address, duration, istio_policy_status, method, path, protocol, requested_server_name, response_code, response_flags, route_name, start_time, trace_id, upstream_cluster, upstream_host, upstream_local_address, upstream_service_time, upstream_transport_failure_reason, user_agent, x_forwarded_for.
  Example:
  {"authority_for":"%REQ(:AUTHORITY)%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","downstream_local_address":"%DOWNSTREAM_LOCAL_ADDRESS%","downstream_remote_address":"%DOWNSTREAM_REMOTE_ADDRESS%","duration":"%DURATION%","istio_policy_status":"%DYNAMIC_METADATA(istio.mixer:status)%","method":"%REQ(:METHOD)%","path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","protocol":"%PROTOCOL%","request_id":"%REQ(X-REQUEST-ID)%","requested_server_name":"%REQUESTED_SERVER_NAME%","response_code":"%RESPONSE_CODE%","response_flags":"%RESPONSE_FLAGS%","route_name":"%ROUTE_NAME%","start_time":"%START_TIME%","trace_id":"%REQ(X-B3-TRACEID)%","upstream_cluster":"%UPSTREAM_CLUSTER%","upstream_host":"%UPSTREAM_HOST%","upstream_local_address":"%UPSTREAM_LOCAL_ADDRESS%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_transport_failure_reason":"%UPSTREAM_TRANSPORT_FAILURE_REASON%","user_agent":"%REQ(USER-AGENT)%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%"}

DubboFilterEnabled | Type: Boolean | Required: No | Allowed update: No
  Specifies whether to enable the Dubbo filter.
  Valid values:
    • true: Enable the Dubbo filter.
    • false: Do not enable the Dubbo filter.
  Default value: false

AutoRenewPeriod | Type: Integer | Required: No | Allowed update: No
  The auto-renewal period of the subscription CLB instance.
  Constraints: This parameter takes effect only when ChargeType is set to PrePay. If the subscription duration is less than one year, the value is a number of months; if the subscription duration exceeds one year, the value is a number of years.

AccessLogFile | Type: String | Required: No | Allowed update: No
  Enables or disables access logs.
  Valid values:
    • "" (empty string): Disable access logs.
    • /dev/stdout: Enable access logs.

MultiBufferEnabled | Type: Boolean | Required: No | Allowed update: No
  Specifies whether to enable MultiBuffer-based TLS performance optimization.
  Valid values:
    • true: Enable.
    • false: Do not enable.
  Default value: true

EnableCRHistory | Type: Boolean | Required: No | Allowed update: No
  Specifies whether to enable version history management for Istio resources in ASM.
  Valid values:
    • true: Enable version history management for Istio resources in ASM.
    • false: Do not enable version history management for Istio resources in ASM.
  Default value: false

AccessLogServiceHost | Type: String | Required: No | Allowed update: No
  The endpoint of the gRPC access log service (ALS) of Envoy.

CustomizedZipkin | Type: Boolean | Required: No | Allowed update: Yes
  Specifies whether to use a self-managed Zipkin service.
  Valid values:
    • true
    • false

EnableAudit | Type: Boolean | Required: No | Allowed update: Yes
  Specifies whether to enable the mesh audit feature.
  Valid values:
    • true
    • false (default value)
  Note: To enable this feature, make sure that Log Service is activated.

IncludeIPRanges | Type: String | Required: No | Allowed update: Yes
  The IP address ranges whose outbound traffic is intercepted by the sidecar proxy.

IstioVersion | Type: String | Required: No | Allowed update: No
  The Istio version of the instance.

LocalityLoadBalancing | Type: Boolean | Required: No | Allowed update: Yes
  Specifies whether to route traffic to the nearest instance (locality-based load balancing).
  Valid values:
    • true
    • false (default value)

Name | Type: String | Required: No | Allowed update: No
  The name of the instance.

OPA | Type: Map | Required: No | Allowed update: Yes
  The configurations of the Open Policy Agent (OPA) plug-in. For more information, see OPA properties.

OutboundTrafficPolicy | Type: String | Required: No | Allowed update: Yes
  The outbound traffic policy of the sidecar proxies.
  Valid values:
    • ALLOW_ANY: Sidecars can send traffic to any host, including hosts that are not registered in the mesh.
    • REGISTRY_ONLY: Sidecars can send traffic only to hosts in the mesh's service registry; external hosts must be declared explicitly (for example, with a ServiceEntry). This is the restrictive setting for egress control.

PilotPublicEip | Type: Boolean | Required: No | Allowed update: No
  Specifies whether to expose Istio Pilot to the Internet. Leave this set to false unless data plane clusters outside the VPC must reach the control plane.
  Valid values:
    • true
    • false (default value)

Proxy | Type: Map | Required: No | Allowed update: Yes
  The configurations of the sidecar proxy. For more information, see Proxy properties.

Telemetry | Type: Boolean | Required: No | Allowed update: Yes
  Specifies whether to enable Prometheus monitoring.
  Constraints: We recommend that you use Managed Service for Prometheus.

TraceSampling | Type: Number | Required: No | Allowed update: Yes
  The sampling percentage for Managed Service for OpenTelemetry.

Tracing | Type: Boolean | Required: No | Allowed update: Yes
  Specifies whether to enable the tracing analysis feature.
  Valid values:
    • true
    • false (default value)
  Note: To enable this feature, make sure that Tracing Analysis is activated.
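The property table above spells out several settings with security consequences (the two public-EIP flags, OutboundTrafficPolicy, EnableAudit, the private-key parameters, the cross-field rules under ExistingCaType and ChargeType, and the mandatory keys of AccessLogFormat). The Python script below is an added example, not ROS or ASM code: it walks a ROS template in the JSON form shown on this page, finds every ALIYUN::ASM::ServiceMesh resource and reports what a security review would flag before the stack is created. The sample template, the severity labels, the placeholder IDs and the resource names WeakMesh and HardenedMesh are constructed for the example.

```python
"""Pre-deployment policy check for ALIYUN::ASM::ServiceMesh resources in a ROS template.

Added example, not ROS or ASM code. It walks a template in the JSON form shown on
this page and reports settings a security review would flag before stack creation.
"""
import json

# Keys the property table says a custom AccessLogFormat must contain.
REQUIRED_ACCESS_LOG_KEYS = {
    "authority_for", "bytes_received", "bytes_sent", "downstream_local_address",
    "downstream_remote_address", "duration", "istio_policy_status", "method", "path",
    "protocol", "requested_server_name", "response_code", "response_flags",
    "route_name", "start_time", "trace_id", "upstream_cluster", "upstream_host",
    "upstream_local_address", "upstream_service_time",
    "upstream_transport_failure_reason", "user_agent", "x_forwarded_for",
}

# Properties that hold CA private keys; these belong in a NoEcho parameter or a
# secret store, never as a literal in a template that is committed to git.
PRIVATE_KEY_PROPS = ("ExistingCaKey", "ExistingRootCaKey")

# Cross-field requirements stated under ExistingCaType.
CA_TYPE_REQUIRES = {
    "1": ("ExistingCaCert", "ExistingCaKey"),
    "2": ("ExistingRootCaCert", "ExistingRootCaKey"),
}


def check_service_mesh(props):
    """Return a list of (severity, message) findings for one resource's Properties."""
    findings = []
    # Control-plane exposure: both flags default to false; true binds a public EIP.
    for flag in ("ApiServerPublicEip", "PilotPublicEip"):
        if props.get(flag) is True:
            findings.append(("HIGH", f"{flag} is true: control plane is reachable from the Internet"))
    # Egress control: ALLOW_ANY lets sidecars reach any host, REGISTRY_ONLY only registry entries.
    policy = props.get("OutboundTrafficPolicy")
    if policy == "ALLOW_ANY":
        findings.append(("MEDIUM", "OutboundTrafficPolicy is ALLOW_ANY; prefer REGISTRY_ONLY"))
    elif policy is None:
        findings.append(("LOW", "OutboundTrafficPolicy not set; set REGISTRY_ONLY explicitly"))
    # Mesh audit is off by default.
    if props.get("EnableAudit") is not True:
        findings.append(("MEDIUM", "EnableAudit is not true: no mesh audit log is written"))
    # Private-key material embedded as a literal (a Ref/GetAtt dict is fine).
    for key in PRIVATE_KEY_PROPS:
        if isinstance(props.get(key), str) and props[key]:
            findings.append(("HIGH", f"{key} is a literal in the template; pass it as a NoEcho parameter"))
    # Existing-CA wiring: type must be 1 or 2 and bring its certificate parameters.
    if props.get("UseExistingCA") is True:
        ca_type = str(props.get("ExistingCaType", ""))
        needed = CA_TYPE_REQUIRES.get(ca_type)
        if needed is None:
            findings.append(("HIGH", "UseExistingCA is true but ExistingCaType is not 1 or 2"))
        else:
            for name in needed:
                if not props.get(name):
                    findings.append(("HIGH", f"ExistingCaType {ca_type} requires {name}"))
    # Subscription CLB needs a duration.
    if props.get("ChargeType") == "PrePay" and not props.get("Period"):
        findings.append(("MEDIUM", "ChargeType PrePay requires Period (months)"))
    # Custom access-log format must be JSON carrying the mandatory keys.
    fmt = props.get("AccessLogFormat")
    if fmt is not None:
        try:
            keys = set(json.loads(fmt))
        except (ValueError, TypeError):
            findings.append(("HIGH", "AccessLogFormat is not valid JSON"))
        else:
            missing = sorted(REQUIRED_ACCESS_LOG_KEYS - keys)
            if missing:
                findings.append(("HIGH", "AccessLogFormat is missing keys: " + ", ".join(missing)))
    return findings


def check_template(template):
    """Map each ALIYUN::ASM::ServiceMesh resource name to its findings."""
    return {
        name: check_service_mesh(res.get("Properties", {}))
        for name, res in template.get("Resources", {}).items()
        if res.get("Type") == "ALIYUN::ASM::ServiceMesh"
    }


# Constructed sample template: one weak and one hardened mesh (placeholder IDs).
SAMPLE_TEMPLATE = {
    "ROSTemplateFormatVersion": "2015-09-01",
    "Resources": {
        "WeakMesh": {
            "Type": "ALIYUN::ASM::ServiceMesh",
            "Properties": {
                "VpcId": "vpc-placeholder",
                "VSwitches": ["vsw-placeholder"],
                "ApiServerPublicEip": True,
                "OutboundTrafficPolicy": "ALLOW_ANY",
                "UseExistingCA": True,
                "ExistingCaType": "1",
                "ExistingCaCert": "<base64 CA certificate>",  # ExistingCaKey is missing
                "AccessLogFormat": json.dumps({"method": "%REQ(:METHOD)%"}),
            },
        },
        "HardenedMesh": {
            "Type": "ALIYUN::ASM::ServiceMesh",
            "Properties": {
                "VpcId": {"Ref": "VPC"},
                "VSwitches": [{"Ref": "VSwitch"}],
                "ApiServerPublicEip": False,
                "PilotPublicEip": False,
                "OutboundTrafficPolicy": "REGISTRY_ONLY",
                "EnableAudit": True,
                "AccessLogEnabled": True,
            },
        },
    },
}

if __name__ == "__main__":
    for name, findings in check_template(SAMPLE_TEMPLATE).items():
        print(name, "clean" if not findings else "")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

Run it against a real template by loading the JSON file into check_template; a Ref or Fn::GetAtt dictionary in a private-key property is accepted because the key then lives in a parameter or another resource rather than in the template text.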

OPA syntax

"OPA": {
  "OPARequestCPU": String,
  "OpenAgentPolicy": Boolean,
  "OPALogLevel": String,
  "OPALimitCPU": String,
  "OPALimitMemory": String,
  "OPARequestMemory": String
}

OPA properties

Each entry gives the property name, its type, whether it is required, whether it can be changed after the instance is created (Allowed update), and its description.

OPALimitCPU | Type: String | Required: No | Allowed update: Yes
  The CPU limit of the OPA container.

OPALimitMemory | Type: String | Required: No | Allowed update: Yes
  The memory limit of the OPA container.

OPALogLevel | Type: String | Required: No | Allowed update: Yes
  The log level of the OPA container.

OPARequestCPU | Type: String | Required: No | Allowed update: Yes
  The CPU request of the OPA container.

OPARequestMemory | Type: String | Required: No | Allowed update: Yes
  The memory request of the OPA container.

OpenAgentPolicy | Type: Boolean | Required: No | Allowed update: Yes
  Specifies whether to install the OPA plug-in.
  Valid values:
    • true
    • false (default value)

Proxy syntax

"Proxy": {
  "ClusterDomain": String,
  "ProxyLimitCPU": String,
  "ProxyLimitMemory": String,
  "ProxyRequestCPU": String,
  "ProxyRequestMemory": String
}

Proxy properties

Each entry gives the property name, its type, whether it is required, whether it can be changed after the instance is created (Allowed update), and its description.

ClusterDomain | Type: String | Required: No | Allowed update: Yes
  The domain name of the cluster.

ProxyLimitCPU | Type: String | Required: No | Allowed update: Yes
  The CPU limit of the sidecar proxy.

ProxyLimitMemory | Type: String | Required: No | Allowed update: Yes
  The memory limit of the sidecar proxy.

ProxyRequestCPU | Type: String | Required: No | Allowed update: Yes
  The CPU request of the sidecar proxy.

ProxyRequestMemory | Type: String | Required: No | Allowed update: Yes
  The memory request of the sidecar proxy.

Return values

Fn::GetAtt

ServiceMeshId: The ID of the instance.

Example

YAML format

ROSTemplateFormatVersion: '2015-09-01'
Parameters:
  ZoneId:
    Type: String
    Description: The ID of the zone in which the vSwitch resides.
    AssociationProperty: ALIYUN::ECS::Instance::ZoneId
    Label: Zone ID
  VPC:
    AssociationProperty: ALIYUN::ECS::VPC::VPCId
    Type: String
    Description: The ID of an existing VPC (starts with vpc-). You can find it in the Virtual Private Cloud console.
    Label: Existing VPC Instance ID
  VSwitch:
    AssociationProperty: ALIYUN::ECS::VSwitch::VSwitchId
    Type: String
    Description: The ID of an existing vSwitch (starts with vsw-). You can find it on the vSwitches page of the Virtual Private Cloud console.
    Label: Existing VSwitch ID
    AssociationPropertyMetadata:
      VpcId: VPC
      ZoneId: ZoneId
Resources:
  ServiceMesh:
    Type: ALIYUN::ASM::ServiceMesh
    Properties:
      VpcId:
        Ref: VPC
      VSwitches:
        - Ref: VSwitch
Outputs:
  ServiceMeshId:
    Description: The ID of the ASM instance.
    Value:
      Fn::GetAtt:
        - ServiceMesh
        - ServiceMeshId

JSON format

{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
    "ZoneId": {
      "Type": "String",
      "Description": "The ID of the zone in which the vSwitch resides.",
      "AssociationProperty": "ALIYUN::ECS::Instance::ZoneId",
      "Label": "Zone ID"
    },
    "VPC": {
      "AssociationProperty": "ALIYUN::ECS::VPC::VPCId",
      "Type": "String",
      "Description": "The ID of an existing VPC (starts with vpc-). You can find it in the Virtual Private Cloud console.",
      "Label": "Existing VPC Instance ID"
    },
    "VSwitch": {
      "AssociationProperty": "ALIYUN::ECS::VSwitch::VSwitchId",
      "Type": "String",
      "Description": "The ID of an existing vSwitch (starts with vsw-). You can find it on the vSwitches page of the Virtual Private Cloud console.",
      "Label": "Existing VSwitch ID",
      "AssociationPropertyMetadata": {
        "VpcId": "VPC",
        "ZoneId": "ZoneId"
      }
    }
  },
  "Resources": {
    "ServiceMesh": {
      "Type": "ALIYUN::ASM::ServiceMesh",
      "Properties": {
        "VpcId": {
          "Ref": "VPC"
        },
        "VSwitches": [
          {
            "Ref": "VSwitch"
          }
        ]
      }
    }
  },
  "Outputs": {
    "ServiceMeshId": {
      "Description": "The ID of the ASM instance.",
      "Value": {
        "Fn::GetAtt": [
          "ServiceMesh",
          "ServiceMeshId"
        ]
      }
    }
  }
}
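The example templates above create a mesh with a CA generated by the service. The migration case in the property table (UseExistingCA with ExistingCaType 1) instead takes the CA material from the istio-ca-secret secret of a self-managed Istio cluster. The Python helper below is an added example, not ASM or Istio code: it reads the JSON that `kubectl -n istio-system get secret istio-ca-secret -o json` returns (a constructed sample with placeholder PEM bodies is embedded; no real key is included), checks that the ca-cert.pem and ca-key.pem fields decode to the expected PEM block types so that swapped or corrupt fields never reach the template, and builds the UseExistingCA, ExistingCaType, ExistingCaCert and ExistingCaKey properties. Kubernetes stores secret data Base64-encoded, which matches the Base64 form the page states for ExistingCaCert; the example assumes ExistingCaKey takes the same encoding, which the page does not state. It also includes a separate check for the CertChain constraint (at least two certificates), which applies to the plug-in CA case.

```python
"""Build UseExistingCA properties for ALIYUN::ASM::ServiceMesh from a
self-managed Istio cluster's istio-ca-secret (added example, not ASM or Istio code).

Input is the JSON that `kubectl -n istio-system get secret istio-ca-secret -o json`
returns. Kubernetes stores secret data Base64-encoded, which is the form the
ExistingCaCert property expects; this example assumes ExistingCaKey takes the
same encoding.
"""
import base64
import binascii
import re

# One PEM block: BEGIN label, body, matching END label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def pem_types(text):
    """Return the BEGIN labels of every PEM block in text, in order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def decode_secret_field(data, name):
    """Base64-decode one field of a Secret's .data map and return (b64, decoded text).

    Raises ValueError if the field is missing, is not valid Base64, or holds no PEM block.
    """
    if name not in data:
        raise ValueError(f"secret has no field {name}")
    try:
        raw = base64.b64decode(data[name], validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"{name} is not valid Base64: {exc}") from None
    text = raw.decode("ascii", errors="replace")
    if not pem_types(text):
        raise ValueError(f"{name} does not contain a PEM block")
    return data[name], text


def validate_cert_chain(chain_text):
    """Enforce the CertChain constraint: at least two CERTIFICATE blocks. Returns the count."""
    n = pem_types(chain_text).count("CERTIFICATE")
    if n < 2:
        raise ValueError(f"CertChain must contain at least two certificates, found {n}")
    return n


def existing_ca_properties(secret):
    """Map istio-ca-secret data to ExistingCaType 1 properties; raise ValueError on bad material."""
    data = secret.get("data", {})
    cert_b64, cert_text = decode_secret_field(data, "ca-cert.pem")
    key_b64, key_text = decode_secret_field(data, "ca-key.pem")
    # Catch swapped or mislabelled fields before they reach the template.
    if "CERTIFICATE" not in pem_types(cert_text):
        raise ValueError("ca-cert.pem holds no CERTIFICATE block")
    if not any(t.endswith("PRIVATE KEY") for t in pem_types(key_text)):
        raise ValueError("ca-key.pem holds no PRIVATE KEY block")
    return {
        "UseExistingCA": True,
        "ExistingCaType": "1",
        "ExistingCaCert": cert_b64,
        # Private key material: in a real template, pass this in as a NoEcho
        # parameter rather than embedding the literal.
        "ExistingCaKey": key_b64,
    }


def placeholder_pem(label):
    """Constructed PEM block with a dummy body; real material would be Base64 DER."""
    return f"-----BEGIN {label}-----\nTUlJQnBsYWNlaG9sZGVy\n-----END {label}-----\n"


def b64_text(text):
    """Base64-encode text the way Kubernetes stores secret data."""
    return base64.b64encode(text.encode("ascii")).decode("ascii")


# Constructed sample of `kubectl get secret istio-ca-secret -o json` output.
SAMPLE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "istio-ca-secret", "namespace": "istio-system"},
    "data": {
        "ca-cert.pem": b64_text(placeholder_pem("CERTIFICATE")),
        "ca-key.pem": b64_text(placeholder_pem("RSA PRIVATE KEY")),
    },
}

# Constructed two-certificate chain (CA certificate, then root) for the CertChain check.
SAMPLE_CHAIN = placeholder_pem("CERTIFICATE") * 2

if __name__ == "__main__":
    props = existing_ca_properties(SAMPLE_SECRET)
    for key, value in props.items():
        shown = value if isinstance(value, bool) else str(value)[:12] + "..."
        print(f"{key}: {shown}")
    print("certificates in chain:", validate_cert_chain(SAMPLE_CHAIN))
```

Merge the returned dictionary into the Properties of the ServiceMesh resource in the template above, replacing the ExistingCaKey literal with a Ref to a NoEcho parameter before the template is stored anywhere shared.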