An ingress gateway serves as the single entry point for external traffic into your service mesh. It receives incoming connections over the Internet or an internal network and uses Layer 7 load balancing to route requests to backend services based on HTTP properties such as the URL path, host header, or custom headers.
After the gateway is running, configure Istio routing rules to direct traffic to specific services.
Prerequisites
Create an ingress gateway in the ASM console
Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.
On the Ingress Gateway page, click Create and configure the following parameters.
To define the ingress gateway with YAML instead of the console form, click Create from YAML. For the full CRD specification, see Manage the ingress gateway by using KubeAPI.
If your cluster on the data plane is a registered cluster and you select LoadBalancer, make sure the cluster supports LoadBalancer Services. Otherwise, the ingress gateway creation fails.
Important: Assign a dedicated load balancer to each Kubernetes service. Sharing a load balancer across multiple services introduces the following risks:
- Reusing an existing load balancer overwrites its listeners, which can make your application inaccessible.
- Only load balancers that you manually create in the console or by calling API operations can be reused. Load balancers created by Kubernetes through the Service cannot be reused.
- Services that share a load balancer cannot use the same frontend listening port. Port conflicts cause service failures.
- Listener and vServer group names serve as unique identifiers for Kubernetes. Do not modify them.
- Cross-cluster and cross-region load balancer reuse is not supported.
Name: The name of the ingress gateway.
Cluster: The cluster in which to deploy the ingress gateway.
Service Type: The Kubernetes Service type. Valid values: LoadBalancer, ClusterIP, and NodePort. For more information, see Service.
CLB / NLB: Required when Service Type is set to LoadBalancer. Valid values: Internet Access and Private Access.
Create LoadBalancer Instance: Required when Service Type is set to LoadBalancer. Select one of the following options:
- Create LoadBalancer Instance -- For CLB, select the load balancer specification from the Select CLB Specifications drop-down list. For NLB, select vSwitches in at least two zones from the Select Zones for NLB Instance drop-down list.
- Use Existing SLB Instance -- Select from the list of existing load balancers. See the load balancer sharing risks in the Important note above.
Port Mapping: Set Protocol and Service Port. The console provides two default ports commonly used by Istio. Modify them as needed.
Resources Limits: The CPU and memory limits for the ingress gateway pod.
Gateway instances: The number of pod replicas for the ingress gateway.
(Optional) Click Advanced Options to configure scaling, update, and availability settings.
Features marked with (Enterprise/Ultimate Edition) require an ASM instance of Enterprise or Ultimate Edition.
External Traffic Policy: Controls how external traffic is distributed.
- Local: routes traffic only to pods on the node where the ingress gateway service is deployed.
- Cluster: allows traffic to be routed to pods on other nodes.
HPA (Enterprise/Ultimate Edition): Enables Horizontal Pod Autoscaler (HPA). Configure Monitoring items and Threshold for CPU utilization or memory usage. When either metric exceeds its threshold, the number of pod replicas scales up. When both metrics drop below their thresholds, replicas scale down. Set Maximum replicas and Minimum number of replicas to define the scaling range.
Rolling Upgrade: Configures rolling update behavior.
- Maximum number of unavailable instances: the maximum number of pod replicas that can be unavailable during a rolling update.
- Exceeding the desired number of instances: the maximum number of extra pod replicas that can be created during a rolling update. For example, setting this to 25% means the total replicas during the update cannot exceed 125% of the desired count.
Enable MultiBuffer-based TLS encryption and decryption performance optimization (Enterprise/Ultimate Edition): Accelerates TLS encryption and decryption using MultiBuffer.
- supported nodeaffinity: select the label of the nodes on which the optimization takes effect.
- Poll Delay(ms): specify a polling delay to reduce the time MultiBuffer waits before processing requests.
For details, see Parameter description.
Deploy ASM Gateway replicas as widely as possible: Uses podAntiAffinity to preferentially deploy gateway pods to different nodes, improving availability.
Custom Deployment Policy: Configures nodeSelector, tolerations, and affinity fields for the gateway. For the full field reference, see ASM gateway CRD description.
Graceful Shutdown (Enterprise/Ultimate Edition): Ensures in-flight requests complete before a gateway pod is removed.
- Connection timeout (seconds): the time the load balancer waits after removing a pod before disconnecting. During this period, the pod handles existing connections. The default graceful shutdown time for a gateway pod is 30 seconds. Set the load balancer-side timeout to 30 seconds or less.
Click Create.
Verify the result
After creation completes, the gateway status changes to Running on the Ingress Gateway page. The Service address column displays the IP address of the ingress gateway.
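An added example, not part of the original documentation: a check for the load balancer sharing risks listed in the Important note. It scans Service objects shaped like `kubectl get svc -A -o json` output for Services bound to the same existing load balancer and reports colliding listener ports. The annotation name is an assumption (it does not appear on this page), and all Service data is constructed.

```python
from collections import defaultdict

# Assumption: annotation the Alibaba Cloud cloud controller manager reads to
# bind a Service to an existing load balancer. It is not named on this page.
LB_ID_ANNOTATION = "service.beta.kubernetes.io/alibaba-cloud-loadbalancer-id"

def svc(ns, name, ports, lb_id=None, svc_type="LoadBalancer"):
    """Build a constructed Service object shaped like kubectl JSON output."""
    meta = {"namespace": ns, "name": name}
    if lb_id:
        meta["annotations"] = {LB_ID_ANNOTATION: lb_id}
    port_specs = [{"protocol": "TCP", "port": p} for p in ports]
    return {"metadata": meta, "spec": {"type": svc_type, "ports": port_specs}}

# Constructed sample standing in for `kubectl get svc -A -o json`.
SAMPLE = {"items": [
    svc("istio-system", "istio-ingressgateway", [80, 443], "lb-constructed-0001"),
    svc("default", "legacy-web", [80, 8080], "lb-constructed-0001"),
    svc("default", "api", [443]),  # no annotation: dedicated load balancer
    svc("default", "metrics", [9090], "lb-constructed-0002"),
    svc("default", "internal", [80], svc_type="ClusterIP"),
]}

def find_shared_lb_risks(service_list):
    """Return (shared, conflicts) for Services reusing an existing load balancer."""
    by_lb = defaultdict(list)
    for item in service_list.get("items", []):
        meta, spec = item["metadata"], item.get("spec", {})
        lb_id = (meta.get("annotations") or {}).get(LB_ID_ANNOTATION)
        if spec.get("type") != "LoadBalancer" or not lb_id:
            continue  # not exposed through a reused load balancer
        ports = {(p.get("protocol", "TCP"), p["port"]) for p in spec.get("ports", [])}
        by_lb[lb_id].append((f'{meta["namespace"]}/{meta["name"]}', ports))
    shared, conflicts = {}, []
    for lb_id, svcs in sorted(by_lb.items()):
        if len(svcs) < 2:
            continue  # only one Service uses this load balancer
        shared[lb_id] = sorted(name for name, _ in svcs)
        owners = defaultdict(list)
        for name, ports in svcs:
            for key in ports:
                owners[key].append(name)
        for (proto, port), names in sorted(owners.items()):
            if len(names) > 1:  # same protocol and frontend port claimed twice
                conflicts.append((lb_id, proto, port, sorted(names)))
    return shared, conflicts

if __name__ == "__main__":
    print(find_shared_lb_risks(SAMPLE))
```

Any entry in the first result means a gateway or application Service is not on a dedicated load balancer; any entry in the second is a listener port collision between the Services that share it.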
Manage the ingress gateway
Edit or view the gateway
On the Ingress Gateway page, find the target gateway and perform one of the following actions:
Click View Details to modify the gateway configuration through the console form.
Click Edit YAML to open the Edit dialog box. Modify the fields as needed and click OK. For the field reference, see ASM gateway CRD description.
Delete the gateway
On the Ingress Gateway page, find the target gateway and click Delete. In the Submit dialog box, click OK.
After an ingress gateway is deleted, external services can no longer access services in the ASM instance through that gateway. Deleted gateways cannot be restored. Exercise caution when performing this operation.
View the gateway in the ACK console
View basic information:
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, click the name of the target cluster. In the left-side navigation pane, choose Network > Services.
On the Services page, select istio-system from the Namespace drop-down list.
The External IP column displays the IP address of the ingress gateway.
View pod information:
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, click the name of the target cluster. In the left-side navigation pane, choose Workloads > Pods.
On the Pods page, select istio-system from the Namespace drop-down list.
Click the target pod to view its details.
Next steps
To expose services through the gateway, configure routing rules. See Use Istio resources to route traffic to different versions of a service.
To provide centralized traffic egress for applications in the mesh, see Create an egress gateway.
To monitor traffic flows between services, see Use Mesh Topology to view the topology of an application.
For a complete overview of gateway capabilities, see Overview of ASM gateways.
To create the gateway by using an API, see CreateASMGateway.