Create an ASM instance to get a managed Istio control plane that handles traffic, security, fault recovery, and observability for your Kubernetes workloads -- without installing or maintaining Istio yourself. This topic walks you through creating an ASM instance in the console.
Prerequisites
Before you begin, make sure that you have:
Activated Service Mesh (ASM), Auto Scaling (ESS), and Resource Access Management (RAM)
Granted the following RAM roles to the account that creates the instance:
AliyunServiceMeshDefaultRole, AliyunCSClusterRole, and AliyunCSManagedKubernetesRole. For details, see Grant permissions to RAM users and RAM roles.
Resources that ASM creates automatically
When you create an instance, ASM provisions the following resources based on your configuration:
| Resource | Details |
|---|---|
| Security group | Allows inbound ICMP traffic on all ports within the VPC. ASM creates a new security group for each instance. You cannot reuse an existing security group or change it after creation. |
| VPC routing rules | Created to support network connectivity for the ASM instance. |
| Elastic IP addresses (EIPs) | Created only if you expose the API Server publicly. |
| RAM role and policies | Grants full permissions on Cloud Load Balancer (CLB), Cloud Monitor, Virtual Private Cloud (VPC), and Simple Log Service (SLS). ASM dynamically creates resources such as CLB instances and VPC routing rules based on your deployment configuration. |
| Internal-facing CLB instance | Exposes ports 6443 and 15011 for control plane communication. |
| Control plane logs | ASM collects logs from managed control plane components to maintain service stability. |
Create an ASM instance
The creation workflow has three stages: configure basic and network settings, configure optional observability and audit features, and activate billing.
Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
On the Mesh Management page, click Create Mesh.
Configure the mesh parameters described in the following sections.
Basic settings
| Parameter | Description |
|---|---|
| Mesh Name | The name of the ASM instance. |
| Instance Type | You can select Enterprise Edition or Ultimate Edition. For a feature comparison, see What is ASM?. |
| Region | The region where the ASM instance runs. |
| Istio Version | One of the two latest major versions (for example, 1.22.\* or 1.23.\*). For version details, see Version mechanism. To request an older version, submit a ticket. |
Network settings
| Parameter | Description |
|---|---|
| Kubernetes Cluster | Select an existing ACK cluster. The VPC, VSwitch, and Cluster Domain fields populate automatically. To create a cluster, see Create an ACK managed cluster. |
| VPC | The VPC for the ASM instance. To create one, see Create and manage a VPC. |
| VSwitch | The vSwitch for the ASM instance. To create one, see Create and manage a vSwitch. |
| Istio Control Plane Access | The CLB instance used to access the Istio control plane. |
| API Server Access | The CLB instance used to access the API Server. Optionally select Expose the API Server using an EIP. Expose: an EIP is created and attached to the internal-facing CLB instance, so the ASM instance can be reached from the internet through a kubeconfig file. Do not expose: no EIP is created, and the ASM instance is accessible only from within the VPC through a kubeconfig file. |
Observability settings
| Parameter | Description |
|---|---|
| Enable Tracing Analysis | Integrates with Alibaba Cloud Tracing Analysis for distributed trace restoration, request statistics, topology analysis, and dependency analysis. Activate Tracing Analysis before enabling this option. For setup details, see Use Tracing Analysis for integrated tracing. |
| Enable Prometheus Monitoring | Collects Prometheus-based metrics for the mesh. For setup, see Integrate with Prometheus Service or Integrate a self-managed Prometheus system. |
| Enable ASM Mesh Topology to improve mesh observability | Provides a visual interface to view services and configurations. Available in ASM 1.7.5.25 and later. For details, see Enable mesh topology. |
| Collect access logs to Simple Log Service | Sends ingress gateway access logs to SLS. For details, see Collect access logs of an ASM gateway and Collect access logs of data plane clusters. |
| Enable control plane log collection | Collects control plane logs and supports log-based alerting (for example, logs about configurations pushed from the control plane to data plane sidecars). For details, see Enable control plane log collection (old version) or Enable control plane log collection (new version). |
Audit and resource settings
| Parameter | Description |
|---|---|
| Enable mesh audit | Records and traces operations performed by different users for security operations and maintenance. For details, see Use KubeAPI operation audit. |
| Enable historical versions for Istio resources | Records up to five recent versions when the spec field of an Istio resource is updated. For details, see Roll back an Istio resource to a historical version. |
| Enable access to Istio resources from data plane clusters using KubeAPI | Enables CRUD operations on Istio resources through the Kubernetes API of data plane clusters. For details, see Access Istio resources using the KubeAPI of a data plane cluster. |
| Cluster Domain | The cluster domain for the ASM instance. Defaults to cluster.local. Only Kubernetes clusters that use the same cluster domain can be added to the mesh. Custom cluster domains require ASM 1.6.4.5 or later. |
| Data Plane Mode | Select Enable the ambient mesh mode to use Ambient Mesh. Ambient Mesh supports both sidecar and sidecarless data plane architectures, either individually or together. For details, see Ambient mode. |
Activate billing and create the instance
If this is your first commercial ASM instance, activate the pay-as-you-go billing method:
In the Status column for Dependency Check, Not Passed is displayed.
In the Description column for Dependency Check, click Activate Now.
Select the Service Mesh (Pay-As-You-Go) Terms Of Service check box and click Activate Now.
Return to the Create Service Mesh page and click Recheck for ASM Service Activation Check. The status changes to Passed.
Read the Terms Of Service and click Create Service Mesh.
Note: Instance creation takes approximately 2 to 3 minutes.
Verify the instance
After creation completes, verify that the instance is running:
On the Mesh Management page, confirm that the new instance appears in the instance list.
Click Manage to open the Basic Information page and review the instance details.
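The kubeconfig issued for the instance is the credential that reaches the API Server, whether it was created with Expose (public EIP) or Do not expose (VPC only). The following script is an added example, not part of the ASM documentation: it reads the server address out of a kubeconfig and reports whether it is an RFC 1918 (VPC-only) address or a public one, checks that the file is not group- or world-readable, and compares a `kubectl get namespaces -o name` listing against the five namespaces ASM creates by default. The kubeconfig content, the file path and the namespace listing are constructed for the demo; against a real instance, replace the listing with the output of `kubectl get namespaces -o name --kubeconfig <path-to-asm-kubeconfig>`.

```shell
# Added example, not part of the ASM documentation: post-creation checks on the
# kubeconfig that the console issues for an ASM instance. The kubeconfig content,
# the namespace listing and the file path below are constructed for the demo.

# Print the API server URL from a kubeconfig (first "server:" key in the YAML).
kubeconfig_server() {
  sed -n 's/^[[:space:]]*server:[[:space:]]*//p' "$1" | head -n 1
}

# Classify the API server host. RFC 1918 addresses mean the API Server is
# reachable only inside the VPC ("Do not expose"); anything else, including an
# EIP or a DNS name that has not been resolved to an address, is reported as "public".
classify_endpoint() {
  host=$(printf '%s\n' "$1" | sed -e 's|^[a-z]*://||' -e 's|[:/].*$||')
  case "$host" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) echo private ;;
    *) echo public ;;
  esac
}

# A kubeconfig is a bearer credential for the control plane: require mode 600 or 400.
# Uses GNU stat first and falls back to BSD stat.
kubeconfig_mode_ok() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  case "$mode" in
    600|400) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the expected namespaces that are absent from `kubectl get namespaces -o name`
# output. $1 = that output (newline separated); remaining arguments = expected names.
missing_namespaces() {
  listing=$1
  shift
  for ns in "$@"; do
    printf '%s\n' "$listing" | grep -qx "namespace/$ns" || printf '%s\n' "$ns"
  done
}

# Demo with constructed input. Against a real instance, replace the listing with:
#   kubectl get namespaces -o name --kubeconfig "$cfg"
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
apiVersion: v1
clusters:
- cluster:
    server: https://10.0.1.5:6443
  name: asm-demo
EOF
chmod 600 "$cfg"

server=$(kubeconfig_server "$cfg")
printf 'API server: %s (%s)\n' "$server" "$(classify_endpoint "$server")"
kubeconfig_mode_ok "$cfg" && echo "kubeconfig permissions: ok" || echo "kubeconfig permissions: too open"

# Constructed listing that is missing two of the five default namespaces.
listing='namespace/default
namespace/istio-system
namespace/kube-system'
missing=$(missing_namespaces "$listing" default istio-system kube-node-lease kube-public kube-system)
[ -z "$missing" ] && echo "namespaces: ok" || printf 'namespaces missing:\n%s\n' "$missing"
rm -f "$cfg"
```

A DNS name in the `server:` field is reported as public because the heuristic only recognises literal private addresses; resolve the name first if the instance was created behind an internal-facing CLB with a hostname endpoint.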
ASM creates five namespaces by default: istio-system, kube-node-lease, kube-public, kube-system, and default. The console displays only istio-system and default. Use kubectl to view and manage all namespaces:
kubectl get namespaces --kubeconfig <path-to-asm-kubeconfig>
Manage an existing instance
On the Mesh Management page, use the Actions column to perform the following operations:
| Operation | Steps |
|---|---|
| View instance details | Click Manage to open the Basic Information page. |
| Modify instance settings | Click Manage, then click Feature Settings in the upper-right corner of the Basic Information page. Update settings in the Feature Settings Update panel and click OK. |
| Change the instance type | Click Change Instance Type. For details, see Change the instance type of an ASM instance. |
| View logs | Click Logs. For details, see Log analysis. |
| Delete an instance | Click the more icon. |
Before you delete an instance, note the following consequences:
The ASM instance and all its Service Mesh features are permanently removed.
If the CLB instance used by the API Server is deleted, mesh management and related configurations become inaccessible.
If the CLB instance used by Istio Pilot is deleted, mesh management and related configurations become inaccessible.