CreateServiceMesh - Alibaba Cloud Service Mesh - Alibaba Cloud Documentation Center

Creates a Service Mesh (ASM) instance.

Debugging

You can run this interface directly in OpenAPI Explorer, saving you the trouble of calculating signatures. After running successfully, OpenAPI Explorer can automatically generate SDK code samples.

Debug

Authorization information

The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:

Operation: the value that you can use in the Action element to specify the operation on a resource.
Access level: the access level of each operation. The levels are read, write, and list.
Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
- The required resource types are displayed in bold characters.
- If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
Condition Key: the condition key that is defined by the cloud service.
Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.

Operation	Access level	Resource type	Condition key	Associated operation
servicemesh:CreateServiceMesh	create	All Resources *	none	none

Request parameters

Parameter	Type	Required	Description	Example
RegionId	string	Yes	The ID of the region in which the ASM instance resides.	cn-hangzhou
IstioVersion	string	No	The Istio version of the ASM instance.	v1.5.4.1-g5960ec40-aliyun
VpcId	string	Yes	The ID of the virtual private cloud (VPC) in which the ASM instance resides.	vpc-xzelac2tw4ic7wz31****
ApiServerPublicEip	boolean	No	Specifies whether to expose the API server to the Internet. Valid values: `true` `false` Default value: `false`. Note If you set this parameter to `false`, the API server cannot be accessed over the Internet.	false
Tracing	boolean	No	Specifies whether to enable the Tracing Analysis feature. Valid values: `true` `false` Default value: `false`.	false
Name	string	No	The name of the ASM instance.	mesh1
VSwitches	string	Yes	The ID of the vSwitch to which the ASM instance is connected.	["vsw-xzegf5dndkbf4m6eg****"]
TraceSampling	float	No	The sampling percentage of Tracing Analysis.	100
CustomizedZipkin	boolean	No	Specifies whether to use a self-managed Zipkin system to collect tracing data. Valid values: `true`: uses a self-managed Zipkin system to collect tracing data. `false`: uses Alibaba Cloud Tracing Analysis to collect tracing data. Default value: `false`.	false
LocalityLoadBalancing	boolean	No	Specifies whether to route traffic to the nearest instance. Valid values: `true` `false` Default value: `false`.	false
LocalityLBConf	string	No	The configurations for the access to the nearest instance.	{"failover":[{"from":"cn-hangzhou","to":"cn-shanghai"}]}
Telemetry	boolean	No	Specifies whether to enable Prometheus monitoring. We recommend that you use Prometheus Service of Application Real-Time Monitoring Service (ARMS). Valid values: `true` `false` Default value: `false`.	false
OpenAgentPolicy	boolean	No	Specifies whether to install the Open Policy Agent (OPA) plug-in. Valid values: `true` `false` Default value: `false`.	false
OPALogLevel	string	No	The log level of the OPA container.	info
OPARequestCPU	string	No	The minimum number of CPU cores that are required by the OPA container. You can specify the parameter value in the standard representation form of CPUs in Kubernetes. For example, if you set the value to 1, one CPU core is required.	1
OPARequestMemory	string	No	The minimum size of the memory that is required by the OPA container. You can specify the parameter value in the standard quantity representation form used by Kubernetes. 1 Mi equals 1,024 KB.	512Mi
OPALimitCPU	string	No	The maximum number of CPU cores that are available to the OPA container.	2
OPALimitMemory	string	No	The maximum size of the memory that is available to the OPA container. You can specify the parameter value in the standard quantity representation form used by Kubernetes. 1 Mi equals 1,024 KB.	1024Mi
EnableAudit	boolean	No	Specifies whether to enable the mesh audit feature. To enable this feature, make sure that you have activated Log Service. Valid values: `true` `false` Default value: `false`.	false
AuditProject	string	No	The name of the Log Service project that is used for mesh audit. Default value: mesh-log-{ASM instance ID}.	mesh-log-xxxx
ClusterDomain	string	No	ASM cluster domain.	cluster.local
ProxyRequestCPU	string	No	The minimum number of CPU cores that are required by the proxy container.	100m
ProxyRequestMemory	string	No	The minimum size of the memory that is required by the proxy container.	128Mi
ProxyLimitCPU	string	No	The maximum number of CPU cores that are available to the proxy container.	2000m
ProxyLimitMemory	string	No	The maximum size of the memory that is available to the proxy container.	1024Mi
IncludeIPRanges	string	No	The IP ranges in CIDR form for which traffic is to be redirected to the sidecar proxy in the ASM instance.	*
ExcludeIPRanges	string	No	The IP ranges in CIDR form to be excluded from redirection to the sidecar proxy in the ASM instance.	100.100.10.**
ExcludeOutboundPorts	string	No	The outbound ports to be excluded from redirection to the sidecar proxy in the ASM instance. Separate multiple port numbers with commas (,).	80,81
ExcludeInboundPorts	string	No	The inbound ports to be excluded from redirection to the sidecar proxy in the ASM instance. Separate multiple port numbers with commas (,).	80,81
OpaEnabled	boolean	No	Specifies whether to enable the OPA plug-in. Valid values: `true` `false` Default value: `false`.	false
KialiEnabled	boolean	No	Specifies whether to enable the mesh topology feature. To enable this feature, make sure that you have enabled Prometheus monitoring. If Prometheus monitoring is disabled, you must set this parameter to `false`.`` Valid values: `true` `false` Default value: `false`.	false
AccessLogEnabled	boolean	No	Specifies whether to enable access log collection. Valid values: `true` `false` Default value: `false`.	false
CustomizedPrometheus	boolean	No	Specifies whether to use a custom Prometheus instance. Valid values: `true` `false` Default value: `false`.	false
PrometheusUrl	string	No	The endpoint of the custom Prometheus instance.	http://prometheus:9090
RedisFilterEnabled	boolean	No	Specifies whether to enable Redis Filter. Valid values: `true` `false` Default value: `false`.	true
MysqlFilterEnabled	boolean	No	Specifies whether to enable MySQL Filter. Valid values: `true` `false` Default value: `false`.	false
ThriftFilterEnabled	boolean	No	Specifies whether to enable Thrift Filter. Valid values: `true` `false` Default value: `false`.	false
WebAssemblyFilterEnabled	boolean	No	Specifies whether to enable WebAssembly Filter. Valid values: `true` `false` Default value: `false`.	false
MSEEnabled	boolean	No	Specifies whether to enable Microservices Engine (MSE). Valid values: `true` `false` Default value: `false`.	false
DNSProxyingEnabled	boolean	No	Specifies whether to enable the DNS proxy feature. Valid values: `true` `false` Default value: `false`.	false
Edition	string	No	The edition of the ASM instance.	Pro
ConfigSourceEnabled	boolean	No	Specifies whether to enable the external service registry. Valid values: `true` `false` Default value: `false`.	false
ConfigSourceNacosID	string	No	The instance ID of the Nacos registry.	mse-cn-tl326******
DubboFilterEnabled	boolean	No	Specifies whether to enable Dubbo Filter. Valid values: `true` `false` Default value: `false`.	false
FilterGatewayClusterConfig	boolean	No	Specifies whether to enable gateway configuration filtering. Valid values: `true` `false` Default value: `false`.	false
EnableSDSServer	boolean	No	Specifies whether to enable Secret Discovery Service (SDS). Valid values: `true` `false` Default value: `false`.	false
AccessLogServiceEnabled	boolean	No	Specifies whether to enable gRPC Access Log Service (ALS) of Envoy. gRPC is short for Google Remote Procedure Call. Valid values: `true` `false` Default value: `false`.	false
AccessLogServiceHost	string	No	The endpoint of Envoy's gRPC ALS.	0.0.0.0
AccessLogServicePort	integer	No	The port of Envoy's gRPC ALS.	9999
GatewayAPIEnabled	boolean	No	Specifies whether to enable Gateway API. Valid values: `true` `false` Default value: `false`.	false
ControlPlaneLogEnabled	boolean	No	Specifies whether to enable the collection of control plane logs. Valid values: `true` `false` Default value: `false`.	false
ControlPlaneLogProject	string	No	The name of the Log Service project that is used to collect the logs of the control plane.	mesh-log-cf245a429b6ff4b6e97f20797758*****
AccessLogFormat	string	No	Custom fields of access logs. To set this parameter, you must enable access log collection. Otherwise, you cannot set this parameter. The value must be a JSON string. The following key values must be contained: authority_for, bytes_received, bytes_sent, downstream_local_address, downstream_remote_address, duration, istio_policy_status, method, path, protocol, requested_server_name, response_code, response_flags, route_name, start_time, trace_id, upstream_cluster, upstream_host, upstream_local_address, upstream_service_time, upstream_transport_failure_reason, user_agent, and x_forwarded_for.	{"authority_for":"%REQ(:AUTHORITY)%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","downstream_local_address":"%DOWNSTREAM_LOCAL_ADDRESS%","downstream_remote_address":"%DOWNSTREAM_REMOTE_ADDRESS%","duration":"%DURATION%","istio_policy_status":"%DYNAMIC_METADATA(istio.mixer:status)%","method":"%REQ(:METHOD)%","path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","protocol":"%PROTOCOL%","request_id":"%REQ(X-REQUEST-ID)%","requested_server_name":"%REQUESTED_SERVER_NAME%","response_code":"%RESPONSE_CODE%","response_flags":"%RESPONSE_FLAGS%","route_name":"%ROUTE_NAME%","start_time":"%START_TIME%","trace_id":"%REQ(X-B3-TRACEID)%","upstream_cluster":"%UPSTREAM_CLUSTER%","upstream_host":"%UPSTREAM_HOST%","upstream_local_address":"%UPSTREAM_LOCAL_ADDRESS%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_transport_failure_reason":"%UPSTREAM_TRANSPORT_FAILURE_REASON%","user_agent":"%REQ(USER-AGENT)%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%"}
AccessLogFile	string	No	Specifies whether to enable access log collection. Valid values: "": disables access log collection. `/dev/stdout`: enables access log collection. Access logs are written to /dev/stdout.	/dev/stdout
AccessLogProject	string	No	The SLS project from which access logs are collected.	mesh-log-cf245a429b6ff4b6e97f20797758*****
EnableCRHistory	boolean	No	Specifies whether to enable the rollback feature for Istio resources. Valid values: `true` `false` Default value: `false`.	false
CRAggregationEnabled	boolean	No	Specifies whether to allow the Kubernetes API of clusters on the data plane to access Istio resources. The version of the ASM instance must be V1.9.7.93 or later. Valid values: `true` `false` Default value: `false`.	false
ApiServerLoadBalancerSpec	string	No	The type of the Classic Load Balancer (CLB) instance that is bound to the API server. Valid values: `slb.s1.small`, `slb.s2.small`, `slb.s2.medium`, `slb.s3.small`, `slb.s3.medium`, and `slb.s3.large`.	slb.s1.small
PilotLoadBalancerSpec	string	No	The type of the CLB instance that is bound to Istio Pilot. Valid values: `slb.s1.small`, `slb.s2.small`, `slb.s2.medium`, `slb.s3.small`, `slb.s3.medium`, and `slb.s3.large`.	slb.s1.small
ChargeType	string	No	The billing method of the CLB instance. Valid values: `PayOnDemand`: pay-as-you-go `PrePay`: subscription	PrePay
Period	integer	No	The subscription period of the CLB instance. This parameter is valid only if `ChargeType` is set to `PrePay`. The value of this parameter indicates the subscription period of the CLB instance. Unit: month. For example, if the subscription period is one year, set this parameter to 12.	3
AutoRenew	boolean	No	Specifies whether to enable auto-renewal for the CLB instance if the CLB instance uses the subscription billing method. Valid values: `true` `false`	true
AutoRenewPeriod	integer	No	The auto-renewal period of the subscription CLB instance. This parameter is valid only if `ChargeType` is set to `PrePay`. If the original subscription period of the CLB instance is less than one year, the value of this parameter indicates the number of months for auto-renewal. If the original subscription period of the CLB instance is more than one year, the value of this parameter indicates the number of years for auto-renewal.	3
ClusterSpec	string	No	The edition of the ASM instance. Valid values: `standard`: Standard Edition `enterprise`: Enterprise Edition `ultimate`: Ultimate Edition	standard
MultiBufferEnabled	boolean	No	Specifies whether to enable MultiBuffer-based Transport Layer Security (TLS) acceleration. Valid values: `true` `false` Default value: `true`	true
MultiBufferPollDelay	string	No	The pull-request latency. Default value: 30. Unit: seconds.	30s
UseExistingCA	boolean	No	Specifies whether to use an existing CA certificate and private key.	false
ExistingCaCert	string	No	The existing CA certificate, which is encoded in Base64. This parameter is used in scenarios where you migrate open source Istio to ASM. It specifies the content of the ca-cert.pem file in the istio-ca-secret secret. The secret is in the istio-system namespace of the Kubernetes cluster where the open source Istio is installed.	CA cert content, base64 encoded format.
ExistingCaKey	string	No	The existing CA key, which is encoded in Base64. This parameter is used in scenarios where you migrate open source Istio to ASM. It specifies the content of the ca-key.pem file in the istio-ca-secret secret. The secret is in the istio-system namespace of the Kubernetes cluster where the open source Istio is installed.	CA key content, base64 encoded format.
ExistingCaType`deprecated`	string	No	The type of the existing CA certificate. Valid values: 1: Self-signed certificate generated by istiod. The certificate corresponds to the secret named istio-ca-secret in the istio-system namespace. If you use this type of certificate, you must set the `ExistingCaCert` and `ExsitingCaKey` parameters. 2: Administrator-specified certificate. For more information, see plugin ca cert. In most cases, the certificate corresponds to the secret named cacerts in the istio-system namespace. If you use this type of certificate, you must set the `ExisingRootCaCert` and `ExisingRootCaKey` parameters.	1
ExistingRootCaCert	string	No	The existing root certificate, which is encoded in Base64.	Existing CA cert content, base64 encoded format.
ExistingRootCaKey`deprecated`	string	No	The private key that corresponds to the root certificate, which is encoded in Base64.	Existing CA key content, base64 encoded format.
CertChain	string	No	The certificate chain from the CA certificate to the root certificate. At least two certificates are included in the chain.	Base64 encoded PEM certificate chain.
GuestCluster	string	No	When you create an ASM instance, you can add a cluster to the ASM instance. If you do not specify this parameter, no cluster is added to the ASM instance. The cluster and the ASM instance must be in the same vSwitch of the same VPC and have the same domain name.	ACK cluster id
Tag	array<object>	No	Tag of the ASM instance. A tag contains the following information: key: the name of the tag value: the value of the tag
	object	No
Key	string	No	The name of the tag.	env
Value	string	No	The value of the tag.	prod
EnableAmbient	boolean	No	Specifies whether to enable the Ambient Mesh mode for the ASM instance.	false
PlaygroundScene	string	No	The playground scenario. If you specify this parameter, an ASM playground instance is created. Valid values: ewmaLb: the exponentially weighted moving average (EWMA) load balancing algorithm.	ewmaLb
EnableACMG	boolean	No	Specifies whether to enable the ACMG mode for the ASM instance.	false

Response parameters

Parameter	Type	Description	Example
	object
RequestId	string	The request ID.	BD65C0AD-D3C6-48D3-8D93-38D2015C****
ServiceMeshId	string	The ID of the ASM instance.	c08ba3fd1e6484b0f8cc1ad8fe10d****

Examples

Sample success responses

JSONformat

{
  "RequestId": "BD65C0AD-D3C6-48D3-8D93-38D2015C****",
  "ServiceMeshId": "c08ba3fd1e6484b0f8cc1ad8fe10d****"
}

Error codes

HTTP status code	Error code	Error message
404	ERR404	Not found

For a list of error codes, visit the Service error codes.

Change history

Change time	Summary of changes	Operation
2024-08-12	The Error code has changed. The request parameters of the API has changed	View Change Details
2024-07-12	The Error code has changed. The request parameters of the API has changed	View Change Details
2024-02-04	The Error code has changed. The request parameters of the API has changed	View Change Details
2023-11-13	The Error code has changed. The request parameters of the API has changed	View Change Details
2023-08-15	The Error code has changed. The request parameters of the API has changed	View Change Details
2023-08-10	The Error code has changed. The request parameters of the API has changed	View Change Details
2023-08-09	The Error code has changed. The request parameters of the API has changed	View Change Details
2023-04-13	The Error code has changed. The request parameters of the API has changed	View Change Details
2022-11-15	The Error code has changed. The request parameters of the API has changed	View Change Details
2021-12-31	The Error code has changed. The request parameters of the API has changed	View Change Details
2021-10-28	The Error code has changed. The request parameters of the API has changed	View Change Details
2021-09-06	The Error code has changed. The request parameters of the API has changed	View Change Details