This topic describes the latest updates to Service Mesh (ASM).
October 2024
Feature | Description | Region | Supported Istio version | Edition | References |
Support a multi-primary control plane architecture | Supports multi-primary control plane mode, which is an architecture where multiple Service Mesh instances jointly manage multiple Kubernetes clusters. Compared to adding multiple Kubernetes clusters to a single ASM instance, the multi-primary control plane architecture offers significant advantages in isolating configurations and reducing configuration push latency, making it more suitable for building multi-cluster disaster recovery solutions for business peer deployments. | All | 1.22 and above | All | Implement multi-cluster disaster recovery with ASM multi-primary control plane architecture |
Deploying mesh proxy using native sidecar mode | On Kubernetes 1.28 and later, ASM supports native sidecar mode, which addresses known issues between the sidecar lifecycle and the pod lifecycle. ASM 1.22 and later can deploy mesh proxies for applications in the cluster in native sidecar mode, which lets you add the mesh proxy container to the pod. | All | 1.22 and above | All | |
Collection of monitoring metrics from ASM traffic scheduling suite | If your Kubernetes cluster is integrated with Alibaba Cloud Managed Service for Prometheus or a self-managed Prometheus instance, you can configure the collection of monitoring metrics from the ASM request scheduling agent to monitor the traffic scheduling behavior of each policy in the ASM traffic scheduling suite. | All | 1.21 and above | All | Use ASM traffic scheduling suite for distributed system traffic control |
Extending dimension information of ASM monitoring metrics using Wasm plug-in | ASM comes with multiple built-in monitoring metrics and rich metric dimensions to help you better understand the operation of your applications. Additionally, ASM provides a powerful extension mechanism that allows you to write your own processing logic based on request or response information and add the processed results to the dimensions of monitoring metrics. This topic describes how to use the Wasm plug-in to add custom dimensions to existing monitoring metrics in ASM. | All | 1.18 and above | All | Extend dimension information of ASM monitoring metrics using Wasm plugin |
New periodic cleanup of ASM monitoring metrics | ASM generates metrics for all incoming, outgoing, and internal mesh traffic to monitor service behavior. These metrics include information such as total traffic, error rate, and request response time. However, long-term operation generates a large amount of metric data, significantly increasing resource consumption of Envoy and Prometheus. Therefore, ASM provides a configuration for regular cleanup of monitoring metrics, supporting the periodic cleanup of metrics cached in Envoy that have not been used for a period of time, to reduce Envoy memory consumption and decrease the network load when Prometheus pulls metrics. | All | 1.18 and above | All |
September 2024
Feature | Description | Region | Supported Istio version | Edition | References |
Support for deploying and using ASM on CloudBox | You can create a CloudBox node pool in an ACK cluster and schedule application pods to CloudBox nodes to use CloudBox resources. After adding the ACK cluster to ASM, ASM will manage both public cloud and CloudBox node pools, providing rich, unified routing, security, and observability capabilities for traffic between applications. | All | 1.22 and later | All | |
Support for importing Kubeconfig for cluster management | ASM supports importing any type of Kubernetes cluster using kubeconfig with cluster administrator permissions and managing applications on it. | All | 1.22 and later | All | |
Best practices: End-to-end security capabilities | In TLS communication, the client verifies the server's certificate, but the client itself does not need to provide a certificate, meaning the server cannot verify the client's identity. In scenarios requiring higher security configurations, the server also needs to verify the client's identity, which requires mTLS communication. mTLS communication requires both the client and server to provide certificates and verify each other before encrypted communication can occur. | All | 1.22 and later | All | |
Best practices: Custom error page | In certain situations, ASM gateways or mesh proxies may directly return an HTTP response with a specific response code to downstream without proxying the request to upstream services. The | All | All | All | |
Description of ASMSwimLaneGroup and ASMSwimLane fields | Traffic lanes support custom destination traffic policies and HTTP routing operations on services within a lane group. | All | 1.22 and later | All | |
Support for remote control plane mode | When the data plane cluster is located in other cloud services or on-premises data centers and connected to the ASM control plane via the Internet or other special methods, and the connected network environment is unstable or bandwidth is limited, it is recommended to use the ASM remote control plane to reduce push latency. | All | 1.22 and later | All | |
Develop Wasm plug-ins using Rust | ASM supports deploying Wasm plug-ins in mesh proxies to implement custom processing logic. The proxy-wasm community provides a Rust SDK for Wasm. | All | 1.18 and later | All |
August 2024
Feature | Description | Region | Supported Istio version | Edition | References |
Support for Istio 1.22 | Istio 1.22 is supported and the following important updates are implemented:
| All regions | 1.22 and later | All | N/A |
Support for the ACMG mode | The Alibaba Centralized Mesh Gateway (ACMG) mode is designed for large-scale network architectures to improve scalability, flexibility, and management efficiency of networks. | All regions | 1.22 and later | All | |
Security protection for egress traffic | ASMEgressTrafficPolicy custom resources and egress gateways are used to ensure the security of traffic transmitted from an ASM instance to external services. | All regions | 1.22 and later | All | |
Enhanced capabilities in multi-cluster scenarios | The capabilities of east-west gateways are enhanced. Complete Layer 7 load balancing, authorization policies, and CIDR conflict handling are supported for cross-cluster calls through east-west gateways. If cross-network communication cannot be established for multiple clusters at the underlying layer, you can use east-west gateways of ASM to connect the clusters. | All regions | 1.22 and later | Enterprise and Ultimate | Use ASM cross-cluster mesh proxy to implement cross-network communication among multiple clusters |
Use of the new integration center by ARMS (extended metrics) | ASM allows you to enable metrics on the data plane. After the metrics are enabled, gateways and sidecar proxies generate metrics related to their running status and the metrics are collected to Managed Service for Prometheus. | All regions | 1.17.2.35 and later | All | |
Best Practices - Support for registration of custom authorization services | ASM can be associated with custom authorization services based on HTTP and gRPC. This allows you to register existing or custom authorization services. | All regions | 1.20 and later | All | |
Metric monitoring and alerting for throttling and circuit breaking | Metrics related to throttling and circuit breaking capabilities, such as local throttling, global throttling, service-level circuit breaking, host-level circuit breaking, and connection pool-level circuit breaking, can be collected to Managed Service for Prometheus. In addition, you can configure alerts to be reported when throttling and circuit breaking occur based on the metrics. | All regions | All | All |
July 2024
Feature | Description | Region | Supported Istio version | Edition | References |
Support for HTTP/3 that adopts the UDP-based Quick UDP Internet Connections (QUIC) protocol | ASM gateways support HTTP/3. HTTP/3 has the following advantages over HTTP/2: reduced handshake latency, new multiplexing mechanism, connection migration, and higher security. HTTP/3 that adopts the UDP-based QUIC protocol allows you to enable TCP and UDP listeners on the same port. These listeners do not conflict with existing HTTP/2 and HTTP/1 listeners. | All regions | 1.16 and later | All | |
Support for the configuration of Limits on Downstream Connections | You can configure the maximum number of downstream connections allowed by a sidecar proxy based on your business requirements. You can specify an appropriate value for the Limits on Downstream Connections parameter to prevent sidecar proxies from being maliciously attacked. | All regions | 1.21 and later | All | |
Support for the configuration of a path normalization policy in an ASM instance | You can configure a path normalization policy to ensure that the paths of HTTP requests in ASM are always standardized. This reduces security risks. | All regions | 1.21 and later | All | |
Support for LoadRampingPolicy, ConcurrencyLimitingPolicy, ConcurrencySchedulingPolicy, and QuotaSchedulingPolicy provided by the ASM traffic scheduling suite | The ASM traffic scheduling suite supports the following policies:
| All regions | 1.21 and later | All | Use the ASM traffic scheduling suite to control traffic for a distributed system |
Playground features | ASM Playground allows you to build a complete environment for a specific scenario with a few clicks. The environment includes workloads and all declarative API resources (custom resources). Each ASM playground instance represents a specific scenario and automatically deploys the required resources, allowing you to have a certain degree of control over the scenario. The specific degree of control depends on the scenario. This way, you can quickly build a scenario-specific environment and experience the powerful features of ASM with a few clicks. | All regions | 1.21 and later | All |
June 2024
Feature | Description | Region | Supported Istio version | Edition | References |
ASM network packet inspection | For the traffic in an ASM instance, a packet inspection task can quickly capture the traffic information about workloads and assist in the rapid diagnostics of complex traffic issues. | All regions | 1.21 and later | All | Use packet inspection tasks to diagnose the traffic in an ASM instance |
ASM traffic scheduling suite | The ASM traffic scheduling suite is an ASM-based centralized traffic scheduling architecture model, and a collective name for various traffic scheduling policies developed based on this architecture model. It supports advanced traffic scheduling features, such as user-specific throttling and priority-based request scheduling. | All regions | 1.21 and later | All | Use the ASM traffic scheduling suite to control traffic for a distributed system |
Peak EWMA load balancing algorithm | The peak exponentially weighted moving average (peak EWMA) load balancing algorithm calculates the moving average of static weights, latencies, error rates, and other factors to obtain the scores of nodes and then selects suitable nodes for load balancing. This algorithm can intelligently ignore pods with deteriorated performance and route traffic to other idle pods in scenarios such as occasional latency increases and errors, thereby reducing the overall error rates and the response latencies of applications. | All regions | 1.21 and later | All | |
Enhanced Knative integration | Knative on ASM V1.12.4 is released. The integration of Knative on ASM with Container Service for Kubernetes (ACK) Knative is optimized to support quick deployment of Knative on ASM. | All regions | 1.21 and later | All | |
Improved Terraform support |
| All regions | 1.21 and later | All |
May 2024
Feature | Description | Region | Supported Istio version | Edition | References |
Support for Istio 1.21 | Istio 1.21 is officially released and available in all the regions. The latest features of the open source Istio 1.21 series are supported. Important: In Istio 1.21, the Load Bootstrap Configurations Before Sidecar Proxy Is Started feature is deprecated. For more information, see Configure sidecar proxies. | All regions | 1.21 and later | All | |
Traffic lane | Traffic lanes support transparent transmitting of baggage headers and percentage-based routing. | All regions | 1.21 and later | All | |
Enhanced capabilities in multi-cluster scenarios | A new networking solution is provided for multi-cluster scenarios. East-west ASM gateways can be used to establish Internet connections between clusters that reside in different regions. A new document Multi-cluster management overview is added to describe the scenarios and methods of multi-cluster management in ASM. | All regions | 1.21 and later | All | Use ASM cross-cluster mesh proxy to implement cross-network communication among multiple clusters |
Application-specific topology in Mesh Topology | You can select a namespace and an application in the namespace to view the topology of the services directly connected to the application. This optimizes the service topology display and user experience in scenarios with a large number of services. | All regions | 1.21 and later | All | |
Route-level configurations in ASMCompressor | ASMCompressor supports route-level configurations. You can enable compression by default and disable compression on a specific route. This simplifies configurations, reducing the risk of incorrect configurations. | All regions | 1.21 and later | All | Use ASMCompressor to define compression configurations for calls between application services |
April 2024
Feature | Description | Region | Supported Istio version | Edition | References |
Support for Istio 1.21 | Istio 1.21 is available only to whitelisted users. The latest features of the open source Istio 1.21 series are supported. Important: In Istio 1.21, the Load Bootstrap Configurations Before Sidecar Proxy Is Started feature is deprecated. For more information, see Configure sidecar proxies. | All regions | 1.21 and later | All | |
Automatic Certificate Management Environment (ACME) protocol for automatically issuing certificates for ASM gateways | ACME is a protocol for automating issuance of X.509 certificates. With the ACME protocol, a certificate authority (CA) automatically verifies that a certificate applicant has ownership of a domain and then issues a certificate for the applicant. ASM gateways can connect to multiple CAs over the ACME protocol to dynamically obtain domain name certificates. This way, the workload of certificate maintenance is reduced. | All regions | All | All | |
Data plane performance optimization based on eRDMA and SMC | You can enable Shared Memory Communication (SMC) in an ASM instance to optimize ASM data plane communication performance on Alibaba Cloud 8th-generation ECS instances that support elastic Remote Direct Memory Access (eRDMA) and run Alibaba Cloud Linux 3. | All regions | 1.21 and later | All | |
Use of PrivateLink to manage network connectivity between a control plane and a data plane cluster across VPCs | If an ASM instance and a Container Service for Kubernetes (ACK) cluster on the data plane reside in different virtual private clouds (VPCs) in the same region, you can use PrivateLink to connect the ASM instance to the ACK cluster on the data plane. ASM allows you to use CustomResourceDefinitions (CRDs) to simplify network connectivity. | All regions | 1.21 and later | All | |
Use of dynamic subset load balancing to accelerate the inference process of Model Service Mesh | You can use the dynamic subset load balancing feature of ASM to route requests to the correct runtime environment to accelerate the inference process of Model Service Mesh. | All regions | 1.21 and later | All | Use dynamic subset load balancing to accelerate model service mesh inference |
Use of ASMCircuitBreaker to configure circuit breaking rules for inter-service call traffic | You can use the ASMCircuitBreaker CRD to configure circuit breaking rules for east-west call traffic. | All regions | 1.19 and later | All | Use ASMCircuitBreaker to configure circuit breaking rules for inter-service call traffic |
March 2024
Feature | Description | Region | Supported Istio version | Edition | References |
Support for outputting access logs in plain text strings and JSON strings | Access logs can be output to the corresponding container as plain text strings. The plain text form is more information-dense and space-saving than the JSON form. | All regions | 1.20 and later | All | |
Support for maintenance windows | You can configure a maintenance window of an ASM instance to specify the automatic maintenance time of the managed control plane of the ASM instance. | All regions | All | All | |
Support for the development of WebAssembly (Wasm) extensions for an Envoy proxy in Go | You can develop a Wasm extension in Go and insert it into the filter chain of an Envoy proxy. This helps you meet requirements in specific scenarios. For example, Wasm extensions allow you to dynamically add or modify HTTP headers based on specific rules, adjust route destinations, and access external custom authorization services. | All regions | 1.18 and later | All | |
Support for managed security groups | When you create an ASM instance, you can create a security group to provide a higher level of security protection for the ASM control plane. | All regions | 1.20 and later | All |
February 2024
Feature | Description | Region | Supported Istio version | Edition | References |
Support for Istio 1.20 | The latest features of the open source Istio 1.20 series are supported. | All regions | 1.20 and later | All | |
Support for canary upgrades of ASM gateways | To ensure business continuity after an upgrade of an ASM gateway, you can perform a canary upgrade of the ASM gateway. You can start a new version of a gateway pod to verify that traffic can be properly forwarded. Then, you can fully upgrade the ASM gateway. If an issue is found during the verification, you can delete the new version of the pod at any time. After the issue is resolved, you can proceed with the upgrade. | All regions | 1.20 and later | All | |
Support for configuring a Prometheus instance to collect metrics of applications in ASM over mutual Transport Layer Security (mTLS) | For critical services, it is essential to have encryption mechanisms in place not only for the communication among services but also for the collection of metrics. ASM allows you to configure a Prometheus instance to collect metrics of applications in an ASM instance over mTLS. | All regions | All | All | Configure a Prometheus instance to collect metrics of applications in an ASM instance over mTLS |
Optimization of the plug-in center and Envoy filters |
| All regions | 1.18 and later | All | |
Support for managing Envoy filter templates and traffic lanes in a declarative manner |
| All regions | 1.20 and later | All |
January 2024
Feature | Description | Region | Supported Istio version | Edition | References |
Intelligent diagnostics added to the mesh diagnostics feature of ASM | An AI assistant is integrated for intelligent diagnostics. After diagnosis results are generated, large language model (LLM) technology is used to explain the causes of the results of the diagnostics items and provide solutions. | All regions | All | All | |
Enhanced features of Mesh Topology | Mesh Topology provides more powerful observability features and improved ease of use.
| All regions | All | All | |
Support for custom request headers and response headers | ASM allows you to use the VirtualService and EnvoyFilter CRDs to customize request headers and response headers. | All regions | All | All | |
Support for scenario-based throttling | Best practices are provided for using the throttling feature in the following scenarios:
| All regions | 1.11.5 and later | Enterprise and Ultimate |
December 2023
Feature | Description | Region | Supported Istio version | Edition | References |
Support for Istio 1.19 and 1.18 patch versions |
| All regions | All | All | None |
Pay-as-you-go billing method for the CLB instances that are created for a new ASM instance | When you create an ASM instance, internal-facing CLB instances that use the pay-as-you-go billing method are created by default to access the API server and the Istio control plane. | All regions | All | All | |
Support for use of Common Expression Language (CEL) to configure rules for filtering access logs | ASM allows you to use CEL to configure rules for filtering logs. In business scenarios with a large number of access requests, you can filter logs based on specific conditions to reduce the resource overhead of sidecar proxies and focus on key log content. | All regions | 1.18 and later | All | |
Simplified management of local throttling | The local throttling feature is enhanced to meet requirements in common throttling scenarios. In addition, a graphical user interface (GUI) is provided to simplify the configuration process and reduce operation errors. This improves the overall ease of use. | All regions | 1.18 and later | All |
November 2023
Feature | Description | Region | Supported Istio version | Edition | References |
Support for Model Service Mesh | Model Service Mesh is used to deploy and manage machine learning model services. In addition, Model Service Mesh provides some features, such as traffic splitting, A/B testing, and canary release, to help you better control and manage the traffic destined for model services. You can use these features to easily switch traffic among different model versions and roll back to specific model versions. Model Service Mesh also supports the dynamic routing feature. This feature allows you to route requests to appropriate model services based on their attributes, such as model type, data format, or other metadata. Model Service Mesh allows developers to deploy, manage, and scale machine learning models more easily while providing high availability, resiliency, and flexibility to meet different business needs. | All regions | 1.18 and later | All | |
Support for the deployment of ASM serverless gateways | ASM serverless gateways can be deployed on virtual nodes and elastic container instances. ASM serverless gateways are applicable to service scenarios that require elastic resources and do not require node maintenance. | All regions | 1.18 and later | All | Use ASM serverless gateways to improve your system availability and elasticity |
Support for accessing applications in an ASM instance by using a CLB instance | Mesh Topology in managed mode allows you to access applications deployed in an ASM instance by using a CLB instance. This simplifies the access configurations of Mesh Topology. | All regions | 1.18 and later | All | |
Support for KServe 0.11 | KServe 0.11 can be integrated with ASM to facilitate your management of model services. You can use InferenceService to deploy a transformer and select an appropriate KServe version based on your business requirements. | All regions | 1.18 and later | All | |
Support for integration with OpenTelemetry Collector | Tracing data can be exported to Managed Service for OpenTelemetry or a self-managed system that is compatible with Zipkin. | All regions | 1.18 and later | All |
October 2023
Feature | Description | Region | Supported Istio version | Edition | References |
Support for using the ASMCompressor CRD fields to define compression configurations for calls between application services | You can use CRD fields to define the compression configurations for calls between application services. In addition, you can add compression filters that use consistent compression configurations to your applications. The parameters of the Gzip and Brotli compression algorithms are configurable. | All regions | 1.18 and later | All | |
Support for using the ASMGrpcJsonTranscoder CRD fields to define the configurations for transcoding between HTTP/JSON and gRPC/Protobuf | You can use CRD fields to define the configurations for transcoding between HTTP/JSON and gRPC/Protobuf, which are used for calls between application services. In addition, you can add transcoding filters that use consistent transcoding configurations to your applications. | All regions | 1.18 and later | All | |
Support for custom Wasm plug-ins on the ASM data plane | You can configure custom Wasm plug-ins for ASM sidecar proxies or ASM gateways to improve the extensibility of the ASM data plane. Wasm plug-ins support multiple programming languages (such as C++ and Golang) and can be loaded in multiple ways: HTTP, OCI image hub, and ConfigMap. | All regions | 1.18 and later | All | Use the Coraza Wasm plug-in to implement WAF capabilities on an ASM gateway |
Support for using the ASMGlobalRateLimiter CRD fields to configure global throttling for ingress gateways and inbound traffic directed to services | You can use CRD fields to configure global throttling for ingress gateways and inbound traffic directed to services. | All regions | 1.18 and later | All |
September 2023
Feature | Description | Region | Supported Istio version | Edition | References |
Support for dynamic subset load balancing | The dynamic subset load balancing feature dynamically selects a subset of destination services based on | All regions | 1.18 and later | Enterprise and Ultimate | |
Support for traffic lane in strict and permissive modes | Traffic lanes support both strict and permissive modes. In permissive mode, the mechanism of fallback to the baseline lane can simplify end-to-end (E2E) traffic management in scenarios where request routing headers are the same as E2E pass-through request headers. | All regions | 1.18 and later | Enterprise and Ultimate | |
Support for Mesh Topology in managed mode | Compared with Mesh Topology in in-Kubernetes-cluster mode, Mesh Topology in managed mode has greater advantages in unified observation of multiple clusters, easy configuration, and service reliability. | All regions | 1.18 and later | Enterprise and Ultimate |
August 2023
Feature | Description | Region | Supported Istio version | Edition | References |
Ambient Mesh | A sidecarless data plane mode that is compatible with Istio Ambient Mesh is provided. You can adopt the service mesh technology incrementally depending on the features that you require. The features include Layer 4 and Layer 7 routing and authorization. | All regions | 1.18 and later | Enterprise and Ultimate | |
Support for Istio 1.18.x versions | The latest features of the open source Istio 1.18 series are supported. | All regions | 1.18 and later | All | None |
Container Network Interface (CNI) mode enabled by default during ASM instance creation | By default, the CNI mode is enabled when you create an ASM instance. However, in the case of ACK Serverless and ACK on Elastic Container Instance clusters, CNI DaemonSet is not deployed even if the CNI mode is enabled. | All regions | 1.18 and later | All | |
Support for Knative 1.8 | Knative 1.8 is used by default when you use Knative on ASM to deploy serverless workloads in an ASM instance of version 1.18. | All regions | 1.18 and later | All | |
Support for Network Load Balancer (NLB) by ingress gateways | NLB offers ultra-high performance and can automatically scale on demand. NLB supports higher availability and further improves the stability of gateway traffic. | All regions | 1.18 and later | All |
July 2023
Feature | Description | Region | Supported Istio version | Edition | References |
Canary release of a control plane | ASM supports revision- and label-based canary updates of a control plane in a more stable and secure manner. | All regions | 1.16 and later | Enterprise and Ultimate | |
Simplified label synchronization of global namespaces | If multiple Kubernetes clusters on the data plane are added to the ASM instance, you can modify the clusters to which a global namespace belongs. This way, you can synchronize varied namespace labels to different clusters based on your business requirements. The ASM console provides the | All regions | 1.16 and later | All | |
Audit alerts for operations on ASM resources | After you enable the audit feature for ASM, you can configure alerts in Simple Log Service to enable audit alerts for changes of ASM resources. This way, alerts are sent to alert contacts in a timely manner for changes of important resources. | All regions | 1.15 and later | All | |
Adaptive xDS optimization for an egress gateway | After you enable the adaptive xDS optimization feature, an egress gateway named istio-axds-egressgateway is deployed in the corresponding Kubernetes cluster, and you can modify the configuration of the egress gateway. | All regions | 1.15 and later | All | Use adaptive xDS optimization to improve the configuration push efficiency of the control plane |
Integration with an external Open Policy Agent (OPA) engine | Compared with OPA deployed in sidecar mode, an OPA engine outside pods boasts the following advantages: The resource usage is lower. The pod does not need to be restarted for OPA container deployment and access to applications. You can use an OPA policy for specific requests to an application. | All regions | 1.15 and later | All | |
Log and metric collection of a gateway | ASM allows you to configure the features of generating and collecting the access logs and metrics of a gateway. You can view the raw logs and log dashboard of a specific gateway. | All regions | 1.17 and later | All |
June 2023
Feature | Description | Region | Supported Istio version | Edition | References |
Observability Management Center 2.0 | Observability settings, including log settings, metric settings, and trace analysis settings, can be configured in the same module. | All regions | 1.17.2.35 and later | All | |
On-demand configuration of the feature of merging Istio metrics with application metrics | For an application integrated with Prometheus, you can use sidecar proxies to expose application metrics by merging Istio metrics with the application metrics. | All regions | 1.17 and later | All | |
Namespace blacklist mode of service discovery selectors | You can use service discovery selectors to configure a namespace whitelist and allow the control plane of an ASM instance to discover and process applications in namespaces that are not in blacklists. This makes it more efficient for the control plane to push service configurations to sidecar proxies on the data plane. | All regions | 1.17 and later | Enterprise and Ultimate | Use service discovery selectors to improve the efficiency of pushing ASM configurations |
ASM fallback mechanism for traffic management | A fallback mechanism provides an alternative call path when a service call fails. ASM allows you to define fallback parameters in a virtual service so that a fallback can be performed when a requested service fails. | All regions | 1.17 and later | Enterprise and Ultimate | |
Logon to Mesh Topology as a RAM user or by using custom access modes | You can log on to the Mesh Topology console as a Resource Access Management (RAM) user by default. Alternatively, you can configure the domain name, port, service root path, and protocol used to access Mesh Topology. | All regions | 1.17 and later | All | |
Alerts of ASM certificate management in Simple Log Service | You can configure certificate management alerts on the control plane. Certificate expiration and about-to-expiration alerts are supported. | All regions | 1.17 and later | All |
May 2023
Feature | Description | Region | Supported Istio version | Edition | References |
Support for Istio 1.17.x versions | The latest features of the open source Istio 1.17 series are supported. | All regions | 1.17 and later | All | None |
Support for the Machine Learning Operations (MLOps) management of models by KServe on ASM | KServe can be integrated with ASM to facilitate your management of AI model services. | All regions | 1.17 and later | Enterprise and Ultimate | Integrate KServe with ASM to implement inference services based on cloud-native AI models |
Support for serverless ASM gateways | A serverless ASM gateway is provided based on virtual nodes and elastic container instances. It is applicable to service scenarios that require elastic resources and do not require node maintenance. | All regions | 1.16 and later | Enterprise and Ultimate | |
Support for global certificate management | ASM supports the following certificate management features in a global manner: | All regions | 1.17 and later | All | |
Support for a GUI that allows you to view Istio resources in Mesh Topology | The Virtual Services option is added so that you can check whether virtual service resources are configured in Mesh Topology. | All regions | 1.15 and later | Enterprise and Ultimate | |
Support for namespace exclusion during ASM instance diagnostics | During ASM instance diagnostics, you can choose to exclude a specified namespace. Diagnosis results will not be generated for the excluded namespace. | All regions | 1.17 and later | All | |
April 2023
Feature | Description | Region | Supported Istio version | Edition | References |
Support for Istio 1.16.x versions | The open source Istio 1.16 series is supported. | All regions | 1.16 and later | All | None |
Simplified management of sidecar proxy injection | The management of injection policies and sidecar injector settings is simplified. | All regions | 1.16 and later | All | |
Support for the Google Remote Procedure Call (gRPC)-JSON transcoder plug-in | You can access gRPC services by using RESTful APIs or HTTP/JSON requests, which simplifies the integration and use of gRPC services. | All regions | 1.16 and later | Enterprise and Ultimate | Use ASMGrpcJsonTranscoder to allow HTTP/JSON requests to access gRPC services in an ASM instance |
Logon to Mesh Topology as a RAM user | Single sign-on (SSO) is implemented for the Mesh Topology console. You can log on to ASM Mesh Topology as a RAM user. | All regions | 1.16 and later | Enterprise and Ultimate | Log on to ASM Mesh Topology with an Alibaba Cloud account or as a RAM user |
March 2023
Feature | Description | Region | Supported Istio version | Edition | References |
Connection of an ingress gateway to a Web Application Firewall (WAF) instance | | All regions | All | Enterprise and Ultimate | |
Configuration of Ingress resources | You can use Ingress resources in a cluster on the data plane and specify an ASM gateway as the Ingress controller to expose services in the cluster. | All regions | 1.16 and later | Enterprise and Ultimate | Use an ASM gateway as an Ingress controller to expose services in a cluster |
Management of Knative Services | ASM integrates the capabilities of the Knative Serving component that is deployed in either an ACK cluster or an ACK Serverless cluster. This helps you manage serverless workloads. | All regions | 1.16 and later | Enterprise and Ultimate | |
Logon to Mesh Topology by using OpenID Connect (OIDC) | You can connect to an identity provider (IdP) over the OIDC protocol to log on to Mesh Topology and configure SSO to Mesh Topology in the ASM console. | All regions | 1.15.3.120 and later | Enterprise and Ultimate | |
Overcommitment mode for sidecar proxies | You can enable the dynamic resource overcommitment feature and configure resources that can be dynamically overcommitted in a sidecar proxy. | All regions | 1.16 and later | Enterprise and Ultimate | Configure ACK resources that can be dynamically overcommitted in a sidecar proxy |
Configuration of egress traffic policies | An egress traffic policy defines how an egress gateway manages egress traffic. An egress traffic policy can work with sidecar proxies and authorization policies to provide more comprehensive control over egress traffic. | All regions | 1.16 and later | Enterprise and Ultimate | |
Configuration of a global default HTTP request retry policy | ASM allows you to configure a global default HTTP request retry policy that can define the number of retries, retry timeout period, and retry conditions. | All regions | 1.15 and later | All | None |
February 2023
Feature | Description | Region | Supported Istio version | Edition | References |
Support for the Istio 1.15.3.105 version | The open source Istio 1.15 series and Kubernetes versions 1.21 to 1.25 are supported. | All regions | v1.15.3.105 | All | None |
Enhanced observability | | All regions | All | All | |
Optimized performance of the mesh topology | | All regions | 1.14 and later | All | |
Enhanced traffic management in the multi-cluster environment | The feature of keeping traffic in-cluster is supported in the multi-cluster environment. When you deploy a service across multiple clusters, this feature ensures that traffic is only routed to workloads within the specified cluster. | All regions | 1.15.3.101 and later | All | Enable the feature of keeping traffic in-cluster in multi-cluster scenarios |
More flexible sidecar proxy configuration | | All regions | 1.15.3.101 and later | All | |
Custom ASM gateway configurations and enhanced observability | | All regions | All | Enterprise and Ultimate | |
January 2023
Feature | Description | Region | Supported Istio version | Edition | References |
Topology query over a time range within 90 days | You can use the Mesh Topology tool to query the topology over a time range within 90 days. | All regions | 1.14 and later | All | |
New environment variable for the configuration of sidecar proxies on the data plane | A new environment variable is added to the configuration of sidecar proxies. You can configure the environment variable to load the bootstrap configuration before sidecar proxies are started. | All regions | 1.15.3.63 and later | All | |
Enhanced security capabilities of ingress gateways | OIDC-based SSO and JSON Web Token (JWT)-based authentication can be configured by using ASM ingress gateways in a few steps. | All regions | 1.15.3.25 and later | Enterprise and Ultimate | |
Historical release notes
For more information about release notes for Service Mesh before 2023, see Historical release notes (before 2023).