Alibaba Cloud Service Mesh: Release Notes

Last Updated: Dec 10, 2024

This topic describes the latest updates to Service Mesh (ASM).

October 2024

Feature

Description

Region

Supported Istio version

Edition

References

Support a multi-primary control plane architecture

Supports multi-primary control plane mode, which is an architecture where multiple Service Mesh instances jointly manage multiple Kubernetes clusters. Compared to adding multiple Kubernetes clusters to a single ASM instance, the multi-primary control plane architecture offers significant advantages in isolating configurations and reducing configuration push latency, making it more suitable for building multi-cluster disaster recovery solutions for business peer deployments.

All

1.22 and above

All

Implement multi-cluster disaster recovery with ASM multi-primary control plane architecture

Deploying mesh proxy using native sidecar mode

Kubernetes 1.28 and later supports native sidecar mode, which addresses known issues with the sidecar lifecycle and the pod lifecycle. ASM 1.22 and later supports deploying mesh proxies for applications in the cluster in native sidecar mode, allowing you to add the mesh proxy container to the pod.

All

1.22 and above

All

Deploy mesh proxy using native Sidecar mode

Collection of monitoring metrics from ASM traffic scheduling suite

If your Kubernetes cluster is integrated with Alibaba Cloud Managed Service for Prometheus or a self-managed Prometheus instance, you can configure the collection of monitoring metrics from the ASM request scheduling agent to monitor the traffic scheduling behavior of each policy in the ASM traffic scheduling suite.

All

1.21 and above

All

Use ASM traffic scheduling suite for distributed system traffic control

Extending dimension information of ASM monitoring metrics using Wasm plug-in

ASM comes with multiple built-in monitoring metrics and rich metric dimensions to help you better understand the operation of your applications. Additionally, ASM provides a powerful extension mechanism that allows you to write your own processing logic based on request or response information and add the processed results to the dimensions of monitoring metrics. This topic describes how to use the Wasm plug-in to add custom dimensions to existing monitoring metrics in ASM.

All

1.18 and above

All

Extend dimension information of ASM monitoring metrics using Wasm plugin

New periodic cleanup of ASM monitoring metrics

ASM generates metrics for all incoming, outgoing, and internal mesh traffic to monitor service behavior. These metrics include information such as total traffic, error rate, and request response time. However, long-term operation generates a large amount of metric data, significantly increasing resource consumption of Envoy and Prometheus. Therefore, ASM provides a configuration for regular cleanup of monitoring metrics, supporting the periodic cleanup of metrics cached in Envoy that have not been used for a period of time, to reduce Envoy memory consumption and decrease the network load when Prometheus pulls metrics.

All

1.18 and above

All

Configure periodic cleanup of ASM monitoring metrics

September 2024

Feature

Description

Region

Supported Istio version

Edition

References

Support for deploying and using ASM on CloudBox

You can create a CloudBox node pool in an ACK cluster and schedule application pods to CloudBox nodes to use CloudBox resources. After adding the ACK cluster to ASM, ASM will manage both public cloud and CloudBox node pools, providing rich, unified routing, security, and observability capabilities for traffic between applications.

All

1.22 and later

All

Use ASM to manage workloads on ACK CloudBox nodes

Support for importing Kubeconfig for cluster management

ASM supports importing any type of Kubernetes cluster using kubeconfig with cluster administrator permissions and managing applications on it.

All

1.22 and later

All

Manage Kubernetes clusters imported through kubeconfig

Best practices: End-to-end security capabilities

In TLS communication, the client verifies the server's certificate, but the client itself does not need to provide a certificate, meaning the server cannot verify the client's identity. In scenarios requiring higher security configurations, the server also needs to verify the client's identity, which requires mTLS communication. mTLS communication requires both the client and server to provide certificates and verify each other before encrypted communication can occur.

All

1.22 and later

All

Best practices:

Custom error page

In certain situations, ASM gateways or mesh proxies may directly return an HTTP response with a specific response code to downstream without proxying the request to upstream services. The CustomLocalReply plug-in allows customization of the response body, response code, and response content when ASM gateways or mesh proxies respond directly to downstream. Different response content can be defined for each response code.

All

All

All

CustomLocalReply plug-in

Description of ASMSwimLaneGroup and ASMSwimLane fields

Traffic lanes support custom destination traffic policies and HTTP routing operations on services within a lane group.

All

1.22 and later

All

Description of ASMSwimLaneGroup and ASMSwimLane fields

Support for remote control plane mode

If the data plane cluster is located in another cloud service or an on-premises data center and is connected to the ASM control plane over the Internet or by other special methods, and the network is unstable or bandwidth is limited, using the ASM remote control plane is recommended to reduce push latency.

All

1.22 and later

All

Develop Wasm plug-ins using Rust

ASM supports deploying Wasm plug-ins in mesh proxies to implement custom processing logic. The proxy-wasm community provides a Rust SDK for Wasm.

All

1.18 and later

All

Develop Wasm plug-ins for mesh proxies using Rust

August 2024

Feature

Description

Region

Supported Istio version

Edition

References

Support for Istio 1.22

Istio 1.22 is supported and the following important updates are implemented:

  • Native sidecar containers are supported (enabled for ACK clusters of V1.30 and later by default).

  • Container Compute Service (ACS) clusters are supported.

  • YiTian ARM is supported.

  • The Gateway API is updated to V1.1, and GRPCRoute is supported.

  • By default, the control plane uses Delta XDS to communicate with the data plane. This improves the configuration push efficiency.

  • Authorization policies can match request paths by using templates.

  • A timeout period can be configured, which specifies the maximum waiting time for a request authorization policy to obtain jwksUri.

All regions

1.22 and later

All

N/A

Support for the ACMG mode

The Alibaba Centralized Mesh Gateway (ACMG) mode is designed for large-scale network architectures to improve scalability, flexibility, and management efficiency of networks.

All regions

1.22 and later

All

ACMG mode

Security protection for egress traffic

ASMEgressTrafficPolicy custom resources and egress gateways are used to ensure the security of traffic transmitted from an ASM instance to external services.

All regions

1.22 and later

All

Enhanced capabilities in multi-cluster scenarios

The capabilities of east-west gateways are enhanced. Complete Layer 7 load balancing, authorization policies, and CIDR conflict handling are supported for cross-cluster calls through east-west gateways. If cross-network communication cannot be established for multiple clusters at the underlying layer, you can use east-west gateways of ASM to connect the clusters.

All regions

1.22 and later

Enterprise and Ultimate

Use ASM cross-cluster mesh proxy to implement cross-network communication among multiple clusters

Use of the new integration center by ARMS (extended metrics)

ASM allows you to enable metrics on the data plane. After the metrics are enabled, gateways and sidecar proxies generate metrics related to their running status and the metrics are collected to Managed Service for Prometheus.

All regions

1.17.2.35 and later

All

Upgrade metrics and dashboards of ASM

Best Practices - Support for registration of custom authorization services

ASM can be associated with custom authorization services based on HTTP and gRPC. This allows you to register existing or custom authorization services.

All regions

1.20 and later

All

Metric monitoring and alerting for throttling and circuit breaking

Metrics related to throttling and circuit breaking capabilities, such as local throttling, global throttling, service-level circuit breaking, host-level circuit breaking, and connection pool-level circuit breaking, can be collected to Managed Service for Prometheus. In addition, you can configure alerts to be reported when throttling and circuit breaking occur based on the metrics.

All regions

All

All

July 2024

Feature

Description

Region

Supported Istio version

Edition

References

Support for HTTP/3 that adopts the UDP-based Quick UDP Internet Connection (QUIC) protocol

ASM gateways support HTTP/3. HTTP/3 has the following advantages over HTTP/2: reduced handshake latency, new multiplexing mechanism, connection migration, and higher security. HTTP/3 that adopts the UDP-based QUIC protocol allows you to enable TCP and UDP listeners on the same port. These listeners do not conflict with existing HTTP/2 and HTTP/1 listeners.

All regions

1.16 and later

All

Use HTTP/3 to access an ASM ingress gateway

Support for the configuration of Limits on Downstream Connections

You can configure the maximum number of downstream connections allowed by a sidecar proxy based on your business requirements. You can specify an appropriate value for the Limits on Downstream Connections parameter to prevent sidecar proxies from being maliciously attacked.

All regions

1.21 and later

All

Configure sidecar proxies

Support for the configuration of a path normalization policy in an ASM instance

You can configure a path normalization policy to ensure that the paths of HTTP requests in ASM are always standardized. This reduces security risks.

All regions

1.21 and later

All

Configure a path normalization policy in an ASM instance

Support for LoadRampingPolicy, ConcurrencyLimitingPolicy, ConcurrencySchedulingPolicy, and QuotaSchedulingPolicy provided by the ASM traffic scheduling suite

The ASM traffic scheduling suite supports the following policies:

  • LoadRampingPolicy: This CustomResourceDefinition (CRD) allows you to implement progressive service release.

  • ConcurrencyLimitingPolicy: This CRD can be used to strictly limit the concurrent requests received by the destination service.

  • ConcurrencySchedulingPolicy: This CRD allows you to implement priority-based scheduling of requests under controlled concurrency.

  • QuotaSchedulingPolicy: This CRD allows you to implement priority-based scheduling of requests while ensuring that the request rate is below the quota limit.

All regions

1.21 and later

All

Use the ASM traffic scheduling suite to control traffic for a distributed system

Playground features

ASM Playground allows you to build a complete environment for a specific scenario with a few clicks. The environment includes workloads and all declarative API resources (custom resources). Each ASM playground instance represents a specific scenario and automatically deploys the required resources, allowing you to have a certain degree of control over the scenario. The specific degree of control depends on the scenario. This way, you can quickly build a scenario-specific environment and experience the powerful features of ASM with a few clicks.

All regions

1.21 and later

All

ASM Playground

June 2024

Feature

Description

Region

Supported Istio version

Edition

References

ASM network packet inspection

For the traffic in an ASM instance, a packet inspection task can quickly capture the traffic information about workloads and assist in the rapid diagnostics of complex traffic issues.

All regions

1.21 and later

All

Use packet inspection tasks to diagnose the traffic in an ASM instance

ASM traffic scheduling suite

The ASM traffic scheduling suite is an ASM-based centralized traffic scheduling architecture model, and a collective name for various traffic scheduling policies developed based on this architecture model. It supports advanced traffic scheduling features, such as user-specific throttling and priority-based request scheduling.

All regions

1.21 and later

All

Use the ASM traffic scheduling suite to control traffic for a distributed system

Peak EWMA load balancing algorithm

The peak exponentially weighted moving average (peak EWMA) load balancing algorithm calculates the moving average of static weights, latencies, error rates, and other factors to obtain the scores of nodes and then selects suitable nodes for load balancing. This algorithm can intelligently ignore pods with deteriorated performance and route traffic to other idle pods in scenarios such as occasional latency increases and errors, thereby reducing the overall error rates and the response latencies of applications.

All regions

1.21 and later

All

Use the peak EWMA load balancing algorithm

Enhanced Knative integration

Knative on ASM V1.12.4 is released. The integration of Knative on ASM with Container Service for Kubernetes (ACK) Knative is optimized to support quick deployment of Knative on ASM.

All regions

1.21 and later

All

Use ASM to simplify serverless workload management

Improved Terraform support

  • The latest version of ASM is used in the examples in the documentation.

  • A new section "Change the attributes of an ASM instance" is added to describe how to use Terraform to change the attributes of an ASM instance.

  • A method is added for handling the situation in which some fields are deleted when the terraform apply command is executed.

All regions

1.21 and later

All

Use Terraform to manage ASM instances

May 2024

Feature

Description

Region

Supported Istio version

Edition

References

Support for Istio 1.21

Istio 1.21 is officially released and available in all the regions. The latest features of the open source Istio 1.21 series are supported.

  • When you write a virtual service and a destination rule for a Service with the ExternalName field, you should use the value of the ExternalName field.

  • In a virtual service, you can configure the :authority header in the HTTPRouteDestination field.

  • In a destination rule, you can configure maxConcurrentStreams for the HTTP connection pool and idleTimeout for the TCP connection pool.

  • You can use the Sidecar Traffic Configuration feature to configure connection pools of sidecar proxies for inbound requests.

Important

In Istio 1.21, the Load Bootstrap Configurations Before Sidecar Proxy Is Started feature is deprecated. For more information, see Configure sidecar proxies.

All regions

1.21 and later

All

Support for Istio versions

Traffic lane

Traffic lanes support transparent transmission of baggage headers and percentage-based routing.

All regions

1.21 and later

All

Enhanced capabilities in multi-cluster scenarios

A new networking solution is provided for multi-cluster scenarios. East-west ASM gateways can be used to establish Internet connections between clusters that reside in different regions. A new document Multi-cluster management overview is added to describe the scenarios and methods of multi-cluster management in ASM.

All regions

1.21 and later

All

Use ASM cross-cluster mesh proxy to implement cross-network communication among multiple clusters

Application-specific topology in Mesh Topology

You can select a namespace and an application in the namespace to view the topology of the services directly connected to the application. This optimizes the service topology display and user experience in scenarios with a large number of services.

All regions

1.21 and later

All

Enable Mesh Topology to improve observability

Route-level configurations in ASMCompressor

ASMCompressor supports route-level configurations. You can enable compression by default and disable compression on a specific route. This simplifies configurations, reducing the risk of incorrect configurations.

All regions

1.21 and later

All

Use ASMCompressor to define compression configurations for calls between application services

April 2024

Feature

Description

Region

Supported Istio version

Edition

References

Support for Istio 1.21

Istio 1.21 is available only to whitelisted users. The latest features of the open source Istio 1.21 series are supported.

  • When you write a virtual service and a destination rule for a Service with the ExternalName field, you should use the value of the ExternalName field.

  • In a virtual service, you can configure the :authority header in the HTTPRouteDestination field.

  • In a destination rule, you can configure maxConcurrentStreams for the HTTP connection pool and idleTimeout for the TCP connection pool.

  • You can use the Sidecar Traffic Configuration feature to configure connection pools of sidecar proxies for inbound requests.

Important

In Istio 1.21, the Load Bootstrap Configurations Before Sidecar Proxy Is Started feature is deprecated. For more information, see Configure sidecar proxies.

All regions

1.21 and later

All

Support for Istio versions

Automatic Certificate Management Environment (ACME) protocol for automatically issuing certificates for ASM gateways

ACME is a protocol for automating issuance of X.509 certificates. With the ACME protocol, a certificate authority (CA) automatically verifies that a certificate applicant has ownership of a domain and then issues a certificate for the applicant. ASM gateways can connect to multiple CAs over the ACME protocol to dynamically obtain domain name certificates. This way, the workload of certificate maintenance is reduced.

All regions

All

All

Use ACME CA to issue certificates for ASM ingress gateways

Data plane performance optimization based on eRDMA and SMC

You can enable Shared Memory Communication (SMC) in an ASM instance to optimize ASM data plane communication performance on Alibaba Cloud 8th-generation ECS instances that support elastic Remote Direct Memory Access (eRDMA) and run Alibaba Cloud Linux 3.

All regions

1.21 and later

All

Enable SMC in an ASM instance to accelerate network communications on Alibaba Cloud 8th-generation ECS instances

Use of PrivateLink to manage network connectivity between a control plane and a data plane cluster across VPCs

If an ASM instance and a Container Service for Kubernetes (ACK) cluster on the data plane reside in different virtual private clouds (VPCs) in the same region, you can use PrivateLink to connect the ASM instance to the ACK cluster on the data plane. ASM allows you to use CustomResourceDefinitions (CRDs) to simplify network connectivity.

All regions

1.21 and later

All

Use PrivateLink to manage network connectivity between a control plane and a data-plane cluster across VPCs

Use of dynamic subset load balancing to accelerate the inference process of Model Service Mesh

You can use the dynamic subset load balancing feature of ASM to route requests to the correct runtime environment to accelerate the inference process of Model Service Mesh.

All regions

1.21 and later

All

Use dynamic subset load balancing to accelerate model service mesh inference

Use of ASMCircuitBreaker to configure circuit breaking rules for inter-service call traffic

You can use the ASMCircuitBreaker CRD to configure circuit breaking rules for east-west call traffic.

All regions

1.19 and later

All

Use ASMCircuitBreaker to configure circuit breaking rules for inter-service call traffic

March 2024

Feature

Description

Region

Supported Istio version

Edition

References

Support for outputting access logs in plain text strings and JSON strings

Access logs can be output to the corresponding container as plain text strings. The plain text form is more information-dense and space-saving than the JSON form.

All regions

1.20 and later

All

Configure observability settings

Support for maintenance windows

You can configure a maintenance window of an ASM instance to specify the automatic maintenance time of the managed control plane of the ASM instance.

All regions

All

All

Use the maintenance window of an ASM instance

Support for the development of WebAssembly (Wasm) extensions for an Envoy proxy in Go

You can develop a Wasm extension in Go and insert it into the filter chain of an Envoy proxy. This helps you meet requirements in specific scenarios. For example, Wasm extensions allow you to dynamically add or modify HTTP headers based on specific rules, adjust route destinations, and access external custom authorization services.

All regions

1.18 and later

All

Write a Wasm plug-in in Go for an Envoy proxy

Support for managed security groups

When you create an ASM instance, you can create a security group to provide a higher level of security protection for the ASM control plane.

All regions

1.20 and later

All

Create an ASM instance

February 2024

Feature

Description

Region

Supported Istio version

Edition

References

Support for Istio 1.20

The latest features of the open source Istio 1.20 series are supported.

All regions

1.20 and later

All

Support for Istio versions

Support for canary upgrades of ASM gateways

To ensure business continuity after an upgrade of an ASM gateway, you can perform a canary upgrade of the ASM gateway. You can start a new version of a gateway pod to verify that traffic can be properly forwarded. Then, you can fully upgrade the ASM gateway. If an issue is found during the verification, you can delete the new version of the pod at any time. After the issue is resolved, you can proceed with the upgrade.

All regions

1.20 and later

All

Perform a canary upgrade of an ASM gateway

Support for configuring a Prometheus instance to collect metrics of applications in ASM over mutual Transport Layer Security (mTLS)

For critical services, it is essential to have encryption mechanisms in place not only for the communication among services but also for the collection of metrics. ASM allows you to configure a Prometheus instance to collect metrics of applications in an ASM instance over mTLS.

All regions

All

All

Configure a Prometheus instance to collect metrics of applications in an ASM instance over mTLS

Optimization of the plug-in center and Envoy filters

  • The supported plug-ins are extended in the plug-in center. ASMGrpcJsonTranscoder is used for transcoding between HTTP/JSON and gRPC/Protobuf.

  • The plug-in center allows you to create multiple plug-in instances. Each plug-in instance has an independent plug-in configuration and effective scope.

  • Envoy filter templates can be bound to a specified scope of versions of ASM instances, instead of a single ASM instance version.

All regions

1.18 and later

All

Support for managing Envoy filter templates and traffic lanes in a declarative manner

  • ASM allows you to manage Envoy filter templates by using CRDs.

  • ASM allows you to manage traffic lanes by using CRDs.

  • Argo CD allows you to implement a GitOps approach to manage traffic lanes.

All regions

1.20 and later

All

January 2024

Feature

Description

Region

Supported Istio version

Edition

References

Intelligent diagnostics added to the mesh diagnostics feature of ASM

An AI assistant is integrated for intelligent diagnostics. After diagnostic results are generated, Large Language Model (LLM) technology is used to explain the causes of the results for each diagnostic item and to provide solutions.

All regions

All

All

Diagnose ASM instances

Enhanced features of Mesh Topology

Mesh Topology provides more powerful observability features and improved ease of use.

  • For ASM instances of Enterprise Edition or Ultimate Edition, Mesh Topology can calculate and display the effective circuit breaking or throttling configurations on services or workloads.

  • In single-cluster mode, the related parameters are automatically configured when Mesh Topology in managed mode is enabled. This improves ease of use.

  • The pay-as-you-go billing method is provided for the Classic Load Balancer (CLB) instance of the Mesh Topology service, helping users reduce costs.

All regions

All

All

Enable Mesh Topology to improve observability

Support for custom request headers and response headers

ASM allows you to use the VirtualService and EnvoyFilter CRDs to customize request headers and response headers.

All regions

All

All

Support for scenario-based throttling

Best practices are provided for using the throttling feature in the following scenarios:

  • On an ASM ingress gateway, local throttling rules are required for individual routes and for the combinations of a gateway domain name and a port.

  • On an ASM ingress gateway, global throttling rules are required for individual routes, combinations of a gateway domain name and a port, requests that contain specific request headers and query parameters, and requests from specific client IP addresses.

  • Local throttling rules are required for requests that are sent to specific ports of application services on specific paths.

  • Global throttling rules are required for requests that are sent to specific ports of application services on specific paths.

All regions

1.11.5 and later

Enterprise and Ultimate

December 2023

Feature

Description

Region

Supported Istio version

Edition

References

Support for Istio 1.19 and 1.18 patch versions

  • The latest features of the open source Istio 1.19 series are supported. The Common Vulnerabilities and Exposures (CVEs) published by the open source Istio community are fixed in the associated ASM versions.

  • The 1.18 patch versions are released to support the open source Istio 1.18.6. The CVEs published by the open source Istio community are fixed in the associated ASM versions.

All regions

All

All

None

Pay-as-you-go billing method for the CLB instances that are created for a new ASM instance

When you create an ASM instance, internal-facing CLB instances that use the pay-as-you-go billing method are created by default to access the API server and the Istio control plane.

All regions

All

All

Support for use of Common Expression Language (CEL) to configure rules for filtering access logs

ASM allows you to use CEL to configure rules for filtering logs. In business scenarios with a large number of access requests, you can filter logs based on specific conditions to reduce the resource overhead of sidecar proxies and focus on key log content.

All regions

1.18 and later

All

Use CEL to configure rules for filtering access logs

Simplified management of local throttling

The local throttling feature is enhanced to meet requirements in common throttling scenarios. In addition, a graphical user interface (GUI) is provided to simplify the configuration process and reduce operation errors. This improves the overall ease of use.

All regions

1.18 and later

All

November 2023

Feature

Description

Region

Supported Istio version

Edition

References

Support for Model Service Mesh

Model Service Mesh is used to deploy and manage machine learning model services. In addition, Model Service Mesh provides some features, such as traffic splitting, A/B testing, and canary release, to help you better control and manage the traffic destined for model services. You can use these features to easily switch traffic among different model versions and roll back to specific model versions.

Model Service Mesh also supports the dynamic routing feature. This feature allows you to route requests to appropriate model services based on their attributes, such as model type, data format, or other metadata.

Model Service Mesh allows developers to deploy, manage, and scale machine learning models more easily while providing high availability, resiliency, and flexibility to meet different business needs.

All regions

1.18 and later

All

Support for the deployment of ASM serverless gateways

ASM serverless gateways can be deployed on virtual nodes and elastic container instances. ASM serverless gateways are applicable to service scenarios that require elastic resources and do not require node maintenance.

All regions

1.18 and later

All

Use ASM serverless gateways to improve your system availability and elasticity

Support for accessing applications in an ASM instance by using a CLB instance

Mesh Topology in managed mode allows you to access applications deployed in an ASM instance by using a CLB instance. This simplifies the access configurations of Mesh Topology.

All regions

1.18 and later

All

Enable Mesh Topology in managed mode

Support for KServe 0.11

KServe 0.11 can be integrated with ASM to facilitate your management of model services. You can use InferenceService to deploy a transformer and select an appropriate KServe version based on your business requirements.

All regions

1.18 and later

All

Use InferenceService to deploy a transformer

Support for integration with OpenTelemetry Collector

Tracing data can be exported to Managed Service for OpenTelemetry or a self-managed system that is compatible with Zipkin.

All regions

1.18 and later

All

October 2023

Feature

Description

Region

Supported Istio version

Edition

References

Support for using the ASMCompressor CRD fields to define compression configurations for calls between application services

You can use CRD fields to define the compression configurations for calls between application services. In addition, you can add compression filters that use consistent compression configurations to your applications. The parameters of the Gzip and Brotli compression algorithms are configurable.

All regions

1.18 and later

All

Support for using the ASMGrpcJsonTranscoder CRD fields to define the configurations for transcoding between HTTP/JSON and gRPC/Protobuf

You can use CRD fields to define the configurations for transcoding between HTTP/JSON and gRPC/Protobuf, which are used for calls between application services. In addition, you can add transcoding filters that use consistent transcoding configurations to your applications.

All regions

1.18 and later

All

Support for custom Wasm plug-ins on the ASM data plane

You can configure custom Wasm plug-ins for ASM sidecar proxies or ASM gateways to improve the extensibility of the ASM data plane. Wasm plug-ins support multiple programming languages (such as C++ and Golang) and can be loaded in multiple ways: HTTP, OCI image hub, and ConfigMap.

All regions

1.18 and later

All

Use the Coraza Wasm plug-in to implement WAF capabilities on an ASM gateway

Support for using the ASMGlobalRateLimiter CRD fields to configure global throttling for ingress gateways and inbound traffic directed to services

You can use CRD fields to configure global throttling for ingress gateways and inbound traffic directed to services.

All regions

1.18 and later

All

September 2023

Feature

Description

Region

Supported Istio version

Edition

References

Support for dynamic subset load balancing

The dynamic subset load balancing feature dynamically selects a subset of destination services based on metadata such as request information.

All regions

1.18 and later

Enterprise and Ultimate

Dynamic subset load balancing

Support for traffic lane in strict and permissive modes

Traffic lanes support both strict and permissive modes. In permissive mode, the mechanism of fallback to the baseline lane can simplify end-to-end (E2E) traffic management in scenarios where request routing headers are the same as E2E pass-through request headers.

All regions

1.18 and later

Enterprise and Ultimate

Support for Mesh Topology in managed mode

Compared with Mesh Topology in in-Kubernetes-cluster mode, Mesh Topology in managed mode has greater advantages in unified observation of multiple clusters, easy configuration, and service reliability.

All regions

1.18 and later

Enterprise and Ultimate

Enable Mesh Topology in managed mode

August 2023

Feature

Description

Region

Supported Istio version

Edition

References

Ambient Mesh

A sidecarless data plane mode that is compatible with Istio Ambient Mesh is provided. You can adopt the service mesh technology incrementally depending on the features that you require. The features include Layer 4 and Layer 7 routing and authorization.

All regions

1.18 and later

Enterprise and Ultimate

Support for Istio 1.18.x versions

The latest features of the open source Istio 1.18 series are supported.

All regions

1.18 and later

All

None

Container Network Interface (CNI) mode enabled by default during ASM instance creation

By default, the CNI mode is enabled when you create an ASM instance. However, in the case of ACK Serverless and ACK on Elastic Container Instance clusters, the CNI DaemonSet is not deployed even if the CNI mode is enabled.

All regions

1.18 and later

All

Enable a CNI plug-in to improve security

Support for Knative 1.8

Knative 1.8 is used by default when you use Knative on ASM to deploy serverless workloads in an ASM instance of version 1.18.

All regions

1.18 and later

All

Use ASM to simplify serverless workload management

Support for Network Load Balancer (NLB) by ingress gateways

NLB offers ultra-high performance and can automatically scale on demand. NLB supports higher availability and further improves the stability of gateway traffic.

All regions

1.18 and later

All

Associate an NLB instance with an ingress gateway

July 2023

Feature

Description

Region

Supported Istio version

Edition

References

Canary release of a control plane

ASM supports revision- and label-based canary updates of a control plane in a more stable and secure manner.

All regions

1.16 and later

Enterprise and Ultimate

Use canary release to enhance update stability

Simplified label synchronization of global namespaces

If multiple Kubernetes clusters on the data plane are added to the ASM instance, you can modify the clusters to which a global namespace belongs. This way, you can synchronize varied namespace labels to different clusters based on your business requirements.

The ASM console provides the istio.io/rev namespace label to simplify the injection of sidecar proxies of different versions during a canary release.

All regions

1.16 and later

All

Manage global namespaces

Audit alerts for operations on ASM resources

After you enable the audit feature for ASM, you can configure alerts in Simple Log Service to enable audit alerts for changes to ASM resources. This way, alerts are sent to alert contacts in a timely manner when important resources change.

All regions

1.15 and later

All

Configure audit alerts for operations on ASM resources

Adaptive xDS optimization for an egress gateway

After you enable the adaptive xDS optimization feature, an egress gateway named istio-axds-egressgateway is deployed in the corresponding Kubernetes cluster, and you can modify the configuration of the egress gateway.

All regions

1.15 and later

All

Use adaptive xDS optimization to improve the configuration push efficiency of the control plane

Integration with an external Open Policy Agent (OPA) engine

Compared with OPA deployed in sidecar mode, an OPA engine outside pods boasts the following advantages:

  • The resource usage is lower.

  • The pod does not need to be restarted for OPA container deployment and access to applications.

  • You can use an OPA policy for specific requests to an application.

All regions

1.15 and later

All

Use an ASM security policy to access an external OPA engine

Log and metric collection of a gateway

ASM allows you to configure the generation and collection of access logs and metrics for a gateway. You can view the raw logs and log dashboard of a specific gateway.

All regions

1.17 and later

All

June 2023

Feature

Description

Region

Supported Istio version

Edition

References

Observability Management Center 2.0

Observability settings, including log settings, metric settings, and trace analysis settings, can be configured in the same module.

All regions

1.17.2.35 and later

All

On-demand configuration of the feature of merging Istio metrics with application metrics

For an application integrated with Prometheus, you can use sidecar proxies to expose application metrics by merging Istio metrics with the application metrics.

All regions

1.17 and later

All

Merge Istio metrics with application metrics

Namespace blacklist mode of service discovery selectors

You can use service discovery selectors to configure a namespace whitelist and allow the control plane of an ASM instance to discover and process applications in namespaces that are not in blacklists. This makes it more efficient for the control plane to push service configurations to sidecar proxies on the data plane.

All regions

1.17 and later

Enterprise and Ultimate

Use service discovery selectors to improve the efficiency of pushing ASM configurations

ASM fallback mechanism for traffic management

A fallback mechanism provides an alternative call path when a service call fails. ASM allows you to define fallback parameters in a virtual service so that a fallback can be performed when a requested service fails.

All regions

1.17 and later

Enterprise and Ultimate

Use an ASM fallback mechanism

Logon to Mesh Topology as a RAM user or by using custom access modes

You can log on to the Mesh Topology console as a Resource Access Management (RAM) user by default. Alternatively, you can configure the domain name, port, service root path, and protocol used to access Mesh Topology.

All regions

1.17 and later

All

Enable Mesh Topology to improve observability

Alerts of ASM certificate management in Simple Log Service

You can configure certificate management alerts on the control plane. Certificate expiration and about-to-expiration alerts are supported.

All regions

1.17 and later

All

Use the certificate management feature of ASM

May 2023

Feature

Description

Region

Supported Istio version

Edition

References

Support for Istio 1.17.x versions

The latest features of the open source Istio 1.17 series are supported.

All regions

1.17 and later

All

None

Support for the Machine Learning Operations (MLOps) management of models by KServe on ASM

KServe can be integrated with ASM to facilitate your management of AI model services.

All regions

1.17 and later

Enterprise and Ultimate

Integrate KServe with ASM to implement inference services based on cloud-native AI models

Support for serverless ASM gateways

A serverless ASM gateway is provided based on virtual nodes and elastic container instances. It is applicable to service scenarios that require elastic resources and do not require node maintenance.

All regions

1.16 and later

Enterprise and Ultimate

Deploy a serverless ASM gateway to support elastic services

Support for global certificate management

ASM supports the following certificate management features in a global manner:

  • An Istio gateway can directly reference a certificate that is registered on the Certificate Management page.

  • ASM supports Transport Layer Security (TLS) and mutual TLS (mTLS) certificates.

  • ASM supports certificate expiration alerts.

All regions

1.17 and later

All

Use an ingress gateway to enable HTTPS

Support for a GUI that allows you to view Istio resources in Mesh Topology

The Virtual Services option is added so that you can check whether virtual service resources are configured in Mesh Topology.

All regions

1.15 and later

Enterprise and Ultimate

Enable Mesh Topology to improve observability

Support for namespace exclusion during ASM instance diagnostics

During ASM instance diagnostics, you can choose to exclude a specified namespace. Diagnosis results will not be generated for the excluded namespace.

All regions

1.17 and later

All

Diagnose ASM instances

April 2023

Feature

Description

Region

Supported Istio version

Edition

References

Support for Istio 1.16.x versions

The open source Istio 1.16 series is supported.

All regions

1.16 and later

All

None

Simplified management of sidecar proxy injection

The management of injection policies and sidecar injector settings is simplified.

All regions

1.16 and later

All

Configure sidecar proxy injection policies

Support for the Google Remote Procedure Call (gRPC)-JSON transcoder plug-in

You can access gRPC services by using RESTful APIs or HTTP/JSON requests, which simplifies the integration of gRPC services so that you can use gRPC services easily.

All regions

1.16 and later

Enterprise and Ultimate

Use ASMGrpcJsonTranscoder to allow HTTP/JSON requests to access gRPC services in an ASM instance

Logon to Mesh Topology as a RAM user

Single sign-on (SSO) is implemented for the Mesh Topology console. You can log on to ASM Mesh Topology as a RAM user.

All regions

1.16 and later

Enterprise and Ultimate

Log on to ASM Mesh Topology with an Alibaba Cloud account or as a RAM user

March 2023

Feature

Description

Region

Supported Istio version

Edition

References

Connection of an ingress gateway to a Web Application Firewall (WAF) instance

  • An ingress gateway can be connected to a WAF instance to protect services against attacks.

  • You can customize the fields of access logs to view the headers that are added by the WAF instance to back-to-origin requests. This facilitates online O&M.

All regions

All

Enterprise and Ultimate

Connect an ingress gateway to a WAF instance

Configuration of Ingress resources

You can use Ingress resources in a cluster on the data plane and specify an ASM gateway as the Ingress controller to expose services in the cluster.

All regions

1.16 and later

Enterprise and Ultimate

Use an ASM gateway as an Ingress controller to expose services in a cluster

Management of Knative Services

ASM integrates the capabilities of the Knative Serving component that is deployed in either an ACK cluster or an ACK Serverless cluster. This helps you manage serverless workloads.

All regions

1.16 and later

Enterprise and Ultimate

Use ASM to simplify serverless workload management

Logon to Mesh Topology by using OpenID Connect (OIDC)

You can connect to an identity provider (IdP) over the OIDC protocol to log on to Mesh Topology and configure SSO to Mesh Topology in the ASM console.

All regions

1.15.3.120 and later

Enterprise and Ultimate

Enable Mesh Topology to improve observability

Overcommitment mode for sidecar proxies

You can enable the dynamic resource overcommitment feature and configure resources that can be dynamically overcommitted in a sidecar proxy.

All regions

1.16 and later

Enterprise and Ultimate

Configure ACK resources that can be dynamically overcommitted in a sidecar proxy

Configuration of egress traffic policies

An egress traffic policy defines how an egress gateway manages egress traffic. An egress traffic policy can work with sidecar proxies and authorization policies to provide more comprehensive control over egress traffic.

All regions

1.16 and later

Enterprise and Ultimate

Configuration of a global default HTTP request retry policy

ASM allows you to configure a global default HTTP request retry policy that can define the number of retries, retry timeout period, and retry conditions.

All regions

1.15 and later

All

None

February 2023

Feature

Description

Region

Supported Istio version

Edition

References

Support for the Istio 1.15.3.105 version

The open source Istio 1.15 series and Kubernetes versions 1.21 to 1.25 are supported.

All regions

v1.15.3.105

All

None

Enhanced observability

  • Telemetry CRDs are provided to define and manage logging, monitoring, and tracing analysis features.

  • The user interface is updated to make the configuration of monitoring metrics easier and more efficient. The scope of metrics that must be displayed within the mesh topology is optimized.

  • Mesh-wide and namespace-specific configurations are supported.

All regions

All

All

Customize metrics in ASM

Optimized performance of the mesh topology

  • The speed of loading the mesh topology is significantly increased for clusters each with more than 150 pods.

  • Health checks for workloads are optional. If you disable this feature, the speed of loading the mesh topology is improved.

All regions

1.14 and later

All

Enable Mesh Topology to improve observability

Enhanced traffic management in the multi-cluster environment

The feature of keeping traffic in-cluster is supported in the multi-cluster environment. When you deploy a service across multiple clusters, this feature ensures that traffic is only routed to workloads within the specified cluster.

All regions

1.15.3.101 and later

All

Enable the feature of keeping traffic in-cluster in multi-cluster scenarios

More flexible sidecar proxy configuration

  • Parameters such as Istio-Proxy Concurrency and Monitoring Statistics are provided for you to configure global-level sidecar proxies. Previously, these parameters were available only when you configured namespace-level or workload-level sidecar proxies.

  • The environment variables of sidecar proxies can be configured.

All regions

1.15.3.101 and later

All

Configure sidecar proxies

Custom ASM gateway configurations and enhanced observability

  • A multi-cluster gateway can be configured to apply the same or different resource configurations to clusters in a multi-cluster environment.

  • More flexibility is provided for metric customization.

  • A dashboard is added to display key metrics of the gateway pod in real time.

All regions

All

Enterprise and Ultimate

Configure a unified ingress gateway for multiple clusters

January 2023

Feature

Description

Region

Supported Istio version

Edition

References

Topology query in a range of time within 90 days

You can use the Mesh Topology tool to query the topology for a time range within 90 days.

All regions

1.14 and later

All

Enable Mesh Topology to improve observability

New environment variable for the configuration of sidecar proxies on the data plane

A new environment variable is added to the configuration of sidecar proxies. You can configure the environment variable to load the bootstrap configuration before sidecar proxies are started.

All regions

1.15.3.63 and later

All

Configure sidecar proxies

Enhanced security capabilities of ingress gateways

OIDC-based SSO and JSON Web Token (JWT)-based authentication can be configured by using ASM ingress gateways in a few steps.

All regions

1.15.3.25 and later

Enterprise and Ultimate

Historical release notes

For more information about release notes for Service Mesh before 2023, see Historical release notes (before 2023).