Alibaba Cloud Service Mesh: Create an ingress gateway

Last Updated: Mar 11, 2026

An Alibaba Cloud Service Mesh (ASM) ingress gateway acts as a single entry point for access to your applications over the Internet or an internal network. It operates at Layer 7 and routes requests to backend services based on HTTP paths, host headers, and other attributes.

This topic describes how to create an ingress gateway in the ASM console. To use the Kubernetes API instead, see Create and manage an ingress gateway by using the Kubernetes API.

Prerequisites

Add the cluster to the ASM instance.

Workflow overview

  1. Configure basic parameters: name, cluster, service type, load balancer, port mapping, and resource limits.

  2. (Optional) Configure advanced options: traffic policy, autoscaling, rolling upgrade, TLS optimization, and deployment strategy.

  3. Create the gateway and verify its status.

Step 1: Configure basic parameters

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.

  3. On the Ingress Gateway page, click Create. You can also click Create from YAML to create an ingress gateway. For more information, see Create and manage an ingress gateway by using the Kubernetes API.

  4. On the Create page, configure the following parameters.

Parameter | Description
Name | The name of the ingress gateway.
Cluster | The cluster in which to deploy the ingress gateway.
Service Type | The Kubernetes Service type. Valid values: LoadBalancer, ClusterIP, and NodePort. For details about each type, see Service.
  Note: If the cluster on the data plane is a registered cluster, verify that it supports LoadBalancer Services before selecting LoadBalancer. Otherwise, gateway creation fails.
NLB/CLB | The access type for the Classic Load Balancer (CLB) instance. Required when Service Type is set to LoadBalancer. Valid values: Internet Access and Private Access.
Create a CLB Instance / Use Existing CLB Instance | Required when Service Type is set to LoadBalancer.
  • Use Existing CLB Instance: Select an existing CLB instance from the drop-down list.
  • Create a CLB Instance: Click Create a CLB Instance and select the specifications from the drop-down list.
Port Mapping | The ports to expose. Set Protocol and Service Port. By default, two commonly used Istio ports are preconfigured. Modify them as needed.
Resources Limits | The CPU and memory specifications for each gateway Pod.
Gateway instances | The number of Pod replicas for the ingress gateway.

Important

Assign a dedicated CLB instance to each Kubernetes Service. Sharing a CLB instance across multiple Services introduces the following risks:

  • Assigning a CLB instance already in use by another Service forcibly overwrites its existing listeners. This may interrupt the original Kubernetes Service and make your applications unavailable.

  • A CLB instance created through a Kubernetes Service cannot be shared with other Services. Only CLB instances created in the CLB console or through API operations can be shared.

  • Services sharing a CLB instance must use different frontend listening ports. Otherwise, port conflicts occur.

  • Listener names and vServer group names serve as unique identifiers for Kubernetes and cannot be changed.

  • CLB instances cannot be shared across clusters or regions.
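
The sharing risks listed above can be checked from the cluster side. The following Python check is an added example, not part of the Alibaba Cloud documentation: it groups LoadBalancer Services by the CLB instance they are bound to and reports shared instances, listener override, and duplicate frontend ports. The two annotation keys are the ones read by the ACK cloud controller manager and do not appear on this page; the Service names and CLB IDs in the sample are constructed.

```python
from collections import defaultdict

# Annotation keys read by the ACK cloud controller manager (not shown on this page).
ANN_ID = "service.beta.kubernetes.io/alibaba-cloud-loadbalancer-id"
ANN_FORCE = "service.beta.kubernetes.io/alibaba-cloud-loadbalancer-force-override-listeners"

# Constructed sample shaped like `kubectl get svc -A -o json`; names and CLB IDs are made up.
SAMPLE = {"items": [
    {"metadata": {"namespace": "istio-system", "name": "istio-ingressgateway",
                  "annotations": {ANN_ID: "lb-example0001", ANN_FORCE: "true"}},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 80}, {"port": 443}]}},
    {"metadata": {"namespace": "default", "name": "legacy-web",
                  "annotations": {ANN_ID: "lb-example0001"}},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 80}, {"port": 8080}]}},
    {"metadata": {"namespace": "default", "name": "api", "annotations": {ANN_ID: "lb-example0002"}},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 443}]}},
    {"metadata": {"namespace": "default", "name": "internal"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 80}]}},
]}

def audit_clb_sharing(svc_list):
    """Return (finding, clb_id, detail) tuples for Services that reuse one CLB instance."""
    by_clb = defaultdict(list)
    for item in svc_list.get("items", []):
        spec, meta = item.get("spec", {}), item.get("metadata", {})
        ann = meta.get("annotations") or {}
        if spec.get("type") != "LoadBalancer" or ANN_ID not in ann:
            continue  # only Services bound to an existing CLB can collide
        by_clb[ann[ANN_ID]].append({
            "name": f"{meta.get('namespace', 'default')}/{meta.get('name')}",
            "ports": {p["port"] for p in spec.get("ports", [])},
            "force": str(ann.get(ANN_FORCE, "")).lower() == "true",
        })
    findings = []
    for clb_id, users in sorted(by_clb.items()):
        if len(users) < 2:
            continue  # dedicated CLB, the layout the page recommends
        findings.append(("shared-clb", clb_id, ",".join(sorted(u["name"] for u in users))))
        for i, a in enumerate(users):
            if a["force"]:  # this Service's listeners replace those already on the CLB
                findings.append(("listener-override", clb_id, a["name"]))
            for b in users[i + 1:]:
                for port in sorted(a["ports"] & b["ports"]):
                    findings.append(("port-conflict", clb_id, f"{port}: {a['name']} vs {b['name']}"))
    return findings

if __name__ == "__main__":
    for finding in audit_clb_sharing(SAMPLE):
        print(*finding, sep="\t")
```

To run it against a real cluster, pass the parsed output of kubectl get svc -A -o json in place of SAMPLE.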

Step 2: (Optional) Configure advanced options

Click Advanced Options to expand the advanced configuration section.

Parameter | Description
External Traffic Policy | Controls how external traffic is routed.
  • Local: Routes traffic only to Pods on the node where the gateway runs.
  • Cluster: Routes traffic to Pods on any node in the cluster.
HPA | Enables Horizontal Pod Autoscaler (HPA). Configure Monitoring items and Threshold to trigger scaling. When CPU utilization or memory usage exceeds the threshold, the gateway scales out. When metrics drop below the threshold, the gateway scales in. Set Maximum replicas and Minimum number of replicas to define the scaling range.
  Note: Available only for ASM Enterprise or Ultimate Edition.
Rolling Upgrade | Configures rolling update behavior.
  • Maximum number of unavailable instances: The maximum number of Pods that can be unavailable during a rolling update.
  • Exceeding the desired number of instances: The maximum number of Pods that can be created beyond the desired count. For example, setting this to 25% means the total Pod count during an update cannot exceed 125% of the desired replicas.
Enable MultiBuffer-based TLS encryption and decryption performance optimization | Accelerates TLS encryption and decryption using Multi-Buffer.
  • supported nodeaffinity: Select the labels for nodes where Multi-Buffer takes effect.
  • Poll Delay(ms): Reduces the delay before Multi-Buffer processes requests. For details, see Enable Multi-Buffer for TLS acceleration.
  Note: Available only for ASM Enterprise or Ultimate Edition.
Deploy ASM Gateway replicas as widely as possible | Sets podAntiAffinity to distribute gateway Pods across different nodes.
Custom Deployment Policy | Configures nodeSelector, tolerations, and affinity fields for the gateway. For details, see CRD fields for an ASM gateway.
Graceful Shutdown | Maintains existing connections when a CLB instance is removed from a gateway Pod. Set Connection timeout (seconds) to specify how long existing connections persist after detachment. The default is 30 seconds. We recommend that you set a connection timeout that does not exceed 30 seconds.
  Note: Available only for ASM Enterprise or Ultimate Edition.


Step 3: Create and verify

  1. Click Create.

  2. On the Ingress Gateway page, verify that the gateway status is Running. The Service address column displays the IP address of the ingress gateway.

Manage the ingress gateway

After the ingress gateway is created, manage it from the ASM console or view it in the Container Service for Kubernetes (ACK) console.

Edit or delete in the ASM console

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.

  3. On the Ingress Gateway page, find the target gateway and perform one of the following operations:

    • View or edit: Click View Details to modify the gateway configuration. Alternatively, click YAML to edit the gateway definition directly in the Edit dialog box. For field descriptions, see CRD fields for an ASM gateway.

    • Delete: Click Delete, then click OK in the Submit dialog box.

      Important

      Deleting an ingress gateway permanently removes it and cuts off all external access through this gateway. This action cannot be undone.

View in the ACK console

View basic information:

  1. Log on to the ACK console and click Clusters in the left-side navigation pane.

  2. On the Clusters page, click the name of the cluster. In the left-side navigation pane, choose Network > Services.

  3. Select istio-system from the Namespace drop-down list.

The External Endpoint column displays the IP address of the ingress gateway.

View Pod information:

  1. Log on to the ACK console and click Clusters in the left-side navigation pane.

  2. On the Clusters page, click the name of the cluster. In the left-side navigation pane, choose Workloads > Pods.

  3. Select istio-system from the Namespace drop-down list.

  4. Click a Pod name to view its details.
