HTTP/3 is the third major version of the HTTP protocol. Unlike HTTP/1.1 and HTTP/2, HTTP/3 no longer uses the traditional TCP protocol at the transport layer but adopts the UDP-based Quick UDP Internet Connection (QUIC) protocol. This change enables HTTP/3 to feature lower latency, more robust error recovery, and more efficient connection multiplexing. This topic describes how to configure HTTP/3-based services on an ASM gateway.
Background information
HTTP/3 uses QUIC over UDP as a transport mechanism and therefore has the following advantages over HTTP/2:
Reduced handshake latency: HTTP/3 uses the 0-RTT feature of the QUIC protocol to complete connection establishment. (RTT is short for round trip time.) In addition, TLS is integrated into QUIC to support simultaneous encryption and handshakes, greatly reducing the latency during connection establishment.
New multiplexing mechanism: HTTP/2 suffers from head-of-line blocking at the TCP layer. HTTP/3 uses QUIC to multiplex multiple independent streams on the same connection, and the data streams are independent of each other. Even if a packet in one data stream is lost, the transmission of other data streams is not blocked. This way, the blocking of a single data flow no longer affects the transmission performance of the entire connection.
Connection migration: HTTP/3 supports migrating a connection between different IP addresses when the network environment changes, such as switching from a Wi-Fi network to a mobile network. This ensures the continuity and stability of connections.
Security: HTTP/3 mandates the use of TLS 1.3 for encrypted transmission, ensuring higher security and privacy protection.
ASM gateways support HTTP/3. You can use HTTP/3 to access services that are exposed on ASM gateways to improve service performance and stability.
Prerequisites
A Container Service for Kubernetes (ACK) cluster is added to your ASM instance, and the version of your ASM instance is 1.16 or later. For more information, see Add a cluster to an ASM instance.
An ingress gateway is deployed. For more information, see Create an ingress gateway.
The HTTPBin application is deployed. For more information, see Deploy the HTTPBin application.
The version of the ACK cluster is 1.24 or later. The version of the Cloud Controller Manager (CCM) component is 2.6.0 or later.
A certificate named aliyun.com.cert is created for your ASM instance. For more information, see Use the certificate management feature of ASM.
Step 1: Enable HTTP/3
Log on to the ASM console. In the left-side navigation pane, choose .
On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose .
In the upper-right corner of the Base Information page, click Settings. In the Settings Update panel, select Enable HTTP/3.
Step 2: Enable a UDP listener on the ASM ingress gateway
The QUIC protocol runs over UDP. Therefore, you must enable a UDP listener on the ASM ingress gateway.
In this example, modify the YAML configuration of the ASM ingress gateway to enable a UDP listener on port 444 of the ASM ingress gateway.
apiVersion: istio.alibabacloud.com/v1beta1
kind: IstioGateway
metadata:
  labels:
    asm-gateway-type: ingress
  name: ingressgateway
  namespace: istio-system
spec:
  ......
  ports:
    - name: http-0
      port: 80
      protocol: HTTP
      targetPort: 80
    - name: udp # Enable a UDP listener on port 444.
      port: 444
      protocol: UDP
      targetPort: 444
  ......
An ASM gateway supports both TCP and UDP listeners on the same port. For example, you can add a UDP listener on port 443 that is used to expose HTTPS services. The two listeners do not conflict with each other.
Step 3: Configure an Istio gateway
QUIC requires TLS for all communication. Therefore, you must configure a certificate for the Istio gateway server that listens on the QUIC port. Update the configuration of the Istio gateway by using the following YAML file:
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: httpbin
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
    - hosts:
        - '*'
      port:
        name: test
        number: 80
        protocol: HTTP
    - hosts:
        - '*'
      port:
        name: quic
        number: 444
        protocol: HTTPS
      tls:
        credentialName: aliyun.com.cert
        mode: SIMPLE
Step 4: Perform a test to use HTTP/3 to access the ASM gateway
curl is a common HTTP test tool. However, curl does not support HTTP/3 by default. Run the following command to check whether your curl build supports HTTP/3:
curl --version | grep http3
If output similar to the following is displayed, the curl build in the current environment supports HTTP/3.
curl 8.9.0-DEV (aarch64-apple-darwin23.5.0) libcurl/8.9.0-DEV quictls/3.1.4 zlib/1.2.12 libidn2/2.3.7 nghttp2/1.59.0 ngtcp2/1.2.0 nghttp3/1.1.0
If no output is displayed, the curl build in the current environment does not support HTTP/3. You can build a version of curl that supports HTTP/3. For more information, see Build with quictls.
After the build is complete, you can run the following command to test whether HTTP/3 is supported:
curl -k --http3-only -H Host:aliyun.com --resolve aliyun.com:444:${IP address of the ASM gateway} https://aliyun.com:444/headers -v
Expected output:
......
* Connected to aliyun.com (xxx.xx.xx.x) port 444
* using HTTP/3
* [HTTP/3] [0] OPENED stream for https://aliyun.com:444/headers
* [HTTP/3] [0] [:method: GET]
* [HTTP/3] [0] [:scheme: https]
* [HTTP/3] [0] [:authority: aliyun.com]
* [HTTP/3] [0] [:path: /headers]
* [HTTP/3] [0] [user-agent: curl/8.9.0-DEV]
* [HTTP/3] [0] [accept: */*]
> GET /headers HTTP/3
> Host:aliyun.com
> User-Agent: curl/8.9.0-DEV
> Accept: */*
>
* Request completely sent off
* old SSL session ID is stale, removing
< HTTP/3 200
< server: istio-envoy
< date: Wed, 26 Jun 2024 07:40:07 GMT
< content-type: application/json
< content-length: 460
< access-control-allow-origin: *
< access-control-allow-credentials: true
< x-envoy-upstream-service-time: 1
< alt-svc: h3=":444"; ma=86400
<
{
"headers": {
"Accept": "*/*",
"Host": "aliyun.com",
"Transfer-Encoding": "chunked",
"User-Agent": "curl/8.9.0-DEV",
"X-Envoy-Attempt-Count": "1",
"X-Envoy-External-Address": "xx.xx.xx.xx",
"X-Forwarded-Client-Cert": "xxxxxxx"
}
}
* Connection #0 to host aliyun.com left intact
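Rather than eyeballing the transcript, it is worth checking it mechanically: the connection must report "using HTTP/3", land on the UDP listener port, and the response should advertise h3 on that same port in alt-svc. The following Python checker is an added example, not part of the ASM documentation; the transcript it parses is constructed from the output above, and the second transcript is a constructed failure case.

```python
import re
# Constructed sample transcript modelled on the curl -v output above
# (not captured from a real gateway).
SAMPLE_TRACE = """\
* Connected to aliyun.com (203.0.113.10) port 444
* using HTTP/3
> GET /headers HTTP/3
> Host:aliyun.com
>
< HTTP/3 200
< server: istio-envoy
< alt-svc: h3=":444"; ma=86400
<
"""
# Constructed failure case: the client fell back to HTTP/2 and the gateway
# advertises h3 on a port where no UDP listener was opened.
H2_FALLBACK_TRACE = (SAMPLE_TRACE.replace("* using HTTP/3", "* using HTTP/2")
                     .replace('h3=":444"', 'h3=":443"'))

def parse_curl_trace(text):
    """Extract port, negotiated protocol, status and response headers from curl -v."""
    trace = {"port": None, "protocol": None, "status": None, "headers": {}}
    for line in text.splitlines():
        if line.startswith("* Connected to"):          # diagnostic line
            m = re.search(r"port (\d+)", line)
            trace["port"] = int(m.group(1)) if m else None
        elif line.startswith("* using HTTP/"):        # negotiated version
            trace["protocol"] = line[len("* using "):].strip()
        elif line.startswith("< "):                   # response line
            body = line[2:]
            m = re.match(r"HTTP/\S+ (\d{3})", body)
            if m:
                trace["status"] = int(m.group(1))
            elif ":" in body:
                name, _, value = body.partition(":")
                trace["headers"][name.strip().lower()] = value.strip()
    return trace

def check_h3(trace, udp_port):
    """Return problems found; empty means HTTP/3 was served on udp_port and advertised."""
    problems = []
    if trace["protocol"] != "HTTP/3":
        problems.append("negotiated %s, not HTTP/3" % trace["protocol"])
    if trace["port"] != udp_port or trace["status"] != 200:
        problems.append("port %s / status %s unexpected" % (trace["port"], trace["status"]))
    alt_svc = trace["headers"].get("alt-svc", "")
    if ('h3=":%d"' % udp_port) not in alt_svc:
        problems.append("alt-svc does not advertise h3 on port %d: %r" % (udp_port, alt_svc))
    return problems
```

Pipe the real `curl -v` output into `parse_curl_trace` and pass the UDP listener port from Step 2 to `check_h3`; an empty list confirms the end-to-end HTTP/3 path.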
References
For more information about the reasons why head-of-line blocking at the TCP layer of HTTP/2 can only be mitigated but not completely avoided, see Hypertext Transfer Protocol Version 2 (HTTP/2).
HTTP/3 introduces a new multiplexing mechanism that fundamentally solves the problem of head-of-line blocking. The official documentation also mentions how to improve connection performance by avoiding head-of-line blocking. For more information, see QUIC: A UDP-Based Multiplexed and Secure Transport.