ACMG mode - Alibaba Cloud Service Mesh - Alibaba Cloud Documentation Center

The Alibaba Centralized Mesh Gateway (ACMG) mode is a solution designed for large-scale network architectures to improve network scalability, flexibility, and management efficiency. This topic describes the architecture and features of the ACMG mode.

Feature description

Service Mesh (ASM) instances of V1.22 and later support the ACMG mode. Similar to the Ambient Mesh mode, the ACMG mode supports both data planes with or without sidecars. Its features cover the following aspects:

Traffic management: basic traffic routing, load balancing, circuit breaking, throttling, fault tolerance, retry, timeout, and other features related to traffic management.
Security: authorization policies at Layer 4 and Layer 7.
Observability: metric monitoring, access logs, and trace analysis.

Different from the Ambient Mesh mode, the ACMG mode supports central proxies to implement centralized management of east-west traffic. This further simplifies O&M and reduces the resource usage of mesh infrastructure.

Architecture design

In ACMG mode, Layer 4 proxies are separated from Layer 7 proxies. The main features of ASM in ACMG mode are the same as those in Ambient Mesh mode. The control plane is responsible for configuring Layer 4 and Layer 7 proxies, delivering the configurations, and providing CA services. Note that the ACMG mode supports Layer 7 proxy sharing among multiple namespaces in the same cluster, thereby reducing ASM infrastructure costs. In addition, the Layer 7 component is managed by ASM and runs independently of applications. This avoids intrusion into service workloads and facilitates O&M. The following table describes the two components.

Component	Feature
zTunnel	A data plane component that acts as a Layer 4 identity proxy for service workloads in a data plane node.
Central Proxy	A data plane component that acts as a centralized Layer 7 proxy. An entire cluster shares a central proxy. ASM is responsible for the deployment and auto scaling of the central proxy.

Benefits of the ACMG mode

The preceding figure compares the architectures of the three modes. The following table summarizes the advantages and disadvantages of these modes.

Mode	Advantage	Disadvantage
Sidecar mode	You can use sidecar containers to configure each service instance independently. The network security, reliability, and observability between service calls are enhanced. Flexible traffic management, load balancing, and advanced features such as circuit breakers and request routing are supported.	A sidecar container is injected into each pod. Therefore, the complexity of application deployment increases, as well as the resource consumption and the complexity of O&M and management.
Ambient Mesh mode	Without additional sidecar containers, Layer 4 and Layer 7 proxies can run independently. This eliminates the need to modify or redeploy existing applications and makes deployment and management easier. You can adopt mesh technologies in an incremental fashion. For example, you can use the encrypted communication network at Layer 4 at the initial stage and gradually add features to adapt to different migration policies.	In some scenarios, the Ambient Mesh mode does not support client-specific configurations or destination rules. Waypoint proxy configurations must be explicitly specified by service or namespace, which also incurs certain O&M costs.

Similar to the Ambient Mesh mode, the ACMG mode supports the following capabilities:

Decoupling of services from networks: allows independent upgrades and O&M of networks.
Secure network transmission: Node-level ztunnels are used to meet the architecture requirements of zero trust networks.

Different from the Ambient Mesh mode, the ACMG mode has the following advantages:

Saved user resources: Layer 7 proxy sharing among multiple namespaces is supported to reduce resource consumption.
Reduced O&M workloads: You do not need to care about the creation of proxy services and the scaling of Layer 7 proxies. Auto scaling is supported.
Support for auto scaling of the central proxy: A central proxy is shared among multiple namespaces to process traffic in the same cluster. Auto scaling ensures the normal operation of Layer 7 proxies.

Compared with the sidecar mode and Ambient Mesh mode, a Layer 7 central proxy in ACMG mode has a larger coverage area and can be shared by all services in the cluster.

Routing in ACMG mode

In ACMG mode, workloads can be classified into the following two types:

Uncaptured: a standard pod in which no mesh feature is enabled.
Captured: a pod in which traffic is intercepted by a ztunnel. Traffic of pods can be captured by adding the istio.io/dataplane-mode=acmg label to namespaces. In addition, the captured traffic is processed by the central proxy.

Ztunnel routing

Ztunnel routing in ACMG mode is the same as that in Ambient Mesh mode. For more information, see Ztunnel routing

Routing of the central proxy

If the ACMG mode is not enabled for the namespace where the server is located by using a namespace label, traffic is not routed by the central proxy, regardless of whether the ACMG mode is enabled for the client.

If the ACMG mode is enabled for the namespace where the server is located by using a namespace label, the corresponding ztunnel intercepts traffic from the client only when the ACMG mode is enabled for the namespace where the client is located. Then, the traffic is routed to the central proxy, which then sends the traffic to a specific pod of the server based on routing decisions.

To sum up, traffic passes through the central proxy and the created Layer 7 traffic management policies take effect only when the ACMG mode is enabled for both the client and the server.