Alibaba Cloud Service Mesh:Use PrivateLink to manage network connectivity between a control plane and a data-plane cluster across VPCs

Last Updated:Jun 06, 2024

If a Service Mesh (ASM) instance and a Container Service for Kubernetes (ACK) cluster on the data plane reside in different virtual private clouds (VPCs) in the same region, you can use PrivateLink to connect the ASM instance to the ACK cluster on the data plane. ASM allows you to use CustomResourceDefinitions (CRDs) to simplify network connectivity.

Prerequisites

  • An ASM instance is created. For more information, see Create an ASM instance.

  • An ACK cluster is created in the same region as the ASM instance but in a different VPC. For more information, see Create a cluster.

  • The PrivateLink service is activated. For more information, see Overview.

Procedure

  1. Add the ACK cluster to the ASM instance. For more information, see Add a cluster to an ASM instance.

    After you add an ACK cluster to an ASM instance, the cluster is in the Connected state. However, you must still perform the following steps to establish network connectivity between the ASM instance and the cluster across VPCs.

  2. Use the following content to create a file named asmpvlconfig.yaml:

    apiVersion: istio.alibabacloud.com/v1beta1
    kind: ASMPvlConfig
    metadata:
      name: default
    spec:
      ackVpcEndpoint:
      - clusterId: cab9ace222210457a83f09fcd42e9****
        vSwitches:
        - vSwitchId: vsw-bp1jsgsanpvxpj32yai50
          zoneId: cn-hangzhou-j
      asmVpcEndpoint:
        vSwitches:
        - vSwitchId: vsw-bp1l5hini55sstnwd2skf
          zoneId: cn-hangzhou-i

    The following list describes some fields in this file.

    metadata.name
      The name of the resource object must be set to default. Other names are invalid.

    spec.ackVpcEndpoint
      An array that contains the following configurations:

      • clusterId: the ID of the ACK cluster that is added to the ASM instance. For example, cab9ace222210457a83f09fcd42e9**** is the ID of a specific ACK cluster.

      • vSwitches: an array of available vSwitches in the VPC of the ACK cluster. Each entry contains:

        • vSwitchId: the ID of a specific vSwitch. For example, vsw-bp1jsgsanpvxpj32yai50 is the ID of a vSwitch.

        • zoneId: the ID of the zone in which the vSwitch specified by the vSwitchId field resides. For example, cn-hangzhou-j is a zone in the China (Hangzhou) region.

          Note: To use PrivateLink to implement cross-VPC connectivity, you must set this field to the ID of the zone in which the vSwitch of the ASM instance resides.

    spec.asmVpcEndpoint
      vSwitches: an array of vSwitch configurations. Each entry contains:

      • vSwitchId: the ID of a specific vSwitch in the VPC of the ASM instance.

      • zoneId: the ID of the zone in which the vSwitch specified by the vSwitchId field resides. The vSwitch is associated with the ASM instance.

        Note: To use PrivateLink to implement cross-VPC connectivity, you must set this field to the ID of the zone in which the vSwitch of the ACK cluster resides.

  3. Use kubectl to connect to the ASM instance by using the kubeconfig file of the instance, and then run the following command to create the ASMPvlConfig resource:

    kubectl apply -f asmpvlconfig.yaml

  4. Wait a few minutes and then run the following command to check the execution status of the ASMPvlConfig resource object:

    kubectl get asmpvlconfig default -o yaml

    Expected output:

    apiVersion: istio.alibabacloud.com/v1beta1
    kind: ASMPvlConfig
    metadata:
      name: default
    spec:
      ackVpcEndpoint:
      - clusterId: cab9ace222210457a83f09fcd42****
        vSwitches:
        - vSwitchId: vsw-bp1jsgsanpvxpj32yai50
          zoneId: cn-hangzhou-j
      asmVpcEndpoint:
        vSwitches:
        - vSwitchId: vsw-bp1l5hini55sstnwd2skf
          zoneId: cn-hangzhou-i
    status:
      clusters:
      - clusterId: cab9ace222210457a83f09fcd42****
        pvlEndpoint:
          connectionStatus: Connected
          domainName: ep-bp1i06bad79eb60c60cc.epsrv-bp1gqb8g1b8d7uactd.cn-hangzhou.privatelink.aliyuncs.com
          id: ep-bp1i06bad79eb60c60
          status: Active
        pvlEndpointService:
          id: epsrv-bp1gqb8g1b8d7uactd
          name: com.aliyuncs.privatelink.cn-hangzhou.epsrv-bp1gqb8g1b8d7uactd
          status: Active
      pilot:
        clusters:
        - clusterId: cab9ace222210457a83f09fcd42****
          pvlEndpoint:
            connectionStatus: Connected
            domainName: ep-bp1i52311b91a5a25e.epsrv-bp1cl4qwzkf747ug6tmy.cn-hangzhou.privatelink.aliyuncs.com
            id: ep-bp1i52311b91a5a25e
            status: Active
        pvlEndpointService:
          id: epsrv-bp1cl4qwzkf747ug6t
          name: com.aliyuncs.privatelink.cn-hangzhou.epsrv-bp1cl4qwzkf747ug6tmy
          status: Active
      status: Available

    The output indicates that the status field is added. The following list describes the fields under the status field.

    status.clusters
      A list that contains the status information about the ACK cluster.

      • clusterId: the ID of the ACK cluster.

      • pvlEndpoint: the details about the PrivateLink endpoint.

        • connectionStatus: the state of the PrivateLink connection that interconnects the ASM instance and the ACK cluster.

        • domainName: the domain name of the PrivateLink endpoint that interconnects the ASM instance and the ACK cluster.

        • id: the ID of the PrivateLink endpoint that interconnects the ASM instance and the ACK cluster.

        • status: the state of the PrivateLink endpoint that interconnects the ASM instance and the ACK cluster.

      • pvlEndpointService: the information about the PrivateLink endpoint service resource.

        • id: the ID of the PrivateLink endpoint service of the Server Load Balancer (SLB) instance that is used to expose the API server of the ACK cluster.

        • name: the name of the PrivateLink endpoint service of the SLB instance that is used to expose the API server of the ACK cluster.

        • status: the state of the PrivateLink endpoint service of the SLB instance that is used to expose the API server of the ACK cluster.

    status.pilot
      The status information about the PrivateLink connection that exposes the control plane (Istio Pilot) of the ASM instance to the ACK cluster.

      • clusters: a list of the status information about the ACK cluster.

        • clusterId: the ID of the ACK cluster.

        • pvlEndpoint: the details about the PrivateLink endpoint.

          • connectionStatus: the state of the PrivateLink connection that interconnects the ASM instance and the ACK cluster.

          • domainName: the domain name of the PrivateLink endpoint that interconnects the ASM instance and the ACK cluster.

          • id: the ID of the PrivateLink endpoint that interconnects the ASM instance and the ACK cluster.

          • status: the state of the PrivateLink endpoint that interconnects the ASM instance and the ACK cluster.

      • pvlEndpointService: the information about the PrivateLink endpoint service resource.

        • id: the ID of the PrivateLink endpoint service of the SLB instance that is used to expose the Istio Pilot of the ASM instance.

        • name: the name of the PrivateLink endpoint service of the SLB instance that is used to expose the Istio Pilot of the ASM instance.

        • status: the state of the PrivateLink endpoint service of the SLB instance that is used to expose the Istio Pilot of the ASM instance.

    status.status
      The overall availability status. Available indicates that connectivity is successfully configured. Other states indicate that the connectivity configuration failed.

  5. Log on to the VPC console to view the status of the desired endpoint service and endpoint.

    1. Log on to the VPC console. In the left-side navigation pane, click Endpoints Service.

    2. In the top navigation bar, select the region where the desired endpoint service resides.

    3. On the Endpoints Service page, click the instance ID of the desired endpoint service to view the details of the endpoint service.

    4. In the left-side navigation pane, click Endpoints. On the Endpoints page, click the instance ID of the desired endpoint to view the details of the endpoint.

  6. Add the pvlEndpoint.domainName value of the ACK cluster, that is, the entry in the status.clusters field whose clusterId matches the ACK cluster (see Step 4), to the custom SAN field of the API server certificate of the ACK cluster. In this example, the domain name ep-bp1i06bad79eb60c60cc.epsrv-bp1gqb8g1b8d7uactdab.cn-hangzhou.privatelink.aliyuncs.com is used. For more information, see Customize the SAN of the API server certificate when you create an ACK cluster.

  7. Check the status of the ACK cluster.

    If the ACK cluster is in the Running state, cross-VPC connectivity is implemented by using PrivateLink.
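An added example that is not part of this guide: a Python script that reads the ASMPvlConfig object (kubectl get asmpvlconfig default -o json), applies the checks from Step 4 to the status fields, and lists the pvlEndpoint.domainName values that Step 6 requires in the API server certificate SAN. The sample object is constructed from the expected output above; the function names are assumptions of this example.

```python
import json
import sys

# Constructed sample, transcribed from the expected output above;
# "kubectl get asmpvlconfig default -o json" yields the same structure.
SAMPLE = {"kind": "ASMPvlConfig", "metadata": {"name": "default"}, "status": {
    "status": "Available",
    "clusters": [{"clusterId": "cab9ace222210457a83f09fcd42****",
                  "pvlEndpoint": {"connectionStatus": "Connected", "status": "Active",
                                  "domainName": "ep-bp1i06bad79eb60c60cc.epsrv-bp1gqb8g1b8d7uactd.cn-hangzhou.privatelink.aliyuncs.com"},
                  "pvlEndpointService": {"id": "epsrv-bp1gqb8g1b8d7uactd", "status": "Active"}}],
    "pilot": {"clusters": [{"clusterId": "cab9ace222210457a83f09fcd42****",
                            "pvlEndpoint": {"connectionStatus": "Connected", "status": "Active",
                                            "domainName": "ep-bp1i52311b91a5a25e.epsrv-bp1cl4qwzkf747ug6tmy.cn-hangzhou.privatelink.aliyuncs.com"}}],
              "pvlEndpointService": {"id": "epsrv-bp1cl4qwzkf747ug6t", "status": "Active"}}}}

def _check_cluster(prefix, cluster, problems):
    # Each endpoint must be Active and its connection to the endpoint service Connected.
    ep = cluster.get("pvlEndpoint") or {}
    if ep.get("connectionStatus") != "Connected":
        problems.append(f"{prefix}: endpoint connectionStatus={ep.get('connectionStatus')!r}")
    if ep.get("status") != "Active":
        problems.append(f"{prefix}: endpoint status={ep.get('status')!r}")
    svc = cluster.get("pvlEndpointService")
    if svc is not None and svc.get("status") != "Active":
        problems.append(f"{prefix}: endpoint service status={svc.get('status')!r}")

def check_pvl_status(obj):
    """Return the problems found under .status; an empty list means connectivity is healthy."""
    problems = []
    st = obj.get("status") or {}
    if st.get("status") != "Available":
        problems.append(f"overall status={st.get('status')!r}, expected 'Available'")
    for c in st.get("clusters", []):          # ASM control plane -> ACK API server
        _check_cluster(f"clusters/{c.get('clusterId')}", c, problems)
    pilot = st.get("pilot") or {}
    for c in pilot.get("clusters", []):       # ACK cluster -> ASM Istio Pilot
        _check_cluster(f"pilot/{c.get('clusterId')}", c, problems)
    if (pilot.get("pvlEndpointService") or {}).get("status") != "Active":
        problems.append("pilot: endpoint service is not Active")
    return problems

def required_api_server_sans(obj):
    """ACK cluster ID -> pvlEndpoint.domainName that the ACK API server certificate SAN must contain (Step 6)."""
    st = obj.get("status") or {}
    return {c["clusterId"]: c["pvlEndpoint"]["domainName"]
            for c in st.get("clusters", []) if (c.get("pvlEndpoint") or {}).get("domainName")}

if __name__ == "__main__":  # pipe in: kubectl get asmpvlconfig default -o json
    obj = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    print("\n".join(check_pvl_status(obj)) or "OK")
    print("API server SAN must contain:", *required_api_server_sans(obj).values())
```

If a listed domain name is missing from the API server certificate SAN, TLS verification from the control plane to the ACK API server fails even though the PrivateLink endpoint reports Connected, which is why Step 6 is not optional.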