Alibaba Cloud Service Mesh:Use PrivateLink to manage network connectivity between a control plane and a data-plane cluster across VPCs

Prerequisites

• An ASM instance is created. For more information, see Create an ASM instance.

• An ACK cluster is created in the same region as the ASM instance but in a different VPC. For more information, see Create a cluster.

• The PrivateLink service is activated. For more information, see Overview.

Procedure

1. Add the ACK cluster to the ASM instance. For more information, see Add a cluster to an ASM instance.

   After you add an ACK cluster to an ASM instance, the cluster is in the Connected state. You must perform the following steps to ensure connectivity.

2. Use the following content to create a file named asmpvlconfig.yaml:

   apiVersion: istio.alibabacloud.com/v1beta1
   kind: ASMPvlConfig
   metadata:
     name: default
   spec:
     ackVpcEndpoint:
     - clusterId: cab9ace222210457a83f09fcd42e9****
       vSwitches:
       - vSwitchId: vsw-bp1jsgsanpvxpj32yai50
         zoneId: cn-hangzhou-j
     asmVpcEndpoint:
       vSwitches:
       - vSwitchId: vsw-bp1l5hini55sstnwd2skf
         zoneId: cn-hangzhou-i

   The following table describes some fields in this file.

   Field		Description
   metadata	name	The name field of the resource object must be set to default. Other names are invalid.
   spec	ackVpcEndpoint	An array that contains the following configurations: clusterId: the ID of the ACK cluster that is added to the ASM instance. For example, the value cab9ace222210457a83f09fcd42e9**** indicates the ID of a specific ACK cluster. vSwitches: an array that contains a list of available vSwitches in the VPC of the ACK cluster. vSwitchId: the ID of a specific vSwitch. For example, vsw-bp1jsgsanpvxpj32yai50 indicates the ID of a vSwitch. zoneId: the ID of the zone in which the vSwitch specified by the vSwitchId field resides. For example, cn-hangzhou-j indicates a zone in the China (Hangzhou) region. Note To use PrivateLink to implement cross-VPC connectivity, you must set this field to the ID of the zone in which the vSwitch of the ASM instance resides.
   	asmVpcEndpoint	vSwitches: a list of arrays that specify vSwitch configurations, including the following content: vSwitchId: the ID of a specific vSwitch in the VPC of the ASM instance. zoneId: The ID of the zone in which the vSwitch specified by the vSwitchId field resides. The vSwitch is associated with the ASM instance. Note To use PrivateLink to implement cross-VPC connectivity, you must set this field to the ID of the zone in which the vSwitch of the ACK cluster resides.

3. Use kubectl to connect to the ASM instance based on the information in the kubeconfig file, and then run the following command to deploy ASMPvlConfig resources:

   kubectl apply -f asmpvlconfig.yaml

4. Wait a few minutes and then run the following command to check the execution status of the ASMPvlConfig resource object:

   kubectl get asmpvlconfig default -o yaml

   Expected output:

   apiVersion: istio.alibabacloud.com/v1beta1
   kind: ASMPvlConfig
   metadata:
     name: default
   spec:
     ackVpcEndpoint:
     - clusterId: cab9ace222210457a83f09fcd42****
       vSwitches:
       - vSwitchId: vsw-bp1jsgsanpvxpj32yai50
         zoneId: cn-hangzhou-j
     asmVpcEndpoint:
       vSwitches:
       - vSwitchId: vsw-bp1l5hini55sstnwd2skf
         zoneId: cn-hangzhou-i
   status:
     clusters:
     - clusterId: cab9ace222210457a83f09fcd42****
       pvlEndpoint:
         connectionStatus: Connected
         domainName: ep-bp1i06bad79eb60c60cc.epsrv-bp1gqb8g1b8d7uactd.cn-hangzhou.privatelink.aliyuncs.com
         id: ep-bp1i06bad79eb60c60
         status: Active
       pvlEndpointService:
         id: epsrv-bp1gqb8g1b8d7uactd
         name: com.aliyuncs.privatelink.cn-hangzhou.epsrv-bp1gqb8g1b8d7uactd
         status: Active
     pilot:
       clusters:
       - clusterId: cab9ace222210457a83f09fcd42****
         pvlEndpoint:
           connectionStatus: Connected
           domainName: ep-bp1i52311b91a5a25e.epsrv-bp1cl4qwzkf747ug6tmy.cn-hangzhou.privatelink.aliyuncs.com
           id: ep-bp1i52311b91a5a25e
           status: Active
       pvlEndpointService:
         id: epsrv-bp1cl4qwzkf747ug6t
         name: com.aliyuncs.privatelink.cn-hangzhou.epsrv-bp1cl4qwzkf747ug6tmy
         status: Active
     status: Available      

   The output indicates that the status field is added. The following table describes the fields under the status field.

   Field	Description
   clusters	clusters: a list that contains the status information about the ACK cluster. clusterId: the ID of the ACK cluster. pvlEndpoint: the details about a specific PrivateLink endpoint. connectionStatus: the state of the PrivateLink connection that interconnects the ASM instance and the ACK cluster. domainName: the domain name of the PrivateLink endpoint that interconnects the ASM instance and the ACK cluster. id: the ID of the PrivateLink endpoint that interconnects the ASM instance and the ACK cluster. status: the state of the PrivateLink endpoint that interconnects the ASM instance and the ACK cluster. pvlEndpointService: the information about the PrivateLink endpoint service resource. id: the ID of the PrivateLink endpoint service of the Server Load Balancer (SLB) instance that is used to expose the API server of the ACK cluster. name: the name of the PrivateLink endpoint service of the SLB instance that is used to expose the API server of the ACK cluster. status: the state of the PrivateLink endpoint service of the SLB instance that is used to expose the API server of the ACK cluster.
   pilot	pilot: a list of the status information about the services managed by the control plane of ASM. clusters: a list of the status information about the ACK cluster. clusterId: the ID of the ACK cluster. pvlEndpoint: the details about a specific PrivateLink endpoint. connectionStatus: the state of the PrivateLink connection that interconnects the ASM instance and the ACK cluster. domainName: the domain name of the PrivateLink endpoint that interconnects the ASM instance and the ACK cluster. id: The ID of the PrivateLink endpoint that interconnects the ASM instance and the ACK cluster. status: the state of the PrivateLink endpoint that interconnects the ASM instance and the ACK cluster. pvlEndpointService: provides information about the endpoint service resource. id: the ID of the PrivateLink endpoint service of the SLB instance that is used to expose the Istio Pilot of the ASM instance. name: the name of the PrivateLink endpoint service of the SLB instance that is used to expose the Istio Pilot of the ASM instance. status: the state of the PrivateLink endpoint service of the SLB instance that is used to expose the Istio Pilot of the ASM instance.
   status	Indicates the overall availability status. Available indicates that connectivity is successfully configured. Other states indicate that the connectivity configuration failed.

5. Log on to the VPC console to view the status of the desired endpoint service and endpoint.

   1. Log on to the VPC console. In the left-side navigation pane, click Endpoints Service.

   2. In the top navigation bar, select the region where the desired endpoint service resides.

   3. On the Endpoints Service page, click the instance ID of the desired endpoint service to view the details of the endpoint service.

   4. In the left-side navigation pane, click Endpoints. On the Endpoints page, click the instance ID of the desired endpoint to view the details of the endpoint.

6. Add pvlEndpoint.domainName of the ACK cluster specified by clusterId in the clusters field described in Step 4 to the custom SAN field of the API server certificate of the ACK cluster. In this example, the domain name ep-bp1i06bad79eb60c60cc.epsrv-bp1gqb8g1b8d7uactdab.cn-hangzhou.privatelink.aliyuncs.com is used. For more information, see Customize the SAN of the API server certificate when you create an ACK cluster.

7. Check the status of the ACK cluster.

   If the ACK cluster is in the Running state, cross-VPC connectivity is implemented by using PrivateLink.