Use ASM serverless gateways to improve your system availability and elasticity - Alibaba Cloud Service Mesh

A Service Mesh (ASM) serverless gateway is a new type of gateway that is provided by ASM. Serverless gateways help you handle traffic spikes to improve the stability of your system while keeping computing costs low. Compared with ASM gateways that run in Container Service for Kubernetes (ACK) clusters on the data plane, ASM serverless gateways have the advantages of high stability, high elasticity, and low cost. In addition, ASM serverless gateways are deployed in a serverless manner and managed by ASM. Therefore, ASM serverless gateways are highly available because they do not depend on ACK clusters. This topic describes how to use ASM serverless gateways and introduces logs and metrics related to ASM serverless gateways.

Prerequisites

An ACK cluster is added to your ASM instance whose version is 1.18.0.147 or later.
An application is deployed in the cluster that is added to the ASM instance.

Scenarios

ASM serverless gateways help you handle traffic spikes to improve the stability of your system while keeping computing costs low. ASM serverless gateways are commonly used in the following scenarios:

For online services with obvious traffic fluctuations, such as online education and e-commerce, you can use ASM serverless gateways to handle traffic spikes. With the serverless architecture, you can significantly reduce the amount of fixed resources, helping you reduce computing costs.
When multiple clusters are added to an ASM instance, for example, two ACK clusters are added to an ASM instance, ASM serverless gateways are deployed independent of a specific ACK cluster. This provides high availability.

Step 1: Create an ASM serverless ingress gateway

You can create an ASM serverless ingress gateway only by using YAML files. Compared with ASM gateways that run in ACK clusters on the data plane, the asm.alibabacloud.com/managed-by-asm: 'true' annotation is added for ASM serverless gateways. You do not need to enter the ID of an ACK cluster on the data plane. If you want to collect metrics of ASM serverless gateways, you can add the asm.alibabacloud.com/export-metrics annotation to export the metrics to the destination ACK cluster on the data plane.

Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.

On the Ingress Gateway page, click Create from YAML, enter a name for the ASM serverless gateway that you want to create, copy the following YAML code to the YAML code editor, and then click Create.

apiVersion: istio.alibabacloud.com/v1beta1
kind: IstioGateway
metadata:
  annotations:
    asm.alibabacloud.com/managed-by-asm: 'true'
    asm.alibabacloud.com/export-metrics: 'ack-cluster-id'
  name: ingressgateway
  namespace: istio-system
spec:
  gatewayType: ingress
  dnsPolicy: ClusterFirst
  externalTrafficPolicy: Local
  hostNetwork: false
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: 80
    - name: https
      port: 443
      protocol: TCP
      targetPort: 443
  replicaCount: 1
  resources:
    limits:
      cpu: '2'
      memory: 2G
    requests:
      cpu: 200m
      memory: 256Mi
  rollingMaxSurge: 100%
  rollingMaxUnavailable: 25%
  runAsRoot: true
  serviceType: LoadBalancer

Note: The ASM serverless gateway that you created supports LoadBalancer and ClusterIP Services. If you set the serviceType parameter to ClusterIP, make sure that the client and gateway pods are interconnected. For example, by default, pods in the same virtual private cloud (VPC) can access each other by using the Terway plug-in.

Step 2: Create a traffic rule

Create an HTTP domain name.
1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.
3. On the Ingress Gateway page, click the desired gateway. In the left-side navigation pane on the Gateway overview page, click Domain/Certificate. On the Domain tab, click Create.
4. On the Add domain page, set Domain Name to *, Protocol to HTTP, Port Name to http, and Port to 80. Then, click Create.
Import the productapge service.
1. In the left-side navigation pane on the Gateway overview page, click Upstream Service. On the page that appears, click Import service.
2. On the Import service page, select default from the Namespace drop-down list, select productapge in the select service section, click the icon to add the productapge service to the selected section, and then click Submit.
Create a routing rule.
1. In the left-side navigation pane on the Gateway overview page, click Route management. On the page that appears, click Create.
2. In the set route detail step, set route type to http, Namespace to default, and Name to productapge. In the Matching Rule section, set Method to Prefix and Content to /. Then, click Next.
3. In the set route destination step, set select upstream service to productapge and click Next.
4. In the advanced config step, click Create.

Step 3: Access the productpage service through the ASM serverless gateway

In the address bar of your browser, enter {IP address of the ASM serverless gateway}/productpage to access the productpage service. For more information about how to obtain the IP address of an ingress gateway, see Obtain the IP address of the ingress gateway.

Step 4: Configure the access log collection feature of the ASM serverless gateway

Important

If you configure the access log collection feature of the ASM serverless gateway, the gateway restarts. We recommend that you perform this operation during off-peak hours.

Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.
On the Ingress Gateway page, find the desired ASM serverless gateway and click YAML. In the YAML code editor, add the asm.alibabacloud.com/aliyun-logs-project: k8s-log-**** annotation to configure the access log collection feature of the ASM serverless gateway.
In this example, the access logs of the ASM serverless gateway are collected to the mesh-log-c4e1bbed247634d0482000d94e947**** project. The following code block provides the sample configurations:
Show the ingressgateway.yaml file
```
apiVersion: istio.alibabacloud.com/v1beta1
kind: IstioGateway
metadata:
  annotations:
    asm.alibabacloud.com/managed-by-asm: 'true'
    asm.alibabacloud.com/aliyun-logs-project: mesh-log-c4e1bbed247634d0482000d94e947****
  name: ingressgateway
  namespace: istio-system
spec:
 ....
```
Click OK to update the configurations of the ASM serverless gateway.

Step 5: Configure access over HTTPS

Run the following commands to generate a Certificate Authority (CA) certificate.

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=myexample Inc./CN=aliyun.com' -keyout aliyun.root.key -out aliyun.root.crt 
openssl req -out aliyun.com.csr -newkey rsa:2048 -nodes -keyout aliyun.com.key -subj "/CN=aliyun.com/O=myexample organization"
openssl x509 -req -days 365 -CA aliyun.root.crt -CAkey aliyun.root.key -set_serial 0 -in aliyun.com.csr -out aliyun.com.crt

Configure the certificate.

Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Certificate Management.

On the Certificate Management page, click Create. In the Certificate Information panel, configure the parameters and click OK.

Parameter	Description
Name	The name of the certificate. For this example, enter myexample-credential.
Public Key Certificate	The electronic document used to prove the validity of the public key. For this example, enter the content of the aliyun.com.crt file generated in substep 1 in Step 5.
Private Key	The private key. For this example, enter the content of the aliyun.com.key file generated in substep 1 in Step 5.

Create an HTTPS domain name.
1. In the left-side navigation pane, click Ingress Gateway. On the page that appears, find the desired ingress gateway and click its name. In the left-side navigation pane on the Gateway overview page, Domain/Certificate. On the Domain tab, click Create.
2. On the Add domain page, set Domain Name to *, Protocol to HTTPS, Port Name to https, and Port to 443. Select myexample-credential from the credential drop-down list, select Secure connections with standard TLS semantics, and then click Create.

Run the following command to access the ASM serverless gateway over HTTPS:

curl -k -H Host:aliyun.com --resolve aliyun.com:443:{IP address of the desired ASM serverless gateway}  https://aliyun.com/productpage -I

Step 6: View the access logs of the ASM serverless gateway

Log on to the Simple Log Service console.
In the Projects section, click the name of the log that you configured in substep 1 in Step 4. In the left-side navigation pane, click the icon (Log Storage ). In the Logstores section, click mesh-ingress-log, enter productpage in the search box, and then click Search & Analyze.

FAQ

How do I export the metrics of an ASM serverless gateway?

Make sure that you have enabled the generation and collection of metrics in ASM and that you can view the metrics dashboard on Observability Management Center > Monitoring indicators. For more information, see Collect metrics to Managed Service for Prometheus.
In the YAML file of the ASM serverless gateway for which you want to export the metrics, add the asm.alibabacloud.com/export-metrics: ${ack-cluster-id} annotation.
This feature is available only for ASM instances whose versions are 1.18.0.147 or later. For more information about how to upgrade an ASM instance, see Update an ASM instance.
After the asm.alibabacloud.com/export-metrics: ${ack-cluster-id} annotation is added, the services and endpoints of the ASM serverless gateway are synchronized to the specified ACK cluster. Then, you just need to configure the endpoint for data collection in Managed Service for Prometheus.

In the Application Real-Time Monitoring Service (ARMS) console, configure the endpoint for data collection.

Log on to the ARMS console.
In the left-side navigation pane, choose Managed Service for Prometheus > Instances. In the upper-left corner of the page, select the region where the Managed Service for Prometheus instance resides.
On the Instances page, click the name of the desired Managed Service for the Prometheus instance. On the page that appears, click Settings in the left-side navigation pane.

On the Settings tab of the Settings page, click Edit Prometheus.yaml, add the following code to the Prometheus.yaml file, and then click Save.

Show the YAML code

scrape_configs:
- job_name: istio-system/managed-envoy
  honor_timestamps: true
  honor_labels: false
  scrape_interval: 30s
  scheme: http
  metrics_path: /stats/prometheus
  relabel_configs:
  - regex: 'true'
    action: keep
    source_labels:
    - __meta_kubernetes_service_labelpresent_asm_sync_target
    replacement: $1
    separator: ;
  - regex: http-envoy-prom
    action: keep
    source_labels:
    - __meta_kubernetes_endpoint_port_name
    replacement: $1
    separator: ;
  - regex: (.*)
    action: replace
    source_labels:
    - __meta_kubernetes_namespace
    replacement: $1
    separator: ;
    target_label: namespace
  metric_relabel_configs:
  - regex: envoy_.*
    action: drop
    source_labels:
    - __name__
    replacement: $1
    separator: ;
  kubernetes_sd_configs:
  - role: endpoints
    namespaces: {}
    follow_redirects: true
  scrape_timeout: 10s

What do I do if I cannot access a backend application by using an ASM serverless gateway?

Make sure that the security group of the desired cluster on the data plane does not block traffic from the ASM serverless gateway.
1. View the CIDR block of the vSwitch of your ASM instance.
  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Instance > Base Information.
  3. On the Base Information page, click the link to the right of vSwitch. On the page that appears, view the CIDR block of the vSwitch.
2. View the security group of the desired cluster on the data plane.
  1. Log on to the ACK console. In the left-side navigation pane, click Cluster.
  2. On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, click Cluster Information.
  3. On the Cluster Information page, click the Cluster Resources tab and click the link to the right of Security Group.
  4. On the details page of the security group, view the inbound rules of the security group. Make sure that the CIDR block of the vSwitch of your ASM instance and the port of the backend application pod fall in the range that the rules specify.
If status codes such as 404 and 503 are returned, check whether traffic rules are correctly configured and whether the backend application runs as expected.