All Products
Search
Document Center

Alibaba Cloud Service Mesh:Overview of ASM gateways

Last Updated:Apr 07, 2024

Service Mesh (ASM) provides ingress and egress gateways to control inbound and outbound traffic and implement end-to-end encryption. This topic describes the features of ASM ingress and egress gateways.

Ingress gateway

An ingress gateway provides a unified entrance for routing the inbound traffic at Layer 7. It routes HTTP requests from the same Transmission Control Protocol (TCP) port to different Kubernetes services based on the content of requests. An ingress gateway provides various features, which include lifecycle management, support for multiple protocols, traffic management, security features, and observability capabilities.

Feature

Description

References

Lifecycle management

You can deploy an ASM ingress gateway in a Kubernetes cluster to act as a single entry point for access to your applications over the Internet or an internal network. The ingress gateway can simplify the management and routing of traffic, and use load balancing capabilities at Layer 7 to intelligently distribute traffic to the corresponding backend services based on paths in HTTP requests, host headers, or other attributes. You can manage an ingress gateway in the ASM console.

Create an ingress gateway

Use ASM serverless gateways to improve your system availability and elasticity

A serverless gateway is a new type of gateway that is provided by ASM. Serverless gateways help you handle traffic spikes to improve the stability of your system while keeping computing costs low. Compared with ASM gateways that run in Container Service for Kubernetes (ACK) clusters on the data plane, ASM serverless gateways have the advantages of high stability, high elasticity, and low cost. In addition, ASM serverless gateways are deployed in a serverless manner and managed by ASM. Therefore, ASM serverless gateways are highly available because they do not depend on ACK clusters.

Use ASM serverless gateways to improve your system availability and elasticity

Use of Network Load Balancer (NLB)

NLB is a Layer 4 load balancing service intended for the Internet of Everything (IoE) era. NLB offers ultra-high performance and can automatically scale on demand. It supports higher availability and further improves the stability of gateway traffic. Ingress gateways support NLB. If you set ServiceType to LoadBalancer for an ingress gateway, a Classic Load Balancer (CLB) instance is associated as the load balancer of the ingress gateway by default.

Associate an NLB instance with an ingress gateway

Support for multiple protocols

You can create destination rules and virtual services on a graphical user interface (GUI) without the need to write YAML files. This simplifies traffic management.

Configure traffic routing for an ASM gateway

If you want to optimize your network topology, scale out application servers, or throttle user traffic, you can use Traffic Management Center in the ASM console to smoothly migrate TCP traffic. This can ensure business continuity and high availability of services.

Use ASM to transfer TCP traffic

If you need to provide encrypted access over the secure HTTPS protocol, you can enable HTTPS by using an ASM ingress gateway. ASM allows you to enable dynamic certificate loading by using an ingress gateway. This way, you can dynamically configure private keys, server certificates, and root certificates in real time, and you do not need to restart ingress gateways or mount secret volumes. This simplifies operations and eliminates the risk of service interruptions caused by restarts of ingress gateways. An ingress gateway allows you to monitor and manage multiple certificates and their private keys. This provides flexible and secure communication capabilities for different hosts to enhance the security of data transmission.

Use an ingress gateway to enable HTTPS

You can use an ASM ingress gateway to access Google Remote Procedure Call (gRPC) services in an ASM instance. This allows you to implement accurate access control on gRPC services, improve service governance, and ensure the security of service-to-service communication.

Use an ingress gateway to access a gRPC service in an ASM instance

You can use ASMGrpcJsonTranscoder to transcode HTTP requests with JSON bodies (HTTP/JSON requests) to gRPC requests. This feature allows you to send HTTP/JSON requests from your client to access gRPC services in an ASM instance.

Use ASMGrpcJsonTranscoder to allow HTTP/JSON requests to access gRPC services in an ASM instance

WebSocket is a computer communications protocol that provides full-duplex communication channels over a single TCP connection. WebSocket is located at the application layer in the Open Systems Interconnection (OSI) model. WebSocket allows a server to push data to clients. Services that comply with WebSocket are WebSocket services.

Use an ingress gateway to access a WebSocket service in an ASM instance

Common traffic management features

In scenarios such as flash sales, the traffic may instantaneously reach a peak that exceeds the maximum load supported by your system. As a result, a large number of calls are waiting to be processed, and the system stops responding. ASM provides the local throttling feature that you can use to throttle traffic for gateways and services. In this way, you can protect your system from being overloaded.

Configure local throttling on an ingress gateway

You can configure global throttling for a specific route of an ingress gateway to implement precise control over traffic to cope with issues such as traffic bursts, service overload, resource exhaustion, and malicious attacks. This protects the stability of backend services, reduces costs, and improves user experience.

Configure global throttling on an ingress gateway

ASM allows you to configure resources such as virtual services and destination rules to implement non-intrusive traffic governance for microservices. For example, you can use features such as traffic routing, throttling, circuit breaking, and traffic mirroring.

Use the route-level circuit breaking feature of ASM

Gateway API is an open source project managed by the SIG-NETWORK community. The project aims to evolve service networking by providing expressive, extensible, and role-oriented interfaces. You can use Gateway API to define routing rules for accessing applications in a cluster.

Use Gateway API to define a routing rule

You can use Ingress resources in a managed cluster and specify a specific ASM gateway as the Ingress controller.

Use an ASM gateway as an Ingress controller to expose services in a cluster

You can use the traffic mirroring feature to mirror production traffic to a test cluster or test service version. Testing that uses the mirrored production traffic mitigates risks involved in version changes without affecting the production environment.

Use traffic mirroring across clusters at the service mesh layer

Session affinity (also known as sticky session) is a feature available on load balancers that allows all requests from the same user or session to be passed to the same backend server. This feature applies to scenarios where the user state must be maintained, such as online shopping carts, logon sessions, and personalized settings.

Implement session affinity in an ASM ingress gateway

Traffic security and dynamic certificate loading

If you need to provide encrypted access over the secure HTTPS protocol, you can enable HTTPS by using an ASM ingress gateway. ASM allows you to enable dynamic certificate loading by using an ingress gateway. This way, you can dynamically configure private keys, server certificates, and root certificates in real time, and you do not need to restart ingress gateways or mount secret volumes. This simplifies operations and eliminates the risk of service interruptions caused by restarts of ingress gateways. An ingress gateway allows you to monitor and manage multiple certificates and their private keys. This provides flexible and secure communication capabilities for different hosts to enhance the security of data transmission.

Use an ingress gateway to enable HTTPS

All data between an ingress gateway and a sidecar proxy is transmitted through a Mutual Transport Layer Security (mTLS) tunnel. If sidecar proxies are injected into an application, we recommend that you configure TLS termination on the ingress gateway to ensure end-to-end encryption. If sidecar proxies are not injected into an application or other special circumstances occur, the ingress gateway supports TLS pass-through.

Enable TLS pass-through on an ingress gateway

You can use an ingress gateway to enable HTTPS and dynamic certificate loading. This ensures gateway security. You can also create an HTTPS listener by binding a certificate to the CLB instance of an ingress gateway. The HTTPS listener decrypts HTTPS requests into HTTP requests and forwards the HTTP requests to the ingress gateway pod.

Create an HTTPS listener for the CLB instance of an ingress gateway

ASM allows you to synchronize certificates to multiple clusters in an ASM instance by using the certificate management feature. The certificate management feature helps you manage certificates by providing such capabilities as certificate information display and expiration alerting.

Use the certificate management feature of ASM

If security risks are caused by the use of earlier Transport Layer Security (TLS) versions, you can configure later TLS versions on ingress gateways. Then, you can disable earlier versions, such as TLS 1.0 and TLS 1.1, and enable securer TLS 1.2 and later to effectively prevent security risks such as man-in-the-middle attacks and data breach. This guarantees the stability and security of HTTPS connections between services and clients.

Configure TLS versions on an ingress gateway to enhance security

Ingress gateways allow you to configure gRPC services that are based on the mTLS protocol. This security mechanism ensures that only authorized clients can access gRPC services. End-to-end encryption and two-way authentication are implemented throughout the data transmission process to effectively protect information from eavesdropping, tampering, and unauthorized access.

Use an ingress gateway to configure an mTLS-based gRPC service

You can bind a certificate to a domain name in a visual manner. After you bind a certificate to a domain name, you can use an ingress gateway to access the domain name over a protocol such as HTTPS. This improves the security of the ingress gateway.

Bind a certificate to a domain name

You can connect an ingress gateway to a Web Application Firewall (WAF) instance, and customize the fields of access logs to view the headers that are added by the WAF instance to back-to-origin requests. This facilitates online O&M.

Connect an ingress gateway to a WAF instance

cert-manager is a certificate lifecycle management system that can be used to issue and deploy certificates. You can use cert-manager to issue certificates for ASM gateways. This way, you can use the ASM gateways to access services over HTTPS. This ensures data transmission security.

Use cert-manager to manage certificates for ASM gateways

Authorization management

ASM allows you to configure a blacklist or whitelist for an ingress gateway to control access to applications in an ASM instance based on source IP addresses, domain names in HTTP requests, ports, and remote IP blocks. You can use this feature to ensure the security of applications in an ASM instance. This topic describes how to configure a blacklist or whitelist for an ingress gateway to reject or allow requests from a specific source IP address.

Configure a blacklist or whitelist for an ingress gateway

When you need to customize access control policies based on your needs, such as authenticating requests based on domain names, paths, and methods in HTTP requests, you can implement custom authorization by using an ingress gateway to ensure that only authenticated users can access key services.

Implement custom authorization by using an ingress gateway

OpenID Connect (OIDC) built on the OAuth 2.0 protocol is a protocol for identity authentication and authorization. It is commonly used to implement single sign-on (SSO). After you configure OIDC-based SSO on an ingress gateway, you can use identity information provided by Alibaba Cloud IDentity as a Service (IDaaS) or other identity providers (IdPs) that comply with the OIDC protocol to log on to multiple related systems with a single ID. In addition, you do not need to modify your applications. This improves application security and simplifies the development and management of your application.

Configure OIDC-based SSO on an ingress gateway

JSON Web Tokens (JWTs) are commonly used to authenticate users. A JWT carries user information and a field that stores encrypted user information. When you implement JWT-based authentication, the encrypted user information is decrypted and then compared with the input user information. This verifies the user identity. You can configure JWT-based authentication on an ingress gateway.

Configure JWT-based authentication on an ingress gateway

When dynamic access control is required, you can integrate an Open Policy Agent (OPA) engine in an ingress gateway to customize authorization policies based on user identities or request content and control communication between services in real time. This effectively prevents unauthorized access, reduces the risks of data breach, and enhances the security of applications in an ASM instance. This topic describes how to use an OPA engine to authenticate and authorize requests that are received by an ingress gateway. In this example, requests flow through the ingress gateway to access the HTTPBin application.

Integrate an OPA engine with an ingress gateway

You can implement SSO to all the applications in an ASM instance by using the custom authorization service with zero code modification. This reduces the costs of application transformation and O&M.

Integrate Alibaba Cloud IDaaS with ASM to implement single sign-on

You can implement SSO to all the applications in an ASM instance by using self-managed Keycloak as the IdP.

Integrate Keycloak with ASM to implement SSO

You can configure JWT-based authentication for an ingress gateway in an ASM instance to authenticate the source of requests. This method is also called end-user authentication. After you configure JWT-based authentication for an ingress gateway in an ASM instance, ASM checks whether the requests to access services by using the ingress gateway contain a valid JWT in a request header. Only requests that contain a valid JWT are allowed.

Configure JWT authentication for an ingress gateway in ASM

When a client from one domain accesses a service in a different domain or a service that resides in the same domain but uses a different port from the client, the client initiates a cross-origin request. If the service does not allow cross-origin resource access, the client cannot access the service. In this case, you can configure a cross-origin resource sharing (CORS) policy in a virtual service of the ASM instance to implement CORS.

Implement CORS in ASM

You can restrict specific IP addresses from accessing applications in an ASM instance in scenarios where a Layer 7 proxy is or is not deployed between the client that initiates access requests and the ASM gateway.

Restrict specific IP addresses from accessing applications in an ASM instance

Custom features

You can configure an Istio gateway for multiple ingress gateways. This simplifies your configuration process.

Configure an Istio gateway for multiple ingress gateways

You can associate multiple CLB instances with an ingress gateway so that multiple CLB instances can be used to access the ingress gateway.

Access an ingress gateway by using multiple CLB instances

To enforce IP-based access control on an ingress gateway, you need to obtain the originating IP address of a client. For example, you can create an authorization policy to deny or allow requests to the ingress gateway by configuring an IP address blacklist or whitelist.

Obtain the originating IP address of a client from the HTTP request header

You can create an ingress gateway that uses an IPv6 address. IPv6 provides higher security compared with IPv4.

Create an ingress gateway that uses an IPv6 address

If the pods of a Kubernetes cluster on the data plane cannot access the IP address of the CLB instance that is configured in an ingress gateway, you can use the IP address of the Kubernetes cluster or the name of the ingress gateway to access the IP address of the CLB instance within the Kubernetes cluster.

What can I do if the pods of a Kubernetes cluster on the data plane cannot access the IP address of the CLB instance that is configured in an ingress gateway?

If your client uses HTTPS and is limited to support HTTP/2 and you cannot solve this issue by modifying configurations, we recommend that you disable HTTP/2 on your ingress gateway.

Disable HTTP/2 on an ingress gateway on which HTTPS is enabled

Egress gateway

ASM provides egress gateways to route all outbound traffic of applications in ASM. You can create and manage egress gateways in the ASM console or by using the Kubernetes API.

Feature

Description

References

Lifecycle management

If your applications require a centralized egress for Internet or internal network traffic, you can deploy an ASM egress gateway in a Kubernetes cluster. As a centralized egress, the egress gateway can simplify the management and routing of external service traffic in the cluster.

Create an egress gateway

Custom features

When applications in an ASM instance need to communicate with external services, you can use an egress gateway to centrally manage all outbound traffic. After you configure an egress gateway, you can implement security control and routing of traffic to improve the security and observability of applications in the ASM instance.

Configure an egress gateway to route all outbound traffic in ASM

ASM instances of version 1.16.4 and later allow you to use CustomResourceDefinition (CRD) fields to define an egress traffic policy.

Use an egress traffic policy to manage egress traffic

Istio gateway

An Istio gateway defines a load balancer that runs at the edge of an ASM instance to receive inbound or outbound HTTP/TCP traffic.

Feature

Description

References

Lifecycle management

You can create, modify, and delete an Istio gateway in the ASM console.

Manage Istio gateways

Advanced features of gateways

ASM allows you to configure high-availability gateways that provide graceful shutdown and observability capabilities. This reduces traffic loss and lowers your O&M costs.

Feature

Description

References

High availability

You can configure a high-performance and high-availability ASM gateway to ensure service continuity.

Configure a high-performance and high-availability ASM gateway

The pods of an ASM gateway can be scheduled to specified nodes to improve the high availability of the gateway and enhance the isolation between gateway pods and application pods.

Schedule the pods of an ASM gateway to a specified node

A serverless ASM gateway is provided based on virtual nodes and Elastic Container Instance. It is applicable to service scenarios that require elastic resources and do not require node maintenance.

Deploy a serverless ASM gateway to support elastic services

You can configure a pod anti-affinity policy in the YAML file of an ASM gateway to assign the pods of the gateway to different nodes or zones. This improves the availability of the gateway.

Improve availability for the ingress gateway service of an ASM instance

If you perform a scale-in or rolling restart operation on an ASM gateway, a small amount of traffic is lost because the number of gateway pods is reduced. To resolve this issue, you can enable graceful shutdown. This way, traffic can continue to be transferred within the specified period of time even if the number of gateway pods is reduced. This ensures that no traffic is lost.

Enable graceful shutdown to prevent traffic loss

You can deploy an ASM gateway in multiple clusters to improve service availability. You can deploy services in multiple clusters and then configure a unified ingress gateway for these clusters to manage the ingress traffic to these clusters.

Configure a unified ingress gateway for multiple clusters

An ASM gateway manages the ingress or egress of service traffic. It is required to be highly available. To ensure business continuity after the upgrade of an ASM gateway, you can perform a canary upgrade of the ASM gateway. You can start a new version of a gateway pod to verify that traffic can be properly forwarded from the pod. Then, you can fully upgrade the ASM gateway. If an issue occurs when traffic is forwarded from the pod, you can delete the new version of the pod at any time. After the issue is resolved, you can proceed with the upgrade.

Perform a canary upgrade of an ASM gateway

Observability

You can separately configure the features of generating and collecting the access logs of an ASM gateway based on your business requirements. If you enable the feature of generating the access logs of an ASM gateway, the gateway prints the access logs to the standard output. You can customize the fields that are printed in the access logs. If you enable the feature of collecting the access logs of an ASM gateway, the logs printed by the gateway are collected to Simple Log Service of Alibaba Cloud, which allows you to store and analyze logs and visualize the query and analysis results on charts.

Configure the features of generating and collecting the access logs of an ASM gateway

You can separately configure the features of generating and collecting the metrics of an ASM gateway based on your business requirements. If you enable the feature of generating the metrics of an ASM gateway, the gateway itself generates the corresponding metrics. You can customize the metrics that are generated by the gateway. If you enable the feature of collecting the metrics of an ASM gateway, the generated metrics are collected to Managed Service for Prometheus, which allows you to store and analyze metrics and visualize the query and analysis results on charts.

Configure the features of generating and collecting the metrics of an ASM gateway

Request payload processing

You can add HTTP response headers for web applications to improve application security.

Use an Envoy filter to add HTTP response headers in ASM

You can enable data compression for an ASM gateway to compress the response content for HTTP requests. This reduces response time and traffic consumption.

Enable data compression for the ingress gateway service of an ASM instance

Integration with existing systems

You can migrate traffic from your self-managed Istio ingress gateway or NGINX Ingress Controller to an ASM gateway for centralized management. This reduces maintenance costs and improves O&M efficiency.

Feature

Description

References

Migration of traffic from self-managed gateways to ASM ingress gateways

You can migrate traffic from a self-managed Istio ingress gateway to an ASM ingress gateway.

Migrate traffic from a self-managed Istio ingress gateway to an ASM ingress gateway

You can migrate traffic from NGINX Ingress Controller to an ASM ingress gateway.

Migrate traffic from Nginx Ingress Controller to the ASM ingress gateway

You can migrate common NGINX configurations to an ASM gateway.

Migrate common NGINX configurations to an ASM gateway