Associate an NLB instance with an ingress gateway - Alibaba Cloud Service Mesh

Network Load Balancer (NLB) instances are next-generation Layer 4 load balancers developed by Alibaba Cloud for the Internet of Everything (IoE). NLB provides ultra-high performance, supports automatic scaling, offers higher availability, and further enhances the stability of gateway traffic. ASM ingress gateways support the use of NLB. If you set ServiceType to LoadBalancer for an ingress gateway, a Classic Load Balancer (CLB) instance is automatically associated as the load balancer for the gateway Service. This topic describes how to associate an NLB instance with an ingress gateway.

Prerequisites

A Kubernetes cluster is added to your ASM instance with the following conditions met:

The version of the Kubernetes cluster is V1.24 or later and the cloud controller manager (CCM) version is V2.5.0 or later.
The version of the ASM instance is V1.18 or later.
The VPC where the ACK cluster resides has vSwitches in at least two zones.

Procedure

Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.

You can choose to create an ingress gateway using the console or a YAML template.

Create an ingress gateway using the console

On the Ingress Gateway page, click Create. This topic only describes the parameters for NLB instances. For more information about other configuration parameters, see Create an ingress gateway.

Configuration item	Description
NLB	This configuration is required only when Service Type is set to LoadBalancer. Internet Access and VPC Access are supported.
Create SLB Instance	By default, Create SLB Instance is selected on the console. You can select Use Existing SLB Instance as needed. After selecting this option, you need to select vSwitches deployed in at least two zones in Select Zones for NLB Instance below.
Use Existing SLB Instance	After selecting this option, you need to select an existing NLB instance in Select An Existing Load Balancer below. Important We recommend assigning a load balancer for each Kubernetes service. If multiple Kubernetes services share the same load balancer, the following risks and limitations exist: Using an existing load balancer will overwrite existing listeners, leading to your application to be inaccessible. Load balancers created by Kubernetes through Service cannot be reused. Only those manually created in the console (or by calling OpenAPI) can be reused. Multiple Services sharing the same load balancer cannot have the same frontend listener port, as this would result in port conflicts. When reusing a load balancer, names of listeners and vServer groups are used by Kubernetes as unique identifiers. Therefore, do not modify the names of listeners or vServer groups. Cross-cluster and cross-region load balancer reuse is not supported.

Create an ingress gateway using a YAML template

On the Ingress Gateway page, click Use a YAML template, set the gateway name to ingressgateway-nlb-test, and select istio-system for Namespace. Configure the following YAML.

In the YAML, you need to set loadBalancerClass to alibabacloud.com/nlb. You do not need to specify specifications for the NLB instance, but you must specify at least two zones.

Expand to view YAML

apiVersion: istio.alibabacloud.com/v1
kind: IstioGateway
metadata:
  name: ingressgateway-nlb-test
  namespace: istio-system
spec:
  affinity:
    podAntiAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
      - podAffinityTerm:
          labelSelector:
            matchExpressions:
            - key: istio
              operator: In
              values:
              - ingressgateway
          topologyKey: kubernetes.io/hostname
        weight: 1
  autoCreateGatewayYaml: false
  clusterIds:
  - ${Current mesh added cluster ID}
  disableContainerPortExposed: true
  dnsPolicy: ClusterFirst
  externalTrafficPolicy: Local
  gatewayType: ingress
  hostNetwork: false
  ports:
  - name: http-0
    port: 80
    protocol: HTTP
    targetPort: 80
  - name: https-1
    port: 443
    protocol: HTTPS
    targetPort: 443
  replicaCount: 2
  resources:
    limits:
      cpu: "2"
      memory: 4G
    requests:
      cpu: 200m
      memory: 256Mi
  rollingMaxSurge: 25%
  rollingMaxUnavailable: 25%
  runAsRoot: true
  serviceAnnotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-connection-drain: "on"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-connection-drain-timeout: "10"
    service.beta.kubernetes.io/alicloud-loadbalancer-address-type: internet
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-zone-maps: ${Zone ID}:${VSwitch ID in this zone},${Another zone ID}:${VSwitch ID in this zone}	# For example, cn-hangzhou-g:vsw-bp1xxxxxxxxxx,cn-hangzhou-j:vsw-bp1xxxxxxxxxx
  serviceType: LoadBalancer
  loadBalancerClass: alibabacloud.com/nlb

After the creation is complete, the page displays as follows. For gateways using CLB, the Service Address is displayed as an IP address. For gateways using NLB, the Service Address is displayed as a domain name. If you specify two zones when you create an ingress gateway, two IP addresses are bound to the domain name.

You can log on to the NLB console to view the current NLB status. For more information, see Configure network-based load balancing NLB using annotations and NLB billing.