
Alibaba Cloud Service Mesh:Create an ingress gateway

Last Updated: Nov 18, 2024

You can deploy an ASM ingress gateway in a Kubernetes cluster to act as a single entry point for access to your applications over the Internet or an internal network. The ingress gateway can simplify the management and routing of traffic, and use load balancing capabilities at Layer 7 to intelligently distribute traffic to backend services based on the HTTP request URL, host header, or other properties.

Prerequisites

The cluster is added to the ASM instance.

Procedure

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.

  3. On the Ingress Gateway page, click Create and configure the basic information of the gateway.

    The following table describes the parameters. You can also click Use a YAML template on the Ingress Gateway page to define the ingress gateway. For more information, see Manage the ingress gateway by using KubeAPI.

    Parameter

    Description

    Name

    The name of the ingress gateway.

    Cluster

    The cluster in which you want to deploy the ingress gateway.

    Service Type

    The service type. Valid values: LoadBalancer, ClusterIP, and NodePort. For more information about the three types, see Service.

    Note

    If your cluster on the data plane is a registered cluster and you need to select LoadBalancer, make sure that the cluster supports LoadBalancer Services to prevent ingress gateway creation failures.

    CLB/NLB

    You must specify this parameter when you set Service Type to LoadBalancer.

    Valid values: Internet Access and Private Access.

    Create LoadBalancer Instance

    You must specify this parameter when you set Service Type to LoadBalancer.

    • Create LoadBalancer Instance:

      • If you select CLB, you need to select the required load balancer specification from the Select CLB Specifications drop-down list.

      • If you select NLB, you need to select the vSwitches that are deployed in at least two zones from the Select Zones for NLB Instance drop-down list.

    • Use Existing SLB Instance: Select a value from the list of existing load balancers.

    Important

    We recommend that you assign a load balancer to each Kubernetes service. If multiple Kubernetes services share a load balancer, the following risks and limitations exist:

    • Using an existing load balancer overwrites its existing listeners, which can make your application inaccessible.

    • Load balancers created by Kubernetes through the Service cannot be reused. Only load balancers that you manually create in the console (or by calling OpenAPI) can be reused.

    • Multiple Services that share the same load balancer cannot have the same frontend listening port, as this would result in port conflicts.

    • When reusing a load balancer, names of listeners and vServer groups are used by Kubernetes as unique identifiers. Therefore, do not modify the names of listeners or vServer groups.

    • Cross-cluster and cross-region load balancer reuse is not supported.

    Port Mapping

    Set Protocol and Service Port.

    Note

    The ASM console provides two default ports that are commonly used by Istio. You can also set the parameters as needed.

    Resources Limits

    The CPU and memory specifications for the pod of the ingress gateway service.

    Gateway instances

    The number of pod replicas for the ingress gateway service.

  4. Optional: Click Advanced Options and configure the parameters that are described in the following table.

    Parameter

    Description

    External Traffic Policy

    The policy to distribute external traffic. Valid values:

    • Local: Traffic is routed only to pods on the node where the ingress gateway service is deployed.

    • Cluster: Traffic can be routed to pods on other nodes in the cluster.

    HPA

    Select HPA and set the following parameters:

    • metrics: Set Monitoring items and Threshold. If the metric value exceeds the specified threshold, the number of pod replicas increases for the ingress gateway. If the metric value is below the specified threshold, the number of pod replicas decreases for the ingress gateway.

      If you specify thresholds for both CPU utilization and memory usage, both thresholds take effect. In this case, the ingress gateway is resized accordingly when the CPU utilization or memory usage rises above or falls below the specified threshold.

    • Maximum replicas: the maximum number of pod replicas for the ingress gateway.

    • Minimum number of replicas: the minimum number of pod replicas for the ingress gateway.

    Note

    This feature is available only for ASM instances of Enterprise or Ultimate Edition.

    Rolling Upgrade

    Select Rolling Upgrade and set the following parameters:

    • Maximum number of unavailable instances: the maximum number of pod replicas that can be unavailable during a rolling update.

    • Exceeding the desired number of instances: the maximum number of pod replicas that can be created over the expected number of replicas during a rolling update. For example, if you set this parameter to 25%, the number of replicas during a rolling update cannot exceed 125% of the expected number of replicas.

    Enable MultiBuffer-based TLS encryption and decryption performance optimization

    Select Enable MultiBuffer-based TLS encryption and decryption performance optimization to speed up TLS encryption and decryption.

    • supported nodeaffinity: Select the label of the nodes on which the performance optimization feature takes effect.

    • Poll Delay(ms): A specified polling delay reduces the time Multi-Buffer waits before processing requests. For more information, see Parameter description.

    Note

    This feature is available only for ASM instances of Enterprise or Ultimate Edition.

    Deploy ASM Gateway replicas as widely as possible

    When podAntiAffinity is set for the ingress gateway, gateway pods are preferentially deployed to different nodes.

    Custom Deployment Policy

    You can configure the nodeSelector, tolerations, and affinity fields for the ASM gateway. For more information about the fields, see ASM gateway CRD description.

    Graceful Shutdown

    After you select Graceful Shutdown, the gateway service will not be affected when the load balancer is disabled.

    Connection timeout (seconds): After an ASM gateway pod is removed from the load balancer, the load balancer waits for the configured connection timeout before it disconnects from the pod. During this period, the pod of the ingress gateway can still handle existing connections. The default graceful shutdown time for the gateway pod is 30 seconds. The timeout period configured on the load balancer side should not exceed 30 seconds.

    Note

    This feature is available only for ASM instances of Enterprise or Ultimate Edition.

  5. After the configuration is complete, click Create.

    The gateway status is Running, which indicates that the creation is successful. Service address is the IP address of the ingress gateway.
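The shared load balancer limits listed under Create LoadBalancer Instance can be checked before you select Use Existing SLB Instance. The following added example (not part of the original documentation or of ASM) groups Service objects by the load balancer they reuse and reports frontend port clashes. It assumes the Services carry the `service.beta.kubernetes.io/alibaba-cloud-loadbalancer-id` annotation used by the Alibaba Cloud cloud controller manager; the Service names and load balancer IDs are constructed sample values.

```python
from collections import defaultdict

# Annotation read by the Alibaba Cloud cloud controller manager to bind a
# Service to an existing load balancer (assumption: not shown on this page).
LB_ID = "service.beta.kubernetes.io/alibaba-cloud-loadbalancer-id"

def audit_shared_lbs(services):
    """Report load balancers reused by several Services and their port clashes."""
    by_lb = defaultdict(list)
    for svc in services:
        lb = svc["metadata"].get("annotations", {}).get(LB_ID)
        if svc["spec"].get("type") == "LoadBalancer" and lb:
            by_lb[lb].append(svc)
    findings = []
    for lb, group in sorted(by_lb.items()):
        if len(group) < 2:
            continue  # one Service per load balancer: the recommended layout
        owners = defaultdict(list)  # frontend port -> Services (rule is per port)
        names = []
        for svc in group:
            name = f'{svc["metadata"]["namespace"]}/{svc["metadata"]["name"]}'
            names.append(name)
            for port in svc["spec"].get("ports", []):
                owners[port["port"]].append(name)
        findings.append({
            "lb": lb,
            "services": sorted(names),
            "port_conflicts": {p: sorted(set(n)) for p, n in sorted(owners.items())
                               if len(set(n)) > 1},
        })
    return findings

def svc(ns, name, lb, ports, kind="LoadBalancer"):
    """Build a minimal Service shaped like an item of `kubectl get svc -o json`."""
    meta = {"namespace": ns, "name": name, "annotations": {LB_ID: lb} if lb else {}}
    return {"metadata": meta, "spec": {"type": kind, "ports": [{"port": p} for p in ports]}}

# Constructed sample data; names and load balancer IDs are placeholders.
SAMPLE = [
    svc("istio-system", "ingressgateway-demo", "lb-constructed-0001", [80, 443]),
    svc("default", "legacy-web", "lb-constructed-0001", [443, 8443]),
    svc("default", "metrics", "lb-constructed-0002", [9090]),
    svc("default", "internal-api", None, [8080], kind="ClusterIP"),
]

if __name__ == "__main__":
    for finding in audit_shared_lbs(SAMPLE):
        print(finding)
```

To run it against a real cluster, pass the `items` list from `kubectl get svc -A -o json` to `audit_shared_lbs`.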

Related operations

After the ingress gateway is created, you can manage the ingress gateway in the ASM console or view the ingress gateway in the ACK console.

Manage the ingress gateway in the ASM console

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.

  3. On the Ingress Gateway page, perform the operations that are described in the following table.

    Operation

    Description

    View or edit an ingress gateway

    • Method 1: Find the ingress gateway that you want to view or edit and click View Details. Then, you can modify the information based on your business requirements.

    • Method 2: Find the ingress gateway that you want to view or edit and click YAML. In the Edit dialog box, modify the related fields as needed, and click OK. For more information about the fields, see ASM gateway CRD description.

    Delete an ingress gateway

    Find the ingress gateway that you want to delete and click Delete. In the Submit message, click OK.

    Important

    After the ingress gateway is deleted, external services cannot access services in the ASM instance by using the ingress gateway. An ingress gateway that is deleted cannot be restored. You can only create another one. Exercise caution when you perform this operation.

View the ingress gateway in the ACK console

  • To view the basic information about the ingress gateway, perform the following steps:

    1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

    2. On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, choose Network > Services.

    3. In the upper part of the Services page, select istio-system from the Namespace drop-down list.

      You can view the basic information of the desired ingress gateway. The IP address in the External IP column is the IP address of the ingress gateway.

  • To view the pod information about the ingress gateway, perform the following steps:

    1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

    2. On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, choose Workloads > Pods.

    3. In the upper part of the Pods page, select istio-system from the Namespace drop-down list.

    4. Click the desired pod to view the pod information about the ingress gateway.
