Create an ingress gateway to centrally manage inbound traffic for a Kubernetes cluster - Alibaba Cloud Service Mesh

You can deploy an ASM ingress gateway in a Kubernetes cluster to act as a single entry point for access to your applications over the Internet or an internal network. The ingress gateway can simplify the management and routing of traffic, and use load balancing capabilities at Layer 7 to intelligently distribute traffic to backend services based on the HTTP request URL, host header, or other properties.

Prerequisites

The cluster is added to the ASM instance..

Procedure

Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.

On the Ingress Gateway page, click Create and configure the basic information of the gateway.

The following table describes the parameters. You can also click Use a YAML template on the Ingress Gateway page to define the ingress gateway. For more information, see Manage the ingress gateway by using KubeAPI.

Parameter	Description
Name	The name of the ingress gateway.
Cluster	The cluster in which you want to deploy the ingress gateway.
Service Type	The service type. Valid values: LoadBalancer, ClusterIP, and NodePort. For more information about the three types, see Service. Note If your cluster on the data plane is a registered cluster and you need to select LoadBalancer, make sure that the cluster supports LoadBalancer Services to prevent ingress gateway creation failures.
CLB/NLB	You must specify this parameter when you set Service Type to LoadBalancer. Valid values: Internet Access and Private Access.
Create LoadBalancer Instance	You must specify this parameter when you set Service Type to LoadBalancer. Create LoadBalancer Instance: If you select CLB, you need to select the required load balancer specification from the Select CLB Specifications drop-down list. If you select NLB, you need to select the vSwitches that are deployed in at least two zones from the Select Zones for NLB Instance drop-down list. Use Existing SLB Instance: Select a value from the list of existing load balancers. Important We recommend that you assign a load balancer to each Kubernetes service. If multiple Kubernetes services share a load balancer, the following risks and limitations exist: Using an existing load balancer will overwrite existing listeners, leading to your application to be inaccessible. Load balancers created by Kubernetes through the Service cannot be reused. Only load balancers that you manually create in the console (or by calling OpenAPI) can be reused. Multiple Services that share the same load balancer cannot have the same frontend listening port, as this would result in port conflicts. When reusing a load balancer, names of listeners and vServer groups are used by Kubernetes as unique identifiers. Therefore, do not modify the names of listeners or vServer groups. Cross-cluster and cross-region load balancer reuse is not supported.
Port Mapping	Set Protocol and Service Port. Note The ASM console provides two default ports that are commonly used by Istio. You can also set the parameters as needed.
Resources Limits	The CPU and memory specifications for the pod of the ingress gateway service.
Gateway instances	The number of pod replicas for the ingress gateway service.

Optional:Click Advanced Options and configure the parameters that are described in the following table.

Parameter	Description
External Traffic Policy	The policy to distribute external traffic. Valid values: Local: Traffic is routed only to pods on the node where the ingress gateway service is deployed. Cluster: Traffic can be routed to pods on other nodes in the cluster.
HPA	Select HPA and set the following parameters: metrics: Set Monitoring items and Threshold. If the metric value exceeds the specified threshold, the number of pod replicas increases for the ingress gateway. If the metric value is below the specified threshold, the number of pod replicas decreases for the ingress gateway. If you specify thresholds for CPU utilization and memory usage, both thresholds take effect. In this case, if the CPU utilization or memory usage exceeds or is below the specified threshold, the ingress gateway is accordingly resized. Maximum replicas: the maximum number of pod replicas for the ingress gateway. Minimum number of replicas: the minimum number of pod replicas for the ingress gateway. Note This feature is available only for ASM instances of Enterprise or Ultimate Edition.
Rolling Upgrade	Select Rolling Upgrade and set the following parameters: Maximum number of unavailable instances: the maximum number of pod replicas that can be unavailable during a rolling update. Exceeding the desired number of instances: the maximum number of pod replicas that can be created over the expected number of replicas during a rolling update. For example, if you set this parameter to 25%, the number of replicas during a rolling update cannot exceed 125% of the expected number of replicas.
Enable MultiBuffer-based TLS encryption and decryption performance optimization	Select Enable MultiBuffer-based TLS encryption and decryption performance optimization to speed up TLS encryption and decryption. supported nodeaffinity: Select the label of the nodes on which the performance optimization feature takes effect. Poll Delay(ms): A specified polling delay reduces the time Multi-Buffer waits before processing requests. For more information, see Parameter description. Note This feature is available only for ASM instances of Enterprise or Ultimate Edition.
Deploy ASM Gateway replicas as widely as possible	When `podAntiAffinity` is set for the ingress gateway, gateway pods are preferentially deployed to different nodes.
Custom Deployment Policy	You can configure the `nodeSelector`, `tolerations`, and `affinity` fields for the ASM gateway. For more information about the fields, see ASM gateway CRD description.
Graceful Shutdown	After you select Graceful Shutdown, the gateway service will not be affected when the load balancer is disabled. Connection timeout (seconds): After removing an ASM gateway pod from the load balancer, the load balancer will wait for the configured connection timeout duration before disconnecting from the pod. During the specified period of time, the pod of the ingress gateway can handle existing connections. The default graceful shutdown time for the gateway pod is 30 seconds. The timeout period configured on the load balancer side should not exceed 30 seconds. Note This feature is available only for ASM instances of Enterprise or Ultimate Edition.

After the configuration is complete, click Create.
The gateway status is Running, which indicates that the creation is successful. Service address is the IP address of the ingress gateway.

Related operations

After the ingress gateway is created, you can manage the ingress gateway in the ASM console or view the ingress gateway in the ACK console.

Manage the ingress gateway in the ASM console

Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.

On the Ingress Gateway page, perform the operations that are described in the following table.

Operation	Description
View or edit an ingress gateway	Method 1: Find the ingress gateway that you want to view or edit and click View Details. Then, you can modify the information based on your business requirements. Method 2: Find the ingress gateway that you want to view or edit and click YAML. In the Edit dialog box, modify the related fields as needed, and click OK. For more information about the fields, see ASM gateway CRD description.
Delete an ingress gateway	Find the ingress gateway that you want to delete and click Delete. In the Submit message, click OK. Important After the ingress gateway is deleted, external services cannot access services in the ASM instance by using the ingress gateway. An ingress gateway that is deleted cannot be restored. You can only create another one. Exercise caution when you perform this operation.

View the ingress gateway in the ACK console

To view the basic information about the ingress gateway, perform the following steps:
1. Log on to the ACK console. In the left-side navigation pane, click Clusters.
2. On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, choose Network > Services.
3. In the upper part of the Services page, select istio-system from the Namespace drop-down list.
  You can view the basic information of the desired ingress gateway. The IP address in the External IP column is the IP address of the ingress gateway.
To view the pod information about the ingress gateway, perform the following steps:
1. Log on to the ACK console. In the left-side navigation pane, click Clusters.
2. On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, choose Workloads > Pods.
3. In the upper part of the Pods page, select Istio-system from the Namespace drop-down list.
4. Click the desired pod to view the pod information about the ingress gateway.

References

For more information about how to create an ingress gateway by using an API, see CreateASMGateway.
For more information about how to provide centralized traffic egress for applications in a mesh, see Create an egress gateway.
For more information about how to distribute traffic to different versions of a service based on a specified ratio, such as canary release and A/B testing, see Use Istio resources to route traffic to different versions of a service.
For more information about the call relationships and traffic flows among apps, services, and application versions, see Use Mesh Topology to view the topology of an application.
For more information about the features of gateways, see Overview of ASM gateways.