Features - Alibaba Cloud Service Mesh

Service Mesh (ASM) provides the following editions that support different features and capabilities: Standard Edition, Enterprise Edition, and Ultimate Edition. Standard Edition is free of charge, and the other editions are commercial editions. This topic describes the features supported by different ASM editions.

Note

Compared with Standard Edition, Enterprise Edition and Ultimate Edition support more protocols, enhance dynamic extension capabilities, provide fine-grained service governance, and improve the zero-trust security system. In addition, Enterprise Edition and Ultimate Edition enhance performance, provide better support for large-scale clusters, and simplify the use of ASM instances in production environments. Enterprise Edition and Ultimate Edition are applicable to scenarios in which you require cross-language interoperability and fine-grained service governance and want to apply the service mesh technology in production environments on a large scale. For more information about how to change the edition of an ASM instance, see Change the edition of an ASM instance. For more information about ASM editions, see Announcement on the launch of commercial editions.

Features supported on the ASM control plane

Mesh management

Feature	Open source edition	Standard Edition	Enterprise Edition	Ultimate Edition
Full lifecycle management of ASM instances such as instance deployment and upgrade management in the ASM console
Support for Container Service for Kubernetes (ACK) clusters (including ACK managed clusters and ACK dedicated clusters) of all compatible Kubernetes versions and the ACK on ECI mode
Support for Container Compute Service (ACS) clusters
Support for ACK Serverless clusters of all compatible Kubernetes versions
Support for registered external Kubernetes clusters
Support for ACK edge clusters
Support for multi-cluster deployment across virtual private clouds (VPCs) and regions in production environments
Supported operating systems	Alibaba Cloud Linux 2	Alibaba Cloud Linux 2	Alibaba Cloud Linux 2 and Alibaba Cloud Linux 3	Alibaba Cloud Linux 2 and Alibaba Cloud Linux 3
Automatic diagnostics of mesh configuration issues	Partially supported
Rollback of Istio resources to an earlier version
Support for Kubernetes clusters on the data plane to access Istio resources by using the Kubernetes API in multi-cluster mode

Management of data plane components

Feature	Open source edition	Standard Edition	Enterprise Edition	Ultimate Edition
Configurations of sidecar proxies at global, namespace, and workload levels	Partially supported
Configuration of the sidecar injector in the console
Support for Container Network Interface (CNI) plug-ins in ACK clusters

ASM gateway management

Feature	Open source edition	Standard Edition	Enterprise Edition	Ultimate Edition
Full lifecycle management of ASM gateways such as creation, upgrades, deletion, and configuration updates of an ASM gateway
Route management in the console
Advanced features, such as graceful shutdown, horizontal pod autoscaling (HPA), upgrades without service disruption, and Transport Layer Security (TLS) acceleration
Integration of envoy.ext_authz, which allows customers to configure custom authorization services in the console
Integration with the OpenID Connect (OIDC) based single sign-on (SSO) feature
Integration with the throttling and circuit breaking features
Certificate management
Integration with observability features
High availability

Traffic management

Feature	Open source edition	Standard Edition	Enterprise Edition	Ultimate Edition
Compatibility with the concepts of VirtualService, DestinationRule, and Gateway defined in open source Istio
Configuration of traffic routing rules in the console
Local throttling	Partially supported	Partially supported
Support for Spring Cloud services
Graceful start and shutdown of services
Traffic lane and traffic labeling
Route-level circuit breaking
Intra-zone Provider First
Warm-up
Traffic management based on services
Layer 7 load balancing of east-west gateways

Observability management

Feature	Open source edition	Standard Edition	Enterprise Edition	Ultimate Edition
Visual service mesh topology for easy analysis	Partially supported	Partially supported
Integration with a self-managed Prometheus service	Partially supported. The self-managed Prometheus service must be independently deployed.
Integration with Application Real-Time Monitoring Service (ARMS) of Alibaba Cloud
Integration with Simple Log Service
Custom metrics	Partially supported	Partially supported
Enhanced built-in common dashboards
Service level objective (SLO) policies
SLO-driven application scaling

Security management

Feature	Open source edition	Standard Edition	Enterprise Edition	Ultimate Edition
Integration with the Resource Access Management (RAM) system to support various features such as RAM authorization
Configuration of security policies in the console
Easy configuration of security policies based on scenarios (support for OIDC-based SSO and JWT-based authentication)
Fine-grained access control by using the Open Policy Agent (OPA) policy engine
OpenAPI operation audit
Kubernetes API operation audit
Integration with the authorization system for Alibaba Cloud accounts
Trial run of ASM authorization policies

Scalability and ecosystem integration

Feature	Open source edition	Standard Edition	Enterprise Edition	Ultimate Edition
Plug-in marketplace
Compatibility between Envoy filters and multiple API versions
Connect to third-party service registries
Integration with the cloud-native inference service KServe
Best practices for application release with Argo CD, Argo Rollouts, and KubeVela
Support for Terraform

Performance optimization and best practices

Feature	Open source edition	Standard Edition	Enterprise Edition	Ultimate Edition
TLS acceleration by using Multi-Buffer
Configuration of the selective service discovery feature in the console
Automatic recommendation of sidecars based on access log analysis
Performance optimization by using Node Feature Discovery (NFD) to detect hardware and software capabilities, such as the support for Advanced Vector Extensions (AVX) and QuickAssist Technology (QAT) acceleration
Best practices that include standardized service definitions and optimized parameter configurations

Stability and supported scale

Feature	Open source edition	Standard Edition	Enterprise Edition	Ultimate Edition
Supported scale on the data plane	We recommend that you use this edition only for development and testing purposes.	50 Pod	1000 Pod	10000 Pod
Managed Istiod components on the control plane	-	Single replica	Multiple replicas	Multiple replicas

Note

Take note of the following considerations for supported scale on the data plane in Standard Edition:

This edition is suitable only for development and testing purposes.
To ensure cluster stability, ASM checks the number of pods in clusters on the data plane before an upgrade. If the number of pods exceeds the limit, you must change the edition of the ASM instance before the upgrade. Otherwise, your business may be affected. For more information about how to change the edition of an ASM instance, see Change the edition of an ASM instance.
ASM calculates the number of pods based on the namespaces that are detected during service discovery and automatically excludes the following system namespaces: istio-system, arms-prom, kube-node-lease, kube-public, and kube-system.

References for features of ASM commercial editions

Feature	References
Mesh management	Enable Multi-Buffer for TLS acceleration
ASM gateways	Bind a certificate to a domain name Enable data compression for the ingress gateway service of an ASM instance Improve availability for the ingress gateway service of an ASM instance
Traffic management	Configure local throttling on an ingress gateway Use the route-level circuit breaking feature of ASM Enable graceful shutdown to prevent traffic loss Configure traffic routing for an ASM gateway Label traffic Manage Spring Cloud services Use traffic labels to implement an end-to-end canary release