All Products
Search
Document Center

Alibaba Cloud Service Mesh:Create an egress gateway

更新時間:Dec 19, 2024

If your applications require a centralized egress for Internet or internal network traffic, you can deploy a Service Mesh (ASM) egress gateway in a Kubernetes cluster. As a centralized egress, the egress gateway can simplify the management and routing of external service traffic in the cluster.

Prerequisites

A Container Service for Kubernetes (ACK) cluster is added to your ASM instance. For more information, see The cluster is added to the ASM instance..

Procedure

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Egress Gateway.

  3. On the Egress Gateway page, click Create. On the Create page, configure the parameters of the egress gateway.

    The following table describes the parameters. You can also click Create from YAML on the Egress Gateway page to define an egress gateway. For more information, see Create and manage an egress gateway by using the Kubernetes API.

    Parameter

    Description

    Name

    The name of the egress gateway.

    Cluster

    The cluster in which you want to deploy the ingress gateway.

    Port Mapping

    The ports that services need to expose. Set Protocol and Service Port.

    Note

    By default, two commonly used ports appear in the console. You can keep or remove the default ports or add ports as needed.

    Resources Limits

    The CPU and memory specifications for the pod of the ingress gateway.

    Gateway instances

    The number of pod replicas for the egress gateway.

  4. (Optional) Click Advanced Options and configure the parameters that are described in the following table.

    Parameter

    Description

    HPA

    Specifies whether to enable the Horizontal Pod Autoscaler (HPA) feature. If you select HPA to enable this feature, configure the following parameters:

    • metrics: Set Monitoring items and Threshold. If the metric value exceeds the specified threshold, the number of pod replicas increases for the ingress gateway. If the metric value is below the specified threshold, the number of pod replicas decreases for the ingress gateway.

      If you specify thresholds for CPU utilization and memory usage, both thresholds take effect. In this case, if the CPU utilization or memory usage exceeds or is below the specified threshold, the egress gateway is accordingly resized.

    • Maximum replicas: the maximum number of pod replicas for the ingress gateway.

    • Minimum number of replicas: the minimum number of pod replicas for the ingress gateway.

    Note

    This feature is available only to ASM instances of Enterprise or Ultimate Edition.

    Rolling Upgrade

    Specifies whether to enable the rolling update feature. If you select Rolling Upgrade to enable this feature, configure the following parameters:

    • Maximum number of unavailable instances: the maximum number of pod replicas that can be unavailable during a rolling update. This ensures that a certain number of pods can provide services during the update.

    • Exceeding the desired number of instances: the maximum number of pod replicas that can be created over the expected number of pod replicas during a rolling update. For example, if you set this parameter to 25%, the number of pod replicas during a rolling update cannot exceed 125% of the expected number of pod replicas.

    Deploy ASM Gateway replicas as widely as possible

    When podAntiAffinity is set for the ingress gateway, gateway pods are preferentially deployed to different nodes.

    Custom Deployment Policy

    You can configure the nodeSelector, tolerations, and affinity fields for the ASM gateway. For more information about these fields, see CRD fields for an ASM gateway.

    Support two-way TLS authentication

    If you select Support two-way TLS authentication, sidecar proxies that are injected into service pods and the egress gateway authenticate each other by using TLS. This improves security. You can configure access policies for outbound traffic based on authorization policies and the identities verified by using mutual TLS.

    Important

    Pods that are not injected with sidecar proxies cannot access external services by using the egress gateway.

  5. Click Create.

    If the status of the ingress gateway is Running, the ingress gateway is created. Service address is the IP address of the egress gateway.

Related operations

After an egress gateway is created, you can log on to the ASM console to manage the egress gateway. You can also log on to the ACK console to view the egress gateway.

Log on to the ASM console to manage an egress gateway

After an egress gateway is created, you can log on to the ASM console to view, edit, or delete the egress gateway.

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Egress Gateway.

  3. On the Egress Gateway page, manage the egress gateway as needed.

    Operation

    Description

    View or edit an egress gateway

    • Method 1:

      1. Find the egress gateway and click View Details.

      2. On the Gateway Details page, click the 编辑 icon next to the parameter that you want to modify, modify the parameter settings, and then click Submit.

    • Method 2:

      1. Find the egress gateway and click YAML.

      2. In the Edit dialog box, modify the YAML configuration, and then click OK.

    Delete an egress gateway

    Find the egress gateway, click Delete. In the message that appears, click OK.

    Important

    After an egress gateway is deleted, the internal services of the ASM instance cannot access external services by using the egress gateway. Exercise caution when you perform this operation.

Log on to the ACK console to view an egress gateway

  • View basic information about an egress gateway.

    1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

    2. On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, choose Network > Services.

    3. In the upper part of the Services page, select istio-system from the Namespace drop-down list.

      You can view basic information about the egress gateway. You can also click the name of the egress gateway to view detailed information.

  • View the pod information of an egress gateway.

    1. In the left-side navigation pane of the details page, choose Workloads > Pods.

    2. In the upper part of the Pods page, select istio-system from the Namespace drop-down list.

    3. Click the destination pod to view the details of the egress gateway pod.

References