Cloud Native 9 min read

Deploy Alibaba Cloud Service Mesh (ASM): Gateways, Traffic Management & Zero‑Trust

This guide explains how to set up Alibaba Cloud Service Mesh (ASM) on an ACK Kubernetes cluster, covering prerequisites, two methods of cluster registration, creation of north‑south and east‑west gateways, traffic routing with HTTPRoute, security policies using PeerAuthentication and AuthorizationPolicy, and observability configuration via Telemetry.

Alibaba Cloud Infrastructure

Overview

Alibaba Cloud Service Mesh (ASM) is a fully managed service‑mesh platform compatible with the open‑source Istio project. It simplifies service governance by providing traffic routing, security, and observability for Kubernetes workloads.

Prerequisites

An ACK managed Kubernetes cluster has been created.

The Kubernetes Gateway API CRDs are installed in the cluster (the Gateway and HTTPRoute resources below depend on them).

Connecting a Cluster to ASM

Component integration: install the servicemesh-operator component from the ACK console. The operator creates an ASM instance and registers the cluster automatically.

Manual integration: create an ASM instance in the ASM console and add the existing ACK cluster to it.

Creating Gateways

Ingress (North‑South) Gateway

The following example creates a gateway named prod-gateway in the istio-system namespace that listens on port 80. Two production notes: allowedRoutes.namespaces.from: All lets a route in any namespace attach to this gateway, so any tenant can steer ingress traffic; restrict it to a labelled set of namespaces with from: Selector and a namespaceSelector. And an HTTP-only listener serves clear text; add an HTTPS listener with a certificateRef, because the mesh's mTLS does not cover the hop from the client to the gateway.

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: prod-gateway
  namespace: istio-system
spec:
  gatewayClassName: istio  # ASM‑managed Istio gateway class
  listeners:
  - name: http
    port: 80
    protocol: HTTP
    allowedRoutes:
      namespaces:
        from: All  # allow cross‑namespace route references

Waypoint (East‑West) Proxy

In Ambient mode, ASM sends service-to-service (east-west) traffic that needs L7 handling through a Waypoint proxy; L4 mTLS between nodes is handled by ztunnel without one. The following creates a Waypoint gateway named waypoint in the default namespace.

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: waypoint
  namespace: default
spec:
  gatewayClassName: istio-waypoint  # Waypoint‑specific class
  listeners:
  - name: mesh
    port: 15008
    protocol: HBONE
    allowedRoutes:
      namespaces:
        from: All

Label the namespace to enable Ambient mode and bind the Waypoint:

kubectl label ns default istio.io/dataplane-mode=ambient
kubectl label ns default istio.io/use-waypoint=waypoint

Traffic Management

ASM recommends using HTTPRoute for traffic splitting, while DestinationRule and ServiceEntry can provide finer‑grained policies.

Canary release example, 90 % of traffic to reviews-v1 and 10 % to reviews-v2. The route attaches to the reviews-svc Service (a GAMMA "producer route"), so it must live in the same namespace as that Service, shown here as default, the namespace the waypoint was bound to; a route placed in another namespace is not applied.

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: internal-canary-route
  namespace: default  # same namespace as the parent Service reviews-svc
spec:
  parentRefs:
  - kind: Service
    name: reviews-svc
    group: ""
  rules:
  - backendRefs:
    - name: reviews-v1
      port: 9080
      weight: 90
    - name: reviews-v2
      port: 9080
      weight: 10

External API circuit breaker: register the external host with a ServiceEntry and define a DestinationRule that limits pending requests and ejects an endpoint after a single 5xx. Two caveats: the ServiceEntry is also what makes api.external.com reachable when the mesh's outbound traffic policy is REGISTRY_ONLY, so treat ServiceEntries as your egress allow-list and keep them under review; and ejecting on one 5xx for three minutes (with maxEjectionPercent left at its 10 % default) is an aggressive demo setting rather than a production default.

# ServiceEntry
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: external-svc-se
  namespace: istio-system
spec:
  hosts:
  - api.external.com
  ports:
  - number: 443
    name: https
    protocol: TLS
  resolution: DNS
---
# DestinationRule
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: external-svc-dr
  namespace: istio-system
spec:
  host: api.external.com
  trafficPolicy:
    connectionPool:
      http:
        http1MaxPendingRequests: 1
    outlierDetection:
      consecutive5xxErrors: 1
      interval: 1s
      baseEjectionTime: 3m
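To make the two knobs concrete, here is an added simulation (example code, not from this page or from ASM/Istio) of how Envoy applies consecutive5xxErrors, baseEjectionTime and http1MaxPendingRequests. The endpoint addresses and the response sequence are constructed, the sweep interval is ignored (un-ejection is modelled as immediate), and maxEjectionPercent is the Istio default of 10 % that the DestinationRule above leaves unset:

```python
"""Simulation of the DestinationRule circuit-breaker semantics (added example)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class HostState:
    consecutive_5xx: int = 0
    ejection_count: int = 0     # how many times this host has been ejected so far
    ejected_until: float = 0.0  # simulation clock value at which the ejection expires


class OutlierDetector:
    """consecutive5xxErrors / baseEjectionTime / maxEjectionPercent as Envoy applies them."""

    def __init__(self, hosts: List[str], consecutive_5xx_errors: int = 1,
                 base_ejection_time: float = 180.0, max_ejection_percent: int = 10):
        self.hosts: Dict[str, HostState] = {h: HostState() for h in hosts}
        self.consecutive_5xx_errors = consecutive_5xx_errors
        self.base_ejection_time = base_ejection_time      # DestinationRule: 3m
        self.max_ejection_percent = max_ejection_percent  # Istio default when unset

    def _ejected(self, now: float) -> List[str]:
        return [h for h, s in self.hosts.items() if s.ejected_until > now]

    def report(self, host: str, status: int, now: float) -> bool:
        """Record one upstream response; return True if it caused an ejection."""
        st = self.hosts[host]
        if status < 500:
            st.consecutive_5xx = 0          # any non-5xx resets the streak
            return False
        st.consecutive_5xx += 1
        if st.consecutive_5xx < self.consecutive_5xx_errors:
            return False
        st.consecutive_5xx = 0
        ejected = self._ejected(now)
        if host in ejected:
            return False
        # maxEjectionPercent caps how much of the pool may be out at once, but
        # Envoy always permits the first ejection (Envoy outlier-detection docs).
        if ejected and (len(ejected) + 1) * 100 > self.max_ejection_percent * len(self.hosts):
            return False
        st.ejection_count += 1
        # Repeat offenders stay out longer: baseEjectionTime x number of ejections.
        st.ejected_until = now + self.base_ejection_time * st.ejection_count
        return True

    def healthy(self, now: float) -> List[str]:
        """Endpoints the load balancer may pick at time `now`."""
        ejected = self._ejected(now)
        return [h for h in self.hosts if h not in ejected]


class PendingLimiter:
    """connectionPool.http.http1MaxPendingRequests: requests queued waiting for a connection."""

    def __init__(self, max_pending: int = 1):
        self.max_pending = max_pending
        self.pending = 0

    def admit(self) -> bool:
        """False means the request is shed locally: Envoy answers 503 with the UO flag."""
        if self.pending >= self.max_pending:
            return False
        self.pending += 1
        return True

    def release(self) -> None:
        self.pending = max(0, self.pending - 1)


def demo() -> dict:
    """Replay a constructed traffic sample using the DestinationRule's values."""
    # Assumed for illustration: api.external.com resolves to two endpoints.
    a, b = "203.0.113.10", "203.0.113.11"
    od = OutlierDetector([a, b])
    result = {}
    od.report(a, 503, now=0.0)                  # one 5xx ejects the host for 3m
    result["t0_healthy"] = od.healthy(0.0)
    od.report(b, 500, now=1.0)                  # 10 % cap: b is NOT ejected
    result["t1_healthy"] = od.healthy(1.0)
    result["t180_healthy"] = od.healthy(180.0)  # a returns after baseEjectionTime
    od.report(a, 502, now=200.0)                # second ejection lasts 2 x 3m
    result["t200_ejected_until"] = od.hosts[a].ejected_until

    lim = PendingLimiter(max_pending=1)
    result["pending_admitted"] = [lim.admit(), lim.admit()]  # second one is shed
    return result


if __name__ == "__main__":
    print(demo())
```

Two things the replay makes visible: with two endpoints and the default 10 % cap, the second failing endpoint stays in rotation once the first is out, so the breaker degrades to sending everything to a possibly broken host instead of failing fast; and a host that keeps failing is ejected for longer each time (3m, then 6m). In production raise consecutive5xxErrors above 1 and set maxEjectionPercent deliberately rather than inheriting the default.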

Zero‑Trust Security Configuration

ASM uses PeerAuthentication to enforce mutual TLS and AuthorizationPolicy for RBAC/ABAC controls. A PeerAuthentication in the root namespace istio-system applies mesh-wide unless a namespace or workload policy overrides it. Move to STRICT only after confirming, for example in PERMISSIVE mode with the access logs, that no non-mesh client such as an out-of-mesh scraper or a legacy workload still talks plain text, because STRICT rejects those connections.

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default-mtls
  namespace: istio-system
spec:
  mtls:
    mode: STRICT  # reject clear‑text traffic

Example JWT-based gateway policy. Two points matter here. First, a policy attached to prod-gateway through targetRefs evaluates requests from external clients, which carry no mesh (mTLS) identity, so a rule keyed on source.principals never matches at the gateway and, because an ALLOW policy now exists for it, every request is rejected. Match on the authenticated request identity (requestPrincipals) instead, and reserve the principals form for policies on backend workloads, where the calling peer really is the gateway's service account (confirm its actual name with kubectl get sa, as it depends on how the gateway was deployed). Second, request.auth.claims is only populated when a RequestAuthentication for the issuer (pointing at its jwksUri) is in scope for the gateway; without one the token is not validated, the claim is empty, and this policy denies all traffic. The issuer value is a placeholder.

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: gateway-auth
  namespace: istio-system
spec:
  targetRefs:
  - kind: Gateway
    group: gateway.networking.k8s.io
    name: prod-gateway
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]  # any request with a JWT validated by RequestAuthentication
    when:
    - key: request.auth.claims[iss]
      values: ["https://accounts.google.com"]
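The difference between keying the rule on the peer identity and on the request identity is easiest to see by evaluating requests against both. The following is an added model (not code from this page, ASM or Istio) of RequestAuthentication plus AuthorizationPolicy evaluation at the gateway. JWT signature checking is replaced by a constructed token table, the service-account principal and issuer are the ones from the page, and the two policies are transcribed as Python dicts: PEER_KEYED as the rule was originally keyed (source.principals) and JWT_KEYED keyed on requestPrincipals.

```python
"""Model of Istio/ASM gateway authentication and authorization (added example)."""
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed stand-in for JWKS signature verification: token -> verified claims.
# A token absent from this table is one whose signature does not verify.
VERIFIED_TOKENS: Dict[str, Dict[str, str]] = {
    "good-token": {"iss": "https://accounts.google.com", "sub": "alice@example.com"},
    "other-idp-token": {"iss": "https://idp.example.net", "sub": "bob@example.net"},
}

INGRESS_SA = "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
ISSUER = "https://accounts.google.com"

# Rule keyed on the caller's peer (mTLS) identity.
PEER_KEYED = [{"action": "ALLOW", "rules": [{
    "from": [{"source": {"principals": [INGRESS_SA]}}],
    "when": [{"key": "request.auth.claims[iss]", "values": [ISSUER]}],
}]}]

# Same intent keyed on the request (JWT) identity, which is what an external caller has.
JWT_KEYED = [{"action": "ALLOW", "rules": [{
    "from": [{"source": {"requestPrincipals": ["*"]}}],
    "when": [{"key": "request.auth.claims[iss]", "values": [ISSUER]}],
}]}]


def authenticate(token: Optional[str], issuers: Optional[List[str]]) -> Tuple[bool, Dict[str, str]]:
    """RequestAuthentication step. `issuers` lists the jwtRules in scope; None means no
    RequestAuthentication applies, in which case a token is ignored, not validated.
    No token: request continues with no identity. Invalid or unknown-issuer token: 401."""
    if token is None or issuers is None:
        return True, {}
    claims = VERIFIED_TOKENS.get(token)
    if claims is None or claims["iss"] not in issuers:
        return False, {}
    return True, claims


def source_matches(src: dict, peer: Optional[str], claims: Dict[str, str]) -> bool:
    if "principals" in src and peer not in src["principals"]:
        return False
    if "requestPrincipals" in src:
        if not claims:
            return False  # no validated JWT means no request principal at all
        rp = f"{claims['iss']}/{claims['sub']}"
        if "*" not in src["requestPrincipals"] and rp not in src["requestPrincipals"]:
            return False
    return True


def rule_matches(rule: dict, peer: Optional[str], claims: Dict[str, str]) -> bool:
    """`from` entries are OR-ed; the from and when sections are AND-ed (`to` is not modelled)."""
    sources = [f["source"] for f in rule.get("from", [])]
    if sources and not any(source_matches(s, peer, claims) for s in sources):
        return False
    for cond in rule.get("when", []):
        key = cond["key"]
        if key.startswith("request.auth.claims[") and key.endswith("]"):
            claim = key[len("request.auth.claims["):-1]
            if claims.get(claim) not in cond["values"]:
                return False
        else:
            raise ValueError(f"condition key not modelled: {key}")
    return True


def authorize(policies: List[dict], peer: Optional[str], claims: Dict[str, str]) -> bool:
    """Istio order: a matching DENY wins; then, if any ALLOW policy targets the workload,
    one of them must match; with no ALLOW policies the request is allowed."""
    for p in policies:
        if p["action"] == "DENY" and any(rule_matches(r, peer, claims) for r in p["rules"]):
            return False
    allows = [p for p in policies if p["action"] == "ALLOW"]
    if not allows:
        return True
    return any(rule_matches(r, peer, claims) for p in allows for r in p["rules"])


def gateway_decision(policies: List[dict], token: Optional[str], peer: Optional[str] = None,
                     issuers: Optional[Sequence[str]] = (ISSUER,)) -> int:
    """HTTP status an external client gets from prod-gateway (peer=None: no mTLS identity)."""
    ok, claims = authenticate(token, None if issuers is None else list(issuers))
    if not ok:
        return 401
    return 200 if authorize(policies, peer, claims) else 403
```

The case worth remembering is gateway_decision(JWT_KEYED, "good-token", issuers=None): with no RequestAuthentication in scope a perfectly good token is simply not validated, no claims are attached, and the ALLOW policy turns into a blanket 403. The peer-keyed rule only admits a request when the peer is the gateway's own service account, which is the situation on a backend workload, not at the gateway itself.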

Observability

ASM's Telemetry resource lets you customize access logs, metrics, and tracing for gateways and services. The example below logs only error responses, adds a static gateway_zone tag to the request-count metric, and traces every request; 100 % sampling is acceptable for a canary but should be lowered on a production gateway.

apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
  name: gateway-observability
  namespace: istio-system
spec:
  targetRefs:
  - kind: Gateway
    group: gateway.networking.k8s.io
    name: prod-gateway
  accessLogging:
  - providers:
    - name: envoy
    filter:
      expression: "response.code >= 400"
  metrics:
  - providers:
    - name: prometheus
    overrides:
    - statName: REQUEST_COUNT
      tagOverrides:
        gateway_zone:
          value: "'china-shanghai-1'"
  tracing:
  - providers:
    - name: opentelemetry
    randomSamplingPercentage: 100.0  # full sampling; reduce in production
    customTags:
      environment:
        literal:
          value: "production-canary"

For detailed configuration options, refer to the ASM documentation.

Tags: observability, Kubernetes, service mesh, Alibaba Cloud, ASM, zero trust, Gateway API
Written by Alibaba Cloud Infrastructure