Mastering ASM Ambient Mode: Route‑Level Circuit Breaking and Rate Limiting
This article explains how ASM 1.25 Ambient mode enhances data‑plane performance while supporting route‑level circuit breaking and both local and global rate‑limiting configurations, providing detailed YAML examples and best‑practice guidance for managing traffic in a service‑mesh environment.
Preface
ASM 1.25 officially supports Ambient mode, offering better data‑plane forwarding performance and lower resource consumption while retaining most advanced mesh features. Ambient mode also supports rate limiting and circuit breaking, which are described below.
Route‑Level Circuit Breaking
Community Istio provides service‑level circuit breaking via Envoy connection pools, but it has two drawbacks: it supports only service‑level, not API‑level, throttling, and it takes effect after routing rules, so it cannot limit traffic before distribution.
ASM introduces route‑level circuit breaking. The following configuration applies to waypoints labeled gateway.networking.k8s.io/gateway-name: waypoint and defines a policy that trips the circuit breaker when more than 60% of requests in a 10‑second window are errors or slow requests, with a break duration of 90 seconds. During the break, the waypoint proxy returns HTTP 499.
apiVersion: istio.alibabacloud.com/v1
kind: ASMCircuitBreaker
metadata:
  name: break
spec:
  workloadSelector:
    labels:
      gateway.networking.k8s.io/gateway-name: waypoint
  applyToTraffic: waypoint
  configs:
  - target_services:
    - name: httpbin
      port: 8000
    breaker_config:
      slow_request_rt: 0.1s
      break_duration: 90s
      window_size: 10s
      max_slow_requests: 10
      min_request_amount: 3
      error_percent:
        value: 60
      custom_response:
        header_to_add:
          x-envoy-circuitbreak: "true"
        body: "hello, break!"
        status_code: 499
Global & Local Rate Limiting
Envoy supports two types of rate limiting: local (per‑instance) and global (via a gRPC service). Local rate limiting caps each service instance’s request rate; global rate limiting applies to the whole mesh. The two can be combined.
Local Rate Limiting
The following configuration applies to waypoints with the same label and limits requests to the httpbin service on port 8000 to 100 QPS, and limits requests with header x-quota: low to 1 request per 10 seconds.
apiVersion: istio.alibabacloud.com/v1
kind: ASMLocalRateLimiter
metadata:
  name: limit
spec:
  workloadSelector:
    labels:
      gateway.networking.k8s.io/gateway-name: waypoint
  applyToTraffic: waypoint
  configs:
  - target_services:
    - name: httpbin
      port: 8000
    limit:
      custom_response_body: 'ratelimited'
      fill_interval:
        seconds: 1
      quota: 100
    limit_overrides:
    - request_match:
        header_match:
        - name: x-quota
          exact_match: low
      limit:
        custom_response_body: 'ratelimited'
        fill_interval:
          seconds: 10
        quota: 1
Global Rate Limiting
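Local limits are counted per waypoint instance, which is why a mesh‑wide cap needs the global service; this added Python model (not ASM or Envoy code) replays constructed traffic against the ASMLocalRateLimiter values above to show it. It assumes quota is both the bucket size and the refill amount, that requests matching x-quota: low draw only from the override bucket, and that replicas are hit round‑robin; Bucket, Waypoint and replay are hypothetical names.

```python
# Added example: token-bucket model of the ASMLocalRateLimiter values above.
# Assumptions (not from ASM docs): quota = bucket size = refill amount;
# a request matching the override draws only from the override bucket.

class Bucket:
    def __init__(self, quota, fill_interval):
        self.quota = quota                  # tokens restored at each fill
        self.fill_interval = fill_interval  # seconds between fills
        self.tokens = quota
        self.last_fill = 0.0

    def allow(self, now):
        # Refill only on whole fill intervals, so a burst of `quota`
        # requests is admitted at the start of every interval.
        intervals = int((now - self.last_fill) // self.fill_interval)
        if intervals > 0:
            self.tokens = self.quota
            self.last_fill += intervals * self.fill_interval
        if self.tokens > 0:
            self.tokens -= 1
            return True
        return False


class Waypoint:
    """One waypoint replica; local limits are kept per instance."""
    def __init__(self):
        self.default = Bucket(quota=100, fill_interval=1)  # limit
        self.low = Bucket(quota=1, fill_interval=10)       # limit_overrides

    def handle(self, headers, now):
        override = headers.get("x-quota") == "low"         # exact_match: low
        return (self.low if override else self.default).allow(now)


def replay(replicas, requests):
    """Replay (time_s, headers) pairs round-robin; True means admitted."""
    pods = [Waypoint() for _ in range(replicas)]
    return [pods[i % replicas].handle(h, t) for i, (t, h) in enumerate(requests)]


# Constructed traffic: 150 plain requests inside one second, then five
# requests carrying x-quota: low at t = 0, 1, 5, 10 and 11 seconds.
BURST = [(i / 150, {}) for i in range(150)]
LOW = [(t, {"x-quota": "low"}) for t in (0, 1, 5, 10, 11)]

if __name__ == "__main__":
    print("1 replica :", sum(replay(1, BURST)), "of 150 admitted")
    print("2 replicas:", sum(replay(2, BURST)), "of 150 admitted")
    print("low, 1 replica :", replay(1, LOW))
    print("low, 2 replicas:", replay(2, LOW))
```

With two replicas the whole burst is admitted, so under these assumptions the effective ceiling is the configured quota multiplied by the number of waypoint instances.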
ASM can deploy a global rate‑limit service. If none is specified, the waypoint uses the default ASM service. The example below limits httpbin to 20 requests per minute and applies a distinct token bucket per value of header x-quota, allowing 1 request per minute for each distinct value.
apiVersion: istio.alibabacloud.com/v1
kind: ASMGlobalRateLimiter
metadata:
  name: global-limit
spec:
  workloadSelector:
    labels:
      gateway.networking.k8s.io/gateway-name: waypoint
  applyToTraffic: waypoint
  configs:
  - target_services:
    - kind: Service
      name: httpbin
      port: 8000
    limit:
      quota: 20
      unit: MINUTE
    limit_overrides:
    - limit:
        quota: 1
        unit: MINUTE
      request_match:
        header_match:
        - distinct: true
          name: x-quota
    name: default
Conclusion
ASM 1.25’s Ambient mode is stable and well‑integrated with Alibaba Cloud Container Service. For more details on ASM’s rate‑limit and circuit‑break capabilities, refer to the linked documentation.
