Mastering Traffic Management with Kubernetes Gateway API on Alibaba Cloud Service Mesh (ASM)

Learn how to use the Kubernetes Gateway API with Alibaba Cloud Service Mesh (ASM) to configure north‑south and east‑west traffic routing, enable Waypoint, and apply AuthorizationPolicy, through step‑by‑step examples covering prerequisites, resource definitions, and verification commands.

Alibaba Cloud Native

Overview

The Gateway API is a Kubernetes project that defines a set of resources for L4/L7 traffic routing, aiming to become the next‑generation API for Ingress, load balancing, and service mesh. This guide shows how to use the Gateway API on Alibaba Cloud Service Mesh (ASM) to manage both north‑south and east‑west traffic.

Key Concepts

GatewayClass: similar to IngressClass, it selects the controller that implements the Gateway API.

Gateway: defines the actual gateway configuration, such as listeners and addresses.

HTTPRoute: attaches to a Gateway and specifies routing rules for HTTP traffic.

Background

The Gateway API originated at KubeCon 2019 to address the limitations of the Ingress API for fine‑grained traffic management. After Ingress reached stable v1, the community focused on Gateway API, which entered GA in October 2023.

Prerequisites

Create an ASM Enterprise instance and enable Ambient Mesh mode.

Have a Kubernetes cluster that meets ASM requirements.

Add the cluster to the ASM instance.

Enable Gateway API support in ASM (see step 2 of the enable‑Gateway‑API guide in the ASM documentation).

Step 1 – Create an ASM Gateway and Configure a Listener

First, create an ingress gateway (e.g., named ingressgateway) following the ASM documentation. Then apply the following Gateway resource:

apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: gateway
  namespace: istio-system
spec:
  addresses:
  - type: Hostname
    value: istio-ingressgateway.istio-system.svc.cluster.local
  gatewayClassName: istio
  listeners:
  - allowedRoutes:
      namespaces:
        from: All
    hostname: "*.aliyun.com"
    name: default
    port: 80
    protocol: HTTP

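This configuration creates an HTTP listener on port 80 for hosts matching *.aliyun.com. Because allowedRoutes.namespaces.from is set to All, an HTTPRoute in any namespace can attach to this listener; setting it to Selector (or Same) limits attachment to namespaces you trust. The listener is plain HTTP, so traffic reaching it is not encrypted.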

Step 2 – Create an HTTPRoute to Route Traffic to the Httpbin Service

Apply the following HTTPRoute resource, which binds to the gateway created above and forwards traffic to the httpbin service on port 8000:

apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: http
  namespace: default
spec:
  hostnames:
  - "*.aliyun.com"
  parentRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: gateway
    namespace: istio-system
  rules:
  - backendRefs:
    - group: ""
      kind: Service
      name: httpbin
      port: 8000
      weight: 1
    matches:
    - path:
        type: PathPrefix
        value: /

After applying, the Httpbin service can be accessed through the ASM gateway.

Verification

curl -HHost:httpbin.aliyun.com "http://${ASM_GATEWAY_ADDRESS}:80/status/418"

The response shows the classic “teapot” output, confirming the route works.

Step 3 – Enable Waypoint for Httpbin and Apply an AuthorizationPolicy

Enable a Waypoint (an east‑west gateway) for the Httpbin service with the following Gateway resource:

apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  annotations:
    istio.io/for-service-account: httpbin
  name: httpbin
  namespace: default
spec:
  gatewayClassName: istio-waypoint
  listeners:
  - allowedRoutes:
      namespaces:
        from: Same
    name: mesh
    port: 15008
    protocol: HBONE

HBONE (HTTP‑Based Overlay Network Environment) is the mTLS‑encrypted tunneling protocol used by the service mesh in Ambient mode; it listens on port 15008.

Next, create an AuthorizationPolicy that denies access to the /status/418 path:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: authz-test
  namespace: default
spec:
  targetRef:
    name: httpbin
    kind: Gateway
    group: "gateway.networking.k8s.io"
  action: DENY
  rules:
  - to:
    - operation:
        paths:
        - "/status/418"

Test the policy:

curl -HHost:httpbin.aliyun.com "http://${ASM_GATEWAY_ADDRESS}:80/status/418"
# Output: RBAC: access denied%

Other paths remain accessible:

curl -HHost:httpbin.aliyun.com "http://${ASM_GATEWAY_ADDRESS}:80/headers" -I
# HTTP/1.1 200 OK …
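
The following is an added example, not code from the original article, ASM or Istio: a small offline model of how the DENY rule above is matched, using Istio's documented string forms (exact, prefix abc*, suffix *abc, presence *). PREFIX_POLICY and the sample request paths are constructed for illustration; from/when clauses and proxy-side path normalization are not modelled.

```python
# Added example: offline model of DENY AuthorizationPolicy matching (not Istio code).
# Only to.operation paths/notPaths/methods are modelled; `from`, `when` and
# proxy-side path normalization are out of scope (assumption of this sketch).

# The Step 3 policy, reduced to the fields this model reads.
POLICY = {"action": "DENY", "rules": [{"to": [{"operation": {"paths": ["/status/418"]}}]}]}
# Constructed variant: prefix form covering everything under /status/.
PREFIX_POLICY = {"action": "DENY", "rules": [{"to": [{"operation": {"paths": ["/status/*"]}}]}]}

def match_string(pattern, value):
    """Istio string forms: exact, 'abc*' prefix, '*abc' suffix, '*' presence."""
    if pattern == "*":
        return value != ""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    return value == pattern

def operation_matches(op, method, path):
    """Fields of one operation are ANDed; values within a field are ORed."""
    checks = []
    if "paths" in op:
        checks.append(any(match_string(p, path) for p in op["paths"]))
    if "notPaths" in op:
        checks.append(not any(match_string(p, path) for p in op["notPaths"]))
    if "methods" in op:
        checks.append(any(match_string(m, method) for m in op["methods"]))
    return all(checks)

def is_denied(policy, method, path):
    """True if any rule of a DENY policy matches the request."""
    if policy["action"] != "DENY":
        raise ValueError("model covers DENY policies only")
    for rule in policy.get("rules", []):
        targets = rule.get("to")
        # A rule without `to` places no restriction on the operation.
        if not targets or any(
            operation_matches(t.get("operation", {}), method, path) for t in targets
        ):
            return True
    return False

if __name__ == "__main__":
    # Constructed requests; the first two mirror the curl checks above.
    for path in ["/status/418", "/headers", "/status/418/", "/status/200"]:
        print(path, is_denied(POLICY, "GET", path), is_denied(PREFIX_POLICY, "GET", path))
```

In this model the exact entry /status/418 matches only that literal path, so a policy meant to cover the whole /status/ subtree needs the prefix form.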

Summary

The example demonstrates how to use the Kubernetes Gateway API on Alibaba Cloud Service Mesh to configure inbound (north‑south) and internal (east‑west) traffic, enable Waypoint, and enforce layer‑7 authorization policies. As the community continues to align Gateway API with Ambient Mesh concepts, it is expected to become the primary traffic‑management API for future service‑mesh deployments.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
