How to Quickly Create an ASM Instance
The Istio community website lists a Bookinfo example for beginners to quickly learn about some concepts and capabilities of the service mesh technology. This article demonstrates the quick-start tutorial provided by Alibaba Cloud Service Mesh (ASM) concerning how to deploy the Bookinfo example. This article is the second edition in the ASM Public Preview Series, a collection of articles that describes key capabilities of Alibaba Cloud Service Mesh (ASM). Find below the links to other articles in this series:
The quick-start tutorial includes the following steps:
- Create an ASM instance with a managed control plane.
- Add an Alibaba Cloud Container Service for Kubernetes (ACK) cluster to the data plane of the ASM instance with a managed control plane.
- Deploy an ingress gateway to the ACK cluster in the data plane of the ASM instance.
- Deploy applications to the ACK cluster in the data plane of the ASM instance with a managed control plane.
- Define virtual services and an Istio gateway for the ASM instance with a managed control plane.
Create an ASM Instance with a Managed Control Plane
To use ASM, it is imperative to create an ASM instance.
Activate the following services:
- Elastic Scaling Service (ESS)
- Resource Access Management (RAM)
- Tracing Analysis (if the tracing analysis feature is required)
When you create an ASM instance, ASM may perform the following operations based on the configuration:
- Create a security group that allows all inbound internet control message protocol (ICMP) ports to access the virtual private cloud (VPC) instance.
- Create VPC routing rules.
- Create an elastic IP address (EIP).
- Create a RAM role and corresponding policies. The role owns all Server Load Balancer (SLB), CloudMonitor, VPC, and Log Service permissions. ASM will dynamically create SLB and VPC routing rules based on users’ configurations.
- Create a VPC SLB instance and expose port 6443.
- Create a VPC SLB instance and expose port 15011.
- When you use ASM, it will collect log information about managed control components to ensure stability.
1) Log on to the ASM console.
2) In the left-side navigation pane, click ASM Instance and then Create ASM Instance on the right.
3) On the Create ASM Instance page, enter the ASM instance name and select a region, VPC, and VSwitch.
Note: You can select the required VPC and VSwitch from the existing VPC list and VSwitch list. If the required VPC or VSwitch is not listed in the existing VPC list or VSwitch list respectively, click Create VPC to create a VPC instance or click Create VSwitch to create a VSwitch. For more information, see Create a VPC and Create a VSwitch.
4) Determine whether to select Expose API Server with EIP.
If an ASM instance runs on Kubernetes, you may define various ASM resources, such as virtual services, target rules, and Istio gateways through API Server.
i) If Expose API Server with EIP is selected, an EIP will be created and mounted to the VPC SLB instance. Port 6443 of API Server will be exposed. Use the kubeconfig file to connect to and operate clusters and define ASM resources through the internet.
ii) If Expose API Server with EIP is not selected, no EIP will be created. In this case, you must use the kubeconfig file to connect to and operate clusters and define ASM resources in the VPC instance.
5) Determine whether to select Expose Istio Pilot with EIP.
i) If Expose Istio Pilot with EIP is selected, an EIP will be created and mounted to the VPC SLB instance. Port 15011 of Istio Pilot will be exposed. Envoy proxies deployed in data-plane clusters may use this public IP address to connect to Istio Pilot.
ii) If Expose Istio Pilot with EIP is not selected, no EIP will be created. In this case, only clusters interconnected with the VPC instance can be added to the data plane, including clusters in the same VPC and cross-VPC clusters that are connected through Cloud Enterprise Network.
Note: Expose Istio Pilot with EIP is not selected by default, and the data and control planes are preferentially connected through the VPC instance.
6) Observability: Determine whether to select Enable Tracing Analysis.
ASM integrates with the Alibaba Cloud Tracing Analysis service, which provides distributed application developers with tools, such as trace recovery, request count, link topology, and application dependency analysis. It helps developers quickly analyze and diagnose performance bottlenecks in the distributed application architecture and improve the efficiency of development and diagnosis.
Note: To select this option, you need to first log on to the Tracing Analysis console and enable the Tracing Analysis service.
7) Traffic Management: Determine whether to select Enable Access to Nearest Service.
ASM provides global load balancing capabilities to application services through the Envoy proxy. You can deploy application services in cross-region ACK clusters. ASM provides the running status, routing, and backend information of these application services to the Envoy proxy. The Envoy proxy then routes traffic to the application instance whose services run in multiple regions in the most optimal way. ASM will prioritize the workload instances of the target service based on the location of the Envoy proxy that sends requests. After this option is selected, requests are preferentially sent to service instances located in the same region when all instances are normal to ensure access to the nearest service.
8) Policy Control: Determine whether to select Enable OPA Plug-in.
ASM integrates Open Policy Agent (OPA) to implement fine-grained access control for your applications. For example, using OPA for cross-microservice authorization. After selecting the Enable OPA Plug-in, just like the Istio Envoy proxy container, the OPA container will also be injected into the business pod. Then, you may use OPA to define access control policies in ASM to provide the out-of-the-box capability for distributed application developers and help them quickly define use policies and improve the development efficiency.
9) Service Agreement: Understand and accept Service Agreement and read and agree with ASM Service Terms and Disclaimer. Then, select this option.
10) Finally, click OK to begin creating an instance.
Note: It takes about 2 to 3 minutes to create an ASM instance.