What is Alibaba Cloud Service Mesh (ASM)?


Alibaba Cloud Service Mesh (ASM) provides a fully managed Service Mesh platform built on Kubernetes. It is compatible with the open source Istio Service Mesh. ASM simplifies service governance, including traffic routing and splitting between services, mutual authentication for inter-service communication, and mesh observability. This significantly reduces development and operations workload.

Product introduction

ASM provides the following core capabilities:

  • Secures communication between services with mutual TLS, identity-based authorization, and authentication.

  • Automatically load-balances HTTP/HTTPS, gRPC, WebSocket, and TCP traffic.

  • Offers fine-grained traffic control through routing rules, retries, failover, and fault injection.

  • Enforces access control, rate limiting, and other extensible policies.

  • Delivers full observability for all traffic within the cluster, including ingress and egress, with built-in metrics, log collection, and tracing.

Service architecture


ASM consists of two parts: the control plane and the data plane.

  • The control plane reads user configurations and instructs the data plane on how to process traffic. Because ASM fully manages the control plane, it is more stable and efficient than self-built service meshes.

  • The data plane consists of network proxies deployed in your cluster that intercept and process traffic according to the control plane's configuration.

Data plane forms and modes

ASM supports multiple data plane forms, including ACK managed clusters, Container Compute Service (ACS), ACK Serverless clusters, ACK Edge clusters, and ACK One registered clusters, enabling traffic management across heterogeneous infrastructures.

Important

Starting from February 17, 2025, Alibaba Cloud Container Service for Kubernetes Serverless will close the entry for creating clusters for new users who have not created clusters before. For more information about this adjustment, see [Product Change] Announcement on closing the new creation entry of ACK Serverless clusters for new users.

Currently, ASM supports two data plane modes:

  • Sidecar mode: ASM automatically injects an Envoy proxy into each application pod. The proxy manages all inbound and outbound traffic for the pod.

  • Ambient mode: A Layer 4 proxy runs on each node. You can deploy Envoy proxies at the namespace or service level for Layer 7 functionality.

To choose the data plane mode that fits your workload, see Choose Ambient mode or Sidecar mode?

Editions

ASM offers Standard Edition, Enterprise Edition, and Ultimate Edition. Commercial editions build on the Standard Edition with enhanced multi-protocol support, dynamic extensions, fine-grained service governance, a comprehensive zero trust security system, and improved performance at scale. These editions lower the barrier to running Service Mesh in production and are ideal for cross-language interoperability, fine-grained governance, and large-scale Service Mesh deployments.

| Category | Edition | Description |
|---|---|---|
| Free Edition | Standard Edition | For functional testing and evaluation. Supports up to 50 pods with no enterprise-level enhancements. Not recommended for production. |
| Commercial Edition | Enterprise Edition | For small to medium-scale production. Supports up to 1,000 pods with enterprise-level enhancements and SLA guarantees. |
| Commercial Edition | Ultimate Edition | For large-scale production. Supports up to 10,000 pods with enterprise-level enhancements and SLA guarantees. |

Core features

The following table lists the core features of ASM. For more information, see Features.

| Feature | Description | References |
|---|---|---|
| Full lifecycle management of mesh instances | Fully managed control plane compatible with Istio community specifications. Supports one-click deployment, upgrade, and deletion to reduce operational overhead. | Instance management |
| Support for multiple infrastructure applications | Supports applications on ACK, ACK Serverless, ACS, edge clusters, and ACK One registered clusters. | Multi-cluster application management |
| Unified ingress and egress gateways | Unified traffic entry and exit points for mesh applications. Supports one-click enabling or disabling of mTLS for end-to-end encryption and traffic control. | ASM gateways |
| Multiple types of traffic management | Multi-protocol traffic management with end-to-end canary releases, circuit breaking, local rate limiting, slow start warm-up, and traffic fallback. | |
| Compatible with multiple observability capabilities | Mesh diagnostics with integrated managed tracing, monitoring, and logging for end-to-end visibility. | |
| Non-intrusive zero trust security system | Out-of-the-box, dynamically configurable zero trust security with identity authentication, certificate management, policy enforcement, and visual analytics. | Overview of zero trust security |
| Extensibility for custom logic | A plugin marketplace with ready-to-use extension plugins, plus support for custom EnvoyFilter resources. | Extension center |
| Comprehensive ecosystem integration | Integration with common GitOps tools and Serverless and AI services such as Knative and KServe. | Ecosystem integration |

Billing

ASM is offered as Standard Edition, Enterprise Edition, and Ultimate Edition, which differ in features and support capabilities. The Standard Edition is free; the other two are commercial editions with their own billing standards. For more information about ASM billing, see Billing.

Quota limits

Before using ASM, note the following limits:

  • You can create a maximum of 10 Standard Edition + Lab instances. There is no quota limit for Enterprise Edition/Ultimate Edition. To increase the quota, please submit a ticket.

  • The number of pods for each mesh instance varies based on different ASM instance specifications. For details, see Quotas.

Note

Before using ASM, you need to ensure that you have activated Container Service for Kubernetes (ACK). For information about limitations when using Alibaba Cloud Container Service for Kubernetes clusters, see Quotas and Limits.

API support

ASM supports both Gateway API and Istio API.

Gateway API will be the default API for service mesh in the future. If you are new to Istio API, start with Gateway API. If you already use Istio API, you can continue using it.

Gateway API and Istio API share many similarities. Before you start, note the following differences:

  • In the Istio API, a Gateway resource only defines gateway rules; the gateway Deployment and Service are not deployed by it and must exist separately. In the Gateway API, creating a Gateway resource both configures the gateway and deploys its Deployment and Service along with it.

  • In the Istio API, a single VirtualService configures routes for all protocols. The Gateway API uses a separate route resource per protocol, such as HTTPRoute for HTTP and GRPCRoute for gRPC.

  • Gateway API does not yet fully cover all of Istio's features.
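To make the differences above concrete, the following added example (not from the ASM documentation) expresses the same 90/10 HTTP canary split for one host twice: first with the Istio API (Gateway plus VirtualService), then with the Gateway API (Gateway plus HTTPRoute). The two halves are alternatives, apply one or the other; the namespace, hostname, backend Service names, the `istio: ingressgateway` selector label and the `istio` GatewayClass name are assumptions for illustration.

```yaml
# Istio API: the Gateway only declares listeners. The ingress gateway
# Deployment/Service it selects (label istio=ingressgateway, assumed) must already exist.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata: {name: demo-gateway, namespace: demo}
spec:
  selector: {istio: ingressgateway}
  servers:
  - port: {number: 80, name: http, protocol: HTTP}
    hosts: ["demo.example.com"]
---
# One VirtualService carries routes for every protocol; here a 90/10 HTTP split.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata: {name: demo-vs, namespace: demo}
spec:
  hosts: ["demo.example.com"]
  gateways: [demo-gateway]
  http:
  - route:
    - destination: {host: demo-app-v1, port: {number: 8080}}
      weight: 90
    - destination: {host: demo-app-v2, port: {number: 8080}}
      weight: 10
---
# Gateway API: creating this Gateway also deploys its own Deployment/Service.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata: {name: demo-gateway, namespace: demo}
spec:
  gatewayClassName: istio   # assumed class name
  listeners:
  - name: http
    port: 80
    protocol: HTTP
    hostname: "demo.example.com"
    allowedRoutes: {namespaces: {from: Same}}   # only routes from this namespace may attach
---
# Per-protocol route resource: HTTPRoute (gRPC traffic would need a GRPCRoute).
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata: {name: demo-route, namespace: demo}
spec:
  parentRefs: [{name: demo-gateway}]
  hostnames: ["demo.example.com"]
  rules:
  - backendRefs:
    - {name: demo-app-v1, port: 8080, weight: 90}
    - {name: demo-app-v2, port: 8080, weight: 10}
```

Note that `allowedRoutes` has no counterpart in the Istio half: in the Gateway API the Gateway owner decides which namespaces may attach routes, which is worth setting explicitly on shared gateways.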

ASM user community

If you have any questions about ASM, join the DingTalk group 30421250.