Create an egress gateway


When your applications require a unified egress point for public or internal traffic, you can deploy an ASM egress gateway in your Kubernetes cluster. An egress gateway acts as a centralized exit point, simplifying the management and routing of traffic from your cluster to external services.

Prerequisites

The cluster is added to the ASM instance.

Procedure

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Egress Gateway.

  3. On the Egress Gateway page, click Create to configure the basic information for the gateway.

    The following table describes the gateway parameters. You can also click Create from YAML on the Egress Gateway page to define an egress gateway. For more information, see Manage an egress gateway by using KubeAPI.

    Name: Enter a custom name for the gateway.

    Cluster: Select the cluster where you want to deploy the gateway.

    Port Mapping: Configure the Protocol and Service Port.

    Note: By default, the console provides two common ports. You can modify them as needed.

    Resources Limits: Select the CPU and memory resource limits for the gateway pod.

    Gateway instances: Set the number of gateway replicas.

  4. Optional: Click Advanced Options for advanced settings.

    HPA: Select whether to enable the Horizontal Pod Autoscaler (HPA) feature. After you select HPA, the related configuration parameters are as follows:

    • Metrics: Set the Monitoring items and Threshold. When a metric exceeds the specified threshold, the number of gateway replicas increases. When the metric falls below the threshold, the number of replicas decreases.

      If you set thresholds for both CPU and memory, scaling is triggered if either threshold is exceeded.

    • Maximum replicas: The maximum number of replicas to which the gateway can scale out.

    • Minimum number of replicas: The minimum number of replicas to which the gateway can scale in.

    Note: This feature is available only in ASM Enterprise Edition or Ultimate Edition.

    Rolling Upgrade: Select whether to enable the rolling update feature. After you select Rolling Upgrade, the related configuration items are as follows:

    • Maximum number of unavailable instances: The maximum number of pods that can be unavailable during a rolling update. This ensures that a certain number of pods remain available to serve traffic during the update.

    • Exceeding the desired number of instances: The maximum number of extra pods allowed during a rolling update. For example, if you set this value to 25%, the number of pods cannot exceed 125% of the original replica count.

    Deploy ASM Gateway replicas as widely as possible: This option sets podAntiAffinity to preferentially schedule pods on different nodes.

    Custom Deployment Policy: You can customize the nodeSelector, tolerations, and affinity of the gateway. For more information about the fields, see ASM Gateway CRD reference.

    Support two-way TLS authentication: After you select Support two-way TLS authentication, traffic between your workloads (with sidecars) and the egress gateway uses mutual TLS (mTLS) to improve security. You can use the identities verified by mTLS together with an AuthorizationPolicy to configure access policies for egress traffic.

    Important: Pods without an injected sidecar cannot access external services through the egress gateway.

  5. After you complete the configuration, click Create.

    A Created status indicates that the gateway is successfully created. The Service address is the IP address of the egress gateway.
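The Advanced Options in step 4 correspond to standard Kubernetes fields. The manifests below are an added illustration, not the ASM gateway CRD and not anything the console generates: they show the same semantics on a plain Deployment and HPA, and the name egress-gw-example, the label, the namespace and the numbers are assumptions.

```yaml
# Added illustration, not ASM's own CRD or the manifests it generates: plain
# Kubernetes objects whose semantics match the console's Advanced Options.
# The name, namespace, label and numbers are assumptions made for this example.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: egress-gw-example
  namespace: istio-system
spec:
  replicas: 4                            # Gateway instances
  selector:
    matchLabels: {app: egress-gw-example}
  strategy:                              # Rolling Upgrade
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 0                  # Maximum number of unavailable instances
      maxSurge: 25%                      # Exceeding the desired number of instances:
                                         # at most 5 pods (125% of 4) during an update
  template:
    metadata:
      labels: {app: egress-gw-example}
    spec:
      affinity:                          # Deploy ASM Gateway replicas as widely as possible
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:   # preferred, not required:
          - weight: 100                                      # two replicas may still share
            podAffinityTerm:                                 # a node if no other node fits
              topologyKey: kubernetes.io/hostname
              labelSelector:
                matchLabels: {app: egress-gw-example}
      containers:
      - name: istio-proxy
        image: GATEWAY_PROXY_IMAGE       # placeholder; ASM supplies the real image
        resources:
          requests: {cpu: 500m, memory: 512Mi}   # HPA Utilization targets are relative to these
---
apiVersion: autoscaling/v2               # HPA
kind: HorizontalPodAutoscaler
metadata:
  name: egress-gw-example
  namespace: istio-system
spec:
  scaleTargetRef: {apiVersion: apps/v1, kind: Deployment, name: egress-gw-example}
  minReplicas: 4                         # Minimum number of replicas
  maxReplicas: 8                         # Maximum replicas
  metrics:                               # with two metrics the HPA uses the larger desired
  - type: Resource                       # count, so exceeding either threshold scales out
    resource: {name: cpu, target: {type: Utilization, averageUtilization: 80}}
  - type: Resource
    resource: {name: memory, target: {type: Utilization, averageUtilization: 80}}
```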
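Building on the Support two-way TLS authentication option, an Istio AuthorizationPolicy can limit which workload identities are allowed to send traffic through the gateway. The manifest below is an added example, not from this page or from ASM; the pod label app: egress-gw-example, the service account names and the port 443 are assumptions.

```yaml
# Added example, not from this page or from ASM: an Istio AuthorizationPolicy
# applied to the egress gateway pods so that only named workload identities,
# as verified by mTLS, may send traffic through the gateway. The pod label,
# the service account names and the port are assumptions.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: egress-gateway-allowlist
  namespace: istio-system              # namespace the egress gateway runs in
spec:
  selector:
    matchLabels:
      app: egress-gw-example           # assumed label on the egress gateway pods
  action: ALLOW                        # once an ALLOW policy selects a workload, requests
  rules:                               # matching none of its rules are denied
  - from:
    - source:
        # SPIFFE identities come from the client certificate presented during mTLS,
        # so they cannot be forged with headers or source IPs; a pod without a sidecar
        # has no certificate and therefore matches nothing here
        principals:
        - cluster.local/ns/payments/sa/payments-api
        - cluster.local/ns/reporting/sa/report-worker
    to:
    - operation:
        ports: ["443"]                 # the gateway Service Port configured in step 3
```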

Related operations

After the egress gateway is created, you can manage it in the ASM console or view it in the ACK console.

Manage the gateway in the ASM console

You can view, edit, or delete the egress gateway in the ASM console.

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Egress Gateway.

  3. On the Egress Gateway page, manage the egress gateway.

    View or edit an egress gateway:

    • Method 1: Using the console UI

      1. In the row of the target gateway, click View Details.

      2. On the Gateway Details page, click the Edit icon next to the item that you want to modify, change the parameters as needed, and then click Confirm.

    • Method 2: Using YAML

      1. In the row of the target gateway, click View YAML.

      2. In the Edit dialog box, modify the YAML configuration as required and then click OK.

    Delete an egress gateway: To the right of the target gateway, click Delete, and then in the Confirm dialog box, click OK.

    Important: Deleting an egress gateway prevents services in the ASM instance from accessing external services through it. Proceed with caution.

View the gateway in the ACK console

  • View the basic information of the egress gateway.

    1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

    2. On the Clusters page, click the name of your cluster. In the left-side navigation pane, choose Network > Services.

    3. On the Services page, select istio-system from the Namespace drop-down list.

      The page displays basic information about the egress gateway. For more details, click the service name.

  • View the pod information of the egress gateway.

    1. In the left-side navigation pane of the cluster management page, choose Workloads > Pods.

    2. On the Pods page, select istio-system from the Namespace drop-down list.

    3. Click the target pod to view its detailed information.
