This page describes the supported features and limitations for managed
Anthos Service Mesh. For the list of Anthos Service Mesh supported features for
Anthos Service Mesh with an in-cluster control plane, see
In-cluster control plane.
Limitations
The following limitations apply:
GKE clusters must be in one of the supported regions.
Migrations and upgrades are supported only from in-cluster Anthos Service Mesh versions 1.9+ installed with Mesh CA. Installations with Istio CA (previously known as Citadel) must first migrate to Mesh CA.
Scale is limited to 1000 services and 5000 workloads per cluster.
Only the multi-primary deployment option for multi-cluster is supported; the primary-remote deployment option for multi-cluster is not.
istioctl ps is not supported. Instead, you can use istioctl x ps --xds-via-agents to list all workloads. Additionally, you can use istioctl pc with the pod name and namespace to get detailed information about the pod.
Unsupported Istio APIs:
Envoy filters
IstioOperator API
You can use the managed control plane without an Anthos subscription, but certain UI elements and features in Google Cloud console are only available to Anthos subscribers. For information about what is available to subscribers and non-subscribers, see Anthos and Anthos Service Mesh UI differences.
During the provisioning process for a managed control plane, Istio CRDs corresponding to the selected channel are installed in the specified cluster. If there are existing Istio CRDs in the cluster, they will be overwritten.
There are differences in supported features between
release channels.
– indicates the feature is available and
enabled by default.
* – indicates the feature is supported for
the platform and can be enabled, as described in
Enabling optional features
or the feature guide linked in the feature table.
– indicates either the feature isn't
available or it isn't supported.
The default and optional features are fully supported by Google Cloud
Support. Features not explicitly listed in the tables receive best-effort
support.
Managed control plane supported features
Install, upgrade, and roll back
Feature
Stable
Regular
Rapid
Installation on GKE clusters using fleet feature API
Upgrades from ASM 1.9 versions that use Mesh CA
Direct (skip-level) upgrades from Anthos Service Mesh versions prior to 1.9 (see notes for indirect upgrades)
Direct (skip-level) upgrades from Istio OSS (see notes for indirect upgrades)
Direct (skip-level) upgrades from Istio-on-GKE add-on (see notes for indirect upgrades)
GKE private clusters with public endpoint access, with or without Master Authorized Network (MAN) enabled. In private clusters, the GKE control plane (master) has a private and public endpoint. For more information, see Private clusters in GKE.
Environments outside of Google Cloud (Anthos on-premises, Anthos on other public clouds, Amazon EKS, Microsoft AKS, or other Kubernetes clusters)
Scale
Feature
Stable
Regular
Rapid
1000 services and 5000 workloads per cluster
Platform environment
Feature
Stable
Regular
Rapid
Single network
Multi-network
Single-project
Multi-project with shared VPC
Deployment model
Feature
Stable
Regular
Rapid
Multi-primary
Primary-remote
Notes on terminology
A multi-primary configuration means that the configuration must be replicated in all clusters.
A primary-remote configuration means that a single cluster contains the configuration and is considered the source of truth.
Anthos Service Mesh uses a simplified definition of network based on general
connectivity. Workload instances are on the same network if they are able to
communicate directly, without a gateway.
Although TCP is a supported protocol for networking, TCP
metrics aren't collected or reported. Metrics are displayed only for HTTP
services in the Google Cloud console.
Services that are configured with Layer 7 capabilities for
the following protocols are not supported: WebSocket, MongoDB, Redis, Kafka,
Cassandra, RabbitMQ, Cloud SQL. You might be able to make the protocol work by
using TCP byte stream support. If TCP byte stream cannot support the protocol
(for example, Kafka sends a redirect address in a protocol-specific reply and
this redirect is incompatible with Anthos Service Mesh's routing logic), then the
protocol isn't supported.
Envoy deployments
Feature
Stable
Regular
Rapid
Sidecars
Ingress gateway
Egress directly out from sidecars
Egress using egress gateways: * (Stable), * (Regular), * (Rapid)
CRD support
Feature
Stable
Regular
Rapid
Sidecar resource
Service entry resource
Percentage, fault injection, path matching, redirects, retries, rewriting, timeout, retry, mirroring, header manipulation, and CORS routing rules