Managed Anthos Service Mesh supported features

This page describes the supported features and limitations for managed Anthos Service Mesh. For the list of Anthos Service Mesh supported features for Anthos Service Mesh with an in-cluster control plane, see In-cluster control plane.

Limitations

The following limitations apply:

GKE clusters must be in one of the supported regions.
GKE version must be a supported version.
Only the platforms listed in Environments are supported.
Changing release channels is not supported.
Migrations from managed Anthos Service Mesh with asmcli to Anthos Service Mesh with fleet API are not supported. Similarly, provisioning managed Anthos Service Mesh with fleet API from --management manual to --management automatic is not supported.
Migrations and upgrades are supported only from in-cluster Anthos Service Mesh versions 1.9+ installed with Mesh CA. Installations with Istio CA (previously known as Citadel) must first migrate to Mesh CA.
Scale is limited to 1000 services and 5000 workloads per cluster.
Only multi-primary deployment option for multi-cluster is supported: primary-remote deployment option for multi-cluster is not.
istioctl ps is not supported. Instead you can use istioctl x ps --xds-via-agents to list all workloads. Additionally, you can use istioctl pc with the pod name and namespace to get detailed information of the pod.
Unsupported Istio APIs:
- Envoy filters
- IstioOperator API
Note: You can still enable optional features without using the IstioOperator API, see Enabling optional features on managed Anthos Service Mesh. You can also use the migration tool included with asmcli to automatically convert other IstioOperator optional features to be compatible with managed control plane. For more information, see Migrate from IstioOperator.
You can use the managed control plane without an GKE Enterprise subscription, but certain UI elements and features in Google Cloud console are only available to GKE Enterprise subscribers. For information about what is available to subscribers and non-subscribers, see GKE Enterprise and Anthos Service Mesh UI differences.
During the provisioning process for a managed control plane, Istio CRDs corresponding to the selected channel are installed in the specified cluster. If there are existing Istio CRDs in the cluster, they will be overwritten
Managed Anthos Service Mesh only supports the default DNS domain .cluster.local.
As of November 14th, 2023, new installations of managed Anthos Service Mesh on the rapid release channel fetch JWKS only using Envoys. This is equivalent to the PILOT_JWT_ENABLE_REMOTE_JWKS=envoy Istio option. Compared to installations on the regular and stable release channels, or installations on the rapid release channel before November 14th, 2023, you might need extra ServiceEntry and DestinationRule configurations. For an example, see the requestauthn-with-se.yaml.tmpl.

After provisioning Anthos Service Mesh, you must contact support before initiating IP rotation or certificate credential rotation.

Channel differences

There are differences in supported features between release channels.

– indicates the feature is available and enabled by default.
* – indicates the feature is supported for the platform and can be enabled, as described in Enabling optional features or the feature guide linked in the feature table.
– indicates either the feature isn't available or it isn't supported.

The default and optional features are fully supported by Google Cloud Support. Features not explicitly listed in the tables receive best-effort support.

Managed control plane supported features

Install, upgrade, and roll back

Feature	Stable	Regular	Rapid
Installation on GKE clusters using fleet feature API
Upgrades from ASM 1.9 versions that use Mesh CA
Direct (skip-level) upgrades from Anthos Service Mesh versions prior to 1.9 (see notes for indirect upgrades)
Direct (skip-level) upgrades from Istio OSS (see notes for indirect upgrades)
Direct (skip-level) upgrades from Istio-on-GKE add-on (see notes for indirect upgrades)
Enabling optional features

Environments

Feature	Stable	Regular	Rapid
GKE 1.25-1.27 in one of the supported regions
GKE 1.25-1.27 clusters with Autopilot
Environments outside of Google Cloud (GKE Enterprise on-premises, GKE Enterprise on other public clouds, Amazon EKS, Microsoft AKS, or other Kubernetes clusters)

Scale

Feature	Stable	Regular	Rapid
1000 services and 5000 workloads per cluster

Platform environment

Feature	Stable	Regular	Rapid
Single network
Multi-network
Single-project
Multi-project with shared VPC

Deployment model

Feature	Stable	Regular	Rapid
Multi-primary
Primary-remote

Notes on terminology

A multi-primary configuration means that the configuration must be replicated in all clusters.
A primary-remote configuration means that a single cluster contains the configuration and is considered the source of truth.
Anthos Service Mesh uses a simplified definition of network based on general connectivity. Workload instances are on the same network if they are able to communicate directly, without a gateway.

Security

VPC Service Controls

Feature	Stable	Regular	Rapid
VPC Service Control (VPC-SC) preview
VPC Service Control (VPC-SC) GA

Certificate distribution/rotation mechanisms

Feature	Stable	Regular	Rapid
Workload certificate management
External certificate management on ingress and egress gateways.

Certificate authority (CA) support

Feature	Stable	Regular	Rapid
Anthos Service Mesh certificate authority (Mesh CA)
Certificate Authority Service
Istio CA
Integration with custom CAs

Anthos Service Mesh security features

In addition to supporting Istio security features, Anthos Service Mesh provides even more capabilities to help you secure your applications.

Feature	Stable	Regular	Rapid
IAP integration
End-user authentication
Dry-run mode
Denial logging
Audit policies

Authorization policy

Feature	Stable	Regular	Rapid
Authorization v1beta1 policy

Authentication policy

Feature	Stable	Regular	Rapid
Auto-mTLS
mTLS PERMISSIVE mode
mTLS STRICT mode	*	*	*

Request authentication

Feature	Stable	Regular	Rapid
JWT authentication^{(Note 1)}

Notes:

Third-party JWT is enabled by default.

Base Images

Feature	Stable	Regular	Rapid
Distroless proxy image

Telemetry

Metrics

Feature	Stable	Regular	Rapid
Cloud Monitoring (HTTP in-proxy metrics)
Cloud Monitoring (TCP in-proxy metrics)
Prometheus metrics export to Grafana (Envoy metrics only)	*	*	*
Prometheus metrics export to Kiali
Google Cloud Managed Service for Prometheus, not including the Anthos Service Mesh dashboard	*	*	*
Istio Telemetry API
Custom adapters/backends, in or out of process
Arbitrary telemetry and logging backends

Proxy request logging

Feature	Stable	Regular	Rapid
Traffic logs
Access logs	*	*	*

Tracing

Feature	Stable	Regular	Rapid
Cloud Trace	*	*	*
Jaeger tracing (allows use of customer-managed Jaeger)	Compatible	Compatible	Compatible
Zipkin tracing (allows use of customer-managed Zipkin)	Compatible	Compatible	Compatible

Networking

Traffic interception/redirection mechanism

Feature	Stable	Regular	Rapid
Traditional use of `iptables` using `init` containers with `CAP_NET_ADMIN`
Istio Container Network Interface (CNI)
Whitebox sidecar

Protocol support

Feature	Stable	Regular	Rapid
IPv4
HTTP/1.1
HTTP/2
TCP byte streams (Note 1)
gRPC
IPv6

Notes:

Although TCP is a supported protocol for networking and TCP metrics are collected, they are not reported. Metrics are displayed only for HTTP services in the Google Cloud console.
Services that are configured with Layer 7 capabilities for the following protocols are not supported: WebSocket, MongoDB, Redis, Kafka, Cassandra, RabbitMQ, Cloud SQL. You might be able to make the protocol work by using TCP byte stream support. If TCP byte stream cannot support the protocol (for example, Kafka sends a redirect address in a protocol-specific reply and this redirect is incompatible with Anthos Service Mesh's routing logic), then the protocol isn't supported.

Envoy deployments

Feature	Stable	Regular	Rapid
Sidecars
Ingress gateway
Egress directly out from sidecars
Egress using egress gateways	*	*	*

CRD support

Feature	Stable	Regular	Rapid
Sidecar resource
Service entry resource
Percentage, fault injection, path matching, redirects, retries, rewriting, timeout, retry, mirroring, header manipulation, and CORS routing rules
Custom Envoy filters
Istio Operator

Load balancer for the Istio ingress gateway

Feature	Stable	Regular	Rapid
Third-party external load balancer
Google Cloud Internal load balancer	*	*	*

Service mesh cloud gateway

Feature	Stable	Regular	Rapid
Service mesh cloud gateway

Load balancing policies

Feature	Stable	Regular	Rapid
Round robin
Least connections
Random
Passthrough
Consistent hash
Locality

Regions

GKE clusters must be in one of the following regions or any zone within the following regions.

Region	Location
`asia-east1`	Taiwan
`asia-east2`	Hong Kong
`asia-northeast1`	Tokyo, Japan
`asia-northeast2`	Osaka, Japan
`asia-northeast3`	South Korea
`asia-south1`	Mumbai, India
`asia-south2`	Delhi, India
`asia-southeast1`	Singapore
`asia-southeast2`	Jakarta
`australia-southeast1`	Sydney, Australia
`australia-southeast2`	Melbourne, Australia
`europe-central2`	Poland
`europe-north1`	Finland
`europe-southwest1`	Spain
`europe-west1`	Belgium
`europe-west2`	England
`europe-west3`	Germany
`europe-west4`	Netherlands
`europe-west6`	Switzerland
`europe-west8`	Italy
`europe-west9`	France
`me-central1`	Doha
`me-central2`	Dammam, Saudi Arabia
`me-west1`	Tel Aviv
`northamerica-northeast1`	Montreal, Canada
`northamerica-northeast2`	Toronto, Canada
`southamerica-east1`	Brazil
`southamerica-west1`	Chile
`us-central1`	Iowa
`us-east1`	South Carolina
`us-east4`	Northern Virginia
`us-east5`	Ohio
`us-south1`	Dallas
`us-west1`	Oregon
`us-west2`	Los Angeles
`us-west3`	Salt Lake City
`us-west4`	Las Vegas

User interface

Feature	Stable	Regular	Rapid
Anthos Service Mesh dashboards in the Google Cloud console
Cloud Monitoring
Cloud Logging

Tooling

Feature	Stable	Regular	Rapid
`istioctl` compatible with Anthos Service Mesh 1.9.x
`istioctl ps`
`istioctl x ps` (with `--xds-via-agents` flag)