Anthos Service Mesh 1.6

Supported features

This page describes features that are supported in Anthos Service Mesh 1.6.4. For the supported features in previous versions of Anthos Service Mesh, see the archive documentation:

When you install Anthos Service Mesh, you use a configuration profile that is suitable for your environment:

  • asm-gcp: Use this profile for installations on Google Kubernetes Engine.

  • asm-multicloud: Use this profile for installations on the following environments:

    • Anthos GKE on-prem
    • Amazon Elastic Kubernetes Service (Amazon EKS)
    • Microsoft Azure Kubernetes Service (Microsoft AKS)

The supported features differ between the profiles. In the following tables, any feature with the icon indicates that the feature is either enabled by default or enabled in the profile. Supported optional indicates that you can override the profile and enable the feature, as described in Enabling optional features.

The default and optional features are fully supported by Google Cloud Support. Features not explicitly listed in the tables receive best-effort support. Any feature with the icon indicates either the feature isn't available or it isn't supported.


Feature asm-gcp asm-multicloud
istioctl install
istioctl upgrade and downgrade
istioctl enable optional features
Anthos CLI install
Migration from Istio on GKE


Certificate distribution/rotation mechanisms

Feature asm-gcp asm-multicloud
workload certificate management using Envoy SDS
external certificate management on ingress gateway using Envoy SDS Supported optional

Certificate authority (CA) support

Feature asm-gcp asm-multicloud
Anthos Service Mesh certificate authority (Mesh CA)
Citadel CA
Integration with custom CAs

Authorization policy

Feature asm-gcp asm-multicloud
Authorization v1beta1 policy

Authentication policy

Peer authentication

Feature asm-gcp asm-multicloud
PERMISSIVE mTLS mode is enabled at mesh level
mTLS STRICT mode Supported optional Supported optional

Request authentication

Feature asm-gcp asm-multicloud
JWT authentication



Feature asm-gcp asm-multicloud
Cloud Monitoring (HTTP in-proxy metrics)
Cloud Monitoring (TCP in-proxy metrics)
Mesh telemetry (in-proxy edge data)
Prometheus metrics export to Grafana and Kiali
Custom adapters/backends, in or out of process
Arbitrary telemetry and logging backends

Access logging

Feature asm-gcp asm-multicloud
Cloud Logging
Direct Envoy to stdout Supported optional Supported optional


Feature asm-gcp asm-multicloud
Cloud Trace Supported optional
Jaeger tracing (allows use of customer-managed Jaeger) Supported optional
Zipkin tracing (allows use of customer-managed Jaeger) Supported optional


Feature asm-gcp asm-multicloud
Policy checks


Traffic interception/redirection mechanism

Feature asm-gcp asm-multicloud
Traditional use of iptables using init containers with CAP_NET_ADMIN
Istio Container Network Interface (CNI)
Whitebox sidecar

Protocol support

Feature asm-gcp asm-multicloud
TCP byte streams (Note 1)


  1. Although TCP is a supported protocol for networking, TCP metrics aren't collected or reported. Metrics are displayed only for HTTP services in the Cloud Console.
  2. Services that are configured with Layer 7 capabilities for the following protocols are not supported: WebSocket, MongoDB, Redis, Kafka, Cassandra, RabbitMQ, Cloud SQL. You might be able to make the protocol work by using TCP byte stream support. If TCP byte stream cannot support the protocol (for example, Kafka sends a redirect address in a protocol-specific reply and this redirect is incompatible with Anthos Service Mesh's routing logic), then the protocol isn't supported.

Envoy deployments

Feature asm-gcp asm-multicloud
Ingress gateway
Egress directly out from sidecars
Egress using egress gateways Supported optional Supported optional

CRD support

Feature asm-gcp asm-multicloud
Sidecar resource
Service entry resource
Percentage, fault injection, path matching, redirects, retries, rewriting, timeout, retry, mirroring, header manipulation, and CORS routing rules
custom Envoy filters

Load balancer for the Istio ingress gateway

Feature asm-gcp asm-multicloud
Public load balancer
Google Cloud Internal load balancer Supported optional Not supported. See the links below.

For information on configuring load balancers, see the following:

Load balancing policies

Feature asm-gcp asm-multicloud
round robin
least connections
Consistent Hash

Multi-cluster support

Feature asm-gcp asm-multicloud
Single network
Single project
Multi-primary (multiple clusters with control planes) Supported optional

User interface

Feature asm-gcp asm-multicloud
Anthos Service Mesh dashboards in the Cloud Console
Cloud Monitoring
Cloud Logging
Grafana dashboards Installed, customer-managed
Kiali Installed, customer-managed

As a convenience, the asm-multicloud profile installs an instance of Grafana and Kiali, but Cloud Support can't provide help managing these these third-party products. See their documentation for help setting up and managing the dashboards.

Supported environments

Anthos Service Mesh 1.6.4 supports the following environments:

Environment Version
GKE on Google Cloud We recommend that you enroll GKE clusters in a release channel. When enrolling, use the Regular release channel because other channels might be based on a GKE version that isn't supported. Anthos Service Mesh 1.6.4 supports the following GKE versions: 1.15, 1.16, 1.17, and 1.18. Note that GKE version 1.14 is not supported with Anthos Service Mesh 1.6.4.

For more information about the GKE versions included in each release channel see the following:

GKE on-prem Anthos 1.4, Kubernetes version 1.16
Amazon EKS Kubernetes version 1.16
Microsoft AKS Kubernetes version 1.16