This page describes features that are supported in Anthos Service Mesh 1.7.3. For the supported features in previous versions of Anthos Service Mesh, see the archive documentation:
Support for Anthos Service Mesh follows the Anthos Version Support Policy. Google supports Anthos Service Mesh versions for at least nine months from their original release date.
The following table shows the supported versions of Anthos Service Mesh and the earliest end-of-life (EOL) date for a version.
|Release version||Release date||Earliest EOL date|
|1.4||December 20, 2019||Unsupported (September 18, 2020)|
|1.5||May 20, 2020||February 17, 2021|
|1.6||June 30, 2020||March 30, 2021|
|1.7||November 3, 2020||August 2, 2021|
For more information about our support policies, refer to Getting support.
Upgrade path for 1.4
Anthos Service Mesh 1.4 is no longer supported. You must upgrade to Anthos Service Mesh 1.5 or later. See the following guides for more information to help plan your upgrade:
Upgrading from 1.4 to 1.5:
Upgrading from 1.5 to 1.6:
Upgrading from 1.6 to 1.7:
When you install Anthos Service Mesh, you use a configuration profile that is suitable for your environment:
asm-gcp: This profile configures the features for a mesh containing one or more GKE on Google Cloud clusters in the same Google Cloud project.
asm-gcp-multiprojectbeta: This profile configures the features for a mesh with multiple GKE on Google Cloud clusters in different Cloud projects.
asm-multicloud: This profile configures the features for a mesh on the following environments:
- GKE on-prem
- GKE on AWS
- Amazon Elastic Kubernetes Service (Amazon EKS)
- Microsoft Azure Kubernetes Service (Microsoft AKS)
The supported features differ between the profiles. In the following tables, any feature with the icon indicates that the feature is either enabled by default or enabled in the profile. Supported optional indicates that you can override the profile and enable the feature, as described in Enabling optional features.
The default and optional features are fully supported by Google Cloud Support. Features not explicitly listed in the tables receive best-effort support. Any feature with the icon indicates either the feature isn't available or it isn't supported.
For more information about the
install_asm script, see
Installation, migration, and upgrade on GKE on Google Cloud.
|Migration from Istio and the Istio on GKE add-on|
|Enabling optional features|
|Migration from Istio and the Istio on GKE add-on|
|Enabling optional features|
Note that you use the
asm-multicloud when installing or upgrading
Anthos Service Mesh on environments that aren't on Google Cloud, as described in the
- Installing Anthos Service Mesh on premises
- Installing Anthos Service Mesh on GKE on AWS
- Installing Anthos Service Mesh on attached Kubernetes clusters
Certificate distribution/rotation mechanisms
|workload certificate management using Envoy SDS|
|external certificate management on ingress gateway using Envoy SDS||Supported optional||Supported optional|
Certificate authority (CA) support
|Anthos Service Mesh certificate authority (Mesh CA)|
|Integration with custom CAs|
|Authorization v1beta1 policy|
|mTLS PERMISSIVE mode||Supported optional||Supported optional||Supported optional|
|mTLS STRICT mode||Supported optional||Supported optional||Supported optional|
|Cloud Monitoring (HTTP in-proxy metrics)|
|Cloud Monitoring (TCP in-proxy metrics)|
|Mesh telemetry (in-proxy edge data)|
|Prometheus metrics export to Grafana and Kiali||Supported optional|
|Custom adapters/backends, in or out of process|
|Arbitrary telemetry and logging backends|
|Direct Envoy to
||Supported optional||Supported optional||Supported optional|
|Cloud Trace||Supported optional||Supported optional|
|Jaeger tracing (allows use of customer-managed Jaeger)||Supported optional||Supported optional|
|Zipkin tracing (allows use of customer-managed Zipkin)||Supported optional||Supported optional|
Traffic interception/redirection mechanism
|Traditional use of
|Istio Container Network Interface (CNI)|
|TCP byte streams (Note 1)|
- Although TCP is a supported protocol for networking, TCP metrics aren't collected or reported. Metrics are displayed only for HTTP services in the Cloud Console.
- Services that are configured with Layer 7 capabilities for the following protocols are not supported: WebSocket, MongoDB, Redis, Kafka, Cassandra, RabbitMQ, Cloud SQL. You might be able to make the protocol work by using TCP byte stream support. If TCP byte stream cannot support the protocol (for example, Kafka sends a redirect address in a protocol-specific reply and this redirect is incompatible with Anthos Service Mesh's routing logic), then the protocol isn't supported.
|Egress directly out from sidecars|
|Egress using egress gateways||Supported optional||Supported optional||Supported optional|
|Service entry resource|
|Percentage, fault injection, path matching, redirects, retries, rewriting, timeout, retry, mirroring, header manipulation, and CORS routing rules|
|custom Envoy filters|
Load balancer for the Istio ingress gateway
|Public load balancer|
|Google Cloud Internal load balancer||Supported optional||Supported optional||Not supported. See the links below.|
For information on configuring load balancers, see the following:
- Setting up your load balancer for GKE on-prem
- Use an internal load balancer with Azure Kubernetes Service (AKS)
- Amazon EKS Load Balancing
Load balancing policies
Anthos Service Mesh supports multi-primary deployments for GKE on Google Cloud clusters in the same Google Cloud project and for GKE on Google Cloud clusters in different Cloud projects (referred to as multi-project in the following table). For multi-project deployments, all the clusters must be in a shared Virtual Private Cloud (VPC).
The profile that you use when installing Anthos Service Mesh on a GKE on Google Cloud cluster for a multi-primary deployment depends on whether the clusters are in the same or different projects:
- When the clusters are in the same project, you use the
- When the clusters are in different projects, you use the
Notes on terminology
A primary cluster is a cluster with a control plane. A single mesh can have more than one primary cluster for high availability or to reduce latency. In the Istio 1.7 documentation, a multi-primary deployment is referred to as a replicated control plane.
A remote cluster is a cluster that connects to a control plane residing outside of the cluster. A remote cluster can connect to a control plane running in a primary cluster or to an external control plane.
Anthos Service Mesh uses a simplified definition of network based on general connectivity. Workload instances are on the same network if they are able to communicate directly, without a gateway.
|Anthos Service Mesh dashboards in the Cloud Console|
|Grafana dashboards||Optionally installed, customer-managed||Installed, customer-managed|
|Kiali||Optionally installed, customer-managed||Installed, customer-managed|
As a convenience, the
asm-multicloud profile installs an instance of Grafana
and Kiali, but Cloud Support can't provide help managing these these
third-party products. See their documentation for help setting up and managing
Anthos Service Mesh 1.7.3 supports the following environments:
|GKE on Google Cloud||
We recommend that you enroll GKE clusters in a
channel. When enrolling, use the Regular release channel because other
channels might be based on a GKE version that isn't
supported. Anthos Service Mesh 1.7.3 supports the following
GKE versions: 1.15, 1.16, and 1.17.
Note that GKE version 1.14 is not supported with
Anthos Service Mesh 1.7.3.
For more information about the GKE versions included in each release channel see the following:
|GKE on-prem||Anthos 1.5, Kubernetes version 1.17|
|GKE on AWS||Anthos 1.5, Kubernetes version 1.17|
|Amazon EKS||Kubernetes version 1.17|
|Microsoft AKS||Kubernetes version 1.17|