Version 1.11

Managed Anthos Service Mesh supported features

This page describes the supported features and limitations for managed Anthos Service Mesh. For the list of Anthos Service Mesh supported features for Anthos Service Mesh with an in-cluster control plane, see In-cluster control plane.

The following limitations apply:

  • GKE clusters must be in one of the supported regions.
  • GKE version must be a supported version.
  • Only the platforms listed in Environments are supported.
  • Migrations/upgrades are supported only from Anthos Service Mesh versions 1.9+ installed with Mesh CA. Installations with Istio CA (previously known as Citadel) must first migrate to Mesh CA.
  • Scale is limited to 1000 services and 5000 workloads per cluster.
  • Only the multi-primary deployment option is supported for multi-cluster; the primary-remote deployment option for multi-cluster is not.
  • istioctl ps is not supported; however, you can use istioctl pc with the pod name and namespace instead.
  • Unsupported Istio APIs:

    • Envoy filters

    • IstioOperator API

    You can use the migration tool included with asmcli to automatically convert IstioOperator configurations so that they are compatible with the Google-managed control plane. For more information, see Migrate from IstioOperator.

  • You can use the Google-managed control plane without an Anthos subscription, but certain UI elements and features in Google Cloud Console are only available to Anthos subscribers. For information about what is available to subscribers and non-subscribers, see Anthos and Anthos Service Mesh UI differences.

Google-managed control plane supported features

Install, upgrade, and roll back

Feature Stable Regular Rapid
Installation on new GKE clusters - the resulting installation uses Stackdriver and Mesh CA
Upgrades from ASM 1.9 versions that use Mesh CA
Direct (skip-level) upgrades from Anthos Service Mesh versions prior to 1.9 (see notes for indirect upgrades)
Direct (skip-level) upgrades from Istio OSS (see notes for indirect upgrades)
Direct (skip-level) upgrades from Istio-on-GKE add-on (see notes for indirect upgrades)
Enabling optional features

Environments

Feature Stable Regular Rapid
GKE 1.18+ in one of the supported regions
GKE clusters with Autopilot
GKE private clusters with public endpoint access, with or without Master Authorized Network (MAN) enabled. In private clusters, the GKE control plane (master) has a private and public endpoint. There are three configuration combinations to control access to the cluster endpoints:
  • Public endpoint access disabled: creates a private cluster with no client access to the public endpoint. The Google-managed control plane requires public endpoint access to be enabled. Note that enabling it doesn't by itself mean that the public endpoint is externally accessible. For more information, see Endpoints in private clusters.
  • Public endpoint access enabled, authorized networks enabled: creates a private cluster with limited access to the public endpoint.
  • Public endpoint access enabled, authorized networks disabled: creates a private cluster with unrestricted access to the public endpoint.
Compute Engine VMs
Environments outside of Google Cloud (Anthos on-premises, Anthos on other public clouds, Amazon EKS, Microsoft AKS, or other Kubernetes clusters)

Scale

Feature Stable Regular Rapid
1000 services and 5000 workloads per cluster

Platform environment

Feature Stable Regular Rapid
Single network
Multi-network
Single-project
Multi-project

Deployment model

Feature Stable Regular Rapid
Multi-primary
Primary-remote

Notes on terminology

  • A multi-primary configuration means that the configuration must be replicated in all clusters.

  • A primary-remote configuration means that a single cluster contains the configuration and is considered the source of truth.

  • Anthos Service Mesh uses a simplified definition of network based on general connectivity. Workload instances are on the same network if they are able to communicate directly, without a gateway.

Security

Certificate distribution/rotation mechanisms

Feature Stable Regular Rapid
Workload certificate management
External certificate management on ingress gateway

Certificate authority (CA) support

Feature Stable Regular Rapid
Anthos Service Mesh certificate authority (Mesh CA)
Istio CA
Integration with custom CAs

Authorization policy

Feature Stable Regular Rapid
Authorization v1beta1 policy

Authentication policy

Feature Stable Regular Rapid
Auto-mTLS
mTLS PERMISSIVE mode
mTLS STRICT mode Supported optional Supported optional Supported optional

Request authentication

Feature Stable Regular Rapid
JWT authentication

Telemetry

Metrics

Feature Stable Regular Rapid
Cloud Monitoring (HTTP in-proxy metrics)
Cloud Monitoring (TCP in-proxy metrics)
Prometheus metrics export to Grafana and Kiali (Envoy metrics only) Supported optional Supported optional Supported optional
Custom adapters/backends, in or out of process
Arbitrary telemetry and logging backends

Access logging

Feature Stable Regular Rapid
Cloud Logging
Direct Envoy to stdout Supported optional Supported optional Supported optional

Tracing

Feature Stable Regular Rapid
Cloud Trace
Jaeger tracing (allows use of customer-managed Jaeger)
Zipkin tracing (allows use of customer-managed Zipkin)

Note that Cloud Support can't provide help managing third-party telemetry products.

Networking

Traffic interception/redirection mechanism

Feature Stable Regular Rapid
Traditional use of iptables using init containers with CAP_NET_ADMIN
Istio Container Network Interface (CNI)
Whitebox sidecar

Protocol support

Feature Stable Regular Rapid
IPv4
HTTP/1.1
HTTP/2
TCP byte streams (Note 1)
gRPC
IPv6

Notes:

  1. Although TCP is a supported protocol for networking, TCP metrics aren't collected or reported. Metrics are displayed only for HTTP services in the Cloud Console.
  2. Services that are configured with Layer 7 capabilities for the following protocols are not supported: WebSocket, MongoDB, Redis, Kafka, Cassandra, RabbitMQ, Cloud SQL. You might be able to make such a protocol work by using TCP byte stream support. If TCP byte stream support cannot carry the protocol (for example, Kafka sends a redirect address in a protocol-specific reply, and this redirect is incompatible with Anthos Service Mesh's routing logic), then the protocol isn't supported.

Envoy deployments

Feature Stable Regular Rapid
Sidecars
Ingress gateway
Egress directly out from sidecars
Egress using egress gateways Supported optional Supported optional Supported optional

CRD support

Feature Stable Regular Rapid
Sidecar resource
Service entry resource
Percentage, fault injection, path matching, redirects, retries, rewriting, timeout, mirroring, header manipulation, and CORS routing rules
Custom Envoy filters
Istio Operator

Load balancer for the Istio ingress gateway

Feature Stable Regular Rapid
Public load balancer
Google Cloud Internal load balancer Supported optional Supported optional Supported optional

Load balancing policies

Feature Stable Regular Rapid
Round robin
Least connections
Random
Passthrough
Consistent hash
Locality-weighted

Regions

GKE clusters must be in one of the following regions, or in any zone within one of those regions.

Region Location
asia-east1 Taiwan
asia-east2 Hong Kong
asia-northeast1 Tokyo
asia-northeast2 Osaka
asia-northeast3 Seoul, South Korea
asia-southeast1 Singapore
asia-southeast2 Jakarta
asia-south1 Mumbai, India
asia-south2 Delhi, India
australia-southeast1 Sydney
australia-southeast2 Melbourne
europe-central2 Warsaw, Poland
europe-north1 Finland
europe-west1 Belgium
europe-west2 London, UK
europe-west3 Frankfurt, Germany
europe-west6 Zurich, Switzerland
europe-west4 Netherlands
northamerica-northeast1 Montreal
southamerica-east1 Sao Paulo, Brazil
us-central1 Iowa
us-east1 South Carolina
us-east4 Northern Virginia
us-west1 Oregon
us-west2 Los Angeles
us-west3 Las Vegas
us-west4 Salt Lake City

User interface

Feature Stable Regular Rapid
Anthos Service Mesh dashboards in the Cloud Console
Cloud Monitoring
Cloud Logging

Tooling

Feature Stable Regular Rapid
istioctl compatible with Anthos Service Mesh 1.9.x
istioctl ps