Version 1.9

Google-managed control plane supported features

This page describes the supported features and limitations for Anthos Service Mesh with a Google-managed control plane. For the list of Anthos Service Mesh supported features for Anthos Service Mesh with a customer-managed control plane, see Customer-managed control plane.

The following limitations apply:

  • GKE clusters must be in one of these available fully-managed regions:
    • asia-east1
    • asia-southeast1
    • europe-north1
    • europe-west1
    • europe-west4
    • us-central1
    • us-east1
    • us-east4
    • us-west1
    • us-west2
    • us-west3
    • us-west4
  • GKE version must be compatible with Anthos Service Mesh 1.9: GKE 1.16 to 1.20.
  • GKE private clusters are not supported.
  • GKE clusters with Autopilot are not supported.
  • Environments other than GKE (Compute Engine, VMs, Kubernetes or Anthos on-prem) are not supported.
  • Migrations/upgrades are supported only from Anthos Service Mesh versions 1.9+ installed with Mesh CA. Installations with Citadel must first migrate to Mesh CA.
  • Scale is limited to 1000 services and 3000 workloads per cluster.
  • Only multi-primary deployment option for multi-cluster is supported: primary-remote deployment option for multi-cluster is not.
  • istioctl ps is not supported, however you can use istioctl pc with the pod name and namespace instead.
  • Istio APIs not supported:
    • Envoy filters
    • Istio Operator API
  • You can use the Google-managed control plane without an Anthos subscription, but certain UI elements and features in Google Cloud Console are only available to Anthos subscribers. For information about what is available to subscribers and non-subscribers, see Anthos and Anthos Service Mesh UI differences.

Google-managed control plane supported features

Install, upgrade, and roll back

Feature Support status
Installation on new GKE clusters - the resulting installation uses Stackdriver and Mesh CA
Upgrades from ASM 1.9 versions that use Mesh CA
Direct (skip-level) upgrades from Anthos Service Mesh versions prior to 1.9 (see notes for indirect upgrades)
Direct (skip-level) upgrades from Istio OSS (see notes for indirect upgrades)
Direct (skip-level) upgrades from Istio-on-GKE add-on (see notes for indirect upgrades)
Enabling optional features


Feature Support status
GKE 1.16 to 1.20 in one of these regions: asia-east1, asia-southeast1, europe-north1, europe-west1, europe-west4, us-central1, us-east1, us-east4, us-west1, us-west2, us-west3, us-west4
GKE 1.14
GKE private clusters
Environments other than GKE (Compute Engine, VMs, Kubernetes or Anthos on-prem, Amazon EKS, Microsoft AKS)


Feature Support status
1000 services and 3000 workloads per cluster

Platform environment

Feature Support status
Single network

Deployment model

Feature Support status

Notes on terminology

  • A multi-primary configuration means that the configuration must be replicated in all clusters.

  • A primary-remote configuration means that a single cluster contains the configuration and is considered the source of truth.

  • Anthos Service Mesh uses a simplified definition of network based on general connectivity. Workload instances are on the same network if they are able to communicate directly, without a gateway.


Certificate distribution/rotation mechanisms

Feature Support status
workload certificate management using Envoy SDS
external certificate management on ingress gateway using Envoy SDS

Certificate authority (CA) support

Feature Support status
Anthos Service Mesh certificate authority (Mesh CA)
Citadel CA
Integration with custom CAs

Authorization policy

Feature Support status
Authorization v1beta1 policy

Authentication policy

Feature Support status
mTLS STRICT mode Supported optional

Request authentication

Feature Support status
JWT authentication



Feature Support status
Cloud Monitoring (HTTP in-proxy metrics)
Cloud Monitoring (TCP in-proxy metrics)
Mesh telemetry (in-proxy edge data)
Prometheus metrics export to Grafana and Kiali (Envoy metrics only) Supported optional
Custom adapters/backends, in or out of process
Arbitrary telemetry and logging backends

Access logging

Feature Support status
Cloud Logging
Direct Envoy to stdout Supported optional


Feature Support status
Cloud Trace Supported optional
Jaeger tracing (allows use of customer-managed Jaeger)
Zipkin tracing (allows use of customer-managed Zipkin)

Note that Cloud Support can't provide help managing third-party telemetry products.


Traffic interception/redirection mechanism

Feature Support status
Traditional use of iptables using init containers with CAP_NET_ADMIN
Istio Container Network Interface (CNI)
Whitebox sidecar

Protocol support

Feature Support status
TCP byte streams (Note 1)


  1. Although TCP is a supported protocol for networking, TCP metrics aren't collected or reported. Metrics are displayed only for HTTP services in the Cloud Console.
  2. Services that are configured with Layer 7 capabilities for the following protocols are not supported: WebSocket, MongoDB, Redis, Kafka, Cassandra, RabbitMQ, Cloud SQL. You might be able to make the protocol work by using TCP byte stream support. If TCP byte stream cannot support the protocol (for example, Kafka sends a redirect address in a protocol-specific reply and this redirect is incompatible with Anthos Service Mesh's routing logic), then the protocol isn't supported.

Envoy deployments

Feature Support status
Ingress gateway
Egress directly out from sidecars
Egress using egress gateways Supported optional

CRD support

Feature Support status
Sidecar resource
Service entry resource
Percentage, fault injection, path matching, redirects, retries, rewriting, timeout, retry, mirroring, header manipulation, and CORS routing rules
Custom Envoy filters
Istio Operator

Load balancer for the Istio ingress gateway

Feature Support status
Public load balancer
Google Cloud Internal load balancer Supported optional

Load balancing policies

Feature Support status
round robin
least connections
Consistent Hash

User interface

Feature Support status
Anthos Service Mesh dashboards in the Cloud Console
Cloud Monitoring
Cloud Logging

Installation of the Zipkin and Kiali addon components can no longer be done using istioctl install. If you enable Envoy metrics export to Prometheus, you can install your own instance of Grafana and Kiali, but Cloud Support can't provide help managing these these third-party products.


Feature Support status
istioctl compatible with Anthos Service Mesh 1.9.x
istioctl ps