Anthos Service Mesh 1.10 has reached end of life and is no longer supported. See Upgrading from earlier versions.

View the latest documentation or select another available version:

Setting up a multi-cluster mesh on-premises

Stay organized with collections Save and categorize content based on your preferences.

This guide explains how to set up Anthos Service Mesh with multiple Anthos clusters on VMware and on bare metal. You can extend this process to incorporate any number of clusters into your mesh.

This guide assumes that you already have Anthos clusters on VMware or on bare metal installed using the steps provided in Installing Anthos Service Mesh on premises. If you have a previous version of Anthos Service Mesh installed, refer to Upgrading Anthos Service Mesh on-premises. This guide refers to the clusters as cluster1 on network1 and cluster2 on network2. It also uses environment variables to define the cluster contexts as CTX_CLUSTER1 and CTX_CLUSTER2.

A multi-cluster Anthos Service Mesh configuration can solve several crucial enterprise scenarios, such as scale, location, and isolation. For more information, see Multi-cluster use cases. In addition, you should optimize your applications to get the most benefit from a service mesh. For more information, see Preparing an application for Anthos Service Mesh.


Before you begin, this guide assumes you are using new or existing clusters that were created by using the steps described in Installing Anthos Service Mesh on premises.

  • The requirements for this guide are in addition to those listed in Installing Anthos Service Mesh on premises.

  • You will need the configuration package used previously to install Anthos Service Mesh on your cluster. If you need another copy, you can download it by using the command:

    kpt pkg get \ asm

Installing the east-west gateway

  1. Install a gateway in cluster1 that is dedicated to east-west traffic. By default, this gateway will be public on the Internet. Production systems may require additional access restrictions, for example firewall rules, to prevent external attacks.

    asm/istio/expansion/ \
    --mesh mesh1 --cluster cluster1 --network network1 --revision asm-1106-2 | \
    istioctl --context="${CTX_CLUSTER1}" install -y -f -
  2. Install a gateway in cluster2 that is dedicated to east-west traffic for cluster1.

    /asm/istio/expansion/ \
    --mesh mesh1 --cluster cluster2 --network network2 | \
    istioctl --context="${CTX_CLUSTER2}" install -y -f -

Exposing services

Since the clusters are on separate networks, you need to expose all services (*.local) on the east-west gateway in both clusters. While this gateway is public on the Internet, services behind it can only be accessed by services with a trusted mTLS certificate and workload ID, just as if they were on the same network.

  1. Expose services via the east-west gateway for cluster1.

    kubectl --context="${CTX_CLUSTER1}" apply -n istio-system -f \
  2. Expose services via the east-west gateway for cluster2.

    kubectl --context="${CTX_CLUSTER2}" apply -n istio-system -f \

Enabling endpoint discovery

  1. Install a remote secret in cluster2 that provides access to cluster1's API server.

    istioctl x create-remote-secret \
    --context="${CTX_CLUSTER1}" \
    --name=cluster1 | \
    kubectl apply -f - --context="${CTX_CLUSTER2}"
  2. Install a remote secret in cluster1 that provides access to cluster2's API server.

    istioctl x create-remote-secret \
    --context="${CTX_CLUSTER2}" \
    --name=cluster2 | \
    kubectl apply -f - --context="${CTX_CLUSTER1}"

What's next?