This page describes features that are supported in Anthos Service Mesh 1.7.8. For the supported features in previous versions of Anthos Service Mesh, see the archive documentation:
Support for Anthos Service Mesh follows the Anthos Version Support Policy. Google supports the current and previous two (n-2) minor versions of Anthos Service Mesh. The following table shows the supported versions of Anthos Service Mesh and the earliest end-of-life (EOL) date for a version.
|Release version||Release date||Earliest EOL date|
|1.4||December 20, 2019||Unsupported (September 18, 2020)|
|1.5||May 20, 2020||Unsupported (February 17, 2021)|
|1.6||June 30, 2020||Unsupported (March 30, 2021)|
|1.7||November 3, 2020||December 10, 2021|
|1.8||December 15, 2020||December 10, 2021|
|1.9||March 4, 2021||December 10, 2021|
|1.10||June 24, 2021||March 24, 2022|
|1.11||October 6, 2021||July 6, 2022|
Anthos Service Mesh 1.6, 1.5, and 1.4 are no longer supported. You must upgrade to Anthos Service Mesh 1.7 or later. For information on how to upgrade, see Upgrade Anthos Service Mesh.
For more information about our support policies, refer to Getting support.
Upgrade path for 1.4
Anthos Service Mesh 1.4 is no longer supported. You must upgrade to Anthos Service Mesh 1.5 or later. See the following guides for more information to help plan your upgrade:
Upgrading from 1.4 to 1.5:
Upgrading from 1.5 to 1.6:
Upgrading from 1.6 to 1.7:
When you install Anthos Service Mesh, you use a configuration profile that is suitable for your platform:
asm-gcp: This profile configures the features for a mesh containing one or more GKE clusters in the same Google Cloud project.
asm-gcp-multiprojectbeta: This profile configures the features for a mesh with multiple GKE clusters in different Cloud projects.
asm-multicloud: This profile configures the features for a mesh on the following environments:
- Anthos clusters on VMware
- Anthos clusters on AWS
- Amazon Elastic Kubernetes Service (Amazon EKS)
- Microsoft Azure Kubernetes Service (Microsoft AKS)
When you install Anthos Service Mesh, you use a configuration profile that is suitable for your platform. The supported features differ between the profiles. In the following tables, any feature with the icon indicates that the feature is either enabled by default or enabled in the profile. Supported optional indicates that you can override the profile and enable the feature, as described in Enabling optional features.
The default and optional features are fully supported by Google Cloud Support. Features not explicitly listed in the tables receive best-effort support. Any feature with the icon indicates either the feature isn't available or it isn't supported.
For more information about the
install_asm script, see
Installation, migration, and upgrade on GKE.
|Migration from Istio and the Istio on GKE add-on|
|Enabling optional features|
|Migration from Istio and the Istio on GKE add-on|
|Enabling optional features|
Note that you use the
asm-multicloud when installing or upgrading
Anthos Service Mesh on environments that aren't on Google Cloud, as described in the
- Installing Anthos Service Mesh on premises
- Installing Anthos Service Mesh on Anthos clusters on AWS
- Installing Anthos Service Mesh on attached Kubernetes clusters
Certificate distribution/rotation mechanisms
|workload certificate management using Envoy SDS|
|external certificate management on ingress gateway using Envoy SDS||Supported optional||Supported optional|
Certificate authority (CA) support
|Anthos Service Mesh certificate authority (Mesh CA)|
|Integration with custom CAs|
|Authorization v1beta1 policy|
|mTLS PERMISSIVE mode||Supported optional||Supported optional||Supported optional|
|mTLS STRICT mode||Supported optional||Supported optional||Supported optional|
|Cloud Monitoring (HTTP in-proxy metrics)|
|Cloud Monitoring (TCP in-proxy metrics)|
|Mesh telemetry (in-proxy edge data)|
|Prometheus metrics export to customer-installed Prometheus, Grafana, and Kiali dashboards||Compatible||Compatible|
|Custom adapters/backends, in or out of process|
|Arbitrary telemetry and logging backends|
If you enable metrics export to Prometheus, you can install your own instance of the Prometheus, Grafana, and Kiali dashboards. The integration between Anthos Service Mesh and the third-party telemetry add-ons is supported.
|Direct Envoy to
||Supported optional||Supported optional||Supported optional|
|Cloud Trace||Supported optional||Supported optional|
|Jaeger tracing (allows use of customer-managed Jaeger)||Compatible||Compatible||Compatible|
|Zipkin tracing (allows use of customer-managed Zipkin)||Compatible||Compatible||Compatible|
The integration between Anthos Service Mesh and the third-party telemetry add-ons is supported.
Traffic interception/redirection mechanism
|Traditional use of
|Istio Container Network Interface (CNI)|
|TCP byte streams (Note 1)|
- Although TCP is a supported protocol for networking, TCP metrics aren't collected or reported. Metrics are displayed only for HTTP services in the Cloud Console.
- Services that are configured with Layer 7 capabilities for the following protocols are not supported: WebSocket, MongoDB, Redis, Kafka, Cassandra, RabbitMQ, Cloud SQL. You might be able to make the protocol work by using TCP byte stream support. If TCP byte stream cannot support the protocol (for example, Kafka sends a redirect address in a protocol-specific reply and this redirect is incompatible with Anthos Service Mesh's routing logic), then the protocol isn't supported.
|Egress directly out from sidecars|
|Egress using egress gateways||Supported optional||Supported optional||Supported optional|
|Service entry resource|
|Percentage, fault injection, path matching, redirects, retries, rewriting, timeout, retry, mirroring, header manipulation, and CORS routing rules|
|custom Envoy filters|
Load balancer for the Istio ingress gateway
|Public load balancer|
|Google Cloud Internal load balancer||Supported optional||Supported optional||Not supported. See the links below.|
For information on configuring load balancers, see the following:
- Setting up your load balancer for Anthos clusters on VMware
- Use an internal load balancer with Azure Kubernetes Service (AKS)
- Amazon EKS Load Balancing
Load balancing policies
Anthos Service Mesh supports multi-primary deployments for GKE clusters in the same Google Cloud project and for GKE clusters in different Cloud projects (referred to as multi-project in the following table). For multi-project deployments, all the clusters must be in a shared Virtual Private Cloud (VPC).
The profile that you use when installing Anthos Service Mesh on a GKE cluster for a multi-primary deployment depends on whether the clusters are in the same or different projects:
- When the clusters are in the same project, you use the
- When the clusters are in different projects, you use the
Notes on terminology
A primary cluster is a cluster with a control plane. A single mesh can have more than one primary cluster for high availability or to reduce latency. In the Istio 1.7 documentation, a multi-primary deployment is referred to as a replicated control plane.
A remote cluster is a cluster that connects to a control plane residing outside of the cluster. A remote cluster can connect to a control plane running in a primary cluster or to an external control plane.
Anthos Service Mesh uses a simplified definition of network based on general connectivity. Workload instances are on the same network if they are able to communicate directly, without a gateway.
|Anthos Service Mesh dashboards in the Cloud Console|
|Grafana dashboards||Optionally installed, customer-managed||Installed, customer-managed|
|Kiali||Optionally installed, customer-managed||Installed, customer-managed|
As a convenience, the
asm-multicloud profile installs an instance of Grafana
and Kiali, but Cloud Support can't provide help managing these these
third-party products. See their documentation for help setting up and managing
Only the following environments are supported with Anthos Service Mesh 1.7.8. All other environments are unsupported.
|GKE on Google Cloud||
We recommend that you enroll GKE clusters in a
channel. When enrolling, use the Regular release channel because other
channels might be based on a GKE version that isn't
supported. Anthos Service Mesh 1.7.8 supports the following
GKE versions: 1.15, 1.16, and 1.17.
Note that GKE version 1.14 is not supported with
Anthos Service Mesh 1.7.8.
For more information about the GKE versions included in each release channel see the following:
|Anthos clusters on VMware||Anthos 1.5, Kubernetes version 1.17|
|Anthos clusters on AWS||
|Amazon EKS||Kubernetes version 1.17|
|Microsoft AKS||Kubernetes version 1.17|