Extending Alibaba Cloud Service Mesh (ASM): EnvoyFilter, Lua, Wasm, External Processing, and Custom Authorization Services
This article explains how Alibaba Cloud Service Mesh (ASM) can be extended using EnvoyFilter, Lua scripts, WebAssembly plugins, External Processing filters, and custom authorization services, detailing their capabilities, limitations, and recommended use cases for cloud‑native microservice environments.
Alibaba Cloud Service Mesh (ASM) is a fully managed service mesh platform compatible with the open‑source Istio, providing traffic routing, authentication, and observability to reduce developer and operations burden.
While ASM offers many built‑in capabilities, custom requirements such as traffic labeling, bespoke authentication, body manipulation, or logging often need extensions beyond the standard features.
ASM’s extension mechanisms are language‑agnostic, enforced at the cluster level, and decoupled from business code. They build on Envoy, which serves as the Layer 7 data plane (gateway, sidecar, waypoint) and can be extended via EnvoyFilter, Lua scripts, Wasm plugins, External Processing filters, or custom authorization services.
1. EnvoyFilter – a Kubernetes resource that modifies or adds Envoy filters; powerful but requires deep knowledge of Envoy and careful configuration to avoid incompatibilities.
2. Lua – lightweight scripting embedded in an Envoy Lua filter; suitable for simple HTTP‑level logic but limited to HTTP, cannot import external libraries, and complex scripts become hard to maintain.
3. Wasm – WebAssembly modules compiled from languages like Rust, C++, or Go; they run in a sandbox at near‑native speed, support TCP streams and body streaming, and can use third‑party libraries, though modules written in garbage‑collected languages may use more memory.
4. External Processing – a native Envoy HTTP filter (since Envoy 1.23) that calls an external service at configurable request phases, allowing header/body manipulation and custom responses, but introduces extra latency and only works for HTTP.
5. Custom Authorization Service – an external HTTP/gRPC service invoked by Envoy’s auth filter; language‑agnostic and stable, ideal for authentication/authorization scenarios, but limited to request‑side modifications and adds deployment overhead.
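A sketch of item 5 as an added example (not ASM's or the article's own code): a small HTTP authorization service that answers Envoy's check request, where a 200 response allows the request and any other status denies it. The header names `x-api-key` and `x-auth-caller`, the key table, the public path, and port 8000 are assumptions, as is a mesh configuration that forwards `x-api-key` to the check and copies `x-auth-caller` onto the upstream request on allow.

```python
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample data; a real service would load keys from a secret store.
API_KEYS = {"constructed-key-for-orders": "orders-svc"}  # key -> caller identity
PUBLIC_PATHS = {"/healthz"}  # exact matches only, so "/healthz/../admin" is not public


def decide(path, headers):
    """Return (status, headers). Envoy treats 200 as allow and anything else as deny."""
    if path.split("?", 1)[0] in PUBLIC_PATHS:
        # Always set the identity header so a client-supplied copy is overwritten.
        return 200, {"x-auth-caller": "anonymous"}
    presented = headers.get("x-api-key")
    if not presented:
        return 401, {}
    caller = None
    for key, name in API_KEYS.items():
        # Constant-time comparison: no early exit on the first differing byte.
        if hmac.compare_digest(presented.encode(), key.encode()):
            caller = name
    if caller is None:
        return 403, {}
    return 200, {"x-auth-caller": caller}


class AuthzHandler(BaseHTTPRequestHandler):
    def _check(self):
        try:
            lowered = {k.lower(): v for k, v in self.headers.items()}
            status, extra = decide(self.path, lowered)
        except Exception:
            status, extra = 403, {}  # fail closed on any internal error
        self.send_response(status)
        for name, value in extra.items():
            self.send_header(name, value)
        self.send_header("Content-Length", "0")
        self.end_headers()

    # The check request carries the original method and path.
    do_GET = do_HEAD = do_POST = do_PUT = do_PATCH = do_DELETE = _check


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8000), AuthzHandler).serve_forever()  # port is an assumption
```

Workloads behind the mesh should trust `x-auth-caller` only when the authorization filter is guaranteed to run on every route that reaches them.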
ASM also provides a plugin marketplace where many of these extensions are available as pre‑built plugins, encouraging users to check for existing solutions before developing custom ones.
Overall, Envoy’s extensibility makes ASM a flexible foundation for cloud‑native microservice architectures, and its extension capabilities continue to evolve.
Alibaba Cloud Infrastructure
For uninterrupted computing services