The Open Service Mesh (OSM) add-on integrates with features provided by Azure and some open source projects.
Important
Microsoft has announced the retirement of the Open Service Mesh (OSM) add-on for AKS. The upstream OSM project has also been retired by the Cloud Native Computing Foundation (CNCF). Identify any existing OSM configurations and migrate them to equivalent Istio configurations. For migration steps, see Migration guidance for Open Service Mesh (OSM) configurations to Istio.
Important
Integrations with open source projects aren't covered by the AKS support policy.
Ingress
Ingress allows for traffic external to the mesh to be routed to services within the mesh. With OSM, you can configure most ingress solutions to work with your mesh, but OSM works best with one of the following solutions:
- Application Gateway for Containers
- Application Routing
- NGINX ingress
- Contour ingress
Use the Azure Application Gateway for Containers with the OSM add-on for HTTP ingress
Create a namespace and deploy the application service
Installing the AGIC ingress controller.
1. Create a namespace for the application service using the `kubectl create ns` command.

   ```bash
   kubectl create ns httpbin
   ```

2. Add the namespace to the mesh using the `osm namespace add` OSM CLI command.

   ```bash
   osm namespace add httpbin
   ```

3. Deploy the application service to the namespace using the `kubectl apply` command.

   ```bash
   export RELEASE_BRANCH=release-v1.2
   kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm-docs/$RELEASE_BRANCH/manifests/samples/httpbin/httpbin.yaml -n httpbin
   ```

4. Verify the pods are up and running and have the envoy sidecar injected using the `kubectl get pods` command.

   ```bash
   kubectl get pods -n httpbin
   ```

   Your output should look similar to the following example output:

   ```output
   NAME                      READY   STATUS    RESTARTS   AGE
   httpbin-7c6464475-9wrr8   2/2     Running   0          6d20h
   ```

5. List the details of the service using the `kubectl get svc` command.

   ```bash
   kubectl get svc -n httpbin
   ```

   Your output should look similar to the following example output:

   ```output
   NAME      TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)     AGE
   httpbin   ClusterIP   10.0.92.135   <none>        14001/TCP   6d20h
   ```
Deploy the ingress configurations and verify access to the application service
1. Deploy the following `Gateway`, `HTTPRoute`, and `IngressBackend` configurations to allow external clients to access the `httpbin` service on port `14001` using the `kubectl apply` command.

   ```bash
   kubectl apply -f - <<EOF
   apiVersion: gateway.networking.k8s.io/v1
   kind: Gateway
   metadata:
     name: gateway-01
     namespace: httpbin
     annotations:
       alb.networking.azure.io/alb-namespace: <alb-namespace>
       alb.networking.azure.io/alb-name: <alb-name>
   spec:
     gatewayClassName: azure-alb-external
     listeners:
     - name: httpbin-listener
       port: 80
       protocol: HTTP
       allowedRoutes:
         namespaces:
           from: Same
   ---
   apiVersion: gateway.networking.k8s.io/v1
   kind: HTTPRoute
   metadata:
     name: httpbin-route
     namespace: httpbin
   spec:
     parentRefs:
     - name: gateway-01
     rules:
     - backendRefs:
       - name: httpbin
         port: 14001
   ---
   kind: IngressBackend
   apiVersion: policy.openservicemesh.io/v1alpha1
   metadata:
     name: httpbin
     namespace: httpbin
   spec:
     backends:
     - name: httpbin
       port:
         number: 14001 # targetPort of httpbin service
         protocol: http
     sources:
     - kind: IPRange
       name: 10.0.0.0/8
   EOF
   ```

2. Verify the `Gateway` and `HTTPRoute` resources were successfully deployed using the `kubectl get gateway` and `kubectl get httproute` commands. Make note of the external fully qualified domain name on the Gateway resource.

   ```bash
   # Gateway resource
   kubectl get gateway gateway-01 -n httpbin -o yaml

   # HTTPRoute resource
   kubectl get httproute httpbin-route -n httpbin -o yaml
   ```

   Your `Gateway` output should look similar to the following example output:

   ```output
   status:
     addresses:
     - type: Hostname
       value: xxxx.yyyy.alb.azure.com
     conditions:
     - lastTransitionTime: "2023-06-19T21:04:55Z"
       message: Valid Gateway
       observedGeneration: 1
       reason: Accepted
       status: "True"
       type: Accepted
     - lastTransitionTime: "2023-06-19T21:04:55Z"
       message: Application Gateway For Containers resource has been successfully updated.
       observedGeneration: 1
       reason: Programmed
       status: "True"
       type: Programmed
     listeners:
     - attachedRoutes: 0
       conditions:
       - lastTransitionTime: "2023-06-19T21:04:55Z"
         message: ""
         observedGeneration: 1
         reason: ResolvedRefs
         status: "True"
         type: ResolvedRefs
       - lastTransitionTime: "2023-06-19T21:04:55Z"
         message: Listener is accepted
         observedGeneration: 1
         reason: Accepted
         status: "True"
         type: Accepted
       - lastTransitionTime: "2023-06-19T21:04:55Z"
         message: Application Gateway For Containers resource has been successfully updated.
         observedGeneration: 1
         reason: Programmed
         status: "True"
         type: Programmed
       name: https-listener
       supportedKinds:
       - group: gateway.networking.k8s.io
         kind: HTTPRoute
   ```

3. Verify the `IngressBackend` object was successfully deployed using the `kubectl get ingressbackend` command.

   ```bash
   kubectl get ingressbackend -n httpbin
   ```

   Your output should look similar to the following example output:

   ```output
   NAME      STATUS
   httpbin   committed
   ```

4. Verify you can access the `httpbin` service using the fully qualified domain name of the `Gateway` resource and the following `curl` command.

   ```bash
   fqdn=$(kubectl get gateway gateway-01 -n httpbin -o jsonpath='{.status.addresses[0].value}')
   curl -sI http://$fqdn/get
   ```

   Confirm you receive a response with `status 200`.
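The `IngressBackend` in the procedure above accepts plaintext `http` from any address in `10.0.0.0/8`, so deployed objects are worth checking for wide source ranges. The following Python code is an added example, not part of the original article or the OSM project: it audits JSON shaped like the output of `kubectl get ingressbackend -A -o json`, and the `audit_ingress_backends` function, the 256-address threshold, and the sample data (including the `httpbin-narrow` object) are assumptions made for illustration.

```python
import ipaddress
import json

# Constructed sample: the shape `kubectl get ingressbackend -A -o json` returns,
# holding the IngressBackend from this page plus a hypothetical narrower variant.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "IngressBackend", "metadata": {"name": "httpbin", "namespace": "httpbin"},
   "spec": {"backends": [{"name": "httpbin", "port": {"number": 14001, "protocol": "http"}}],
            "sources": [{"kind": "IPRange", "name": "10.0.0.0/8"}]}},
  {"kind": "IngressBackend", "metadata": {"name": "httpbin-narrow", "namespace": "httpbin"},
   "spec": {"backends": [{"name": "httpbin", "port": {"number": 14001, "protocol": "https"}}],
            "sources": [{"kind": "IPRange", "name": "10.225.0.0/24"},
                        {"kind": "IPRange", "name": "not-a-cidr"}]}}
]}
""")

MAX_ADDRESSES = 256  # assumption: widest source range accepted without review


def audit_ingress_backends(doc, max_addresses=MAX_ADDRESSES):
    """Return (namespace/name, issue) tuples for risky IngressBackend settings."""
    findings = []
    for item in doc.get("items", []):
        meta = item.get("metadata", {})
        ref = f"{meta.get('namespace', '?')}/{meta.get('name', '?')}"
        spec = item.get("spec", {})
        for backend in spec.get("backends", []):
            port = backend.get("port", {})
            if str(port.get("protocol", "")).lower() == "http":
                findings.append((ref, f"backend {backend.get('name')}:{port.get('number')} accepts plaintext http"))
        for source in spec.get("sources", []):
            if source.get("kind") != "IPRange":
                continue  # only IP-based sources are sized here
            try:
                net = ipaddress.ip_network(source.get("name", ""), strict=False)
            except ValueError:
                findings.append((ref, f"source {source.get('name')!r} is not a valid CIDR"))
                continue
            if net.num_addresses > max_addresses:
                findings.append((ref, f"source {net} admits {net.num_addresses} addresses"))
    return findings


if __name__ == "__main__":
    for ref, issue in audit_ingress_backends(SAMPLE):
        print(f"{ref}: {issue}")
```

To run it against a cluster, replace `SAMPLE` with the parsed output of `kubectl get ingressbackend -A -o json` and set the threshold to match the subnet your ingress controller actually uses.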
Metrics observability
Metrics observability allows you to view the metrics of your mesh and the deployments in your mesh. With OSM, you can use Prometheus and Grafana for metrics observability, but those integrations aren't covered by the AKS support policy.
You can also integrate OSM with Azure Monitor.
Before you can enable metrics on your mesh to integrate with Azure Monitor, make sure you have the following prerequisites:
- Enable Azure Monitor on your cluster.
- Enable the OSM add-on for your AKS cluster.
- Onboard your application namespaces to the mesh.
1. Enable metrics for a namespace in the mesh using the `osm metrics enable` command.

   ```bash
   osm metrics enable --namespace myappnamespace
   ```

2. Create a ConfigMap in the `kube-system` namespace that enables Azure Monitor to monitor your namespaces. For example, create a `monitor-configmap.yaml` with the following contents to monitor the `myappnamespace`:

   ```yaml
   kind: ConfigMap
   apiVersion: v1
   data:
     schema-version: v1
     config-version: ver1
     osm-metric-collection-configuration: |-
       # OSM metric collection settings
       [osm_metric_collection_configuration]
         [osm_metric_collection_configuration.settings]
             # Namespaces to monitor
             monitor_namespaces = ["myappnamespace"]
   metadata:
     name: container-azm-ms-osmconfig
     namespace: kube-system
   ```

3. Apply the ConfigMap using the `kubectl apply` command.

   ```bash
   kubectl apply -f monitor-configmap.yaml
   ```

4. Navigate to the Azure portal and select your AKS cluster.

5. Under Monitoring, select Logs.

6. In the Monitoring section, query the `InsightsMetrics` table to view metrics in the enabled namespaces. For example, the following query shows the envoy metrics for the default namespace:

   ```kusto
   InsightsMetrics
   | where Name contains "envoy"
   | extend t=parse_json(Tags)
   | where t.namespace == "default"
   ```
Automation and developer tools
OSM can integrate with certain automation projects and developer tooling to help operators and developers build and release applications. For example, OSM integrates with Flagger for progressive delivery and Dapr for building applications. The OSM integrations with Flagger and Dapr aren't covered by the AKS support policy.
External authorization
External authorization allows you to offload authorization of HTTP requests to an external service. OSM can use external authorization by integrating with Open Policy Agent (OPA), but that integration isn't covered by the AKS support policy.
Certificate management
OSM has several types of certificates it uses to operate on your AKS cluster. OSM includes its own certificate manager called Tresor, which is used by default. Alternatively, OSM allows you to integrate with HashiCorp Vault and cert-manager, but those integrations aren't covered by the AKS support policy.
Next steps
This article covered the Open Service Mesh (OSM) add-on integrations with features provided by Azure and some open source projects. To learn more about OSM, see About OSM in AKS.