Hey @celitcfunk
I just created an account to answer your question as I’d seen the same behaviour at work when setting up some Istio Ingress Gateways on AWS (we already had gateways configured in our On-Prem data centre).
The SSL ping health check will fail from the ELBs as it's hitting the cluster IP directly rather than via a specific host. This causes the Envoy proxy in your Pod not to recognise the traffic, and it fails to serve a correct response back to the health check.
Another way to produce the intended behaviour would be to add the wildcard `*` value to your `hosts` list in your Gateway resource. This causes the Envoy proxy to correctly respond to the ELB health check, and traffic works as you'd expect.
This also probably isn't the best way to solve the problem, but it does mean you can use the SSL health check type for your load balancer serving HTTPS traffic. I haven't had a further play around beyond this to see if there is a way to correctly isolate/serve ELB health check connections.
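An added Istio Gateway manifest (an illustration, not the poster's configuration) to show where the wildcard entry goes and what it changes; the resource name, namespace, hostname and credential name are assumptions:

```yaml
# Added illustration, not the poster's manifest. Names below are assumptions.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: example-gateway          # hypothetical name
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway        # default label on the Istio ingress gateway pods
  servers:
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: example-tls-cert   # hypothetical TLS secret name
      hosts:
        # With only a host-specific entry, the ELB SSL health check that
        # connects straight to the IP presents no matching SNI, so Envoy
        # does not match it to this server and the check fails (the
        # behaviour described in the post above).
        - "app.example.com"
        # Adding the wildcard makes Envoy complete the TLS handshake for any
        # SNI, which is what lets the SSL health check pass. The trade-off is
        # that the gateway now accepts connections for names you did not
        # list, so keep the VirtualServices bound to it restricted to the
        # hosts you actually intend to route.
        - "*"
```

Apply with `kubectl apply -f` against the namespace your ingress gateway runs in; the wildcard entry is the only change relative to a host-specific Gateway.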