AKS Ngnix Ingress Controller with Istio service mesh

Networking
#1

Hi All,

We already have configured AKS with Ngnix Ingress Controller and now we are exploring service mesh implementation in AKS. For now, we are exploring Istio and Consul. Please help/guide me in below options for ingress -

  1. Ngnix Controller with Istio service mesh
  2. Istio gateway with Istio service mesh

Which of the above option is recommended? If we want to continue with Ngnix, how to configure it to talk to service mesh? Can it have mTLS with Pods proxy (envoy)? With Ngnix, will we be able to use all service mesh features?

I am kind of new to service mesh and Istio and will appreciate your quick help/guidance… I would to have a call if possible to discuss it. Many thanks…

#2

I am also working with AKS, Nginx ingress controller and Istio service mesh. I must say all the features work perfectly without any issue.

  1. I did try various options like Nginx Ingress object -> Istio Ingress Gateway -> microservices pods(service mesh). Till Istio Ingress Gateway traffic is based on TLS(public certificates), from Istio Ingress gateway to pods of microservices based on MTLS(can be istio private certificates).
  2. Also, I did try passthrough TLS option till pod, and it worked perfectly well too.

For both the above option, you have to enable passthrough on the ingress object, and all the required annotations are present on Nginx ingress controller documentation. Just to add, start. your Nginx ingress controller with --enable-ssl-passthrough option.

Just to add things are weird when you use Azure app gateway with Azure app gateway ingress controller(agic).

#3

Thanks @Abhishek_Sharma1…as I have just started learning it, a call with you will be of big help…Can we talk?

#4

Sure, also I have some examples lying on my Github for all this, I will package together in the repo and you can have a look.

#5

Thanks @Abhishek_Sharma1… Can you please share your contact details? My email ID is mohd.aslam1@gmail.com

#6

I hope I’m not committing thread necromancy, but this is where I’m having trouble setting things up. I have an application gateway that needs to route traffic to the istio ingress pod but must maintain end to end TLS. I’m brand new to istio, never used it before last week. Could I get a hand from someone getting this working? I don’t even know what my backend pools should be for my app gateway.

Thanks in advance

#7

What i believe that still needs to be tested is that traffic till Application gateway will use its certificate and TLS will terminate there and after that communication will be encrypted again using the TLS certificate setup at Istio Ingress gateway level. With it, one will have end-to-end TLS.

#8

We’re having a problem in that we can’t get our app gateway to send traffic to the itsio ingress controller, which I was told that it does not appear as a regular ingress controller in Azure. I created an internal load balancer and set that as the backend for the app gateway, but I don’t know what IP to set the backend of the internal kubernetes load balancer to in order to reach itsio.

#9

How do we get traffic from the application gateway to the itsio ingress controller? What does our backend pool in the appllication gateway need to look like?

#10

Even we need to test and more interesting is to test the WAG backend with path based routing we setup at Istio ingress…Any help anyone!

#11

Were you able to get a kubernetes load balancer for the ingress controller to have a private ip as both the cluster IP and the external IP? I needed the external IP to be private so that we could point our application gateway to it.

#12

I’m sorry, I meant the istio-ingressgateway service. The external IP is always public and we can’t get istio to give us a load balancer that has a private IP.