Egress-gateway with TLS origination gives 503 TLS WRONG_VERSION_NUMBER

Hi all,

Hoping to get some help or insight into the right direction. We have a service which is hosted behind CloudFront and only responds on 443. Our k8s cluster has been whitelisted by CloudFront, so we want to use Istio as a proxy; however, TLS termination is done on the load balancer and therefore we can’t do a simple passthrough. So, the end goal is:

GCP LB (443/80) => Istio-ingress (80) => SE, VS, DR => istio-egress (80->443) => Cloudfront (443).

This was failing, so I broke it down into simpler parts to troubleshoot, and even doing the TLS origination via the egress gateway gives me a 503. If I do the CNN example from the documentation, then everything works. If I take that example verbatim and swap out the URLs for the CloudFront service, then I start getting 503 errors with TLS ERROR WRONG_VERSION_NUMBER.

Any idea what could be causing this and what else I can attempt to solve the issue? Pulling at straws already, as it seems forcing the TLS version does nothing and I have no decent logs in CloudFront to go on.

Thanks in advance
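For readers landing here with the same symptom: `WRONG_VERSION_NUMBER` is the OpenSSL error raised when the bytes received from the peer do not start with a valid TLS record, which in practice usually means one side is speaking plaintext on a port the other side expects TLS on. The configuration below is an added example, not the poster's manifests or Istio's own files; it follows the shape of the documented "TLS origination via egress gateway" pattern with `service.example.com` as a placeholder standing in for the external hostname. The part to check first is the final `DestinationRule`: if the `portLevelSettings` entry with `tls.mode: SIMPLE` is missing, does not match port 443, or lives in a namespace the egress gateway cannot see, the gateway forwards plain HTTP to port 443 and the origin answers with exactly this TLS error.

```yaml
# Added example: sidecar -> egress gateway on :80, gateway originates TLS to :443.
# "service.example.com" is a placeholder for the real external hostname.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: external-svc
spec:
  hosts:
  - service.example.com
  ports:
  - number: 80
    name: http-port
    protocol: HTTP
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: istio-egressgateway
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 80
      name: http-port-for-tls-origination
      protocol: HTTP
    hosts:
    - service.example.com
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: egressgateway-for-external-svc
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
  - name: external-svc
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: direct-external-svc-through-egress-gateway
spec:
  hosts:
  - service.example.com
  gateways:
  - istio-egressgateway
  - mesh
  http:
  # Leg 1: traffic from sidecars (the "mesh" gateway) goes to the egress gateway on :80.
  - match:
    - gateways:
      - mesh
      port: 80
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: external-svc
        port:
          number: 80
      weight: 100
  # Leg 2: the egress gateway routes to the external host on :443.
  - match:
    - gateways:
      - istio-egressgateway
      port: 80
    route:
    - destination:
        host: service.example.com
        port:
          number: 443
      weight: 100
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: originate-tls-for-external-svc
spec:
  host: service.example.com
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: SIMPLE            # without this, plaintext HTTP is sent to :443
        sni: service.example.com  # send SNI; many CDN fronts select the cert by SNI
```

To confirm the gateway actually has a TLS transport socket for the upstream, inspect the egress gateway's cluster for the external host, for example `istioctl proxy-config cluster <egress-gateway-pod> -n istio-system --fqdn service.example.com -o json`, and look for a `transportSocket` of type `tls` on the port-443 cluster; if it is absent, the `DestinationRule` is not being applied to the gateway. The `sni` field is set explicitly because origins that host many certificates select one by SNI, and a handshake without it can fail in ways that look unrelated to the routing configuration.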