External Virtual Machine mTLS using Istio Mesh

Hi!, i’m new using Istio Mesh, i’m doing some tests, i have the following architecture:

(Sorry for links i am a new user and i can only put 4 links, all links belongs to https://istio.io)

EC2 VM1 [ istio-agent, installed (with this: /latest/docs/setup/install/virtual-machine/#configure-the-virtual-machine)

EC2 VM2 [ istio-agent, installed (with this: /latest/docs/setup/install/virtual-machine/#configure-the-virtual-machine)

EKS [ Installed like this: ( /latest/docs/setup/install/virtual-machine/ )

  • VM1 has an Nginx installed.
  • VM1 and VM2 are onboarded in Istio mesh ( /latest/docs/setup/install/virtual-machine/#configure-the-virtual-machine )
  • Inside the EKS i tried this example and works fine ( /latest/docs/tasks/security/authentication/authn-policy/#setup )
  • Global enabled Peer Auth ( /latest/docs/tasks/security/authentication/authn-policy/#globally-enabling-istio-mutual-tls-in-strict-mode )
$ while true; do for from in "foo" "bar" "legacy"; do for to in "foo" "bar"; do kubectl exec "$(kubectl get pod -l app=sleep -n ${from} -o jsonpath={.items..me
tadata.name})" -c sleep -n ${from} -- curl http://httpbin.${to}:8000/ip -s -o /dev/null -w "sleep.${from} to httpbin.${to}: %{http_code}\n"; done; done; done

sleep.foo to httpbin.foo: 200
sleep.foo to httpbin.bar: 200
sleep.bar to httpbin.foo: 200
sleep.bar to httpbin.bar: 200
sleep.legacy to httpbin.foo: 000
command terminated with exit code 56
sleep.legacy to httpbin.bar: 000
command terminated with exit code 56

As you can see it’s working good, and the legacy can not communicate using mTLS, witch is good.
I also tried to comunicate from VMs:

ubuntu@VM1:~$ curl httpbin.foo.svc.cluster.local:8000 -s -o /dev/null -w "%{http_code}\n"

ubuntu@VM2:~$ curl httpbin.foo.svc.cluster.local:8000 -s -o /dev/null -w "%{http_code}\n"

So, EC2 VMs looks like are using mTLS too and its working.

The problem comes here:

ubuntu@VM2:~$ curl VM1.ec2.internal -s -o /dev/null -w "%{http_code}\n"
ubuntu@VM2:~$ curl VM1.ec2.internal -vvv
* Rebuilt URL to: VM1.ec2.internal/
*   Trying VM1...
* Connected to VM1.ec2.internal (VM1) port 80 (#0)
> GET / HTTP/1.1
> Host: VM1.ec2.internal
> User-Agent: curl/7.58.0
> Accept: */*
< HTTP/1.1 503 Service Unavailable
< content-length: 95
< content-type: text/plain
< date: Wed, 01 Nov 2023 20:50:55 GMT
< server: envoy
* Connection #0 to host VM1.ec2.internal left intact
upstream connect error or disconnect/reset before headers. reset reason: connection termination

The curious thing, it’s if i delete the peer auth, then it works (but i assume without mTLS, something that i do not want)

ubuntu@VM2:~$ curl VM1.ec2.internal -s -o /dev/null -w "%{http_code}\n"

Do you know what i missing?