How to create private(internal) ingressgateway with AKS

jknott-ahead · January 31, 2019, 1:10pm

Our company only uses private internal traffic and by default Istio creates external ingress gateway. How to configure this to use an internal(private) ip address for the ingress gateway with AKS

zachseils · January 31, 2019, 4:14pm

You need to add the AKS annotation for a internal load balancer to the istio-ingressgateway Service:

helm template install/kubernetes/helm/istio --name istio --namespace istio-system --set gateways.istio-ingressgateway.serviceAnnotations.'service\.beta\.kubernetes\.io/azure-load-balancer-internal'="true" > aks-istio.yaml

jknott-ahead · February 5, 2019, 3:45pm

zachseils:

helm template install/kubernetes/helm/istio --name istio --namespace istio-system --set gateways.istio-ingressgateway.serviceAnnotations.'service\.beta\.kubernetes\.io/azure-load-balancer-internal'="true" > aks-istio.yaml

Thank you, I will give it a try

RoyKimYYZ · January 24, 2020, 4:49pm

zachseils:

helm template install/kubernetes/helm/istio --name istio --namespace istio-system --set gateways.istio-ingressgateway.serviceAnnotations.'service\.beta\.kubernetes\.io/azure-load-balancer-internal'="true" > aks-istio.yaml

How to do this with istioctl manifest apply --set

omerfsen · August 15, 2020, 6:17pm

I had issues with syntax of the command because of special characters and not to make mistake what i did (with istioctl 1.6.8)

istioctl profile dump default > istioctl-default-profile.yaml

diff -ruN istioctl-default-profile.yaml custom-default-profile-1.6.8.yml

--- istioctl-default-profile.yaml       2020-08-15 19:15:05.993632690 +0100
+++ custom-default-profile-1.6.8.yml    2020-08-14 19:36:19.724440529 +0100
@@ -87,6 +87,8 @@
             apiVersion: apps/v1
             kind: Deployment
             name: istio-ingressgateway
+        serviceAnnotations:
+          service.beta.kubernetes.io/azure-load-balancer-internal: "true"
         resources:
           limits:
             cpu: 2000m

and then run istioctl install -f custom-default-profile-1.6.8.yml

omerfsen · August 15, 2020, 6:20pm

This command fails with following (weirdly same command sometimes works but produces wrong service annotations thus External-IP waits on pending status)

Error: failed to apply manifests: could not unmarshal merged YAML: unknown field "gateways" in v1alpha1.IstioOperatorSpec

Even

--set gateways.istio-ingressgateway.serviceAnnotations.'service\.beta\.kubernetes\.io/azure-load-balancer-internal'="true"
did not work with istioctl 1.6.8

tonedefdev · September 17, 2020, 10:47pm

I was able to get Istio installed on AKS using a private IP by passing istioctl install -f ./custom_install_options.yaml where the config file looks like:

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
values:
  gateways:
    istio-ingressgateway:
      serviceAnnotations:
        service.beta.kubernetes.io/azure-load-balancer-internal: "true"
      loadBalancerIP: 10.0.0.100 #available ip from the AKS subnet

Topic		Replies	Views
How to setup Istio with Private AKS Cluster?	4	3035	September 7, 2020
Internal Load Balance for Azure AKS	1	1225	May 18, 2020
Change load balancer external IP in AKS Networking	3	1005	August 30, 2023
Istio Ingress gateway unable to connect To AKS Application Gateway Networking	0	887	July 6, 2021
Use ISTIO-Ingressgateway external IP	1	1050	November 11, 2022

How to create private(internal) ingressgateway with AKS

Related Topics