How to set up Istio with a Private AKS Cluster?

Hello Guys,

Are there any links/articles/leads on how to set up Istio with a Private AKS cluster?
To be more specific, Istio deploys Gateways with External IPs, but the idea of a Private AKS cluster is to not have any EXTERNAL IPs.
How do we create an Istio G/W with only an INTERNAL IP on an AKS cluster by using istioctl?

Hi

I believe you can add serviceAnnotations: to your gateway to use an internal load balancer instead of a public load balancer. The example below is for Google Cloud.

So how do we change the annotations for a default profile? Should I create a dump of the default profile and add annotations to the ingressGateways block? Is that the best way to do it?

You should be able to add annotations using the value overrides with IstioOperator config:
```yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: istio-operator
spec:
  components:
    ingressGateways:
    - enabled: true
      k8s:
        overlays:
        - kind: Service
          name: istio-ingressgateway
          patches:
          - path: spec.type
            value: LoadBalancer
  values:
    gateways:
      istio-ingressgateway:
        serviceAnnotations:
          service.beta.kubernetes.io/azure-load-balancer-internal: "true"
```

You can use this to generate the manifest and verify whether the annotations are being added to the ingress service.

MS link for adding the annotations for internal LB: https://docs.microsoft.com/en-us/azure/aks/internal-lb#create-an-internal-load-balancer
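
The verification step suggested above can be scripted. This is an added example, not part of the original thread: it assumes the manifest was rendered with `istioctl manifest generate -f <your-operator-file>` and piped into the function; `check_internal_lb` and `sample_manifest` are hypothetical names, and the sample manifest is constructed.

```shell
#!/bin/sh
# Added example: line-based check of rendered YAML, not a full YAML parser.
# Exit status: 0 = gateway Service will not get a public load balancer,
#              1 = type LoadBalancer without the Azure internal annotation,
#              2 = no istio-ingressgateway Service in the input.
check_internal_lb() {
  awk '
    function flush() {
      if (is_svc && is_gw) { found = 1; if (is_lb && !internal) bad = 1 }
      is_svc = is_gw = is_lb = internal = 0
    }
    /^---/ { flush(); next }
    /^kind:[ ]*Service[ ]*$/ { is_svc = 1 }
    /^  name:[ ]*istio-ingressgateway[ ]*$/ { is_gw = 1 }
    /^  type:[ ]*LoadBalancer[ ]*$/ { is_lb = 1 }
    /^    service\.beta\.kubernetes\.io\/azure-load-balancer-internal:[ ]*"?true"?[ ]*$/ { internal = 1 }
    END { flush(); if (!found) exit 2; exit bad + 0 }
  '
}

# Constructed sample: trimmed documents as they could appear in a rendered manifest.
sample_manifest() {  # $1 = "internal" adds the annotation, anything else omits it
  cat <<EOF
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: istio-ingressgateway
---
apiVersion: v1
kind: Service
metadata:
  name: istio-ingressgateway
  namespace: istio-system
  annotations:
$( [ "$1" = internal ] && echo '    service.beta.kubernetes.io/azure-load-balancer-internal: "true"' )
spec:
  type: LoadBalancer
EOF
}

for variant in internal public; do
  if sample_manifest "$variant" | check_internal_lb; then
    echo "$variant: gateway Service stays internal"
  else
    echo "$variant: gateway Service would request a public IP"
  fi
done
```

Running the same check before every `istioctl` apply, for example as a CI gate, catches a profile change that silently drops the annotation.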

Great! I was able to spin it up with a custom manifest file. Here is what I did:

  1. Installed Istio Operator: https://istio.io/latest/docs/setup/install/operator/
  2. Created a dump of the “demo” profile.
  3. Added the required annotation to the ingressGateways block along with required ports and created a custom manifest file.
  4. Applied it using istioctl.