HTTP/2 Flow Control

We are trying to expose a gRPC service outside of an EKS Cluster, this service works with gRPC Streaming and we are working to test our service reliability in case of high load.

When we expose the service behind an AWS NLB without istio sidecar and ingressgateway (client → NLB → POD with no sidecar) , our service handle backpressure and our client stops the streaming correctly.

If we add istio ingressgateway and sidecar into the equation the client never stops streaming data, same client that without istio in place behaved correctly.
(client → NLB → Ingressgateway → POD with sidecar )

The NLB dedicated to istio ingressgateway is configured to expose the same ports that is configured on the istio gateway and that we are routing to the pod on the istio virtual service.

The NLB Is configured to handle TLS only for port 443

which is not used in this scenario, our grpc server is exposed using port 10037.

no other envoyfilters configured

The server runs nodejs 16

What am I missing ?


istioctl version
client version: 1.13.5
control plane version: 1.14.2
data plane version: 1.14.2 (39 proxies), 1.13.6 (2 proxies)

The istio ingressgateway i'm referring to is running 1.14.2