HTTP 404 When "AUTHORITY" and "REQUESTED_SERVER_NAME" are different

Hi there,

I have a use case where a request is sent by Azure App Gateway (AGW) to Istio.

Problem Statement:
The flow of the request is as below:
User → AGW (test.abc.com) [overriding the backend hostname] → Istio (sandpit.abc.com)

This is what I see in the “istio-ingressgateway” pod’s log:

[2021-06-16T18:24:10.794Z] "GET /online/api/health HTTP/1.1" 404 NR "-" 0 0 0 - "10.xxx.xx.36" "-" "c5571349-6ea1-4745-8a9f-13a542c42b25" "test.abc.com" "-" - - 10.xxx.9.118:8443 10.xxx.xx.36:30099 sandpit.abc.com -

It looks like the handshake happens on host SNI “sandpit.abc.com” and Authority is being passed as “test.abc.com”. This might confuse Istio in the selection of Virtual Services, hence 404 NR.

Setup:

  1. Gateway is configured to handle both hosts test.abc.com and sandpit.abc.com
  2. Virtual Service is configured to handle both hosts test.abc.com and sandpit.abc.com

When a request is sent directly to:

  1. test.abc.com - Works
  2. sandpit.abc.com - Works
  3. AGW (sandpit.abc.com) → Istio (sandpit.abc.com) - Works

Inference:
When “AUTHORITY” and “REQUESTED_SERVER_NAME” are the same, Istio responds with HTTP 200, else HTTP 404.

Question:
Is there any way to modify “REQUESTED_SERVER_NAME” before the request is processed by Istio? Or is there any solution to make this setup work?
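
A triage helper for the pattern described in the post, added here as an example and not part of the original post: it scans ingress gateway access-log lines and reports NR responses where the :authority host differs from the TLS SNI. The field positions are an assumption read off the one sample line in the post (a different access-log format needs different indexes), and the second sample line is constructed.

```python
import re

TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # a quoted field or a bare field

# Assumed layout (inferred from the sample line in the post, 20 fields):
# 2 = status, 3 = response flags, 12 = :authority, 18 = requested server name (SNI)
STATUS, FLAGS, AUTHORITY, SNI, FIELD_COUNT = 2, 3, 12, 18, 20

def parse_access_log(line):
    """Return the fields of interest, or None if the line does not fit the layout."""
    tokens = [m.group(1) if m.group(1) is not None else m.group(2)
              for m in TOKEN.finditer(line)]
    if len(tokens) != FIELD_COUNT or not tokens[STATUS].isdigit():
        return None
    return {"request": tokens[1], "status": int(tokens[STATUS]),
            "flags": tokens[FLAGS].split(","),
            "authority": tokens[AUTHORITY], "sni": tokens[SNI]}

def host_only(value):
    """Normalise a host for comparison: drop any :port, trailing dot and case."""
    return re.sub(r":\d+$", "", value).rstrip(".").lower()

def find_mismatches(lines):
    """NR (no route) responses whose :authority host differs from the SNI."""
    hits = []
    for line in lines:
        rec = parse_access_log(line)
        if rec is None or "NR" not in rec["flags"] or rec["sni"] == "-":
            continue  # unparsable, routed, or no SNI on the connection
        if host_only(rec["authority"]) != host_only(rec["sni"]):
            hits.append(rec)
    return hits

SAMPLE = [
    # The line quoted in the post.
    '[2021-06-16T18:24:10.794Z] "GET /online/api/health HTTP/1.1" 404 NR "-" 0 0 0 - '
    '"10.xxx.xx.36" "-" "c5571349-6ea1-4745-8a9f-13a542c42b25" "test.abc.com" "-" - - '
    '10.xxx.9.118:8443 10.xxx.xx.36:30099 sandpit.abc.com -',
    # Constructed: a routed request where :authority and SNI agree.
    '[2021-06-16T18:25:02.101Z] "GET /online/api/health HTTP/1.1" 200 - "-" 0 2 5 4 '
    '"10.xxx.xx.36" "-" "00000000-0000-0000-0000-000000000000" "sandpit.abc.com:443" '
    '"10.0.0.1:8080" example-cluster 10.0.0.2:41000 10.xxx.9.118:8443 '
    '10.xxx.xx.36:30100 sandpit.abc.com -',
]

if __name__ == "__main__":
    for rec in find_mismatches(SAMPLE):
        print(f'{rec["status"]} NR: authority={rec["authority"]} sni={rec["sni"]}')
```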