Istio ingress gateway: support TLS without SNI

I am setting up the Istio gateway as an NLB load balancer service and using the NLB to terminate TLS. On the Istio gateway side, I have a self-signed certificate. I notice that the NLB doesn't send SNI during the TLS handshake to the Istio gateway and that causes HTTPS requests to fail. Is there a configuration option I can make on the Istio gateway side to make this work?

This seems more like a networking API configuration, @Costin_Manolache, @rshriram.

Have you tried setting `*` as hosts for the GW? (I'm just thinking out loud here…)

@prune Thanks, we figured it out. The ingress gateway matches the most specific host first, so `"*"` works for us. Yes, using `"*"` as hosts works for non-SNI traffic. Thanks to @rshriram for the information.
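A Gateway and VirtualService wired the way this answer describes, added here as an example and not taken from the thread; the resource names, namespace, backend service and the `ingress-cert` secret are assumptions.

```yaml
# Added example: an Istio Gateway server on 443 whose hosts list is "*".
# Because the ingress gateway picks the most specific host match, a server
# with "*" is the one that catches TLS connections carrying no SNI at all
# (such as the NLB-originated handshake in the question).
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: nlb-backend-gateway        # assumed name
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE                  # gateway terminates TLS with its own (self-signed) cert
      credentialName: ingress-cert  # assumed kubernetes.io/tls secret in istio-system
    hosts:
    - "*"                           # matches any host, including connections without SNI
---
# The VirtualService must bind to that gateway and use a host that the
# server's "*" covers; "*" here keeps it matching when no SNI/Host is known.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: app                         # assumed name
  namespace: default
spec:
  hosts:
  - "*"
  gateways:
  - istio-system/nlb-backend-gateway
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: app.default.svc.cluster.local   # assumed backend service
        port:
          number: 8080
```

To confirm the gateway now completes a handshake with no SNI, reproduce the NLB's behaviour from a client with `openssl s_client -connect <gateway-ip>:443 -noservername` and check that the server certificate is returned rather than the connection being reset.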

Can you have multiple gateways defined in multiple namespaces with a wildcard “*” for the host?

I have an L7 proxy sitting in front of our ingress gateway to handle a limitation in our NAT implementation.
We NAT public to private IP all with destination address 443. We have an L7 proxy that directs traffic to the ingress gateway of the associated K8s cluster based on host headers.

Unfortunately the L7 proxy doesn't support SNI health checks, so we need a fallback as it does a client TLS connection for whitelisting.

I set up a "healthcheck" gateway / vs / svc / pod to respond to the health check of the cluster's ingress gateway. However, when trying to set up another gateway in another namespace on port 443 with a different certificate, it receives no traffic. Only the health check gateway with the wildcard host on port 443 is receiving traffic.

I'm using Istio 1.5.1.

Any help would be appreciated.