Istio Ingress Gateway with GKE Ingress and Google Managed Certificates

I am trying to setup HTTPS with Istio Ingress Gateway. It seems there are a number of approaches that you can take.

In my demo project I have setup demo profile of Istio(v1.5.1) with istioctl cli tool on GKE. As istio-ingressgateway is a LoadBalancer, I used a GKE Ingress with it. The benefit of using GKE ingress in front of Istio ingress-gateway is that I can now use Google Managed SSL certificates. It’s a very easy and straight forward setup. And it works fine.

My questions are,

  1. Is this setup recommended? In Istio doc there is already a guide on how to use Kubernetes Ingress and Cert Manager with Istio ingress-gateway.
  2. Will I lose out any of the Istio Traffic routing features. Can I still use Gateway and VirtualService?
  3. Will the mTLS still work properly?
  4. Are there any security issues with this setup?

I am new in these topics and would really appreciate your opinions and suggestions.

So you will have GKE ingress setup and get benefits of Google managed certificates. I don’t think the features you mentioned below will be broken, the difference becomes you move the public facing tls from Istio gateway to k8s ingress. those features, you listed, is not affected.