Istio ingress with AWS ALB?

Team,

If we are using an AWS CLB (classic load balancer) as the Istio ingress gateway, we are unable to attach multiple SSL certs.

We are using the URL below to create the AWS CLB ingress gateway.

URL: https://istio.io/latest/docs/setup/install/istioctl/

So is there any way we can create an AWS application load balancer where we can add multiple certs? Or, if there is any other use case for how we can attach multiple certs, please share with us reference URLs which will help us to implement it.

You are relying on Istio to create the AWS load balancer? And you want to terminate SSL at said AWS load balancer? You can always disable Istio from creating it and set up the AWS LB yourself, unless I am understanding incorrectly?

Thanks a lot @nick_tetrate for responding.

Currently we create the ingress gateway using Istio; it creates an AWS classic load balancer, which has a limitation for multiple certs.

We are creating the ingress gateway using Istio so that we can use Istio features to route traffic to all the k8 services exposed via cluster IP, which is a great feature and which avoids creating a new load balancer for each k8 service and reduces cloud cost.

So if we disable Istio then we need to expose all our k8 services as load balancer type, which we don't want to create unless we have some technical blocker with Istio. Or if you have any other way to achieve this use case where we can have one LB, please let us know.

I was not suggesting that you disable Istio. Just don't have Istio create the AWS load balancer and set one up outside of the Istio setup process. Another alternative is to not terminate SSL at the ELB and instead host multiple certificates on the Istio ingress gateway.
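The second alternative in the reply above (terminate TLS on the Istio ingress gateway, one certificate per application, with the AWS CLB acting as a plain TCP pass-through) looks roughly like the following. This is an added example, not configuration from the thread or from the Istio project; the hostnames `app1.example.com` / `app2.example.com`, the secret names `app1-credential` / `app2-credential`, the namespaces and the service names are assumptions.

```yaml
# Added example: per-application certificates hosted on the Istio ingress
# gateway instead of on the AWS classic load balancer.
#
# Step 1 - install the ingress gateway so that the CLB the cloud provider
# creates has TCP listeners only.  Leaving out the
# service.beta.kubernetes.io/aws-load-balancer-ssl-cert annotation means no
# ACM certificate is bound to port 443, so the TLS handshake reaches Envoy
# untouched and the gateway's own certificates are the ones clients see.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  components:
    ingressGateways:
      - name: istio-ingressgateway
        enabled: true
        k8s:
          serviceAnnotations:
            service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
---
# Step 2 - one Kubernetes TLS secret per application in the gateway's
# namespace (istio-system).  Created out of band, for example:
#   kubectl -n istio-system create secret tls app1-credential \
#     --cert=app1.crt --key=app1.key            # assumed file names
# Step 3 - one Gateway with a server entry per host on port 443.  Port names
# must be unique; Envoy picks the certificate by the SNI the client sends.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: apps-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 443
        name: https-app1
        protocol: HTTPS
      hosts:
        - "app1.example.com"
      tls:
        mode: SIMPLE
        credentialName: app1-credential   # assumed secret name
    - port:
        number: 443
        name: https-app2
        protocol: HTTPS
      hosts:
        - "app2.example.com"
      tls:
        mode: SIMPLE
        credentialName: app2-credential   # assumed secret name
---
# Step 4 - route each host to its ClusterIP service; no per-app LoadBalancer
# service is needed.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: app1
  namespace: app1                          # assumed namespace
spec:
  hosts:
    - "app1.example.com"
  gateways:
    - istio-system/apps-gateway
  http:
    - route:
        - destination:
            host: app1.app1.svc.cluster.local   # assumed ClusterIP service
            port:
              number: 8080
```

To check that the right certificate is served, `openssl s_client -connect app1.example.com:443 -servername app1.example.com` should print app1's certificate subject rather than the wildcard one; if the CLB still has an ACM certificate on its 443 listener, the CLB's certificate is what you will see, which matches the symptom reported later in this thread.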

@nick_tetrate I need a use case using Istio in AWS EKS and managing multiple certs.

If we create the ingress gateway using Istio with the AWS cloud provider (https://istio.io/latest/docs/setup/install/istioctl/), it creates an AWS classic load balancer where we open http/https ports and a certificate is attached to https.

But when we want to use a different certificate with an Istio credential name, it's not working; it's still taking the certificate attached to the AWS classic load balancer https port.

@anilcs0405 if you have any use case as per the above conversation, can you please share?

@anilcs0405

Can you please provide your thoughts on this and let me know if you need any help on the problem statement as per the above conversation.

There are two ways you can achieve this.

  1. If your certificates are managed by ACM, you can add multiple domain names to the certificate (SAN). The ELB will take care of offloading the certificate.
  2. You can migrate from ELB to ALB. This needs an installation of the ALB ingress controller.

https://stackoverflow.com/questions/62407364/how-to-set-aws-alb-instead-of-elb-in-istio
https://aws.amazon.com/premiumsupport/knowledge-center/acm-add-domain-certificates-elb/#:~:text=To%20add%20multiple%20certificates%20for,AWS%20Certificate%20Manager%20(ACM).

Firstly, thanks @tejesh_s for your response.

1) The first approach, adding multiple domains, is not a good practice due to some security reasons; we have different ACM certs for each app.
2) Currently we are exposing our k8 services as the default cluster IP; if we migrate to the ALB ingress controller we need to expose them as NodePort services, which is not recommended.

So can you please share with us any other Istio use case with AWS with one load balancer as ingress where we can add multiple certs related to different domains.

@Bairava_Surya Why is 2) not recommended? Could you elaborate a bit more on your use case? I'm doing something similar, trying to expose app services with Istio and ALB.

@m_p

Below is my exact use case.

We have many applications and each application has its own cert.

We are exposing the k8 service as load balancer type and the ingress gateway as an AWS classic load balancer, where we can attach only one cert, i.e. a wildcard cert (*).

Can you please tell us how to handle this use case so that each application will have its own cert.

@spikecurtis can you please help me as per the above use case with the AWS cloud provider.

You can use TLS passthrough on the ELB and ingress gateway and allow each app to host its own certificate; you would have to route based on SNI though.
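The SNI-based passthrough described in the reply above, as an added example rather than configuration from the thread or from the Istio project: the gateway never sees a plaintext byte, each application pod terminates TLS with its own certificate, and the only thing Envoy inspects is the SNI in the ClientHello. Hostnames, namespaces, service names and the port `8443` are assumptions.

```yaml
# Added example: TLS passthrough from the AWS CLB through the Istio ingress
# gateway to each application, routed on SNI.
#
# Prerequisite: the CLB in front of the gateway must have a TCP (not HTTPS)
# listener on 443, i.e. the ingress gateway Service carries no
# service.beta.kubernetes.io/aws-load-balancer-ssl-cert annotation.  If ACM
# terminates TLS at the CLB the gateway receives plaintext and the
# PASSTHROUGH server below will never match.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: passthrough-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 443
        name: tls
        protocol: TLS           # raw TLS, not HTTPS: no termination here
      tls:
        mode: PASSTHROUGH       # forward the encrypted stream unchanged
      hosts:                    # SNI values this server accepts
        - "app1.example.com"
        - "app2.example.com"
---
# One VirtualService per application.  The tls (not http) section matches on
# the SNI host, because with passthrough there is no HTTP request to inspect.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: app1-passthrough
  namespace: app1                           # assumed namespace
spec:
  hosts:
    - "app1.example.com"
  gateways:
    - istio-system/passthrough-gateway
  tls:
    - match:
        - port: 443
          sniHosts:
            - "app1.example.com"
      route:
        - destination:
            host: app1.app1.svc.cluster.local   # assumed ClusterIP service
            port:
              number: 8443                      # app's own TLS listener
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: app2-passthrough
  namespace: app2                           # assumed namespace
spec:
  hosts:
    - "app2.example.com"
  gateways:
    - istio-system/passthrough-gateway
  tls:
    - match:
        - port: 443
          sniHosts:
            - "app2.example.com"
      route:
        - destination:
            host: app2.app2.svc.cluster.local   # assumed ClusterIP service
            port:
              number: 8443
```

Two operational consequences worth planning for: because the gateway cannot decrypt the stream, Istio HTTP features (path routing, retries, request-level telemetry, JWT checks) are unavailable for these hosts, and each application team now owns certificate rotation for its own pod. A client that omits SNI (some legacy tooling) matches none of the `sniHosts` entries and is dropped by the gateway, which is the expected failure mode rather than a misrouting.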