Istio Multi Cluster on two different networks

Hi, I am using Istio 1.16 and installing a multi-cluster service mesh. My clusters are located in two different networks. It's a multi-primary installation, but the two clusters are unable to sync. I got an error message like:

controller=multicluster secret
2023-07-14T06:18:10.969969Z info processing secret event for secret istio-system/istio-remote-secret-YYYY-c1
2023-07-14T06:18:10.970003Z info Adding cluster cluster=YYYY-c1 secret=istio-system/istio-remote-secret-YYYY-c1
2023-07-14T06:18:15.971734Z info kube Initializing Kubernetes service registry “YYYY-c1”
2023-07-14T06:18:15.971856Z info kube Creating WorkloadEntry only config store for YYYY-c1
2023-07-14T06:18:25.972417Z error kube failed to list CRDs: Get “https://Y.Y.Y.Y:6443/apis/”: context deadline exceeded
2023-07-14T06:18:25.972452Z info initializing Kubernetes credential reader for cluster YYYY-c1
2023-07-14T06:18:25.972492Z error Adding cluster: initialize cluster failed: 1 error occurred:
* failed creating config configStore for cluster YYYY-c1: Get “https://Y.Y.Y.Y:6443/apis/”: context deadline exceeded

    cluster=YYYY-c1 secret=istio-system/istio-remote-secret-YYYY-c1

2023-07-14T06:18:25.972500Z info Number of remote clusters: 0
2023-07-14T06:18:25.972524Z error controllers error handling istio-system/istio-remote-secret-YYYY-c1, retrying (retry count: 4): error adding secret istio-system/istio-remote-secret-YYYY-c1: 1 error occurred:
* Adding cluster_id=YYYY-c1 from secret=istio-system/istio-remote-secret-YYYY-c1: 1 error occurred:
* failed creating config configStore for cluster YYYY-c1: Get “https://Y.Y.Y.Y:6443/apis/”: context deadline exceeded

Please help me to understand the issue and how to resolve the error.

I have used the Istio guidelines for installation.

Looking forward to hearing from you.


Hello, did you find a solution, please?

No. I am waiting for someone to help me. Anything from your side?

Have you done the whitelisting of the cluster API servers?
Have you done everything that is mentioned here?

I have done that and observed that istiod is trying to access the remote cluster API directly. Can it be configured to access the API through the Load Balancer IP?

We have opened the firewall to the other cluster's API server from the source cluster subnet.
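
Added example, not part of any post in this thread: a shell check that reads the API server address stored in the remote secret and tests it from a pod in `istio-system`, the same network position from which istiod's `context deadline exceeded` calls originate. It assumes the secret layout written by `istioctl create-remote-secret` (kubeconfig stored under a data key equal to the cluster name); the function names, the probe pod name `apiprobe`, the `curlimages/curl` image and the sample kubeconfig are choices made for this example.

```shell
#!/bin/sh
# Constructed sample kubeconfig (not taken from the thread), used when no arguments are given.
SAMPLE_KUBECONFIG='apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: Q09OU1RSVUNURUQ=
    server: https://10.20.30.40:6443
  name: demo-c1'

# Print every API server URL found in a kubeconfig read from stdin.
kubeconfig_servers() {
  sed -n 's/^[[:space:]]*server:[[:space:]]*//p' | tr -d "\"'"
}

# Split https://host:port[/path] into "host port" (hostnames and IPv4; port defaults to 443).
server_hostport() {
  hp=${1#*://}; hp=${hp%%/*}
  case $hp in
    *:*) echo "${hp%:*} ${hp##*:}" ;;
    *)   echo "$hp 443" ;;
  esac
}

# usage: check_remote_secret <kube-context-of-local-cluster> <remote-cluster-name>
# Assumption: the secret is istio-system/istio-remote-secret-<name> and its data key is <name>.
check_remote_secret() {
  ctx=$1; name=$2
  kubectl --context "$ctx" -n istio-system get secret "istio-remote-secret-$name" \
      -o go-template="{{index .data \"$name\"}}" | base64 -d | kubeconfig_servers |
  while read -r url; do
    echo "remote secret points istiod at: $(server_hostport "$url")"
    # Probe from inside the cluster, because firewall rules are evaluated against
    # the pod/node egress address and not against the operator's workstation.
    # Any HTTP status (200/401/403) means the path is open; 000 means a timeout.
    kubectl --context "$ctx" -n istio-system run apiprobe --rm --attach \
      --restart=Never --image=curlimages/curl --command -- \
      curl -sk --connect-timeout 5 -o /dev/null -w '%{http_code}\n' \
      "$url/version" </dev/null
  done
}

if [ "$#" -eq 2 ]; then
  check_remote_secret "$1" "$2"
else
  printf '%s\n' "$SAMPLE_KUBECONFIG" | kubeconfig_servers
fi
```

If the printed address is a private endpoint that the other network cannot route to, `istioctl create-remote-secret` accepts a `--server` flag that writes a different API server address into the generated kubeconfig.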