Istio with AWS ALB and TLS to istio-ingressgateway

Hi there,

I want to use AWS ALB to offload my ssl. I want to use an official Amazon certificate for that. In my backend, which is served by istio-ingressgateway I will use self signed certificates to encrypt the connection from ALB to istio-ingressgateway.

Client → ALB offloading TLS → ALB opens new TLS connection to istio-ingressgateway — :x:—> istio-ingressgateway

Unfortunately ALB doesn’t support SNI to the backends. Is it possible to connect to the istio-ingressgateway with a kind of default certificate and then select the service via host header?

Best regards

This is my configuration of one service. The other services are configured the same way but with other host. Without ALB the services are reachable directly via istio-ingressgateway.

kind: Gateway
  name: echoserver-tls-gateway
    istio: ingressgateway
  - port:
      number: 443
      name: https
      protocol: HTTPS
      mode: SIMPLE
      credentialName: echoserver-tls-credential
    - ""
kind: VirtualService
  name: echoserver-tls
  - ""
  - echoserver-tls-gateway
  - match:
    - uri:
        prefix: /
    - destination:
          number: 80
        host: echoserver-tls

Yes it is possible. We use Terraform to do our deployments with a public and private ALB that routes traffic to two separate istioingress controllers. We use ExternalDNS and a wildcard cert for our ALB then we define an ingress manifest to tell it that it uses class alb.

Is your istio-ingressgateway using TLS (connection from ALB to istio-ingressgateway)? And if yes, could you provide your yaml from Ingress, Gateway and VirtualService?

I’ve done that too with Ingress for ALB with Wildcard certificate. But I couldn’t get TLS working for my Gateway, because ALB doesn’t speak SNI to the backends.

Did you resolve this? I’m seeing the same issue.

Unfortunately not… We are using AWS NLB right now with TCP passthrough mode.

@fhopeman How are you using NLB with it?
Client → NLB TCP 80 → NLB opens new TLS connection to istio-ingressgateway?
Am I correct here?

If and when you’ve time please have a look here - AWS load-balancer with TLS ingress-gateway · Issue #31421 · istio/istio · GitHub

Ok please ignore above, figured it out. Thanks for replying.