I want to use AWS ALB to offload my SSL. I want to use an official Amazon certificate for that. In my backend, which is served by istio-ingressgateway, I will use self-signed certificates to encrypt the connection from ALB to istio-ingressgateway.
Client → ALB offloading TLS → ALB opens new TLS connection to istio-ingressgateway → istio-ingressgateway
Unfortunately ALB doesn’t support SNI to the backends. Is it possible to connect to the istio-ingressgateway with a kind of default certificate and then select the service via host header?
This is my configuration of one service. The other services are configured the same way but with a different host. Without ALB the services are reachable directly via istio-ingressgateway.
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: echoserver-tls-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: echoserver-tls-credential
    hosts:
    - "echoserver-tls.example.com"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: echoserver-tls
spec:
  hosts:
  - "echoserver-tls.example.com"
  gateways:
  - echoserver-tls-gateway
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        port:
          number: 80
        host: echoserver-tls
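As an added example that is not part of the original post, this is the arrangement the question describes: it assumes that an Istio Gateway server with hosts "*" presents its single credential regardless of the SNI the ALB sends (or omits), and that each VirtualService bound to that Gateway is then selected by the HTTP Host header. The gateway name, credential name and second service are placeholders.

```yaml
# Added example (not from the original post); names marked below are placeholders.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: default-tls-gateway              # placeholder name
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: default-tls-credential   # placeholder: the self-signed cert presented to ALB
    hosts:
    - "*"                                 # catch-all, so the listener does not depend on SNI
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: echoserver-tls
spec:
  hosts:
  - "echoserver-tls.example.com"          # matched against the Host header ALB forwards
  gateways:
  - default-tls-gateway
  http:
  - route:
    - destination:
        host: echoserver-tls
        port:
          number: 80
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: second-service                    # placeholder second service
spec:
  hosts:
  - "second-service.example.com"
  gateways:
  - default-tls-gateway
  http:
  - route:
    - destination:
        host: second-service
        port:
          number: 80
```

Each VirtualService's hosts entry must fall within the Gateway's hosts, which "*" satisfies; the ALB must still pass the client's Host header through unchanged for the match to select the right service.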