Istio with AWS ALB and TLS to istio-ingressgateway

Hi there,

I want to use AWS ALB to offload my SSL. I want to use an official Amazon certificate for that. In my backend, which is served by istio-ingressgateway, I will use self-signed certificates to encrypt the connection from ALB to istio-ingressgateway.

Overview:
Client → ALB offloading TLS → ALB opens new TLS connection to istio-ingressgateway —✗→ istio-ingressgateway

Unfortunately ALB doesn’t support SNI to the backends. Is it possible to connect to the istio-ingressgateway with a kind of default certificate and then select the service via host header?

Best regards
Fabian

This is my configuration of one service. The other services are configured the same way but with another host. Without ALB the services are reachable directly via istio-ingressgateway.

---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: echoserver-tls-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: echoserver-tls-credential
    hosts:
    - "echoserver-tls.example.com"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: echoserver-tls
spec:
  hosts:
  - "echoserver-tls.example.com"
  gateways:
  - echoserver-tls-gateway
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        port:
          number: 80
        host: echoserver-tls
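One way to do what the question asks, shown here as an added example rather than configuration from this thread: a single Gateway server with `hosts: ["*"]` and one credential presents that default certificate to any client that sends no SNI (such as an ALB target connection), and per-host VirtualServices then select the service on the HTTP Host header. The secret name `default-tls-credential`, the second hostname and the `otherservice` destination are assumptions.

```yaml
# Added example, not from the thread. One default certificate for SNI-less
# TLS clients, then Host-header routing inside Istio.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: default-tls-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      # Assumed secret name. Note: ALB does not validate the target's
      # certificate, so a self-signed cert here encrypts the ALB->gateway hop
      # but does not authenticate the gateway to the ALB.
      credentialName: default-tls-credential
    hosts:
    - "*"   # no per-hostname filter chain, so handshakes without SNI match
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: echoserver-tls
spec:
  hosts:
  - "echoserver-tls.example.com"   # matched on the Host header, not SNI
  gateways:
  - istio-system/default-tls-gateway
  http:
  - route:
    - destination:
        host: echoserver-tls
        port:
          number: 80
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: otherservice   # assumed second service behind the same gateway
spec:
  hosts:
  - "otherservice.example.com"
  gateways:
  - istio-system/default-tls-gateway
  http:
  - route:
    - destination:
        host: otherservice
        port:
          number: 80
```

Because every backend handshake now succeeds with the same certificate, a request for an unknown Host header is only rejected at the HTTP layer (404 from the gateway), so keep the set of VirtualService hosts explicit rather than wildcarded.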

Yes, it is possible. We use Terraform to do our deployments with a public and private ALB that routes traffic to two separate istio-ingress controllers. We use ExternalDNS and a wildcard cert for our ALB, then we define an Ingress manifest to tell it that it uses class alb.

Is your istio-ingressgateway using TLS (connection from ALB to istio-ingressgateway)? And if yes, could you provide your yaml from Ingress, Gateway and VirtualService?

I’ve done that too with Ingress for ALB with Wildcard certificate. But I couldn’t get TLS working for my Gateway, because ALB doesn’t speak SNI to the backends.

Did you resolve this? I’m seeing the same issue.

Unfortunately not… We are using AWS NLB right now with TCP passthrough mode.

@fhopeman How are you using NLB with it?
Client → NLB TCP 80 → NLB opens new TLS connection to istio-ingressgateway?
Am I correct here?

If and when you’ve time please have a look here - AWS load-balancer with TLS ingress-gateway · Issue #31421 · istio/istio · GitHub

Ok please ignore above, figured it out. Thanks for replying.