One Istio gateway for 2 applications on 2 separate application load balancers

In an EKS setup, I have 2 applications on the same cluster. For security reasons I need to use security groups to block/allow specific traffic to each, hence the need for 2 ALBs. The question is:

Can I use the same gateway for both hosts even though, for each application the traffic is sent through a different ALB?

Yes, but using two ALBs you will need to do two things:

  1. The Istio ingress gateway will need to be switched to the NodePort service type
  2. Create 2 Ingress resources with the alb.ingress annotations for the AWS ALB controller

Using the annotations on the ingress resources you can also specify which subnets and security groups to attach to.

It will end up looking like this:

 ┌──────────┐           ┌──────────┐
 │ AWS ALB  │           │ AWS ALB  │
 └────┬─────┘           └────┬─────┘
      │                      │
 ┌────▼───────┐         ┌────▼───────┐
 │K8S Ingress │         │K8S Ingress │
 └────┬───────┘         └────┬───────┘
      │                      │
      │                      │
┌─────▼──────────────────────▼─────────┐
│                                      │
│   IngressGateway (nodePort)          │
└─────┬──────────────────────┬─────────┘
      │                      │
 ┌────▼─────────┐       ┌────▼─────────┐
 │VirtualService│       │VirtualService│
 └────┬─────────┘       └────┬─────────┘
      │                      │
 ┌────▼───┐             ┌────▼───┐
 │Service │             │Service │
 └────┬───┘             └────┬───┘
      │                      │
 ┌────▼───────┐         ┌────▼───────┐
 │Pods        │         │Pods        │
 │(your app)  │         │(your app)  │
 └────────────┘         └────────────┘

This is not the only way, but the ALB controller from AWS only creates ALBs for nodePort ingress types, and creates NLBs for everything else it seems.

Another option is to not share the ingressgateway and just duplicate it.
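The manifests below are an added illustration of the shared-gateway layout from the answer above; they are not part of the original post or of the Istio or AWS projects. They assume the Istio ingress gateway is installed with an IstioOperator overlay, that the AWS Load Balancer Controller is running with the `alb` ingress class, and that the hostnames `app-a.example.com` / `app-b.example.com`, the namespaces `app-a` / `app-b`, the fixed NodePort `30021` and every `subnet-…` / `sg-…` ID are constructed placeholders.

```yaml
# Step 1: switch the ingress gateway Service to NodePort. Only the status
# port is overridden here so its NodePort is fixed and the ALB health check
# can reach the gateway's /healthz/ready endpoint (15021 inside the pod).
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: ingress-nodeport
spec:
  components:
    ingressGateways:
      - name: istio-ingressgateway
        enabled: true
        k8s:
          service:
            type: NodePort
            ports:
              - name: status-port
                port: 15021
                targetPort: 15021
                nodePort: 30021      # placeholder value, pick a free NodePort
---
# Step 2a: one Ingress per application. Each gets its own ALB, placed in the
# subnets and attached to the security group given in the annotations, so
# traffic to app A can be filtered independently of app B. The Ingress lives
# in istio-system because its backend is the gateway Service there.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-a-alb
  namespace: istio-system
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: instance     # NodePort backend
    alb.ingress.kubernetes.io/subnets: subnet-PLACEHOLDER-1,subnet-PLACEHOLDER-2
    alb.ingress.kubernetes.io/security-groups: sg-PLACEHOLDER-app-a
    alb.ingress.kubernetes.io/healthcheck-port: "30021"  # NodePort of status-port
    alb.ingress.kubernetes.io/healthcheck-path: /healthz/ready
spec:
  ingressClassName: alb
  rules:
    - host: app-a.example.com      # ALB listener rule: only this Host is forwarded
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: istio-ingressgateway
                port:
                  number: 80
---
# Step 2b: same shape for app B, different ALB, subnets and security group.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-b-alb
  namespace: istio-system
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: instance
    alb.ingress.kubernetes.io/subnets: subnet-PLACEHOLDER-3,subnet-PLACEHOLDER-4
    alb.ingress.kubernetes.io/security-groups: sg-PLACEHOLDER-app-b
    alb.ingress.kubernetes.io/healthcheck-port: "30021"
    alb.ingress.kubernetes.io/healthcheck-path: /healthz/ready
spec:
  ingressClassName: alb
  rules:
    - host: app-b.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: istio-ingressgateway
                port:
                  number: 80
---
# The single shared Istio Gateway accepts both hosts on the same gateway pods.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: shared-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
    - port: {number: 80, name: http, protocol: HTTP}
      hosts: [app-a.example.com, app-b.example.com]
---
# One VirtualService per app routes its host to its own Service; app B's is
# identical apart from the host and destination.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: app-a
  namespace: app-a
spec:
  hosts: [app-a.example.com]
  gateways: [istio-system/shared-gateway]
  http:
    - route:
        - destination:
            host: app-a.app-a.svc.cluster.local
            port: {number: 80}
```

Two points worth checking in this layout. First, the security groups in the annotations only govern who can reach each ALB; the worker nodes' own security group must still allow inbound traffic from each ALB's security group to the gateway NodePorts (the controller can manage those node-side rules, or you add them yourself), otherwise the targets stay unhealthy. Second, because both ALBs land on the same gateway, the separation between the two applications rests on the `host` rule in each Ingress: the ALB for app A forwards only requests whose Host header matches `app-a.example.com`, so a client that is allowed through sg-PLACEHOLDER-app-a cannot use that ALB to reach app B's VirtualService. Leave the host rule out and the ALB becomes a catch-all that forwards any Host to the shared gateway.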