Removing status-port from exposed ports of an ingressgateway load balancer

Hi.
When setting up Istio with an ingress-gateway load balancer, it tries to expose several ports. In addition to my desired 80 and 433, there is also 15021 “status-port” by default (see manifests). In version 1.9 and earlier there were even more ports exposed.

The only information I found is that this status-port seems to be an Envoy port which can be used for health checks, and it is said to be important for it to be the first in the list because of AWS ELB health checks.

I have a lot of concerns given this limited information :sweat_smile::

  1. If I’m happy with my app responding on ports 80/443 being used for my monitoring health checks, is it OK not to expose a status-port? This is even more important if I have a public load balancer and want to limit public ports as much as possible for security reasons.
  2. The comment in the manifests states that the first port is used for AWS ELB health checks. Is it relevant only for the Classic AWS Load Balancer? Application and Network Load Balancers use target health checks (for every port in use) rather than one global check, as far as I know. Or am I missing something?
  3. Question to maintainers (hopefully they read this): if 1 and 2 are correct, i.e. the port is not mandatory and is important for a Classic Load Balancer only, does it make sense to remove it from the defaults and describe a process for exposing it in additional docs?
  4. Also a suggestion to maintainers: it would be really nice to have denser documentation on these ports. It took me a long time to find only limited information on port 15021. It is mentioned in several places as the status port or health-check port, but there is no detailed information on how and whether I should use it, and whether I can remove it.

Thanks in advance.

Did you ever get clarity on this question (whether port 15021 needs to remain exposed on an NLB / ALB)? I am wondering the same.

See this issue for more info: Document limiting ingress gateway ports exposed via load balancer · Issue #30104 · istio/istio · GitHub

You can edit the k8s.service.ports settings of the ingress gateway in the IstioOperator CRD.

```yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  components:
    ingressGateways:
      - name: istio-ingressgateway
        enabled: true
        k8s:
          service:
            # Only the ports listed here end up on the LoadBalancer Service;
            # the default status-port (15021) is deliberately left out.
            ports:
              - name: http2
                port: 80
                protocol: TCP
                targetPort: 8080
              - name: https
                port: 443
                protocol: TCP
                targetPort: 8443
```
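After applying such an override, the check a practitioner wants is whether the resulting Service really exposes only the intended ports, and which port a Classic ELB would hit for its health check now that 15021 is gone (the first port in the list, per the manifest comment discussed in the thread). The following is an added example, not code from the thread or from the Istio project; it reads the JSON that `kubectl get svc -o json` produces for the gateway Service. Both Service documents below are constructed samples: one mirrors the default layout with status-port listed first, the other the trimmed layout from the override above. The allow-list {80, 443} is the thread author's choice, not an Istio default.

```python
"""Audit the ports an Istio ingress-gateway Service exposes via its load balancer.

Added example (not Istio's own code). Input is the JSON of a Kubernetes Service
as returned by `kubectl get svc <name> -n istio-system -o json`.
"""
import json
import sys
from typing import Optional

# Constructed sample: default-style Service, status-port (15021) listed first.
DEFAULT_GATEWAY_SERVICE = json.dumps({
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {"name": "istio-ingressgateway", "namespace": "istio-system"},
    "spec": {
        "type": "LoadBalancer",
        "ports": [
            {"name": "status-port", "port": 15021, "protocol": "TCP", "targetPort": 15021},
            {"name": "http2", "port": 80, "protocol": "TCP", "targetPort": 8080},
            {"name": "https", "port": 443, "protocol": "TCP", "targetPort": 8443},
        ],
    },
})

# Constructed sample: Service after overriding k8s.service.ports to 80 and 443 only.
TRIMMED_GATEWAY_SERVICE = json.dumps({
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {"name": "istio-ingressgateway", "namespace": "istio-system"},
    "spec": {
        "type": "LoadBalancer",
        "ports": [
            {"name": "http2", "port": 80, "protocol": "TCP", "targetPort": 8080},
            {"name": "https", "port": 443, "protocol": "TCP", "targetPort": 8443},
        ],
    },
})


def exposed_ports(service_json: str) -> list:
    """Return the Service's port entries as dicts with name, port and targetPort."""
    svc = json.loads(service_json)
    if svc.get("kind") != "Service":
        raise ValueError(f"expected a Service document, got {svc.get('kind')!r}")
    return [
        {"name": p.get("name", ""), "port": p["port"], "targetPort": p.get("targetPort")}
        for p in svc.get("spec", {}).get("ports", [])
    ]


def unexpected_ports(service_json: str, allowed) -> list:
    """Ports the load balancer would expose that are not on the allow-list."""
    return [p["port"] for p in exposed_ports(service_json) if p["port"] not in allowed]


def classic_elb_health_check_port(service_json: str) -> Optional[int]:
    """First listed port: the one a Classic AWS ELB health-checks according to
    the Istio manifest comment. None if the Service lists no ports at all."""
    ports = exposed_ports(service_json)
    return ports[0]["port"] if ports else None


def audit(service_json: str, allowed=frozenset({80, 443})) -> dict:
    """Summarise exposure: unexpected ports, health-check port, and an overall verdict."""
    extra = unexpected_ports(service_json, allowed)
    hc_port = classic_elb_health_check_port(service_json)
    return {
        "unexpected_ports": extra,
        "health_check_port": hc_port,
        # OK only if nothing outside the allow-list is exposed and the port a
        # Classic ELB would probe is one we actually serve traffic on.
        "ok": not extra and hc_port in allowed,
    }


if __name__ == "__main__":
    # Usage: kubectl get svc istio-ingressgateway -n istio-system -o json | python3 audit.py
    # With no stdin, fall back to the constructed default-style sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else DEFAULT_GATEWAY_SERVICE
    print(json.dumps(audit(data), indent=2))
```

Running the script on the default-style sample reports 15021 as unexpected and as the first-listed (health-check) port; on the trimmed sample it reports no extra ports and 80 as the health-check port, which is the situation the thread's question 2 is about: once 15021 is gone, whatever a Classic ELB probes must be a port your application actually answers on.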