We’re investigating using Istio on AWS EKS and have a question regarding exposing the health of a service exposed outside of the cluster using an Ingress Gateway with a Network Load Balancer (NLB). At the moment, the health of the NLB would reflect the health of the envoy proxies (ingress proxies). What we need is the health of the NLB to reflect the health of the service behind all the layers (e.g. via NLB -> node_IP:NodePort -> envoy ingress -> Istio config -> service X pods readinessProbe). Is this possible?
The reason we think this is important is that several other AWS services use the health of elastic load balancers to infer the health of the endpoint, e.g. Route53 or Global Accelerator.
We’ve found some old issues about something that sounds similar, but unfortunately they never have all the detail, e.g. https://github.com/istio/istio/issues/9385 and https://github.com/istio/istio/issues/12503.
We currently use other ingress solutions (using either ALB Ingress Controller or NLB) but they get traffic straight into the service without Istio, meaning we won’t be able to do all the nice things the Istio way, like canary deploys or A/B testing.
FYI we’re on k8s 1.17 and Istio 1.7.1.
Any thoughts/help is appreciated.