We found a workaround, yes. Thanks to this discussion: Istio Operator 1.6.8, install issues, NLB + Target groups being recreated
It seems like the issue came down to NLB and the way it connects to backend targets via NodePorts. Anytime our Istio Ingress got assigned a new NodePort, the NLB would temporarily drop connections.
So we solved the problem by adding specific node ports to our configuration, so that we’d just avoid the problem. Here’s an example showing what we added to our config… note that I’ve edited this down to just show the relevant bits:
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  components:
    ingressGateways:
      - enabled: true
        k8s:
          service:
            ports:
              - name: status-port
                port: 15021
                targetPort: 15021
                nodePort: 30000 # we made this number up, range is 30000-32767
              - name: http2
                port: 80
                targetPort: 8080
                nodePort: 30001 # we made this number up, range is 30000-32767
              - name: https
                port: 443
                targetPort: 8443
                nodePort: 30002 # we made this number up, range is 30000-32767
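
A pre-deploy check for the workaround above, added here as an example and not part of the original post: it flags ingress gateway Service ports whose nodePort is unpinned, outside the 30000-32767 range mentioned in the post, or reused. The function name `lint_gateway_ports`, the helper `make_operator` and the `UNPINNED` sample are hypothetical, and the manifest is assumed to be already parsed into a dict.

```python
# Added example: lint an IstioOperator spec (already parsed into a dict)
# so every ingress gateway Service port has a fixed, valid, unique nodePort.
NODEPORT_RANGE = range(30000, 32768)  # 30000-32767, the range given in the post


def lint_gateway_ports(operator):
    """Return a list of findings; an empty list means all ports are pinned."""
    findings, seen = [], {}  # seen: nodePort -> port name, across all gateways
    components = operator.get("spec", {}).get("components", {})
    for i, gw in enumerate(components.get("ingressGateways", [])):
        if not gw.get("enabled"):
            continue  # disabled gateways create no Service
        ports = gw.get("k8s", {}).get("service", {}).get("ports", [])
        for p in ports:
            name, node_port = p.get("name", "<unnamed>"), p.get("nodePort")
            if node_port is None:
                findings.append(f"gateway[{i}] {name}: nodePort not pinned")
            elif node_port not in NODEPORT_RANGE:
                findings.append(f"gateway[{i}] {name}: nodePort {node_port} out of range")
            elif node_port in seen:
                findings.append(
                    f"gateway[{i}] {name}: nodePort {node_port} duplicates {seen[node_port]}")
            else:
                seen[node_port] = name
    return findings


def make_operator(ports):
    """Wrap a ports list in the minimal IstioOperator structure from the post."""
    return {"apiVersion": "install.istio.io/v1alpha1", "kind": "IstioOperator",
            "spec": {"components": {"ingressGateways": [
                {"enabled": True, "k8s": {"service": {"ports": ports}}}]}}}


# The configuration from the post.
PINNED = make_operator([
    {"name": "status-port", "port": 15021, "targetPort": 15021, "nodePort": 30000},
    {"name": "http2", "port": 80, "targetPort": 8080, "nodePort": 30001},
    {"name": "https", "port": 443, "targetPort": 8443, "nodePort": 30002},
])

# Constructed sample with one unpinned, one duplicate and one out-of-range port.
UNPINNED = make_operator([
    {"name": "status-port", "port": 15021, "targetPort": 15021, "nodePort": 30000},
    {"name": "http2", "port": 80, "targetPort": 8080},
    {"name": "https", "port": 443, "targetPort": 8443, "nodePort": 30000},
    {"name": "tls", "port": 15443, "targetPort": 15443, "nodePort": 8443},
])

if __name__ == "__main__":
    for finding in lint_gateway_ports(UNPINNED):
        print(finding)
```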