Unhealthy targets when provisioning ALB Ingress with Istio Ingress Gateway as backend

The EKS node targets show as unhealthy when deploying an ALB ingress in AWS with the Load Balancer Controller.

Istio Ingress Gateway is provisioned as NodePort and I have obtained the correct port, which in my case is 32403. The nodes' security groups allow traffic on 32403 from the load balancer.

Here is the ingress, which creates the following:

  • ALB
  • only one listener on 443
  • listener rule 1 - /healthz/ready/* that forwards to target group 1
  • listener rule 2 - /* that forwards to target group 2
  • listener rule 3 - Request is not otherwise routed - returns 404

Not sure what I’m missing but shouldn’t there be a listener for 15201 as well?

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/scheme: internal
    alb.ingress.kubernetes.io/load-balancer-name: k8s-lb
    alb.ingress.kubernetes.io/load-balancer-attributes: access_logs.s3.enabled=true,access_logs.s3.bucket=recp-entres-cb-alblogs,access_logs.s3.prefix=lb-logs,routing.http.drop_invalid_header_fields.enabled=true,deletion_protection.enabled=true
    alb.ingress.kubernetes.io/security-groups: sg-xxxxxxxxxxx
    alb.ingress.kubernetes.io/manage-backend-security-group-rules: "true"
    alb.ingress.kubernetes.io/subnets: subnet-xxxxxxxxxxx, subnet-xxxxxxxxxxx, subnet-xxxxxxxxxxx
    alb.ingress.kubernetes.io/healthcheck-path: /healthz/ready
    alb.ingress.kubernetes.io/healthcheck-port: "32403"
    alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
    alb.ingress.kubernetes.io/backend-protocol: HTTPS
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:eu-west-1:11111111111111:certificate/7773d18b-842c-488e-91ea-a36gh9866232
    alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS-1-2-Ext-2018-06
    alb.ingress.kubernetes.io/shield-advanced-protection: 'false'
  name: gateway-ingress
  namespace: istio-ingress
spec:
  ingressClassName: alb
  rules:
  - http:
      paths:
      - backend:
          service:
            name: istio-ingressgateway
            port:
              number: 15021
        path: /healthz/ready
        pathType: Prefix
      - backend:
          service:
            name: istio-ingressgateway
            port:
              number: 443
        path: /
        pathType: Prefix