I managed to configure AWS ALB to point to istio ingress gateway using what is described here https://stackoverflow.com/a/62463576/2429333
How I understand it works right now is:
Client -> ALB -> Istio ingress gateway -> application pods
and with an LB created with using serviceAnnotations on Istio service it is:
Client -> ELB/NLB -> application pods
Is that correct? If so how can I use ALB with Istio and get rid of that additional network hop?
If you followed that stack overflow, then the alb ingress controller is running on your cluster.
All you need to do is create an ingress yaml similar to the one that points to the istio ingress gateway, but instead of the backend being istio ingress gateway, set the backend to be the name of your application pod.
Note that, at least how I understand it, this will connect directly to the specific backend pod and you will lose the ability to set up service mesh routing and destination rules, because all of that routing happens on the envoy proxy where the request comes from, and the alb doesn’t have an envoy proxy if you bypass the ingress gateway.
Thank you for your answer it gave me some insight. To make sure, e.g. when I use Istio with ingress gateway Service of nodeType: LoadBalancer (default setup without ALB as a separate Ingress) I still have an ELB/NLB that is routing traffic to istio ingress-gateway service (but somehow setup automatically for me), correct? I don’t have any optimization coming from the fact that annotation is directly on the Service resource, right? I just wanted to make sure that my current setup is correct and optimal for an ALB scenario.