Having issue in installing istio on private eks cluster


I installed Istio in an EKS cluster which is in a private subnet. After installing, Istio launches an NLB with type internal. Because of that, I can't get traffic from the open internet to the cluster. I also created an ALB to forward traffic from the open internet to the NLB created by Istio using a target group. I'm getting a failed health check in the target group for port 80. If I set 15021 and the health check API /healthz/ready, I will receive traffic only for the health check API.

How can I get traffic from the open internet to my cluster?

Gary Archer On

Not sure if this is a complete answer, but this is how I did it for a demo project a while ago, and it might give you some ideas for your own solution. First create a Gateway resource associated with a domain name from Route 53:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-ingress-gateway
spec:
  selector:
    istio: ingressgateway   # binds to the istio-ingressgateway Service in istio-system
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTP        # TLS is terminated by the NLB (see the patch below), so the gateway sees plain HTTP on 443
    hosts:
    - "*.mydomain.com"      # only Host headers under this domain are accepted

Then I created a load balancer patch that maps to a managed certificate for the wildcard domain and its subdomains. The wildcard cert is issued by AWS Certificate Manager:

# loadbalancer-patch.yaml: merged into the istio-ingressgateway Service
metadata:
  annotations:
    # ACM certificate the NLB presents to clients
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:eu-west-2:090109105180:certificate/dc694f17-9ca0-4c83-be8c-f23382b59137
    # Service port(s) on which the NLB terminates TLS
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
    # NLB forwards to the ingress gateway as plain TCP after terminating TLS
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: tcp

Apply the resources, which in effect creates an API gateway with nothing exposed yet:

# Patch the ingress gateway Service, then create the Gateway resource
INGRESS_PATCH=$(cat ./loadbalancer-patch.yaml)
kubectl -n istio-system patch service istio-ingressgateway --patch "$INGRESS_PATCH"
kubectl -n istio-system apply -f gateway.yaml

# Hostname of the NLB that AWS provisioned for the Service (empty until it is ready)
CLUSTER_ADDRESS=$(kubectl -n istio-system get svc istio-ingressgateway -o jsonpath="{.status.loadBalancer.ingress[0].hostname}")
echo "The cluster's external address is $CLUSTER_ADDRESS"

Then expose a component like this:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: myapiroute
spec:
  hosts:
  - api.mydomain.com
  gateways:
  - istio-system/istio-ingress-gateway
  http:
  - route:
    - destination:
        host: myapi
        port:
          number: 3000

Then add an A record in Route 53 that maps the CLUSTER_ADDRESS to the API subdomain, and wait a few minutes for the subdomain to become available.
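As an added consistency check for the exposure described in this answer (example code, not part of the answer or of Istio), the script below verifies that the VirtualService binds to the Gateway, that its host falls inside the Gateway's wildcard, that the Gateway does not accept any Host header, and that plain HTTP on port 443 is only allowed when the NLB patch actually terminates TLS. The manifests are embedded in parsed form (what yaml.safe_load would return) and the certificate ARN is a placeholder.

```python
# Parsed form (yaml.safe_load output) of the three manifests above, embedded
# so the check runs offline; the ARN is a placeholder, not a real certificate.
GATEWAY = {"metadata": {"name": "istio-ingress-gateway"},
           "spec": {"servers": [{"port": {"number": 443, "name": "https", "protocol": "HTTP"},
                                 "hosts": ["*.mydomain.com"]}]}}
LB_PATCH = {"metadata": {"annotations": {
    "service.beta.kubernetes.io/aws-load-balancer-ssl-cert": "arn:aws:acm:REGION:ACCOUNT:certificate/ID",
    "service.beta.kubernetes.io/aws-load-balancer-ssl-ports": "https",
    "service.beta.kubernetes.io/aws-load-balancer-backend-protocol": "tcp"}}}
VIRTUAL_SERVICE = {"spec": {"hosts": ["api.mydomain.com"],
                            "gateways": ["istio-system/istio-ingress-gateway"]}}

ANN = "service.beta.kubernetes.io/aws-load-balancer-"


def host_covered(vs_host: str, gw_host: str) -> bool:
    """Istio Gateway host matching: '*' covers everything, '*.x' covers any
    subdomain of x (not x itself), anything else must match exactly.
    An optional 'namespace/' prefix on the Gateway host is ignored here."""
    gw_host = gw_host.split("/", 1)[-1]
    if gw_host == "*":
        return True
    if gw_host.startswith("*."):
        return vs_host.endswith(gw_host[1:])
    return vs_host == gw_host


def check_exposure(gateway, virtual_service, lb_patch, gw_namespace="istio-system"):
    """Return a list of findings; an empty list means the exposure is consistent."""
    findings = []
    ref = f"{gw_namespace}/{gateway['metadata']['name']}"
    if ref not in virtual_service["spec"]["gateways"]:
        findings.append(f"VirtualService does not bind to {ref}")
    servers = gateway["spec"]["servers"]
    gw_hosts = [h for s in servers for h in s["hosts"]]
    if any(h.split("/", 1)[-1] == "*" for h in gw_hosts):
        findings.append("Gateway host '*' accepts any Host header; prefer a domain-scoped wildcard")
    for h in virtual_service["spec"]["hosts"]:
        if not any(host_covered(h, g) for g in gw_hosts):
            findings.append(f"VirtualService host {h} is not covered by Gateway hosts {gw_hosts}")
    ann = lb_patch.get("metadata", {}).get("annotations", {})
    for s in servers:
        port = s["port"]
        if port["protocol"].upper() == "HTTP" and port["number"] == 443:
            # Plain HTTP on 443 is only acceptable when the NLB terminates TLS in front of it
            if ANN + "ssl-cert" not in ann:
                findings.append("port 443 serves plain HTTP and no NLB certificate is configured")
            elif ann.get(ANN + "ssl-ports") != port["name"]:
                # heuristic: the answer uses the same name for the Service and Gateway port
                findings.append(f"NLB ssl-ports should name the TLS-terminated port '{port['name']}'")
    return findings
```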