2018 Posts1

Configuring Istio Ingress with AWS NLB

Ingress AWS Network Load Balancer

By Julien SENON / April 20, 2018

This post provides instructions to use and configure ingress Istio with AWS Network Load Balancer2.

Network load balancer (NLB) could be used instead of classical load balancer. You can see the comparison between different AWS loadbalancer for more explanation.

Prerequisites

The following instructions require a Kubernetes 1.9.0 or newer cluster.

Warning Usage of AWS nlb on Kubernetes is an Alpha feature and not recommended for production clusters.

IAM Policy

You need to apply policy on the master role in order to be able to provision network load balancer.

  1. In AWS iam console click on policies and click on create a new one:

    Create a new policy
    Create a new policy

  2. Select json:

    Select json
    Select json

  3. Copy/paste text below:

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "kopsK8sNLBMasterPermsRestrictive",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeVpcs",
                "elasticloadbalancing:AddTags",
                "elasticloadbalancing:CreateListener",
                "elasticloadbalancing:CreateTargetGroup",
                "elasticloadbalancing:DeleteListener",
                "elasticloadbalancing:DeleteTargetGroup",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeLoadBalancerPolicies",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeTargetHealth",
                "elasticloadbalancing:ModifyListener",
                "elasticloadbalancing:ModifyTargetGroup",
                "elasticloadbalancing:RegisterTargets",
                "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeVpcs",
                "ec2:DescribeRegions"
            ],
            "Resource": "*"
        }
    ]
}

  4. Click review policy, fill all fields and click create policy:

    Validate policy
    Validate policy

  5. Click on roles, select you master role nodes, and click attach policy:

    Attach policy
    Attach policy

  6. Your policy is now attach to your master node.

Rewrite Istio Ingress Service

You need to rewrite ingress service with the following:

apiVersion: v1
kind: Service
metadata:
  name: istio-ingress
  namespace: istio-system
  labels:
    istio: ingress
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
spec:
  externalTrafficPolicy: Local
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
    name: http
  - port: 443
    protocol: TCP
    targetPort: 443
    name: https
  selector:
    istio: ingress
  type: LoadBalancer

See also

Deploy a custom ingress gateway using cert-manager3

Describes how to deploy a custom ingress gateway using cert-manager manually.

Control Ingress Traffic4

Describes how to configure Istio to expose a service outside of the service mesh.

Securing Gateways with HTTPS5

Describes how to configure Istio to expose a service outside of the service mesh, over TLS, mutual TLS or JWT authentication.

Incremental Istio Part 1, Traffic Management6

How to use Istio for traffic management without deploying sidecar proxies.

Introducing the Istio v1alpha3 routing API7

Introduction, motivation and design principles for the Istio v1alpha3 routing API.

Traffic Mirroring with Istio for Testing in Production8

An introduction to safer, lower-risk deployments and release to production.


Introducing the Istio v1alpha3 routing API

Istio Soft Multi-tenancy Support