Posted in Software Engineering

Istio Ingress and DNS

Istio ingress provides external access to your mesh. You can follow the official documentation to find your $INGRESS_HOST:$INGRESS_PORT combination. That works, but what if the service client knows nothing about the mesh implementation? All it needs is a unique hostname to reach a specific service.

For example, you have a myapp service running in the myns namespace. The goal is to expose this service outside the K8s cluster under its own DNS name in your domain. Let's assume you own that domain. In this case, the exposed myapp service URL would be:

Let's follow the steps to achieve this on AWS by configuring:

  • Istio Gateway
  • AWS Route 53
  • Istio VirtualService

1. Issue Certificates for Istio Ingress

You can follow this guide to issue certificates, or ask your security team to provide them.

We need a '*' wildcard certificate for your domain so that a single certificate matches all the service endpoints. Note that a wildcard covers exactly one DNS label: it matches myapp.<your-domain> but not a.b.<your-domain>, so nested subdomains would need their own certificate.

In this demo, we'll use the wildcard certificate and the guide above:

./ * <password>

2. Store the certificate in the Istio ingress gateway secret

We'll continue with plain TLS (server certificate only). You can use mTLS instead by setting the Gateway's tls mode to MUTUAL, which additionally requires a CA bundle for validating client certificates.

The default ingress gateway mounts a secret named istio-ingressgateway-certs from the istio-system namespace at /etc/istio/ingressgateway-certs, which is where the Gateway object below points. Replace the placeholders with the paths to your wildcard key and certificate:

$ kubectl create -n istio-system secret tls istio-ingressgateway-certs --key <path/to/wildcard.key> --cert <path/to/wildcard.crt>

Keep in mind that this secret holds the private key for every hostname in your domain: anyone who can read secrets in istio-system can impersonate all of your services, so restrict that RBAC permission accordingly.

3. Configure Istio Gateway Object

Create a Gateway object that terminates TLS on port 443 for any host ("*"). In production, narrow the hosts list to your wildcard domain so the gateway only answers for names you actually own:

cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: my-istio-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE # gateway terminates TLS with the wildcard certificate
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - "*" # any SNI/Host; narrow this to your wildcard domain in production
EOF

4. Create AWS ELB with TCP listener or NLB

Create the AWS Load Balancer with a TCP (not HTTPS) listener on port 443. A TCP listener passes the client's TLS handshake, including the SNI, through to the Istio gateway, which holds the certificate and terminates TLS; an HTTPS listener would terminate TLS at the load balancer instead and break this setup. Use the K8s minions (worker nodes) as target hosts and port 31390, the default Istio ingress TLS NodePort. That NodePort varies by Istio version and installation, so confirm it from the https port of the istio-ingressgateway service in the istio-system namespace rather than assuming it.

5. Configure Route 53 with ELB/NLB record

Navigate to the Route 53 page in the AWS console.

NOTE: the hosted zone for your domain must already exist in Route 53.

Choose the hosted zone and create a Record Set.

Configure the Record Set with the wildcard name (*) as an Alias record and select the ELB/NLB DNS name from step 4 as the Alias Target. Every hostname under the domain now resolves to the load balancer; which service answers is decided by the VirtualService host match in the next step, and unmatched hostnames get a 404 from the gateway.

6. Configure Istio VirtualService Object for Myapp

In this step, we'll configure the mapping between the externally resolvable DNS name and the in-cluster myapp service. The hosts entry must be the exact hostname clients will use (the one covered by the wildcard record and certificate), and the gateways entry binds the rule to the Gateway from step 3:

cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: myapp
  namespace: myns
spec:
  hosts:
  - "<myapp hostname in your domain>" # external DNS name resolved in step 5
  gateways:
  - my-istio-gateway.istio-system.svc.cluster.local
  http:
  - route:
    - destination:
        host: myapp.myns.svc.cluster.local
        port:
          number: 8443
EOF

This VirtualService matches requests whose Host/SNI is the external myapp hostname and routes them to myapp.myns.svc.cluster.local:8443 inside the cluster. Because the Gateway terminates TLS (mode: SIMPLE), the hop from the gateway to the service is plaintext (or mesh mTLS, if you have enabled it); if myapp itself expects TLS on 8443, add a DestinationRule with TLS origination for that host and port.


Use curl or any REST client to test; a 200 from the exposed myapp URL confirms the whole path from DNS through the load balancer, Gateway and VirtualService to the service:

curl -o /dev/null -s -w '%{http_code}\n'
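The functions below are an added example, not part of the original post, that tie the steps above together for checking from the command line: they verify that a hostname is actually covered by the wildcard certificate, look up the gateway's https NodePort for the ELB target (step 4), emit the Route 53 wildcard alias as a CLI change batch instead of console clicks (step 5), and probe the gateway through the load balancer with curl --resolve so the test works before the DNS record propagates. The domain example.com, the hostname myapp.example.com, the load balancer name and the zone IDs are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example (not from the original post). All hostnames, LB names and
# zone IDs used here are assumptions for illustration.
set -eu

# Wildcard certificates cover exactly one DNS label: *.example.com covers
# myapp.example.com but neither example.com nor api.myapp.example.com.
# Returns 0 when HOST is covered by the wildcard certificate for DOMAIN.
host_in_wildcard() {
  host=$1; domain=$2
  case "$host" in
    *.*."$domain") return 1 ;;   # two or more labels under the domain
    ?*."$domain")  return 0 ;;   # exactly one label: covered
    *)             return 1 ;;   # bare domain or a different domain
  esac
}

# NodePort of the default ingress gateway's https port; this is the target
# port for the TCP listener on the ELB/NLB (31390 on older installs, but
# check instead of assuming).
ingress_https_nodeport() {
  kubectl -n istio-system get svc istio-ingressgateway \
    -o jsonpath='{.spec.ports[?(@.name=="https")].nodePort}'
}

# Route 53 change batch for the wildcard alias record (step 5 via the CLI).
# LB_ZONE_ID is the load balancer's own hosted zone ID as reported by
# `aws elb describe-load-balancers`, not the hosted zone of your domain.
route53_wildcard_alias() {
  domain=$1; lb_dns=$2; lb_zone_id=$3
  cat <<EOF
{"Comment": "wildcard alias to Istio ingress",
 "Changes": [{"Action": "UPSERT",
   "ResourceRecordSet": {"Name": "*.$domain.", "Type": "A",
     "AliasTarget": {"HostedZoneId": "$lb_zone_id",
                     "DNSName": "$lb_dns",
                     "EvaluateTargetHealth": false}}}]}
EOF
}
# Apply with:
#   aws route53 change-resource-record-sets --hosted-zone-id <ZONE_ID> \
#     --change-batch "$(route53_wildcard_alias example.com <lb-dns-name> <LB_ZONE_ID>)"

# Probe the gateway through the load balancer before DNS propagates.
# --resolve pins HOST to one of the LB's IP addresses (dig +short <lb dns>),
# so both the SNI and the Host header carry the external name the
# VirtualService matches on. Prints the HTTP status: 200 means the whole
# chain lines up, 404 usually means no VirtualService matched the Host.
probe_ingress() {
  host=$1; lb_ip=$2
  curl -sS -o /dev/null -w '%{http_code}\n' \
    --resolve "$host:443:$lb_ip" "https://$host/"
}

# Confirm the certificate presented for that SNI is the wildcard one and not
# a default/self-signed certificate, which would indicate the secret from
# step 2 was not mounted into the gateway.
gateway_cert_subject() {
  host=$1; lb_ip=$2
  printf '' | openssl s_client -connect "$lb_ip:443" -servername "$host" 2>/dev/null \
    | openssl x509 -noout -subject
}

# Usage: sh check-ingress.sh myapp.example.com example.com <LB IP>
if [ "$#" -eq 3 ]; then
  host_in_wildcard "$1" "$2" || { echo "$1 is not covered by *.$2" >&2; exit 1; }
  echo "https NodePort: $(ingress_https_nodeport)"
  echo "certificate:    $(gateway_cert_subject "$1" "$3")"
  echo "status:         $(probe_ingress "$1" "$3")"
fi
```

The single-label check matters because the Route 53 wildcard record happily resolves a.b.example.com to the load balancer, and a VirtualService for that name will route, but the gateway will present a certificate that does not match it and clients will fail the handshake; catching that before creating the VirtualService saves a confusing debugging session.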

