Istio Service Mesh with ALB in EKS

Prerequisites

As shown above, we create three Route 53 hosted zones: one public zone, “domain.cloud”, and two zones with the same name, “internal-domain.cloud”: a public one (used only to validate the ACM certificate via a CNAME record) and a private one associated with the EKS VPC, so that the internal names resolve only inside the VPC.

Once all of the prerequisites above are in place, let's proceed with the implementation.

2. Install Istio with the default profile and the ingress gateway service type set to NodePort. Verify the installation with kubectl get po -n istio-system; you should see the Istio pods running.

3. Next, attach the istio-injection label to the application namespace, in this case called “learn”. This label tells Istio to inject a proxy sidecar into the pods running in that namespace. If you deployed the application before labelling the namespace, you will need to delete the existing pods so they are recreated with the sidecar.

5. Create a Kubernetes secret containing key.pem and cert.pem. We will reference it from the Istio Gateway to encrypt traffic between the ALB and the mesh.

7. Now we have to configure traffic routing for Istio using a Gateway and VirtualServices. Apply the manifest files mentioned below.

One Istio VirtualService resource is created per application:
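As an added example (not the manifests from the original post), this is what the Gateway from step 5 and one per-application VirtualService from step 7 can look like. The Gateway name learn-gateway, the secret name learn-tls, and the Java Service name and port are assumptions; the nginx application gets an identical VirtualService with its own host and destination.

```yaml
# Istio Gateway for the "learn" namespace, terminating HTTPS with the
# key.pem/cert.pem secret from step 5. Caveat: with tls.credentialName the
# secret must live in the namespace of the ingress gateway pods
# (istio-system), not in "learn", or the gateway cannot load it.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: learn-gateway            # assumed name
  namespace: learn
spec:
  selector:
    istio: ingressgateway        # label of the default istio-ingressgateway pods
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: learn-tls  # assumed secret name (kubectl create secret tls)
    hosts:
    - "*.some-domain.cloud"      # wildcard: one Gateway serves every subdomain
---
# One VirtualService per application: the Host header selects the backend
# Service, so adding an app needs no change to the ALB Ingress.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: java
  namespace: learn
spec:
  hosts:
  - java.some-domain.cloud       # subdomain from step 11
  gateways:
  - learn-gateway
  http:
  - route:
    - destination:
        host: java.learn.svc.cluster.local   # assumed Service name
        port:
          number: 8080                       # assumed Service port
```

Because the Gateway host is a wildcard, a request for a subdomain with no matching VirtualService is rejected by Istio rather than forwarded, which is the behaviour you want when the ALB also carries a wildcard rule.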

Once the Ingress is installed, it provisions an internet-facing AWS Application Load Balancer, binds the ACM certificate to it for HTTPS traffic and forwards traffic to the Istio resources inside the EKS cluster. You can get the generated manifest of the Ingress resource using

9. Now you might be wondering why we created a wildcard SSL certificate in ACM in step 6 while in step 8 we only attached a single subdomain: how can we use a single Ingress to expose multiple services?
The answer is that, due to templating issues, we cannot pass the wildcard domain to the Helm chart above. To work around that, once the Ingress is created we edit the Ingress resource and change the host rule to the wildcard domain:

Go to spec.rules.host; it will currently look like this:

Change it to the wildcard domain:

That is, replace dummy.some-domain.cloud with the wildcard ‘*.some-domain.cloud’ (don't forget the single quotes, otherwise the asterisk is not valid YAML).

10. The last step is to create a wildcard Route 53 entry pointing at your internet-facing ALB. Whenever a VirtualService with a subdomain of that domain is created, its traffic is routed by default to the ALB, from there to the Istio Gateway and on to the VirtualService, which serves it.

11. The final step is to verify that your services are running fine. In the example above I created and exposed two services publicly: a Java service via the domain “java.some-domain.cloud” and the nginx home page via “nginx.some-domain.cloud”. Let's test whether both applications are accessible.

Java application:

Nginx application:

As you can see both services are deployed and accessible over their respective endpoints.

In the previous example we fronted Istio with a public, internet-facing ALB. In many production environments there is a requirement for internal domains that are not exposed to the internet and are reachable only from within the VPC and your VPN (an internal UI dashboard, for example). For that you need an internal ALB with Istio, so I will show how this can be achieved.

Change the Ingress name to internal.

After these changes we can deploy the Helm chart to install the Ingress.

Here, as you can see, I create a new Ingress using the ‘helm-internal’ chart.

5. As in step 9 of the previous example, we need to edit the Ingress host rule to the wildcard internal domain (*.some-internal-domain.cloud):
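Here is the resulting ALB Ingress with the wildcard host already in place, as an added example covering both step 9 of the public setup and step 5 of this internal setup (it is not the post's Helm chart output). It assumes the AWS Load Balancer Controller with an IngressClass named alb (older controllers use the kubernetes.io/ingress.class annotation instead), the Ingress name istio-external, a placeholder ACM certificate ARN, and that the ALB health-checks the Istio status port 15021 in IP target mode.

```yaml
# ALB Ingress in front of the istio-ingressgateway Service. It lives in
# istio-system because an Ingress can only target Services in its own
# namespace. One wildcard host rule is enough for every subdomain.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: istio-external               # assumed name
  namespace: istio-system
  annotations:
    # "internet-facing" for the public ALB; "internal" for the VPC-only ALB
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
    # wildcard ACM certificate from step 6 (placeholder ARN)
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:REGION:ACCOUNT_ID:certificate/CERTIFICATE_ID
    # ALB re-encrypts towards the HTTPS Istio Gateway (cert from step 5)
    alb.ingress.kubernetes.io/backend-protocol: HTTPS
    # pod IPs as targets, so the health check can hit the gateway's
    # status port instead of the TLS listener (assumed Istio status port)
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/healthcheck-port: '15021'
    alb.ingress.kubernetes.io/healthcheck-path: /healthz/ready
spec:
  ingressClassName: alb
  rules:
  - host: '*.some-domain.cloud'     # wildcard, not dummy.some-domain.cloud
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: istio-ingressgateway
            port:
              number: 443
```

For the internal ALB the only differences are the scheme annotation set to internal, the host set to '*.some-internal-domain.cloud' and the certificate ARN of the internal domain; the ALB then gets private subnet addresses and is reachable only from the VPC or VPN.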

6. Once the Ingress is installed, it provisions an AWS Application Load Balancer, binds the ACM certificate to it for HTTPS traffic and forwards traffic to the Istio resources inside the EKS cluster. You can get the generated manifest of the internal ALB Ingress resource using:

Once Helm finishes, it creates an internal Application Load Balancer like the one below:

7. Follow step 10 of the previous example to create a wildcard Route 53 entry pointing at your internal ALB.

As you can see in the red highlighted box, the DNS record is added to the privately hosted zone of the domain.

8. Finally we need to test that it works. Because the DNS record lives in the private hosted zone, the name will not resolve from outside, and because it points at an internal ALB, a connection would not succeed even if it did. Here I am trying to access it from my local terminal over the internet, and as you can see it can't connect.

So to test it, you need to access the domain from inside an EC2 instance in the VPC where the EKS cluster is hosted, or, if it is behind a VPN, over the VPN:

As you can see, I call the Java application on my internal hosted domain with a curl request from within EC2 and I get a response.

PS: if an external service entry is needed, add a “ServiceEntry” as described in this link.

If you check the default Istio installation in EKS, it only lets you create a Classic Load Balancer in AWS, and that setup is not production ready.

In this article I showed how to create a production-ready external, internet-facing Application Load Balancer and an internal one, each with an Istio Gateway routing the traffic, and how to expose multiple services through a single ALB Ingress attached to a wildcard SSL certificate from ACM.
