Has anyone set up E2E encryption with Istio Gateway and AWS?

Asked By CuriousCoder912 On

I'm curious if anyone has successfully configured end-to-end (E2E) encryption using an Istio Gateway on AWS. Specifically, I'm using an ACM certificate on the Network Load Balancer (NLB) and a self-signed certificate on the Istio Gateway. However, I keep encountering 'Empty Reply From Server' errors. To give you some context, terminating SSL on the NLB and then sending plain text to the Gateway works fine. I also tried TCP passthrough from the NLB to the Gateway, but the browser presents the self-signed certificate at the Gateway, which isn't ideal. Any advice or guidance would be appreciated!

4 Answers

Answered By WildCardWarrior On

I manage a wildcard certificate on a shared gateway per cluster, and I don’t hit any rate limits with cert-manager. You can also ask for rate limit increases if needed. I faced some challenges with proxy mode and the number of hops in a gateway API with NLB, but I can share my configuration with you if that helps!

CuriousCoder912 -

I might get in trouble for suggesting a wildcard cert, though! Still, I appreciate the offer!

Answered By TLSExpert007 On

If possible, I'd recommend using cert-manager to generate a Let's Encrypt certificate and terminating TLS at the Gateway instead of the NLB. However, at my workplace, we aren't allowed to use Let's Encrypt, so I have a similar setup to yours with the ACM certificate on the NLB and a self-signed one on the Gateway. Happy to assist further if you need! I've been using Istio for about five years now.
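For readers who want to see the ACM-on-NLB plus self-signed-on-Gateway layout from the question and this answer written out, here is an added example (not configuration posted by anyone in this thread). It assumes the AWS Load Balancer Controller manages the NLB, that the ingress gateway runs in `istio-system`, that the self-signed certificate is stored in a `kubernetes.io/tls` Secret named `gateway-selfsigned-tls`, and that `app.example.com` and the ACM ARN are placeholders. The NLB terminates the ACM certificate on its listener and re-encrypts toward the gateway because the backend protocol is `ssl`; with `tcp` the NLB would forward plaintext HTTP into the gateway's HTTPS listener instead. NLBs do not validate the target's certificate, so a self-signed certificate on the gateway is accepted on that hop.

```yaml
# Service fronting the Istio ingress gateway, provisioned as an NLB.
apiVersion: v1
kind: Service
metadata:
  name: istio-ingressgateway
  namespace: istio-system
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: "external"
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
    service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
    # ACM certificate presented to browsers on the NLB's TLS listener (placeholder ARN).
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:REGION:ACCOUNT_ID:certificate/CERT_ID"
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
    # "ssl" makes the NLB open a new TLS session to the target instead of
    # forwarding plaintext; this is the second half of the end-to-end encryption.
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "ssl"
spec:
  type: LoadBalancer
  selector:
    istio: ingressgateway
  ports:
  - name: https
    port: 443
    targetPort: 8443   # default HTTPS container port of the Istio ingress gateway
    protocol: TCP
---
# Istio Gateway terminating the inner TLS session with the self-signed certificate.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: shared-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      # kubernetes.io/tls Secret holding the self-signed cert and key (assumed name).
      credentialName: gateway-selfsigned-tls
    hosts:
    - "app.example.com"
```

The browser only ever sees the ACM certificate; the self-signed certificate is seen by the NLB alone, which is why it does not need to chain to a public CA.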

Answered By TechSavvy123 On

I use an ACM certificate directly on the Istio Gateway and don’t decrypt on the NLB at all. Have you tried accessing each component directly? Also, why opt for a self-signed certificate in the first place?

CuriousCoder912 -

Honestly, I chose a self-signed certificate because it's straightforward and has less operational overhead. My goal is just to get everything working smoothly before refining it. I was hesitant to use Let's Encrypt due to potential rate limits when scaling up.

Answered By CloudNovice89 On

I’m not too familiar with AWS, but if I understand correctly, the NLB is a Layer 4 (L4) load balancer. If you’re using a self-signed certificate on your ingress, the NLB must trust that certificate's issuer, or you might run into errors when trying to connect.

CuriousCoder912 -

It’s an L4 load balancer, so your assumption is on point! That's helpful to consider.
