I've taken over an EKS cluster where Istio automatically created a single ELB with a LoadBalancer resource. Now, the security team has asked me to set up WAF on the load balancer, which means switching to an ALB. I've managed to set one up using the AWS Load Balancer Controller and configured it to forward traffic to the modified Istio ingress gateway Service with NodePort. However, every time I make external requests, I keep receiving a 502 error. I've reached out to AWS Support, and they don't see any issues with the Load Balancer. Despite trying very verbose Istio logging, I can't pinpoint where the problem lies. What should I do next to troubleshoot this? Thanks for the help!
2 Answers
You should check to make sure all health checks are functioning well, especially those associated with the Gateway service. A 502 error usually indicates a routing issue between the Gateway and the services it's supposed to reach. I'd also recommend getting the Kiali dashboard set up; it really helps visualize your network flow and could shed some light on where things might be going wrong.
I've got a similar setup working in two of my clusters. My configuration goes like this: ALB -> Ingress -> Istio Gateway (using ClusterIP) -> Virtual Service -> Service. I switched from NodePort to ClusterIP due to issues like the one you're facing. Maybe give ClusterIP a try? It might solve the 502 problem you're encountering.
I appreciate the suggestion! I was just trying NodePort since I've seen examples recommending it. I'll definitely consider switching to ClusterIP.
Thanks for the tip! I confirmed that the ALB health checks are passing. I'm using the same ingress gateway manifest that worked before, just with NodePort changed. Does ALB require me to manually specify target groups? That seems like a headache if I have to adjust rules with every deployment.
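The chain the second answer describes (ALB -> Ingress -> Istio ingress gateway on a ClusterIP Service -> Gateway -> VirtualService -> Service), written out as an added example; these are not the answerers' own manifests. The namespace `shop`, hostname `shop.example.com`, the ACM and WAFv2 ARNs, and the backend Service `catalog` are placeholders. Port 15021 and the path `/healthz/ready` are the Istio ingress gateway's readiness endpoint; the `alb.ingress.kubernetes.io/*` annotations are AWS Load Balancer Controller annotations. With `target-type: ip` the controller registers the gateway pod IPs directly, so the Service type no longer matters to the ALB.

```yaml
# Istio ingress gateway Service: ClusterIP is enough, because the ALB
# targets pod IPs (target-type: ip) rather than NodePorts.
apiVersion: v1
kind: Service
metadata:
  name: istio-ingressgateway
  namespace: istio-system
  labels:
    istio: ingressgateway
spec:
  type: ClusterIP
  selector:
    istio: ingressgateway
  ports:
    - name: status-port      # readiness endpoint used by the ALB health check
      port: 15021
      targetPort: 15021
    - name: http2
      port: 80
      targetPort: 8080
---
# Ingress for the AWS Load Balancer Controller. The controller creates the
# ALB, listeners, target groups and the WAF association from this object and
# keeps the target group in sync with the gateway pods; nothing is managed
# by hand.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: istio-ingress
  namespace: istio-system
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
    alb.ingress.kubernetes.io/ssl-redirect: "443"
    # Placeholders: replace with the real certificate and web ACL.
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:REGION:ACCOUNT:certificate/CERT-ID
    alb.ingress.kubernetes.io/wafv2-acl-arn: arn:aws:wafv2:REGION:ACCOUNT:regional/webacl/NAME/ACL-ID
    # Health-check the gateway's own readiness port, not the traffic port.
    alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
    alb.ingress.kubernetes.io/healthcheck-port: "15021"
    alb.ingress.kubernetes.io/healthcheck-path: /healthz/ready
spec:
  ingressClassName: alb
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: istio-ingressgateway
                port:
                  number: 80
---
# Istio Gateway: accept plain HTTP on the gateway pods; TLS is terminated
# on the ALB in this layout.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: shop-gateway
  namespace: shop
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "shop.example.com"
---
# VirtualService: route the host to the placeholder backend Service.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: shop
  namespace: shop
spec:
  hosts:
    - "shop.example.com"
  gateways:
    - shop-gateway
  http:
    - route:
        - destination:
            host: catalog.shop.svc.cluster.local
            port:
              number: 8080
```

Two checks are worth running before blaming Istio: `kubectl -n istio-system describe ingress istio-ingress` shows the controller's events (target group creation, WAF association, reconcile errors), and `aws elbv2 describe-target-health --target-group-arn <arn>` shows whether the registered pod IPs are healthy on 15021. A passing health check on 15021 with 502s on real requests usually means the request reaches the gateway but no Gateway/VirtualService matches the `Host` header the ALB forwards, so also confirm the host in the Gateway and VirtualService matches what clients send.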