How to integrate AWS ALB with istio v1.0

Chuan-Yen Chiang
4 min read · Aug 25, 2018


It’s been a while since I wrote any post here. Recently, I spent a lot of time migrating existing backend services from Node.js to Golang, and designing and implementing a new architecture, moving from a monolith to micro-services and a service mesh. I also spent some time looking at Dart and Flutter, and implemented some stuff with them (github, if interested).

Let’s go back to the main course. As mentioned before, I am in charge of backend architecture and infrastructure. All the changes I have made can be summarized into 3 major parts:

  • Containerized all services and packaged every service as a Helm template
  • Kubernetes to manage all services
  • Istio as the service mesh

I have been fascinated by Istio for a while and have always wanted to integrate it into our production environment, because it offers a lot of out-of-the-box benefits and makes monitoring every single request and traffic flow much easier and more transparent than before.

Here, I am going to share my experience integrating the AWS Application Load Balancer (ALB) with Istio.

Pre-requirements:

  • aws-alb-ingress-controller: you need to install this tool and be familiar with it; it deploys the AWS Application Load Balancer for you.
  • Download Istio v1.0

In this post, we use Helm to deploy all of our services.

Step 1: Before you install Istio with the Helm chart

  • set global.k8sIngressSelector=ingressgateway
  • set ingress.enable=false

There are many ways to capture traffic flowing from the internet into Kubernetes. But if we want to integrate with an AWS ALB, we need to run our own ingress controller, aws-alb-ingress-controller, instead of Istio’s built-in ingress.

  • set gateways.enabled=true, gateways.istio-ingressgateway.type=NodePort

This is a very important part: set gateways.istio-ingressgateway.type to NodePort, because the AWS Application Load Balancer routes all traffic to a specific port on the cluster nodes, not to a pod IP address.

  • then, install Istio into your cluster

Step 2: Create your AWS Application Load Balancer

Here is an example yaml file to create an ALB; make sure your aws-alb-ingress-controller is up and running first.

Here are a few things to be careful about:

  • Make sure your istio-ingress (the Ingress resource) and the istio-ingressgateway Service are in the same namespace, since an Ingress backend can only reference a Service in its own namespace.
  • Make sure the servicePort number you reference is one of the ports exposed by the istio-ingressgateway Service.
  • The istio-ingressgateway is effectively an istio-proxy (Envoy) that routes all incoming traffic into the Istio service mesh, like a gatekeeper.

Step 3: Create a Gateway to tell Pilot you are here

After you create the Ingress, the ALB is created by aws-alb-ingress-controller and routes traffic for hostname “your.hostname.com” to the backend Service istio-ingressgateway on port 80.

Now we need to create a Gateway to tell Pilot: please forward every request for hostname “your.hostname.com” that arrives at istio-ingressgateway to me.

The Gateway itself can live in whichever namespace you prefer.

Step 4: Create a VirtualService

Now that we have created a Gateway to capture traffic from istio-ingressgateway, we need to handle each request and route it to its destination. Create a VirtualService that defines which information is used to route a request to the right destination. In this istio-virtualservice.yaml, we simply say: every request that arrives through gateways: magic-gateway (created in the previous step) with hosts: “your.hostname.com” and a uri matching “/” should go to host: gordon-house on port: 8080.

Step 5: Create a Service and Deployment for your service

Finally, a familiar part. There is nothing fancy here: create a Service for your Deployment and make sure the name and port number of that Service are exactly the same as the ones referenced in the VirtualService we just created.

Here, I create a simple deployment with httpbin for the demo.

After finishing steps 1 to 5, requests should flow from the ALB to your service. Here is the big picture of steps 1 to 5:
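The manifests for Steps 2 to 4, as an added example that is not the author’s gist (the embedded yaml files did not survive on this page). The hostname your.hostname.com, the `default` namespace for the Gateway and VirtualService, and the ALB annotations are assumptions; the Service `gordon-house` exposing port 8080 is created in Step 5.

```yaml
# Step 2: the Ingress that aws-alb-ingress-controller turns into an ALB.
# It lives in istio-system so its backend can reference the
# istio-ingressgateway Service (Ingress backends are namespace-local).
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: istio-ingress
  namespace: istio-system
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
spec:
  rules:
  - host: your.hostname.com
    http:
      paths:
      - path: /*
        backend:
          serviceName: istio-ingressgateway
          servicePort: 80   # must be a port exposed by the NodePort Service
---
# Step 3: the Gateway binds to the istio-ingressgateway pods and accepts
# only the hostname the ALB forwards; any other Host header is rejected.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: magic-gateway
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
  - port: {number: 80, name: http, protocol: HTTP}
    hosts: ["your.hostname.com"]
---
# Step 4: the VirtualService routes requests that came through
# magic-gateway for your.hostname.com with a "/" prefix to gordon-house:8080.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: gordon-house
  namespace: default
spec:
  hosts: ["your.hostname.com"]
  gateways: ["magic-gateway"]
  http:
  - match: [{uri: {prefix: "/"}}]
    route:
    - destination: {host: gordon-house, port: {number: 8080}}
```

The Service name and port in the destination must match the Service from Step 5 exactly; a mismatch yields 503s from the ingress gateway rather than a configuration error.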

Step 6 (optional): What if your service needs to connect to an external service like AWS ElastiCache?

By default, all egress from your service is restricted, which is good from a security standpoint. So if you want to connect to an external resource outside the service mesh (Istio) and the Kubernetes cluster, you need to create two more things to allow traffic from your service to that external service:

  • VirtualService: defines which requests need to be handled.
  • ServiceEntry: defines the destination for those specific requests.

Here is a simple example to demonstrate how to connect to AWS ElastiCache (Redis).

First, define a VirtualService for the destination, matched by specific hosts or IP addresses; here we use a hostname as the example.

Then, define a ServiceEntry to declare that requests to that specific hostname and port number may leave the service mesh.

Now your service should be able to connect to AWS ElastiCache (Redis) and retrieve data.
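The egress configuration for Step 6, as an added example that is not the author’s gist. The ElastiCache endpoint my-cache.example.cache.amazonaws.com is a placeholder; Redis speaks plain TCP on 6379, so the match is a tcp rule rather than an http one.

```yaml
# VirtualService: which requests are taken care of. Only TCP traffic for
# this hostname on port 6379 is matched and routed to the external host.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: elasticache-redis
spec:
  hosts:
  - my-cache.example.cache.amazonaws.com   # placeholder endpoint
  tcp:
  - match:
    - port: 6379
    route:
    - destination:
        host: my-cache.example.cache.amazonaws.com
        port:
          number: 6379
---
# ServiceEntry: the destination that is allowed to leave the mesh.
# Listing exactly one host and one port keeps the egress allow-list
# narrow; nothing else becomes reachable because of this entry.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: elasticache-redis
spec:
  hosts:
  - my-cache.example.cache.amazonaws.com   # placeholder endpoint
  location: MESH_EXTERNAL
  ports:
  - number: 6379
    name: tcp-redis
    protocol: TCP
  resolution: DNS   # the sidecar resolves the ElastiCache DNS name itself
```

With a TCP entry the sidecar matches on port, not on hostname, so if several external TCP services share a port, add the resolved IP or CIDR under `addresses` to keep each entry scoped to its own destination.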

In conclusion, Istio is a powerful tool, but it requires more work in the initial stage. For example, we need to fully understand which traffic goes inside the mesh and which goes outside. Missing a single piece of configuration for a service may have unexpected consequences. Before moving your services to Istio, it is a good idea to make a checklist documenting every managed hostname, API path and external (third-party) service.

Thank you for reading, any comments are welcome!
