Configuring Istio Ingress with AWS NLB

Ingress AWS Network Load Balancer

This post provides instructions to use and configure ingress Istio with AWS Network Load Balancer.

Network load balancer (NLB) could be used instead of classical load balancer. You can see the comparison between different AWS loadbalancer for more explanation.

Prerequisites

The following instructions require a Kubernetes 1.9.0 or newer cluster.

IAM Policy

You need to apply policy on the master role in order to be able to provision network load balancer.

  1. In AWS iam console click on policies and click on create a new one:

    Create a new policy
    Create a new policy
  2. Select json:

    Select json
    Select json
  3. Copy/paste text below:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "kopsK8sNLBMasterPermsRestrictive",
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeVpcs",
                    "elasticloadbalancing:AddTags",
                    "elasticloadbalancing:CreateListener",
                    "elasticloadbalancing:CreateTargetGroup",
                    "elasticloadbalancing:DeleteListener",
                    "elasticloadbalancing:DeleteTargetGroup",
                    "elasticloadbalancing:DescribeListeners",
                    "elasticloadbalancing:DescribeLoadBalancerPolicies",
                    "elasticloadbalancing:DescribeTargetGroups",
                    "elasticloadbalancing:DescribeTargetHealth",
                    "elasticloadbalancing:ModifyListener",
                    "elasticloadbalancing:ModifyTargetGroup",
                    "elasticloadbalancing:RegisterTargets",
                    "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
                ],
                "Resource": [
                    "*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeVpcs",
                    "ec2:DescribeRegions"
                ],
                "Resource": "*"
            }
        ]
    }
    
  4. Click review policy, fill all fields and click create policy:

    Validate policy
    Validate policy
  5. Click on roles, select you master role nodes, and click attach policy:

    Attach policy
    Attach policy
  6. Your policy is now attach to your master node.

Generate the Istio manifest

To use an AWS nlb load balancer, it is necessary to add an AWS specific annotation to the Istio installation. These instructions explain how to add the annotation.

Save this as the file override.yaml:

gateways:
  istio-ingressgateway:
    serviceAnnotations:
      service.beta.kubernetes.io/aws-load-balancer-type: "nlb"

Generate a manifest with Helm:

$ helm template install/kubernetes/helm/istio --namespace istio -f override.yaml > $HOME/istio.yaml