Azure kubernetes - Istio controller with Internal load balancer

Question

I have an Azure kubernetes cluster with Istio service mesh.

Currently the Istio controller is associated with a public load balancer IP. I want to configure the Istio with with Internal load balancer. I would be using the firewall mapping for public IP to Internal LB.

How do I configure the Istio controller to use the internal load balancer?

Can you please help me with the sample? Or redirect me to the resource s. — One Developer, Sep 29 '20 at 06:17
5 seconds in google: https://learn.microsoft.com/en-us/azure/aks/internal-lb — 4c74356b41, Sep 29 '20 at 08:21
@KarthikeyanVijayakumar, Did you manage to solve the issue with the annotation? — Piotr Malec, Sep 29 '20 at 14:44

Chris · Accepted Answer · 2023-04-26T05:58:13.963

With istio 1.7 you can use the IstioOperator.

Create a values.yml:

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  profile: default #or demo
  components:
    ingressGateways:
      - name: istio-ingressgateway
        enabled: true
        k8s:
          serviceAnnotations:
            service.beta.kubernetes.io/azure-load-balancer-internal: "true"

Now install istio with the command istioctl install -f values.yml.

The ingress gateway will now get an internal loadbalancer with an ip of the clusters vnet as external ip. By this the cluster is only available from inside the vnet or from vnets peered with the clusters one.

If you want to have a fix ip, chose an unused one (here e.g. 10.30.09.20) from the clusters VNet and add:

[...]
  k8s:
    serviceAnnotations:
      service.beta.kubernetes.io/azure-load-balancer-internal: "true"
      service.beta.kubernetes.io/azure-load-balancer-ipv4: 10.30.09.20

You can check if an ip address is available/unused with the az cli:

az network vnet check-ip-address -g MyResourceGroup -n MyVnet --ip-address 10.30.09.20

Azure kubernetes - Istio controller with Internal load balancer

1 Answers1

Linked