Istio Ingress with AWS NLB IP mode

Question

I've been trying to deploy istio ingress with nlb for my cluster. Currently I'm using the service annotation to attach the nlb with my istio ingress. I have a test server behind the cluster to test my curl command against the nlb, and all the routing has been set up. For all the curl I'm testing with http on port 80.

So the issue I'm running into is that, if I set my load balancer type as nlb with

service.beta.kubernetes.io/aws-load-balancer-type: "nlb",
service.beta.kubernetes.io/aws-load-balancer-security-groups: "<some security group",
service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true",
service.beta.kubernetes.io/aws-load-balancer-internal: "false",
service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules: "false",

it works, and the curl test will pass, but if I want to turn on the ip mode with

service.beta.kubernetes.io/aws-load-balancer-type: "nlb-ip",
service.beta.kubernetes.io/aws-load-balancer-security-groups: "<some security group",
service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true",
service.beta.kubernetes.io/aws-load-balancer-internal: "false",
service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules: "false",

the curl will just get timed out when trying to establish tcp connection.

I'm wondering, is there anything specific I need to set when turning on the nlb-ip mode for the nlb?

Thanks!!

Answer 1

It turns out that the EC2 security group is blocking my IP address...

The previously working version was either not setting the security group correctly, or not using my client IP adress as the source IP.