Azure kubernetes - Istio controller with Internal load balancer


I have an Azure kubernetes cluster with Istio service mesh.

Currently the Istio controller is associated with a public load balancer IP. I want to configure Istio with an internal load balancer. I would be using the firewall mapping for public IP to internal LB.

How do I configure the Istio controller to use the internal load balancer?

Chris On BEST ANSWER

With Istio 1.7 you can use the IstioOperator.

Create a values.yml:

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  profile: default #or demo
  components:
    ingressGateways:
      - name: istio-ingressgateway
        enabled: true
        k8s:
          serviceAnnotations:
            service.beta.kubernetes.io/azure-load-balancer-internal: "true"

Now install Istio with the command istioctl install -f values.yml.

The ingress gateway will now get an internal load balancer with an IP from the cluster's VNet as its external IP. This way the cluster is only available from inside the VNet or from VNets peered with the cluster's.

If you want to have a fixed IP, choose an unused one (here e.g. 10.30.09.20) from the cluster's VNet and add:

[...]
  k8s:
    serviceAnnotations:
      service.beta.kubernetes.io/azure-load-balancer-internal: "true"
      service.beta.kubernetes.io/azure-load-balancer-ipv4: 10.30.09.20

You can check if an IP address is available/unused with the az CLI:

az network vnet check-ip-address -g MyResourceGroup -n MyVnet --ip-address 10.30.09.20
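
A way to confirm the result after installing, as an added example that is not part of the answer above: it reads Service JSON and reports every LoadBalancer service that lacks the internal annotation or holds a non-private address. The function name `audit_services` and the sample services are constructed for illustration.

```python
import ipaddress
import json

INTERNAL_ANNOTATION = "service.beta.kubernetes.io/azure-load-balancer-internal"

# Constructed sample shaped like `kubectl get svc -n istio-system -o json` output.
SAMPLE = json.dumps({
    "items": [
        {"metadata": {"name": "istio-ingressgateway", "namespace": "istio-system",
                      "annotations": {INTERNAL_ANNOTATION: "true"}},
         "spec": {"type": "LoadBalancer"},
         "status": {"loadBalancer": {"ingress": [{"ip": "10.30.9.20"}]}}},
        {"metadata": {"name": "legacy-gateway", "namespace": "istio-system"},
         "spec": {"type": "LoadBalancer"},
         "status": {"loadBalancer": {"ingress": [{"ip": "20.50.1.7"}]}}},
        {"metadata": {"name": "istiod", "namespace": "istio-system"},
         "spec": {"type": "ClusterIP"}, "status": {"loadBalancer": {}}},
    ]
})


def audit_services(raw_json):
    """Return (namespace/name, problem) pairs for exposed LoadBalancer services."""
    findings = []
    for svc in json.loads(raw_json).get("items", []):
        if svc.get("spec", {}).get("type") != "LoadBalancer":
            continue  # only LoadBalancer services get an Azure front end
        meta = svc.get("metadata", {})
        ref = f"{meta.get('namespace', 'default')}/{meta.get('name')}"
        annotations = meta.get("annotations") or {}
        if annotations.get(INTERNAL_ANNOTATION, "").lower() != "true":
            findings.append((ref, "internal annotation missing or not 'true'"))
        ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress") or []
        if not ingress:
            findings.append((ref, "no address assigned yet"))
        for entry in ingress:
            ip = entry.get("ip")
            try:
                private = ipaddress.ip_address(ip).is_private
            except ValueError:
                findings.append((ref, f"unparseable address {ip!r}"))
                continue
            if not private:
                findings.append((ref, f"public address {ip}"))
    return findings


if __name__ == "__main__":
    for ref, problem in audit_services(SAMPLE):
        print(f"{ref}: {problem}")
```

Against a live cluster, pass the output of `kubectl get svc -n istio-system -o json` to `audit_services` instead of the constructed sample.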