
Azure kubernetes - Istio controller with Internal load balancer


I have an Azure kubernetes cluster with Istio service mesh.

Currently the Istio controller is associated with a public load balancer IP. I want to configure Istio with an internal load balancer. I would be using the firewall mapping from the public IP to the internal LB.

How do I configure the Istio controller to use the internal load balancer?


Solution

  • With istio 1.7 you can use the IstioOperator.

    Create a values.yml:

    apiVersion: install.istio.io/v1alpha1
    kind: IstioOperator
    spec:
      profile: default #or demo
      components:
        ingressGateways:
          - name: istio-ingressgateway
            enabled: true
            k8s:
              serviceAnnotations:
                service.beta.kubernetes.io/azure-load-balancer-internal: "true"
    

    Now install istio with the command istioctl install -f values.yml.

    The ingress gateway will now get an internal load balancer with an IP from the cluster's VNet as its external IP. By this the cluster is only available from inside the VNet or from VNets peered with the cluster's one.

    If you want to have a fixed IP, choose an unused one (here e.g. 10.30.09.20) from the cluster's VNet and add:

    [...]
      k8s:
        serviceAnnotations:
          service.beta.kubernetes.io/azure-load-balancer-internal: "true"
          service.beta.kubernetes.io/azure-load-balancer-ipv4: 10.30.09.20
    

    You can check if an IP address is available/unused with the az CLI:

    az network vnet check-ip-address -g MyResourceGroup -n MyVnet --ip-address 10.30.09.20
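A small audit helper for the manifest shown in the answer above, added here as an example and not part of the original post or of Istio itself. It walks an IstioOperator document that has already been parsed into a dict (for instance with `yaml.safe_load`, which is assumed but not required) and reports, per enabled ingress gateway, whether the Azure internal-load-balancer annotation is present as the string `"true"` and whether any fixed IP is a valid address inside the given VNet CIDR. The embedded manifest, the VNet range `10.30.0.0/16`, the address `10.30.9.20` and the gateway name `partner-gateway` are constructed sample values.

```python
import ipaddress

# Azure cloud-provider service annotations used in the answer above.
INTERNAL_ANNOTATION = "service.beta.kubernetes.io/azure-load-balancer-internal"
FIXED_IP_ANNOTATION = "service.beta.kubernetes.io/azure-load-balancer-ipv4"


def audit_ingress_gateways(operator: dict, vnet_cidr: str) -> dict:
    """Audit every enabled ingress gateway in a parsed IstioOperator document.

    Returns {gateway name: [findings]}. An empty list means the gateway's
    Service will be created behind an internal load balancer and any fixed
    IP it requests lies inside `vnet_cidr`.
    """
    vnet = ipaddress.ip_network(vnet_cidr, strict=False)
    report = {}
    gateways = (operator.get("spec", {})
                        .get("components", {})
                        .get("ingressGateways", []))
    for gw in gateways:
        if not gw.get("enabled", True):
            continue  # a disabled gateway creates no Service at all
        name = gw.get("name", "<unnamed>")
        annotations = gw.get("k8s", {}).get("serviceAnnotations") or {}
        findings = []

        internal = annotations.get(INTERNAL_ANNOTATION)
        if internal is None:
            # Without the annotation Azure provisions a PUBLIC load balancer.
            findings.append("no internal-LB annotation: gateway gets a PUBLIC IP")
        elif not isinstance(internal, str) or internal.lower() != "true":
            # Annotation values must be strings; an unquoted YAML `true`
            # becomes a bool and the manifest is rejected by the API server.
            findings.append('internal-LB annotation must be the quoted string "true"')

        fixed_ip = annotations.get(FIXED_IP_ANNOTATION)
        if fixed_ip is not None:
            try:
                addr = ipaddress.ip_address(str(fixed_ip))
            except ValueError:
                findings.append(f"fixed IP {fixed_ip!r} is not a valid address")
            else:
                if addr not in vnet:
                    findings.append(f"fixed IP {addr} is outside the VNet {vnet}")
        report[name] = findings
    return report


# Constructed sample mirroring the answer's manifest, plus a second gateway
# that forgot the annotation. Not a real deployment.
SAMPLE_OPERATOR = {
    "apiVersion": "install.istio.io/v1alpha1",
    "kind": "IstioOperator",
    "spec": {
        "profile": "default",
        "components": {
            "ingressGateways": [
                {"name": "istio-ingressgateway", "enabled": True,
                 "k8s": {"serviceAnnotations": {
                     INTERNAL_ANNOTATION: "true",
                     FIXED_IP_ANNOTATION: "10.30.9.20"}}},
                {"name": "partner-gateway", "enabled": True,
                 "k8s": {"serviceAnnotations": {}}},
            ]
        },
    },
}

if __name__ == "__main__":
    for gw, findings in audit_ingress_gateways(SAMPLE_OPERATOR, "10.30.0.0/16").items():
        print(f"{gw}: {'OK' if not findings else '; '.join(findings)}")
```

Running it against the sample reports `istio-ingressgateway: OK` and flags `partner-gateway` as getting a public IP; pass the real VNet prefix of your cluster as `vnet_cidr` so the fixed-IP check matches what `az network vnet check-ip-address` would validate.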