amazon-web-services amazon-eks istio istio-gateway

Why doesn't subdomain TCP routing on an EKS Istio classic LB work as expected?


The configuration:

  1. Route 53 *.mydomainname.com points to the classic LB.
  2. Istio ingress configured on the classic LB.
  3. Gateway + VirtualServices to route specific subdomains.

Here is the YAML:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: my-gateway
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 9999 
      name: aa
      protocol: TCP
    hosts:
      - "a.example.com"
      - "b.example.com"
---

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: sv1
  namespace: default
spec:
  hosts:
    - "a.example.com"
  gateways:
    - my-gateway
  tcp:
    - route:
      - destination:
          host: svc1 #k8s service on the default namespace
          port:
            number: 8000
        weight: 100

---

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: sv2
  namespace: default
spec:
  hosts:
    - "b.example.com"
  gateways:
    - my-gateway
  tcp:
    - route:
      - destination:
          host: svc2
          port:
            number: 8000
        weight: 100

I would expect a.example.com traffic to flow to svc1, and b.example.com traffic to svc2. In fact, all *.example.com traffic routes to svc1. What am I missing? How can I make it work?


Solution

  • Standard TCP routing does not support host matching. Host matching is typically applicable to HTTP services but it can also be used for TCP services using TLS with SNI.

    So that's why all your endpoints on that specific port end up in svc1.

    For reference check:

    https://istio.io/latest/docs/reference/config/networking/gateway/#Server
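
The TLS-with-SNI variant the answer mentions could look like the following. This is an added example, not part of the original question or answer. It assumes clients connect with TLS and send SNI, that svc1 and svc2 terminate TLS themselves on port 8000, and that the classic LB listener forwards raw TCP so the ClientHello reaches the gateway unchanged; the port name and the VirtualService name `sni-routes` are hypothetical.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: my-gateway
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 9999
      name: tls-passthrough   # hypothetical port name
      protocol: TLS           # was TCP; with TLS the gateway can read the SNI
    tls:
      mode: PASSTHROUGH       # gateway routes on SNI without terminating TLS
    hosts:
      - "a.example.com"
      - "b.example.com"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: sni-routes            # hypothetical name
  namespace: default
spec:
  hosts:
    - "a.example.com"
    - "b.example.com"
  gateways:
    - my-gateway
  tls:                        # tls routes match on SNI; tcp routes cannot
    - match:
      - port: 9999
        sniHosts:
          - "a.example.com"
      route:
      - destination:
          host: svc1
          port:
            number: 8000
    - match:
      - port: 9999
        sniHosts:
          - "b.example.com"
      route:
      - destination:
          host: svc2
          port:
            number: 8000
```

If the backends speak plaintext only, the alternative is to give each service its own TCP port on the gateway, since an unencrypted TCP stream carries no hostname to match on.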