0
votes

I am dealing with the SSL connection from the Azure Web Application Firewall to the Kubernetes cluster via Istio.

The connection from the client to the Azure WAF is already TLS encrypted.

As far as I understand, I have to encrypt the data again in the WAF. Can I use the same certificates that I already used for the connection to the WAF?

Here I would proceed as described in this article: application-gateway-end-to-end-ssl-powershell

Then I have to deposit the same certificates in Istio's Ingress Gateway, as mentioned here: Configure a TLS ingress gateway

>     cat <<EOF | kubectl apply -f -
>     apiVersion: networking.istio.io/v1alpha3
>     kind: Gateway
>     metadata:
>       name: mygateway
>     spec:
>       selector:
>         istio: ingressgateway # use istio default ingress gateway
>       servers:
>       - port:
>           number: 443
>           name: https
>           protocol: HTTPS
>         tls:
>           mode: SIMPLE # server-side TLS: the gateway presents this certificate
>           serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
>           privateKey: /etc/istio/ingressgateway-certs/tls.key
>         hosts:
>         - "httpbin.example.com"
>     EOF

Is that correct so far?


2 Answers

0
votes

You need to use the same certificate you specified in the application gateway (so the certificate application gateway expects) in the Istio gateway. Your gateway configuration looks valid, as long as the cert is the same and the host is the same.

0
votes

For me, it finally worked. I have a situation where Application Gateway is deployed with its own VirtualNetwork and Subnet. So I made VNet peering and thought it would be enough. But it wasn't. After some days of struggling, I found out that my VirtualNetwork Subnet is the same as the docker network inside AKS. When I recreated the Application Gateway with a new subnet, which does not cover any part of the docker subnet, it worked.
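
The subnet collision described in the answer above can be checked before the gateway is deployed. This is an added example, not code from either answer; the function names and every CIDR value in it are constructed assumptions, so substitute the ranges your own cluster and VNet actually use.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the post): ranges a
# cluster uses internally that are not part of the VNet address space.
CLUSTER_RANGES = {
    "docker-bridge": "172.17.0.1/16",
    "service-cidr": "10.0.0.0/16",
    "pod-cidr": "10.244.0.0/16",
}


def _net(cidr):
    # strict=False accepts host-style values such as 172.17.0.1/16
    return ipaddress.ip_network(cidr, strict=False)


def find_overlaps(candidate, reserved):
    """Return the sorted names of reserved ranges that overlap the candidate subnet."""
    cand = _net(candidate)
    return sorted(name for name, cidr in reserved.items()
                  if cand.overlaps(_net(cidr)))


def first_free_subnet(address_space, prefix_len, reserved):
    """Return the first /prefix_len subnet in address_space that is clear of
    every reserved range, or None when the whole space collides."""
    blocked = [_net(c) for c in reserved.values()]
    for subnet in _net(address_space).subnets(new_prefix=prefix_len):
        if not any(subnet.overlaps(b) for b in blocked):
            return str(subnet)
    return None


if __name__ == "__main__":
    gw_subnet = "172.17.4.0/24"  # constructed: sits inside the docker bridge range
    print("conflicts:", find_overlaps(gw_subnet, CLUSTER_RANGES))
    print("suggested:", first_free_subnet("10.0.0.0/15", 24, CLUSTER_RANGES))
```

An empty result from `find_overlaps` means the candidate gateway subnet is clear of every listed range; `first_free_subnet` proposes a replacement when it is not.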