Istio ingress gateway: enable proxy protocol v2 behind an AWS Network Load Balancer

Create the Network Load Balancer and specify the annotations

 1name: "istio-ingressgateway"
 2        service:
 3          # type: ClusterIP
 4            annotations:
 5              service.beta.kubernetes.io/aws-load-balancer-name: "istio-ingress-gateway"
 6              service.beta.kubernetes.io/aws-load-balancer-ssl-cert: >-
 7                              arn:aws:acm:us-east-1:xxxxxxxxxx:certificate/xxxxxxxxx
 8              service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
 9            #  service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: ELBSecurityPolicy-TLS-1-2-2017-01
10              service.beta.kubernetes.io/aws-load-balancer-type: "external"
11              service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
12              service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
13              service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
14              service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "3600"
15              service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
16              service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: "preserve_client_ip.enabled=true"
17              service.beta.kubernetes.io/aws-load-balancer-attributes: "deletion_protection.enabled=true, load_balancing.cross_zone.enabled=true"
18            ports:
19            - name: http2
20              port: 80
21              protocol: TCP
22              targetPort: 80
23            - name: https
24              port: 443
25              protocol: TCP
26              targetPort: 443
27            - name: tcp-kafka
28              port: 9095
29              protocol: TCP
30              targetPort: 9095
31        imagePullPolicy: "IfNotPresent"

Create the EnvoyFilter to support the X-Forwarded-For header and its propagation

 1apiVersion: networking.istio.io/v1alpha3
 2kind: EnvoyFilter
 3metadata:
 4  name: enable-forwared-for
 5  namespace: istio-system
 6spec:
 7  configPatches:
 8  - applyTo: NETWORK_FILTER
 9    match:
10      listener:
11        filterChain:
12          filter:
13            name: envoy.filters.network.http_connection_manager
14    patch:
15      operation: MERGE
16      value:
17        name: envoy.http_connection_manager
18        typed_config:
19          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
20          skip_xff_append: false
21          use_remote_address: true
22          xff_num_trusted_hops: 1

Create the EnvoyFilter to enable proxy protocol support

 1apiVersion: networking.istio.io/v1alpha3
 2kind: EnvoyFilter
 3metadata:
 4  name: internal-ingressgateway-proxy-protocol
 5  namespace: istio-system
 6spec:
 7  workloadSelector:
 8    labels:
 9      app: istio-ingressgateway
10  configPatches:
11  - applyTo: LISTENER
12    patch:
13      operation: MERGE
14      value:
15        listener_filters:
16        - name: envoy.filters.listener.proxy_protocol
17        - name: envoy.filters.listener.tls_inspector