How to configure an internal Elastic Load Balancer (ELB) or Network Load Balancer (NLB) with an Istio Ingress Gateway in Rancher v2.3+



When configuring an Istio Ingress Gateway, a LoadBalancer type service is commonly configured to provide external access to the cluster.

By default, Kubernetes will provision an internet-facing Classic Load Balancer (CLB). The steps below provide guidance on the annotations needed to configure an internal CLB or Network Load Balancer (NLB) using private subnets.


Note: When using Load Balancers with the AWS cloud provider, it is important to tag the private and public subnets in the VPC so that kube-controller-manager can correctly discover the specific subnets intended for use.

For example the and keys configured respectively, with the value of 1.


Enable the Istio Ingress Gateway

If not already enabled, enable the Istio Ingress Gateway. In the drop down list for 'Service Type of Ingress Gateway', select LoadBalancer.

Use an internal Load Balancer

When editing the Istio Ingress Gateway, click the drop down for Custom Answers.

Paste the below in the Variable field. This will automatically populate the value:

gateways.istio-ingressgateway.serviceAnnotations."service\.beta\.kubernetes\.io/aws-load-balancer-internal" = "true"

Use an NLB

To use an NLB, click 'Add Answer' and paste the below in the Variable field:

gateways.istio-ingressgateway.serviceAnnotations."service\.beta\.kubernetes\.io/aws-load-balancer-type" = nlb

Note: An NLB can be used as an internet-facing load balancer by using only the above annotation, without adding the aws-load-balancer-internal annotation.
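To confirm which LoadBalancer Services actually carry the annotations above, the following added example (not part of the original article or of Rancher's tooling) audits the JSON produced by `kubectl get svc -A -o json` and reports each Service as CLB or NLB, internal or internet-facing. It assumes that only the value "true" shown above marks a Service as internal; the sample input, including its namespaces and Service names, is constructed.

```python
import json
import sys

# Annotation keys from the Custom Answers above (without the backslash-escaped dots).
INTERNAL = "service.beta.kubernetes.io/aws-load-balancer-internal"
LB_TYPE = "service.beta.kubernetes.io/aws-load-balancer-type"

def classify(service):
    """Return (kind, scheme) for a LoadBalancer Service, or None for other types."""
    if service.get("spec", {}).get("type") != "LoadBalancer":
        return None
    # kubectl omits "annotations" (or emits null) when a Service has none.
    ann = service.get("metadata", {}).get("annotations") or {}
    kind = "nlb" if ann.get(LB_TYPE) == "nlb" else "clb"  # CLB is the default
    # Assumption: only the exact value "true" shown above counts as internal;
    # anything else is reported as internet-facing so that it gets reviewed.
    scheme = "internal" if ann.get(INTERNAL) == "true" else "internet-facing"
    return kind, scheme

def audit(service_list_json):
    """Return [(namespace/name, kind, scheme)] for each LoadBalancer Service."""
    findings = []
    for svc in json.loads(service_list_json).get("items", []):
        result = classify(svc)
        if result is not None:
            meta = svc["metadata"]
            findings.append((f"{meta.get('namespace', 'default')}/{meta['name']}", *result))
    return findings

def _svc(ns, name, svc_type, annotations=None):
    """Build a minimal Service object for the constructed sample below."""
    return {"metadata": {"namespace": ns, "name": name, "annotations": annotations},
            "spec": {"type": svc_type}}

# Constructed sample input; namespaces and Service names are illustrative.
SAMPLE = json.dumps({"items": [
    _svc("istio-system", "istio-ingressgateway", "LoadBalancer",
         {INTERNAL: "true", LB_TYPE: "nlb"}),
    _svc("istio-system", "gw-nlb-only", "LoadBalancer", {LB_TYPE: "nlb"}),
    _svc("default", "gw-default", "LoadBalancer"),
    _svc("default", "backend", "ClusterIP"),
]})

if __name__ == "__main__":
    # Pass a file saved from `kubectl get svc -A -o json`, or run on the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for name, kind, scheme in audit(data):
        status = "ok" if scheme == "internal" else "REVIEW"
        print(f"{status:6} {name:40} {kind} {scheme}")
```

Any Service reported as internet-facing that was meant to be private is missing the aws-load-balancer-internal answer.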


Istio install options documentation

Kubernetes load balancer documentation
