Unable to access api hosted in EKS and routed via istio-ingressgateway with NLB


New to AWS here, trying to expose an API and having issues.

I have an API deployed to an AWS EKS cluster, where my API is connected to a ClusterIP service. That ClusterIP service is attached to a Virtual Service (VS) exposing the API's port and a fixed hostname with routes as a prefix. This VS is connected to a Gateway (ingressgateway) describing both HTTP (80) and HTTPS (443) for all connections (`*` asterisk as hosts). After that, all our HTTP and HTTPS requests are mapped to 2 node ports under istio-ingressgateway, hosted under the istio-system namespace. Now, these 2 exposed nodePorts are consumed by the target groups registered over the same nodePorts, and these target groups are listened to by our NLB. The NLB is connected to a DNS entry in Route53 by the NLB's DNS name, with a record of CNAME type (also tried with A).

Now, I am trying to access my API from the browser using the above setup, but whenever I try to (with A type) I get 500: internal server error, but no errors on my API's pods. And with CNAME there are no results, it just gives a timeout.

I followed the same process as how another API is deployed on the same cluster, but the other API is working fine, whereas my API is not accessible.

Edit 1: tried capturing the error with CloudWatch, but we got this not-so-informative error:

    {
      "requestId": "e0etYh9BvHcES6A=",
      "IP": "<ip-address>",
      "requestTime": "16/Jan/2023:05:19:17 +0000",
      "httpMethod": "GET",
      "routeKey": "$default",
      "status": "500",
      "protocol": "HTTP/1.1",
      "responseLength": "35"
    }

Edit 2: was able to make it work. Solution: as our NLB is configured with an internal scheme, we needed to connect it with the API gateway. Other than that, the Route53 record needed to be configured with an A scheme, and once the changes were in place, we were able to access our API from the browser.

Questions:

  1. Is this the proper way to expose an API from the EKS cluster with an NLB and istio-ingressgateway service?
  2. Are we only allowed to have one service routed via istio-ingressgateway under istio-system? Do we need to write a new one for another API?

There are 1 best solutions below


Looks like the issue is related to the NLB being configured with an internal scheme and not being connected to the API Gateway. The Route 53 record needs to be configured with an A scheme instead of CNAME.
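
For reference, the Gateway and VirtualService layout described in the question, written out as an added example (not taken from the question or the answer). It also shows a second API bound to the same ingress gateway through its own VirtualService. All names, namespaces, hostnames, ports and the TLS secret are hypothetical placeholders.

```yaml
# Added example: every name, namespace, hostname, port and secret is a placeholder.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: shared-gateway            # hypothetical
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway         # label carried by the istio-ingressgateway pods
  servers:
    - port: {number: 80, name: http, protocol: HTTP}
      hosts: ["*"]                # as in the question: any Host header is accepted
    - port: {number: 443, name: https, protocol: HTTPS}
      hosts: ["*"]
      tls:
        mode: SIMPLE
        credentialName: api-tls-cert   # hypothetical TLS secret in istio-system
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: my-api
  namespace: my-api-ns
spec:
  hosts: ["my-api.example.com"]   # the fixed hostname; only this Host is routed
  gateways: ["istio-system/shared-gateway"]
  http:
    - match:
        - uri: {prefix: /my-api}
      route:
        - destination:
            host: my-api.my-api-ns.svc.cluster.local   # the ClusterIP service
            port: {number: 8080}
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService              # second API: same Gateway, separate VirtualService
metadata:
  name: other-api
  namespace: other-api-ns
spec:
  hosts: ["other-api.example.com"]
  gateways: ["istio-system/shared-gateway"]
  http:
    - route:
        - destination:
            host: other-api.other-api-ns.svc.cluster.local
            port: {number: 8080}
```

With `hosts: ["*"]` on the Gateway, the `hosts` list on each VirtualService is what limits which Host headers reach a backend, so keep it to the exact names you intend to expose.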