[BUG] problems accessing VirtualGateway through NLB w/ ingress walkthrough

Question

[BUG] problems accessing VirtualGateway through NLB w/ ingress walkthrough

joshuabaird opened this issue 3 years ago · comments

Important note on security disclosures: If you think you’ve found a potential security issue, please do not post it in the Issues. Instead, please follow the instructions here or email AWS security directly.

Describe the bug
I'll start by saying this may not be a bug, but I have deployed the templates as defined in the instructions and can't seem to get this working, nor does it seem I'm looking in the correct place(s) for logs, hints, etc.

If I try to access the VirtualGateway through the NLB provided, I get an "empty reply":

$ curl -k https://colorgateway.default.svc.cluster.local/color2/tell
curl: (52) Empty reply from server

If I SSH into the bastion host, I can hit the target (the Envoy instance for the Virtual Gateway) directly with success:

[ec2-user@ip-10-0-5-162 ~]$ curl -s http://colorgateway.default.svc.cluster.local:9080/color1/teller
white

It seems as if something is "breaking" between the NLB and the VirtualGateway Envoy instance. I don't see any info/hints in the Envoy logs (even with logging levels bumped to DEBUG/TRACE).

Platform
ECS

To Reproduce
Steps to reproduce the behavior:

Go to https://github.com/aws/aws-app-mesh-examples/tree/master/walkthroughs/howto-ingress-gateway'
Follow the instructions to deploy the CloudFormation templates
Attempt to connect to the NLB endpoint to verify the VirtualGateway configuration
See error

Expected behavior
Querying the NLB endpoint for the Virtual gateway should route to the VirtualNode(s) and return a 200.

Config files, and API responses
If applicable config files and responses from our API.

Additional context
Add any other context about the problem here.

Josh Baird · Answer 1 · Fri Jan 08 2021 04:54:28 GMT+0800 (China Standard Time)

It looks like this is because the VirtualGateway was configured without TLS termination enabled. Funny, because colorgateway-vg.json does specify the TLS configuration. I'll try to reproduce.

Rajal · Answer 2 · Fri Sep 24 2021 03:09:06 GMT+0800 (China Standard Time)

@joshuabaird Are you facing this issue still? I am not able to reproduce this.

Rajal · Answer 3 · Fri Oct 15 2021 07:37:34 GMT+0800 (China Standard Time)

Closing this issue since it is not reproducible. @joshuabaird Please feel free to re-open this if you run into the same issue.