[BUG] problems accessing VirtualGateway through NLB w/ ingress walkthrough
joshuabaird opened this issue · 3 comments
Describe the bug
I'll start by saying this may not be a bug, but I have deployed the templates as defined in the instructions and can't seem to get this working, nor does it seem I'm looking in the correct place(s) for logs, hints, etc.
If I try to access the VirtualGateway through the NLB provided, I get an "empty reply":
$ curl -k https://colorgateway.default.svc.cluster.local/color2/tell
curl: (52) Empty reply from server
If I SSH into the bastion host, I can hit the target (the Envoy instance for the Virtual Gateway) directly with success:
[ec2-user@ip-10-0-5-162 ~]$ curl -s http://colorgateway.default.svc.cluster.local:9080/color1/teller
white
It seems as if something is "breaking" between the NLB and the VirtualGateway Envoy instance. I don't see any info/hints in the Envoy logs (even with logging levels bumped to DEBUG/TRACE).
Platform
ECS
To Reproduce
Steps to reproduce the behavior:
- Go to https://github.com/aws/aws-app-mesh-examples/tree/master/walkthroughs/howto-ingress-gateway
- Follow the instructions to deploy the CloudFormation templates
- Attempt to connect to the NLB endpoint to verify the VirtualGateway configuration
- See error
Expected behavior
Querying the NLB endpoint for the Virtual gateway should route to the VirtualNode(s) and return a 200.
It looks like this is because the VirtualGateway was configured without TLS termination enabled. Funny, because colorgateway-vg.json does specify the TLS configuration. I'll try to reproduce.
@joshuabaird Are you facing this issue still? I am not able to reproduce this.
Closing this issue since it is not reproducible. @joshuabaird Please feel free to re-open this if you run into the same issue.