
How to set AWS ALB instead of ELB in Istio?


Step 1: Change the istio-ingressgateway service type to NodePort.

Step 2: Install the ALB ingress controller.

Step 3: Write ingress.yaml for istio-ingressgateway as follows:

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  namespace: istio-system
  name: ingress
  labels:
    app: ingress
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/subnets: <subnet1>,<subnet2>
spec:
  rules:
    - http:
        paths:
          - path: /*
            backend:
              serviceName: istio-ingressgateway
              servicePort: 80
```

The alb.ingress.kubernetes.io/subnets annotation can be avoided if you have labelled the subnets of the VPC with:

kubernetes.io/cluster/: owned

kubernetes.io/role/internal-elb: 1 (for internal ELB)

kubernetes.io/role/elb: 1 (for external ELB)

Otherwise, you can provide two subnet values in the above YAML, and each subnet should be in a different availability zone.

It worked in Istio 1.6.


The current accepted answer is correct. However, I would like to give a slight update to it. Once the AWS ALB controller is installed and configured, there are several steps one should take to make it work and be usable:

  1. Use istioctl manifest generate command to generate a list of manifests
  2. Find istio-ingressgateway service configuration
  3. Update it to be of a NodePort type
  4. Update ports configuration to have a pre-defined mapping of Node and Target ports. Note the status-port NodePort
  5. Apply these manifests instead of installing/updating istio using istioctl install command. In some cases it might be better to rely on istio helm installation though
  6. Update ingress configuration to have the following annotations:

     ```yaml
     alb.ingress.kubernetes.io/healthcheck-port: 'PORT'
     alb.ingress.kubernetes.io/healthcheck-path: /healthz/ready
     alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
     ```

     where PORT equals the Istio status-port NodePort value. This way, you update the ALB default configuration for the healthcheck to check the Istio healthcheck.


I can confirm the solution by tibin_tomy worked for me on Istio 1.7.4. Additionally, I used ClusterIP under step 1 instead of NodePort.

Step 1 - Change the istio-ingressgateway service type to ClusterIP (installing Istio using IstioOperator):

```yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio-system
  name: istio
spec:
  profile: default
  components:
    ingressGateways:
      - name: istio-ingressgateway
        k8s:
          service:
            type: ClusterIP # Disable classic load balancer creation (default), routing to here will be done via Kubernetes Ingress resource
```

NOTE: Deploy "Ingress" in the same namespace as istio-ingressgateway (istio-system by default). For example, if istio-ingressgateway is in namespace istio-system and Ingress is in namespace system, then aws-alb-ingress-controller errors with:

```
"kubebuilder/controller "msg"="Reconciler error" "error"="failed to reconcile targetGroups due to failed to load serviceAnnotation due to no object matching key "system/istio-ingressgateway" in local store" "controller"="alb-ingress-controller" "request"={"Namespace":"system","Name":"sonata-ingress"}"
```
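
A pre-deployment check for the two failure modes the answers above describe: an Ingress in a different namespace than istio-ingressgateway, and an ALB health check that is not pointed at the status-port NodePort. This is an added example, not code from any of the answers. The function name, problem labels and sample objects (including port numbers) are constructed, and the inputs are assumed to be shaped like `kubectl get -o json` output.

```python
HC_PORT = "alb.ingress.kubernetes.io/healthcheck-port"

def check_alb_istio(ingress, service):
    """Return problem labels for an ALB Ingress fronting istio-ingressgateway.

    Both arguments are dicts shaped like `kubectl get -o json` output
    (extensions/v1beta1 Ingress backend fields, as in the manifests above).
    """
    problems = []
    ing_meta, svc_meta = ingress["metadata"], service["metadata"]
    # The controller resolves the backend Service in the Ingress's own namespace.
    if ing_meta.get("namespace") != svc_meta.get("namespace"):
        problems.append("namespace-mismatch")
    # At least one path must route to the gateway Service on a port it exposes
    # (servicePort may be a number or a port name).
    ports = service["spec"].get("ports", [])
    exposed = {p.get("port") for p in ports} | {p.get("name") for p in ports}
    backends = [p["backend"] for r in ingress["spec"].get("rules", [])
                for p in r.get("http", {}).get("paths", [])]
    if not any(b.get("serviceName") == svc_meta["name"]
               and b.get("servicePort") in exposed for b in backends):
        problems.append("backend-not-gateway")
    # For a NodePort Service, the health check must hit the status-port NodePort.
    if service["spec"].get("type") == "NodePort":
        status = next((p for p in ports if p.get("name") == "status-port"), None)
        wanted = ing_meta.get("annotations", {}).get(HC_PORT)
        if status is None or str(status.get("nodePort")) != str(wanted):
            problems.append("healthcheck-port-mismatch")
    return problems

# Constructed sample objects (names and port numbers are illustrative).
GATEWAY = {"metadata": {"namespace": "istio-system", "name": "istio-ingressgateway"},
           "spec": {"type": "NodePort", "ports": [
               {"name": "status-port", "port": 15021, "nodePort": 30021},
               {"name": "http2", "port": 80, "nodePort": 30080}]}}

def make_ingress(namespace, hc_port, service_port=80):
    """Build a constructed Ingress object like the one in the first answer."""
    return {"metadata": {"namespace": namespace, "name": "ingress",
                         "annotations": {HC_PORT: hc_port}},
            "spec": {"rules": [{"http": {"paths": [{"path": "/*", "backend": {
                "serviceName": "istio-ingressgateway",
                "servicePort": service_port}}]}}]}}

if __name__ == "__main__":
    print(check_alb_istio(make_ingress("istio-system", "30021"), GATEWAY))
    print(check_alb_istio(make_ingress("system", "traffic-port"), GATEWAY))
```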