TLS when using AWS NLB. Port 443 target group is unhealthy

[moore-nathan]

Trying to setup the kubernetes gateway api and use https on AWS with a NLB.

I want to have the NLB do the TLS termination as we are attaching the TLS cert to it from Certificate Manager. Doing this so far though the target group for the TLS:443 listener is Unhealthy: Health checks failed.
I have already reviewed the security groups and even tested them with opening up all ports and sources, but still does not work.
Looking for assistance in resolving this issue.

Setting up the Gateway with the following annotations

service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
service.beta.kubernetes.io/aws-load-balancer-subnets: "our-subnets"
external-dns.alpha.kubernetes.io/hostname: "*.ourhostname.com"
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:region:account-number:certificate/xxx"
service.beta.kubernetes.io/aws-load-balancer-scheme: internal

Using the istio implementation, and the listeners HTTP and TLS with passthrough (also tried HTTPS without specifying tls). Ref:

spec:
  gatewayClassName: istio
  listeners:
    - name: default
      port: 80
      protocol: HTTP
      allowedRoutes:
        namespaces:
          from: All
    - name: tls
      port: 443
      protocol: TLS
      tls:
        mode: Passthrough
      allowedRoutes:
        namespaces:
          from: All

• Gateway CRD versions: v1.1.0
• Istio version: 1.23.2
• AWS Load Balancer Controller: v2.9.1
• Kubernetes version: 1.30

[robscott]

Hey @moore-nathan, this looks like a question that's specific to Istio's implementation, mind asking there instead?

[moore-nathan]

Yeah no problem. Issue for other's viewing Istio #53903