Is your feature request related to a problem? Please describe.
In our environment, we use the AKS-managed Istio Ingress gateway. We are encountering an issue where the Azure Load balancer associated with the ingress gateway reports a "Degraded" status due to failed health probes on port 80. Our configuration only requires port 443 for incoming traffic, and we do not wish to expose port 80. Since the load balancer defaults to probing on port 80, health checks fail, causing a degraded status.
Describe the solution you'd like
We are aware that AKS has recently rolled out support for certain annotations on the ingress service as part of the 2024-09-18 release. These annotations include:
service.beta.kubernetes.io/azure-load-balancer-internal-subnet
service.beta.kubernetes.io/azure-shared-securityrule
service.beta.kubernetes.io/azure-allowed-service-tags
service.beta.kubernetes.io/azure-load-balancer-ipv4
service.beta.kubernetes.io/azure-load-balancer-resource-group
service.beta.kubernetes.io/azure-pip-name
We would like AKS to expand the range of supported annotations to include service.beta.kubernetes.io/port_80_no_lbrule=true. This would prevent the Azure Load Balancer from attempting health probes on port 80.
I have manually applied this annotation, and it successfully changes the load balancer's status. However, the annotation is automatically removed every few minutes due to AKS managed Istio automation.
Describe alternatives you've considered
As an alternative, we have configured the Istio ingress gateway to listen on port 80 and direct the traffic to port 443. This configuration resolves the Azure Load Balancer degraded status, as it allows health probes to pass. However, we prefer using the service.beta.kubernetes.io/port_80_no_lbrule=true annotation to prevent the load balancer from probing port 80 altogether.
Thank you for your support.