diff --git a/infrastructure/commons/istio/main.tf b/infrastructure/commons/istio/main.tf
index 3f8c27c5..f3858e12 100644
--- a/infrastructure/commons/istio/main.tf
+++ b/infrastructure/commons/istio/main.tf
@@ -88,5 +88,14 @@ resource "helm_release" "istio_ingressgateway" {
   values = [local.helm_values]
-
+  set = [
+    {
+      name  = "replicaCount"
+      value = var.istio_ingressgateway_replicas
+    },
+    {
+      name  = "autoscaling.minReplicas"
+      value = var.istio_ingressgateway_replicas
+    },
+  ]
 }
diff --git a/infrastructure/commons/istio/variables.tf b/infrastructure/commons/istio/variables.tf
index cc29466b..87b6b1fc 100644
--- a/infrastructure/commons/istio/variables.tf
+++ b/infrastructure/commons/istio/variables.tf
@@ -31,6 +31,17 @@ variable "istiod_replicas" {
   }
 }
 
+variable "istio_ingressgateway_replicas" {
+  description = "Number of istio-ingressgateway replicas. Set to 2+ to avoid PDB blocking node drains. Applied to both replicaCount and autoscaling.minReplicas to prevent the HPA from scaling back to 1. The Istio gateway Helm chart installs the gateway with a default PodDisruptionBudget (minAvailable=1), so a single replica blocks node rolling updates with PodEvictionFailure — same class of bug as the istiod single-replica issue."
+  type        = number
+  default     = 2
+
+  validation {
+    condition     = var.istio_ingressgateway_replicas >= 1
+    error_message = "istio_ingressgateway_replicas must be at least 1."
+  }
+}
+
 ###############################################################################
 # SERVICE CONFIGURATION
 ###############################################################################
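Review bot: The two `set` entries in main.tf pin `replicaCount` and `autoscaling.minReplicas` to the same variable with no comment saying why both are needed; the rationale lives only in the variable description in another file. A one-line comment above `set = [`, such as `# Pinned together: the chart's default PDB (minAvailable=1) plus an HPA allowed to scale to 1 blocks node drains, so both keys follow the variable.`, keeps the reason next to the code. Helm `set` entries also take precedence over keys rendered into `local.helm_values`, so if those values already carry `replicaCount` or `autoscaling.*` they are now silently overridden — worth confirming against the locals, which are outside this hunk. The hunk header counts 5 old and 14 new lines but fewer are visible here, so the trailing context of this hunk appears truncated in this view.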
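Review bot: The validation admits the exact value the description warns against: `condition = var.istio_ingressgateway_replicas >= 1` accepts 1, which the same description says blocks node rolling updates with PodEvictionFailure, and nothing else in the variable or in main.tf prevents it. Either raise the floor (`condition = var.istio_ingressgateway_replicas >= 2` with a matching `error_message`) or, if a single replica is intentionally permitted for non-production use, state that in the description so the next reader does not take the `>= 1` as an oversight. `type = number` also accepts non-integers such as 2.5, which would be passed to Helm as a string and rejected by the API server for `replicaCount`; appending `&& floor(var.istio_ingressgateway_replicas) == var.istio_ingressgateway_replicas` to the condition catches that at plan time. The description is one very long sentence; it would read better as a short summary with the PDB/HPA background moved to a comment above the block.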