How to restrict traffic from source IPs to TKGI cluster service with NSX-T loadbalancer


Article ID: 398051


Products

VMware Tanzu Kubernetes Grid Integrated Edition

Issue/Introduction

You have a TKGI cluster that uses the NSX-T load balancer, and you want to restrict client access to a Service of type LoadBalancer by source IP: only traffic from specified source IP addresses or ranges should be allowed, and everything else should be blocked.

Environment

TKGI with NSX-T

Resolution

Firewall rules can be configured manually in NSX-T to allow or deny traffic from specific source IP addresses or ranges, but the recommended approach is the loadBalancerSourceRanges attribute of the Kubernetes Service object, so that the restriction is declared with the service and maintained by NCP rather than by hand. This feature is only supported in Policy mode. Refer to the NSX Container Plugin document "Service of Type LoadBalancer". Each entry is a CIDR; list one entry per allowed range. Any client outside the listed ranges is blocked, so include the address ranges of your own tooling, monitoring and jump hosts if they must reach the service, and do not list 0.0.0.0/0, which is equivalent to no restriction at all. After applying, confirm that the ranges were stored with kubectl get svc <name> -o jsonpath='{.spec.loadBalancerSourceRanges}' and test from one allowed and one disallowed address. The Service definition would look like:

apiVersion: v1          # required; omitted in the original snippet
kind: Service
metadata:
  name: nginx-service-lb
  labels:
    app: nginx
spec:
  type: LoadBalancer
  selector:             # pods that back this service; without a selector it has no endpoints
    app: nginx
  loadBalancerSourceRanges:
  - "###.###.###.###/24"   # replace with the client CIDR(s) to allow, one list entry each
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
      name: tcp
...
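As an added example (this is not code from the article, from TKGI or from NCP), the following shell helper checks every entry intended for loadBalancerSourceRanges before anything is sent to the cluster: each entry must be a syntactically valid IPv4 CIDR, the list must not be empty, and the catch-all 0.0.0.0/0 is refused because it would silently disable the restriction. It then renders the manifest in the shape shown above. The service name, the app label, port 80 and the CIDRs 203.0.113.0/24 and 198.51.100.7/32 are hypothetical sample values; the script itself runs without kubectl.

```sh
#!/bin/sh
# Added example, not part of the TKGI/NCP documentation: validate the
# source ranges for a LoadBalancer Service and render its manifest.
# All names, ports and CIDRs used here are hypothetical sample values.
set -eu

# valid_ipv4_cidr A.B.C.D/N -> returns 0 when every octet is 0-255 and the
# prefix length is 0-32, 1 otherwise (anything without a "/N" is rejected).
valid_ipv4_cidr() {
  printf '%s\n' "$1" | awk -F'[./]' '
    NF != 5 { exit 1 }
    {
      for (i = 1; i <= 4; i++)
        if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1
      if ($5 !~ /^[0-9]+$/ || $5 + 0 > 32) exit 1
      exit 0
    }'
}

# check_source_ranges "cidr1 cidr2 ..." -> 0 only if the list is non-empty,
# every entry is a valid CIDR and none of them is 0.0.0.0/0 (which would
# make the restriction a no-op).
check_source_ranges() {
  if [ -z "$1" ]; then
    echo "no source ranges given: the service would accept any client" >&2
    return 1
  fi
  for cidr in $1; do
    if ! valid_ipv4_cidr "$cidr"; then
      echo "invalid CIDR: $cidr" >&2
      return 1
    fi
    case "$cidr" in
      0.0.0.0/0)
        echo "refusing 0.0.0.0/0: equivalent to no restriction" >&2
        return 1 ;;
    esac
  done
  return 0
}

# render_lb_service NAME APP_LABEL PORT "cidr1 cidr2 ..." -> manifest on stdout,
# or a non-zero status without output if the ranges fail validation.
render_lb_service() {
  name=$1; app=$2; port=$3; ranges=$4
  check_source_ranges "$ranges" || return 1
  cat <<EOF
apiVersion: v1
kind: Service
metadata:
  name: $name
  labels:
    app: $app
spec:
  type: LoadBalancer
  selector:
    app: $app
  loadBalancerSourceRanges:
EOF
  for cidr in $ranges; do
    printf '  - "%s"\n' "$cidr"
  done
  cat <<EOF
  ports:
    - port: $port
      targetPort: $port
      protocol: TCP
      name: tcp
EOF
}

# Usage with hypothetical values; the kubectl steps need cluster access:
#   render_lb_service nginx-service-lb nginx 80 "203.0.113.0/24 198.51.100.7/32" > svc.yaml
#   kubectl apply -f svc.yaml
#   kubectl get svc nginx-service-lb -o jsonpath='{.spec.loadBalancerSourceRanges}'
```

The validation is deliberately syntactic only: it catches typos and the catch-all range, but whether the restriction is actually enforced still depends on NCP running in Policy mode, so the final check is always a connection attempt from an address outside the listed ranges.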