Configuring Inbound security rules of Azure Load Balancer

3/25/2020

I have created an AKS cluster and deployed a simple web server on it with the following yaml.
Azure LoadBalancer gives it a public IP address automatically and it works fine.

Now I would like to limit the source IP address so I can access it from a specific IP address only.
I've tried adding an Azure Firewall to the virtual network of AKS (aks-vnet-XXXXXXX) with some network rules, but it doesn't work.

Creating a NAT rule in the Firewall that redirects packets to the LoadBalancer works,
but I can still access the pod with the public IP address of the LoadBalancer.

Any suggestions?

apiVersion: v1
kind: Service
metadata:
  name: nginx
spec:
  type: LoadBalancer
  selector:
    app: nginx
  ports:
    - name: http
      port: 80
      targetPort: 80

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  # fields the asker skipped, filled in minimally to match the Service selector
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.17.6
        ports:
        - containerPort: 80
-- Chlorinds
azure
azure-kubernetes
azure-load-balancer

1 Answer

3/25/2020

What you're trying to achieve can be done with NSG (Network Security Group) applied to the subnet where your AKS cluster resides: https://docs.microsoft.com/en-us/azure/aks/concepts-security#network-security

A more generic approach with fine-grained control will require creating an Ingress Controller, creating an Ingress object for your service, and applying the ingress.kubernetes.io/whitelist-source-range annotation to it.

-- Anton Matsiuk
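The Ingress variant of the answer, written out as an added example (not code from the question or the answer). It assumes the ingress-nginx controller is installed with an IngressClass named `nginx`, and uses the documentation address 203.0.113.10 as a stand-in for the allowed source IP; the annotation key is the ingress-nginx form of the one named in the answer.

```yaml
# Added example, not from the original post.
# 1. The application Service is switched to ClusterIP so it no longer gets
#    its own Azure public IP. With type: LoadBalancer that IP reaches the
#    pod directly and bypasses the Ingress, the same bypass the asker saw
#    with the Firewall NAT rule.
apiVersion: v1
kind: Service
metadata:
  name: nginx
spec:
  type: ClusterIP
  selector:
    app: nginx
  ports:
    - name: http
      port: 80
      targetPort: 80
---
# 2. The Ingress carries the source restriction. ingress-nginx reads the
#    annotation below (comma-separated CIDRs) and answers 403 to any other
#    source address. 203.0.113.10 is a placeholder for the allowed IP.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx
  annotations:
    nginx.ingress.kubernetes.io/whitelist-source-range: "203.0.113.10/32"
spec:
  ingressClassName: nginx
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: nginx
                port:
                  number: 80
```

The filter is only meaningful if the controller sees the real client address: the ingress controller's own LoadBalancer Service needs `externalTrafficPolicy: Local`, otherwise kube-proxy SNATs inbound traffic and the controller compares node IPs against the range instead.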
Source: StackOverflow