AKS (Azure Kubernetes Service) Ingress IP Filtering/Whitelisting issue

chatelain.io
1 min read · Feb 20, 2019


For security purposes, I had a requirement to secure some endpoints with IP filtering on our AKS cluster. Out of the box, the nginx ingress controller provides a way to do that.

Normally you must set the variable controller.service.externalTrafficPolicy=Local via the Helm chart so that the real client IP reaches nginx, which can then apply the whitelist to it.

The catch is that in the current version of AKS (as of 2019-02-19, Kubernetes version 1.12.5) it is not that simple: there is a bug with the NATing when you are not using 10.0.0.0/8 as the VNet with a subnet within that range.

The first time I tried to set up the IP filtering, my cluster VNet was within 172.x.0.0/16 and I wasn’t able to make it work. After some research I found out about a bug reported on GitHub.

The issue is still open, but I’ve tested the workaround and it was a success. I recreated my cluster using 10.0.0.0/8 as the VNet and 10.0.1.0/16 as the subnet. After installing the nginx ingress Helm chart with controller.service.externalTrafficPolicy=Local and adding the proper annotations to the ingress manifest, my service was now rejecting requests from outside the whitelisted range.
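The setup described above, as an added example that is not code from the original post. It assumes Helm 2 with the stable/nginx-ingress chart (the chart version in use at the time of the post), a backend Service named my-app on port 80, the hostname app.example.com, and a constructed allow-list built from the TEST-NET documentation ranges; it also assumes the cluster VNet already matches the range the post says works. The security-relevant dependency is spelled out in the comments: the whitelist-source-range annotation compares the source address nginx sees, and with the default externalTrafficPolicy=Cluster that address is the node’s SNAT address, not the client’s, so the filter cannot do its job.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Assumes Helm 2, the stable/nginx-ingress
# chart, a Service "my-app" on port 80 and the hostname app.example.com (all assumptions).
set -euo pipefail

# Constructed allow-list using TEST-NET ranges; replace with your real client ranges.
ALLOWED_CIDRS="${ALLOWED_CIDRS:-203.0.113.0/24,198.51.100.10/32}"
RELEASE="nginx-ingress"
NAMESPACE="kube-system"

# Install the controller with externalTrafficPolicy=Local. With the default "Cluster"
# policy, kube-proxy SNATs inbound traffic to the node address, so nginx would apply the
# whitelist to a node IP instead of the real client IP.
helm_install() {
  helm install stable/nginx-ingress \
    --name "$RELEASE" --namespace "$NAMESPACE" \
    --set controller.service.externalTrafficPolicy=Local
}

# Render the Ingress manifest carrying the allow-list annotation for the given CIDRs.
# Requests from any other source address are answered by nginx with HTTP 403.
render_ingress_manifest() {
  local cidrs="$1"
  cat <<EOF
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-app
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/whitelist-source-range: "${cidrs}"
spec:
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: my-app
          servicePort: 80
EOF
}

# Confirm the running controller Service really has the Local policy; if it silently
# stayed "Cluster", the whitelist would be comparing the wrong address.
verify_policy() {
  local policy
  policy=$(kubectl -n "$NAMESPACE" get svc "${RELEASE}-controller" \
             -o jsonpath='{.spec.externalTrafficPolicy}')
  if [ "$policy" != "Local" ]; then
    echo "externalTrafficPolicy is '${policy}', expected Local" >&2
    return 1
  fi
}

# Only touch the cluster when explicitly asked: ./ingress-whitelist.sh apply
if [ "${1:-}" = "apply" ]; then
  helm_install
  render_ingress_manifest "$ALLOWED_CIDRS" | kubectl apply -f -
  verify_policy
fi
```

After applying, a request from an address outside ALLOWED_CIDRS should receive a 403 from nginx, and the controller’s access log (kubectl logs on the controller pod) should show the client’s public address rather than a node or VNet address; if it shows an internal address, the traffic is still being SNATed and the filter is not protecting anything.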

Hope I can save you some digging, enjoy!
