I have a SOLR cluster set up with a Service of type LoadBalancer to expose port 8983. A requirement is SSL termination, so I have set up an nginx ingress controller with a route through to the back end service. All of this is working as expected; however, I would now like to restrict access to only certain IPs.

When I tried to use the nginx.ingress.kubernetes.io/whitelist-source-range annotation, I noticed that the requests all come from the internal IP of the node, and not from the client as expected. Does this mean traffic needs to be filtered before it gets to the AKS cluster? If so, what is the best method of doing that, as it seems like modifying the automatically-created NSG is not recommended.

1 Answer

To get the external IP passed through properly so you can filter it, you need to set the `service.spec.externalTrafficPolicy` field to `Local` in Nginx.

Sam Cogan
Thanks! For extra clarity, I had to set that field on the load balancer used by nginx, not the route itself: [docs](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#:~:text=spec.,have%20good%20overall%20load%2Dspreading.) – Owen Martin Jan 04 '21 at 14:15
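
The two pieces discussed in this thread, put together as an added example (not taken from the question, the answer or the ingress-nginx project): the controller's LoadBalancer Service with `externalTrafficPolicy: Local`, and the Ingress carrying the `whitelist-source-range` annotation. Every name, namespace, selector label, port name, host, secret and CIDR below is an assumption to be replaced with the values from your own cluster.

```yaml
# 1) Service in front of the nginx ingress controller (the load balancer the
#    comment above refers to). With the default policy, Cluster, traffic may be
#    forwarded between nodes and source-NATed, so nginx sees a node IP.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-controller      # assumed name
  namespace: ingress-nginx            # assumed namespace
spec:
  type: LoadBalancer
  externalTrafficPolicy: Local        # default is Cluster; Local preserves the client source IP
  selector:                           # assumed labels; match your controller pods
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/component: controller
  ports:
    - name: https
      port: 443
      targetPort: https               # assumed named port on the controller pod
---
# 2) Ingress for Solr. The allowlist is evaluated against the client address
#    nginx sees, so it only works as intended once (1) is in place.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: solr                          # assumed name
  namespace: solr                     # assumed namespace
  annotations:
    # Constructed sample ranges (documentation address space)
    nginx.ingress.kubernetes.io/whitelist-source-range: "203.0.113.0/24,198.51.100.17/32"
spec:
  ingressClassName: nginx
  tls:
    - hosts: [solr.example.com]       # assumed host
      secretName: solr-tls            # assumed TLS secret
  rules:
    - host: solr.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: solr            # assumed backend Service name
                port:
                  number: 8983
```

With `Local`, only nodes that run a controller pod pass the load balancer's health check and receive traffic, so spread the controller replicas across nodes. The allowlist only protects the path through the ingress: while the Solr Service itself remains of type LoadBalancer, as described in the question, port 8983 is still reachable directly and the backend Service should be ClusterIP.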