Load Balancer and Network Policy
When traffic is forwarded to the pods from the NSX load balancer virtual server, the
source IP is the tier-1 router's uplink port's IP address. This address is on the private
tier-1 transit network, and can cause the CIDR-based network policies to disallow traffic
that should be allowed.
To avoid this issue, the network policy must be configured such that the tier-1 router's
uplink port's IP address is part of the allowed CIDR block. NCP exposes this internal IP
address as an annotation (ncp/internal_ip_for_policy) on the Ingress and Service resources,
so you do not have to look it up in NSX. For example, if the external IP address of the
virtual server is 4.4.0.5 and the IP address of the internal tier-1 router's uplink port
is 100.64.224.11, the status will be:
  status:
    loadBalancer:
      ingress:
      - ip: 4.4.0.5
The annotation on the Ingress and on the Service of type LoadBalancer will be:
  ncp/internal_ip_for_policy: 100.64.224.11
The IP address 100.64.224.11 must belong to the allowed CIDR in the ipBlock selector of the
network policy. Allowing only the external virtual server IP (4.4.0.5) is not enough, because
the pods never see that address as the source. For example:
  apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  ...
  ingress:
  - from:
    - ipBlock:
        cidr: 100.64.224.11/32
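The following is an added example, not part of the NCP documentation or NCP's own code. It shows how to check, offline, whether a NetworkPolicy's ipBlock rules admit the tier-1 uplink IP that NCP records in the ncp/internal_ip_for_policy annotation, and how to add the /32 rule described above when they do not. Objects are represented as plain dicts in the shape that "kubectl get ... -o json" returns; the Service and NetworkPolicy manifests below are constructed for the example, and the policy deliberately allows only the external VIP range to reproduce the mistake this page warns about.

```python
"""Verify that a NetworkPolicy admits the NSX tier-1 uplink IP annotated by NCP.

Added example (not NCP code). Objects are plain dicts as returned by
`kubectl get <kind> -o json`; the samples below are constructed.
"""
import copy
import ipaddress

ANNOTATION = "ncp/internal_ip_for_policy"

# Constructed sample: a Service of type LoadBalancer after NCP reconciled it.
SERVICE = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {
        "name": "web",
        "namespace": "shop",
        "annotations": {ANNOTATION: "100.64.224.11"},
    },
    "spec": {"type": "LoadBalancer", "selector": {"app": "web"}},
    "status": {"loadBalancer": {"ingress": [{"ip": "4.4.0.5"}]}},
}

# Constructed sample: a policy written against the external VIP range only.
# Pods see the tier-1 uplink IP as the source, so this silently drops LB traffic.
POLICY_TOO_NARROW = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "allow-lb", "namespace": "shop"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "web"}},
        "policyTypes": ["Ingress"],
        "ingress": [{"from": [{"ipBlock": {"cidr": "4.4.0.0/24"}}]}],
    },
}


def internal_ip(obj):
    """Return the tier-1 uplink IP NCP annotated on a Service/Ingress, or None."""
    value = obj.get("metadata", {}).get("annotations", {}).get(ANNOTATION)
    return ipaddress.ip_address(value) if value else None


def ip_blocks(policy):
    """Yield every ipBlock peer found in the policy's ingress rules."""
    for rule in policy.get("spec", {}).get("ingress", []):
        for peer in rule.get("from", []):
            block = peer.get("ipBlock")
            if block:
                yield block


def block_admits(block, ip):
    """Kubernetes ipBlock semantics: inside cidr and not inside any 'except' range."""
    if ip not in ipaddress.ip_network(block["cidr"], strict=False):
        return False
    return not any(
        ip in ipaddress.ip_network(exc, strict=False) for exc in block.get("except", [])
    )


def policy_admits_internal_ip(policy, obj):
    """True/False if the policy admits the annotated IP; None if NCP has not annotated obj yet."""
    ip = internal_ip(obj)
    if ip is None:
        return None
    return any(block_admits(block, ip) for block in ip_blocks(policy))


def with_internal_ip_rule(policy, obj):
    """Return a copy of the policy with a /32 ipBlock peer for the annotated IP
    appended to the first ingress rule (the fix the page describes)."""
    ip = internal_ip(obj)
    if ip is None:
        raise ValueError(f"{ANNOTATION} annotation missing; NCP has not reconciled the object")
    fixed = copy.deepcopy(policy)
    ingress = fixed.setdefault("spec", {}).setdefault("ingress", [])
    if not ingress:  # an empty ingress list means deny-all, so create the first rule
        ingress.append({})
    ingress[0].setdefault("from", []).append(
        {"ipBlock": {"cidr": f"{ip}/{ip.max_prefixlen}"}}
    )
    return fixed


if __name__ == "__main__":
    print("admits before fix:", policy_admits_internal_ip(POLICY_TOO_NARROW, SERVICE))
    fixed = with_internal_ip_rule(POLICY_TOO_NARROW, SERVICE)
    print("admits after fix: ", policy_admits_internal_ip(fixed, SERVICE))
    print("added peer:       ", fixed["spec"]["ingress"][0]["from"][-1])
```

The check honours ipBlock "except" ranges, so a broad CIDR such as 100.64.0.0/10 with the uplink subnet excepted is correctly reported as not admitting the address. In a cluster, the same functions can be fed the JSON from kubectl to audit every policy in a namespace before traffic is cut over to the NSX load balancer.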