Load Balancer and Network Policy

When traffic is forwarded to the pods from the NSX load balancer virtual server, the source IP is the tier-1 router's uplink port's IP address. This address is on the private tier-1 transit network, and can cause the CIDR-based network policies to disallow traffic that should be allowed.

To avoid this issue, the network policy must be configured such that the tier-1 router's uplink port's IP address is part of the allowed CIDR block. This internal IP address will be visible as an annotation (

ncp/internal_ip_for_policy

) on the Ingress and Service resources.

For example, if the external IP address of the virtual server is 4.4.0.5 and the IP address of the internal tier-1 router's uplink port is 100.64.224.11, the status will be:

    status:
      loadBalancer:
      ingress:
      - ip: 4.4.0.5

The annotation on the Ingress and service of type LoadBalancer resource will be:

    ncp/internal_ip_for_policy: 100.64.224.11

The IP address 100.64.224.11 must belong to the allowed CIDR in the

ipBlock

selector of the network policy. For example,

    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    ...
    ingress:
    - from:
      - ipBlock:
         cidr: 100.64.224.11/32

Load Balancing

Content feedback and comments

VMware NSX Container Plugin 3.0

Load Balancer and Network Policy