Loadbalancer Source Range

When using an Ingress with the ingress.appscode.com/type: LoadBalancer annotation, you can specify the IP ranges that are allowed to access the load balancer by using spec.loadBalancerSourceRanges. This field takes a list of IP CIDR ranges, which are forwarded to Kubernetes and used to configure firewall exceptions. This feature is currently supported on Google Compute Engine, Google Container Engine and AWS. The field is ignored if the cloud provider does not support the feature, in which case it places no restriction on the load balancer.

In the following example, assuming 10.0.0.0/8 is the internal subnet, a load balancer will be created that is only accessible from cluster-internal IPs. Clients from outside your Kubernetes cluster will not be able to access the load balancer.

apiVersion: voyager.appscode.com/v1beta1
kind: Ingress
metadata:
  name: test-ingress
  namespace: default
spec:
  rules:
  - host: appscode.example.com
    http:
      paths:
      - backend:
          serviceName: test-service
          servicePort: '80'
  loadBalancerSourceRanges:
  - 10.0.0.0/8

In the following example, a load balancer will be created that is only accessible to clients with the IP addresses 130.211.204.1 and 130.211.204.2.

apiVersion: voyager.appscode.com/v1beta1
kind: Ingress
metadata:
  name: test-ingress
  namespace: default
spec:
  rules:
  - host: appscode.example.com
    http:
      paths:
      - backend:
          serviceName: test-service
          servicePort: '80'
  loadBalancerSourceRanges:
  - 130.211.204.1/32
  - 130.211.204.2/32

NB: Currently there is a bug in Kubernetes due to which changing loadBalancerSourceRanges does not change the SecurityGroup in AWS.
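
Because of the AWS behaviour noted above, it is worth comparing the declared ranges against what the security group actually allows. The following is an added example, not part of Voyager or the original page: the function names are hypothetical, the input is assumed to have the shape of `aws ec2 describe-security-groups` JSON output, and the sample data (including the group ID) is constructed.

```python
import ipaddress

def normalize(cidrs):
    """Parse CIDRs strictly; return (set of networks, list of rejected strings)."""
    nets, invalid = set(), []
    for cidr in cidrs:
        try:
            nets.add(ipaddress.ip_network(cidr, strict=True))
        except ValueError:  # malformed, or host bits set (e.g. 10.0.0.1/8)
            invalid.append(cidr)
    return nets, invalid

def sg_ranges(describe_output, port):
    """Collect IPv4 CIDRs that the security groups allow to reach `port`."""
    found = set()
    for group in describe_output["SecurityGroups"]:
        for perm in group.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            covers = proto == "-1" or (  # "-1" means all protocols and ports
                proto == "tcp"
                and perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535))
            if covers:
                found.update(r["CidrIp"] for r in perm.get("IpRanges", []))
    return found

def audit(declared, describe_output, port=80):
    """Diff spec.loadBalancerSourceRanges against the live security group."""
    want, invalid = normalize(declared)
    have, _ = normalize(sg_ranges(describe_output, port))
    return {
        "invalid": invalid,
        "stale": sorted(str(n) for n in have - want),    # open in AWS, not declared
        "missing": sorted(str(n) for n in want - have),  # declared, not open in AWS
    }

# Constructed sample: the Ingress was changed from the first example on this
# page to the second, but the security group still carries the old range.
SAMPLE_SG = {"SecurityGroups": [{
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "192.0.2.0/24"}]},
    ],
}]}
DECLARED = ["130.211.204.1/32", "130.211.204.2/32"]

if __name__ == "__main__":
    print(audit(DECLARED, SAMPLE_SG))
```

A non-empty "stale" list means addresses that were removed from the Ingress can still reach the load balancer, so the security group needs to be corrected by hand or the load balancer recreated.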
