Bobcares

Restrict CIDR IP addresses for LoadBalancer Amazon EKS

by | Sep 2, 2021

Want to restrict CIDR IP addresses for a LoadBalancer type service in Amazon EKS? We can help you.

Here, at Bobcares, we assist our customers with several AWS queries as part of our AWS Support Services.

Today, let us see how we can restrict the CIDR IP addresses.

Restrict CIDR IP addresses for LoadBalancer Amazon EKS

If we create a service of type LoadBalancer, it allows requests from the source 0.0.0.0/0 by default.

If the load balancer is in a public subnet, requests are therefore routed to the worker nodes from anywhere on the internet.

Moving ahead, let us see the steps our Support Techs use in this situation.

  • Set up the environment

1. Initially, we create an Amazon EKS cluster.

2. Then we create and launch worker nodes.

3. After that, we go ahead and set up kubectl, AWS CLI and the AWS Load Balancer Controller.

The AWS Load Balancer Controller supports both NLB IP mode and NLB instance mode.

Our Support Techs recommend using the AWS Load Balancer Controller whenever we provision a new NLB.

  • Restrict CIDR IP addresses

1. Here, first, in the service manifest file (svc.yaml), we add the .spec.loadBalancerSourceRanges field.

For example, like this:

apiVersion: v1
kind: Service
metadata:
  labels:
    app: nginx
  name: nginx
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: "external"
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "instance"
    service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
spec:
  ports:
    - port: 80
      protocol: TCP
      targetPort: 80
  selector:
    app: nginx
  type: LoadBalancer
  loadBalancerSourceRanges:
    - "xxx.xxx.x.x/16"

2. Then, in order to apply the manifest file, we run the following command:

$ kubectl apply -f svc.yaml

3. We run the following AWS CLI command to confirm that the inbound rules on the security group were modified and now list only the declared range:

$ aws ec2 describe-security-groups --group-ids sg-XXXXXXXXXXXXXXXXX
...
"CidrIp": "143.231.0.0/16"
...

Finally, we need to consider a couple of things. They are:

If we use NLB IP mode, the .spec.loadBalancerSourceRanges field is ignored by default.

So, we need to use:

service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: preserve_client_ip.enabled=true

This will enable Client IP preservation.

Also, for a service backed by an NLB, keep the security group rule limit in mind, since each source range is added as an inbound rule.
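As an added example (not code from the original post), a small Python checker that applies the rules described above: it flags a manifest that leaves the source at the 0.0.0.0/0 default or that uses NLB IP mode without preserve_client_ip, and compares the inbound rules returned by describe-security-groups against the declared ranges. The SERVICE dict and SG_JSON are constructed samples, and manifest_findings / rules_outside_ranges are hypothetical names.

```python
import ipaddress
import json

TARGET_TYPE = "service.beta.kubernetes.io/aws-load-balancer-nlb-target-type"
TG_ATTRS = "service.beta.kubernetes.io/aws-load-balancer-target-group-attributes"

# Constructed sample: the post's svc.yaml as a dict, with the /16 that its
# describe-security-groups output shows.
SERVICE = {
    "metadata": {"name": "nginx", "annotations": {TARGET_TYPE: "instance"}},
    "spec": {"type": "LoadBalancer",
             "loadBalancerSourceRanges": ["143.231.0.0/16"]},
}
# Constructed sample: trimmed `aws ec2 describe-security-groups` output with one
# rule the manifest allows and one (0.0.0.0/0) it does not.
SG_JSON = json.dumps({"SecurityGroups": [{"GroupId": "sg-XXXXXXXXXXXXXXXXX", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "143.231.0.0/16"}, {"CidrIp": "0.0.0.0/0"}]}]}]})

def manifest_findings(manifest):
    """Problems with .spec.loadBalancerSourceRanges before the manifest is applied."""
    spec, findings = manifest.get("spec", {}), []
    ranges = spec.get("loadBalancerSourceRanges") or []
    if spec.get("type") == "LoadBalancer" and not ranges:
        findings.append("no loadBalancerSourceRanges: source defaults to 0.0.0.0/0")
    for cidr in ranges:
        if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
            findings.append(f"{cidr} admits the whole internet")
    ann = manifest.get("metadata", {}).get("annotations", {})
    # NLB IP mode ignores the field unless client IP preservation is turned on.
    if ranges and ann.get(TARGET_TYPE) == "ip" and \
            "preserve_client_ip.enabled=true" not in ann.get(TG_ATTRS, "").replace(" ", ""):
        findings.append("NLB ip mode without preserve_client_ip.enabled=true: ranges are ignored")
    return findings

def rules_outside_ranges(sg_json, ranges):
    """Inbound CidrIp values that are not contained in any declared source range."""
    allowed = [ipaddress.ip_network(c, strict=False) for c in ranges]
    outside = []
    for group in json.loads(sg_json)["SecurityGroups"]:
        for perm in group.get("IpPermissions", []):
            for rng in perm.get("IpRanges", []):
                net = ipaddress.ip_network(rng["CidrIp"], strict=False)
                if not any(a.version == net.version and net.subnet_of(a) for a in allowed):
                    outside.append(rng["CidrIp"])
    return outside

if __name__ == "__main__":
    print(manifest_findings(SERVICE))
    print(rules_outside_ranges(SG_JSON, SERVICE["spec"]["loadBalancerSourceRanges"]))
```

In practice the JSON would come from the describe-security-groups call shown above, and the manifest from svc.yaml.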

Conclusion

In short, we saw how our Support Techs go ahead and restrict CIDR IP addresses.
