Want to restrict CIDR IP addresses for a LoadBalancer type service in Amazon EKS? We can help you.
Here, at Bobcares, we assist our customers with several AWS queries as part of our AWS Support Services.
Today, let us see how we can restrict the CIDR IP addresses.
Restrict CIDR IP addresses for LoadBalancer Amazon EKS
If we create a service of type: LoadBalancer, it allows requests from the source 0.0.0.0/0 by default.
If the load balancer is in a public subnet, requests are routed to the worker nodes from anywhere on the internet.
Moving ahead, let us see the steps our Support Techs use in this situation.
Set up the environment
1. Initially, we create an Amazon EKS cluster.
2. Then we create and launch worker nodes.
3. After that, we go ahead and set up kubectl, AWS CLI and the AWS Load Balancer Controller.
The AWS Load Balancer Controller supports NLB ip mode and NLB instance mode.
Our Support Techs recommend using the AWS Load Balancer Controller when we provision a new NLB.
Restrict CIDR IP addresses
1. Here, first, in the service manifest file (svc.yaml), we add the .spec.loadBalancerSourceRanges field.
For example, like this:
apiVersion: v1
kind: Service
metadata:
  labels:
    app: nginx
  name: nginx
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: "external"
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "instance"
    service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
spec:
  ports:
    - port: 80
      protocol: TCP
      targetPort: 80
  selector:
    app: nginx
  type: LoadBalancer
  loadBalancerSourceRanges:
    - "xxx.xxx.x.x/16"
2. Then, in order to apply the manifest file, we run the following command:
$ kubectl apply -f svc.yaml
3. We run the AWS CLI command to confirm that the inbound rules on the security group are modified:
$ aws ec2 describe-security-groups --group-ids sg-XXXXXXXXXXXXXXXXX
...
"CidrIp": "188.8.131.52/16"
...
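To turn step 3 into a repeatable check, here is an added example (not from the original post) that parses the JSON from `aws ec2 describe-security-groups` and flags any inbound rule on the service port whose CIDR is not contained in the Service's loadBalancerSourceRanges. The security group JSON below is a constructed sample with a placeholder group ID; in practice it is saved from the AWS CLI command above.

```python
"""Audit an NLB security group against a Service's loadBalancerSourceRanges."""
import ipaddress
import json

# Constructed sample of (trimmed) `aws ec2 describe-security-groups` output.
# It deliberately contains one rule that still allows 0.0.0.0/0 on port 80.
SAMPLE_SG_JSON = json.dumps({
    "SecurityGroups": [{
        "GroupId": "sg-00000000000000000",  # placeholder, not a real group
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    }]
})


def audit_sg(sg_json, allowed_ranges, service_ports):
    """Return (cidr, port range) pairs that reach a service port but fall
    outside allowed_ranges, i.e. rules the manifest did not intend to open."""
    allowed = [ipaddress.ip_network(c, strict=False) for c in allowed_ranges]
    findings = []
    for group in json.loads(sg_json)["SecurityGroups"]:
        for perm in group.get("IpPermissions", []):
            # IpProtocol "-1" rules carry no port keys: treat them as all ports.
            lo = perm.get("FromPort", 0)
            hi = perm.get("ToPort", 65535)
            if not any(lo <= p <= hi for p in service_ports):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for raw in cidrs:
                cidr = ipaddress.ip_network(raw, strict=False)
                # subnet_of() only compares same-version networks.
                covered = any(cidr.subnet_of(a) for a in allowed
                              if a.version == cidr.version)
                if not covered:
                    findings.append((str(cidr), f"{lo}-{hi}"))
    return findings


if __name__ == "__main__":
    # Expected: the 0.0.0.0/0 rule on port 80 is reported, the /24 is not.
    for cidr, ports in audit_sg(SAMPLE_SG_JSON, ["203.0.113.0/24"], [80]):
        print(f"unexpected inbound rule: {cidr} on tcp {ports}")
```

Run it against the real output by replacing SAMPLE_SG_JSON with the saved CLI JSON and allowed_ranges with the manifest's loadBalancerSourceRanges; an empty result means the security group matches the manifest.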
Finally, we need to consider a couple of things. They are:
If we have NLB ip mode, then the .spec.loadBalancerSourceRanges field is ignored by default.
So, we need to use:
This will enable Client IP preservation.
Then, for a service of NLB type, we need to keep the maximum security group limit in mind.
In short, we saw how our Support Techs go ahead and restrict CIDR IP addresses.