When traffic is forwarded to the pods from the NSX load balancer virtual server, the source IP seen by the pods is the IP address of the tier-1 router's uplink port, not the client's address. That address lies on the private tier-1 transit network, so a CIDR-based network policy written for the clients' real addresses can reject load-balanced traffic that should be allowed.

To avoid this issue, configure the network policy so that the tier-1 router's uplink port IP address falls inside an allowed CIDR block. NCP exposes this internal IP address as an annotation (ncp/internal_ip_for_policy) on the Ingress and Service resources.

For example, if the external IP address of the virtual server is and the IP address of the internal tier-1 router's uplink port is, the status will be:
      - ip:
The annotation on the Ingress and on the Service of type LoadBalancer will be:
The annotated IP address must belong to the allowed CIDR in the ipBlock selector of the network policy. For example (the CIDR below is a placeholder to be replaced with a block containing the annotated IP):
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata: {name: allow-nsx-lb-source}
    spec:
      podSelector: {}
      ingress:
      - from:
        - ipBlock: {cidr: <CIDR containing the tier-1 uplink IP>}
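To check a deployment for this mismatch before traffic is dropped, the following added script (not part of the NCP documentation or product) reads the ncp/internal_ip_for_policy annotation from a Service and tests it against every ipBlock peer in a NetworkPolicy, including ipBlock except ranges; the resource objects, IP addresses and CIDRs are constructed for illustration.

```python
import ipaddress

# Annotation NCP sets on Ingress / LoadBalancer Service resources (from the page).
NCP_ANNOTATION = "ncp/internal_ip_for_policy"

# Constructed sample objects: the IP addresses and CIDRs below are illustrative, not from the page.
SAMPLE_SERVICE = {
    "kind": "Service",
    "metadata": {"name": "web", "annotations": {NCP_ANNOTATION: "100.64.0.2"}},
}
SAMPLE_POLICY = {
    "kind": "NetworkPolicy",
    "metadata": {"name": "allow-clients"},
    "spec": {
        "podSelector": {},
        "ingress": [
            {"from": [{"ipBlock": {"cidr": "10.0.0.0/8", "except": ["10.1.0.0/16"]}}]},
        ],
    },
}

def ncp_source_ip(resource):
    """Return the tier-1 uplink IP that NCP recorded on the resource, or None."""
    value = resource.get("metadata", {}).get("annotations", {}).get(NCP_ANNOTATION)
    return ipaddress.ip_address(value) if value else None

def ip_block_allows(ip_block, ip):
    """True if ip lies inside the block's cidr and is not carved out by an 'except' entry."""
    if ip not in ipaddress.ip_network(ip_block["cidr"], strict=False):
        return False
    return not any(ip in ipaddress.ip_network(e, strict=False) for e in ip_block.get("except", []))

def policy_allows_source(policy, ip):
    """True if any ingress rule has an ipBlock peer that admits traffic from ip."""
    for rule in policy.get("spec", {}).get("ingress", []):
        for peer in rule.get("from", []):
            block = peer.get("ipBlock")
            if block and ip_block_allows(block, ip):
                return True
    return False

def lb_traffic_reaches_pods(service, policy):
    """True if traffic forwarded by the NSX load balancer (seen by the pods as the
    annotated tier-1 uplink IP) would pass the policy's ingress rules."""
    ip = ncp_source_ip(service)
    if ip is None:
        raise ValueError(f"{NCP_ANNOTATION} annotation missing; cannot evaluate")
    return policy_allows_source(policy, ip)
```

With the sample objects the function returns False, because the annotated 100.64.0.2 source lies outside the 10.0.0.0/8 block; widening the cidr (or adding a second ipBlock that covers the uplink IP) makes it return True.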