When traffic is forwarded to the pods from the NSX load balancer virtual server, the source IP address seen by the pods is the IP address of the tier-1 router's uplink port. This address is on the private tier-1 transit network, so CIDR-based network policies that only allow the expected client or pod ranges can block load-balanced traffic that should be allowed.
To avoid this issue, the network policy must be configured such that the tier-1 router's uplink port's IP address is part of the allowed CIDR block. This internal IP address will be visible as an annotation (ncp/internal_ip_for_policy) on the Ingress and Service resources.
For example, if the external IP address of the virtual server is 4.4.0.5 and the IP address of the internal tier-1 router's uplink port is 100.64.224.11, the status will be:
status:
  loadBalancer:
    ingress:
    - ip: 4.4.0.5
The annotation on the Ingress resource and on the Service of type LoadBalancer will be:
ncp/internal_ip_for_policy: 100.64.224.11

The IP address 100.64.224.11 must belong to the allowed CIDR in the ipBlock selector of the network policy. For example,
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
...
ingress:
- from:
  - ipBlock:
      cidr: 100.64.224.11/32
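An added audit check, not part of the NCP documentation or product: it reads the ncp/internal_ip_for_policy annotation from a Service and tests whether a NetworkPolicy's ipBlock peers actually cover that address, honouring 'except' carve-outs and the rule-without-from case that allows all sources. The Service and the two policies are constructed samples that reuse the addresses from the example above.

```python
import ipaddress

ANNOTATION = "ncp/internal_ip_for_policy"

# Constructed sample Service of type LoadBalancer, annotated the way NCP
# does it (values from the example above, not a live cluster object).
SERVICE = {
    "kind": "Service",
    "metadata": {"name": "web", "annotations": {ANNOTATION: "100.64.224.11"}},
    "spec": {"type": "LoadBalancer"},
    "status": {"loadBalancer": {"ingress": [{"ip": "4.4.0.5"}]}},
}

# Constructed policy that only trusts the pod network; it drops load-balanced
# traffic because the source is the tier-1 uplink IP, not a pod address.
POLICY_MISSING_UPLINK = {
    "kind": "NetworkPolicy",
    "spec": {"ingress": [{"from": [{"ipBlock": {"cidr": "10.0.0.0/8"}}]}]},
}

# Same policy with the annotated uplink IP added as a /32 ipBlock peer.
POLICY_WITH_UPLINK = {
    "kind": "NetworkPolicy",
    "spec": {"ingress": [{"from": [
        {"ipBlock": {"cidr": "10.0.0.0/8"}},
        {"ipBlock": {"cidr": "100.64.224.11/32"}},
    ]}]},
}


def internal_policy_ip(resource):
    """Return the uplink IP NCP recorded on the resource, or None."""
    return resource.get("metadata", {}).get("annotations", {}).get(ANNOTATION)


def ipblock_covers(ipblock, ip):
    """True if ip lies inside cidr and is not carved out by an 'except' entry."""
    addr = ipaddress.ip_address(ip)
    if addr not in ipaddress.ip_network(ipblock["cidr"], strict=False):
        return False
    return not any(addr in ipaddress.ip_network(e, strict=False)
                   for e in ipblock.get("except", []))


def policy_allows_ip(policy, ip):
    """True if some ingress rule admits ip: either it has no 'from' peers
    (Kubernetes treats that as allow-all) or an ipBlock peer covers ip."""
    for rule in policy.get("spec", {}).get("ingress", []):
        peers = rule.get("from")
        if not peers:
            return True
        if any("ipBlock" in p and ipblock_covers(p["ipBlock"], ip) for p in peers):
            return True
    return False


def policy_covers_service(policy, service):
    """Does the policy admit the uplink IP that NCP annotated on the service?"""
    ip = internal_policy_ip(service)
    return ip is not None and policy_allows_ip(policy, ip)
```

Run policy_covers_service against each NetworkPolicy selecting the backend pods; any False result means load-balanced traffic to those pods will be dropped.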