When traffic is forwarded to the pods from the NSX load balancer virtual server, the source IP seen by the pods is the IP address of the tier-1 router's uplink port, not the client's address. This address is on the private tier-1 transit network, so CIDR-based network policies that only allow the expected client ranges can drop traffic that should be allowed.
To avoid this issue, the network policy must be configured such that the tier-1 router's uplink port's IP address is part of the allowed CIDR block. This internal IP address will be visible as an annotation (ncp/internal_ip_for_policy) on the Ingress and Service resources.
status:
  loadBalancer:
    ingress:
    - ip: 22.214.171.124

metadata:
  annotations:
    ncp/internal_ip_for_policy: 100.64.224.11

The IP address 100.64.224.11 must belong to the allowed CIDR in the ipBlock selector of the network policy. For example,

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
...
ingress:
- from:
  - ipBlock:
      cidr: 100.64.224.11/32
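The following script is an added example, not part of the original documentation or of the NCP project: it checks whether a NetworkPolicy's ipBlock selectors cover the address carried in the ncp/internal_ip_for_policy annotation (honouring any except list), and produces a corrected copy of the policy with a /32 entry for that address. The Service and NetworkPolicy manifests are constructed sample data (the annotation value and address are those from the page; the client range 203.0.113.0/24, the namespace and names are assumptions), embedded as dicts so the script runs offline without a cluster.

```python
import copy
import ipaddress

ANNOTATION = "ncp/internal_ip_for_policy"

# Constructed sample Service as NCP would annotate it after exposing it
# through the NSX load balancer (addresses taken from the page).
SAMPLE_SERVICE = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {
        "name": "web",          # assumed name
        "namespace": "demo",    # assumed namespace
        "annotations": {ANNOTATION: "100.64.224.11"},
    },
    "status": {"loadBalancer": {"ingress": [{"ip": "22.214.171.124"}]}},
}

# Constructed CIDR-based policy that only allows an external client range,
# so load-balanced traffic (source = tier-1 uplink IP) would be dropped.
POLICY_BEFORE = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "allow-clients", "namespace": "demo"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "web"}},
        "policyTypes": ["Ingress"],
        "ingress": [{"from": [{"ipBlock": {"cidr": "203.0.113.0/24"}}]}],
    },
}


def ingress_ipblocks(policy):
    """Yield every ipBlock peer found in the policy's ingress rules."""
    for rule in policy.get("spec", {}).get("ingress", []):
        for peer in rule.get("from", []):
            block = peer.get("ipBlock")
            if block:
                yield block


def ipblock_covers(block, ip):
    """True if ip lies inside block['cidr'] and not inside any block['except'] entry."""
    if ip not in ipaddress.ip_network(block["cidr"], strict=False):
        return False
    return not any(
        ip in ipaddress.ip_network(exc, strict=False)
        for exc in block.get("except", [])
    )


def internal_ip(resource):
    """Return the annotated tier-1 uplink address, or None if the annotation is absent."""
    value = resource.get("metadata", {}).get("annotations", {}).get(ANNOTATION)
    return ipaddress.ip_address(value) if value else None


def policy_allows_internal_ip(policy, resource):
    """True if at least one ingress ipBlock admits the annotated internal IP."""
    ip = internal_ip(resource)
    if ip is None:
        return False
    return any(ipblock_covers(b, ip) for b in ingress_ipblocks(policy))


def with_internal_ip_allowed(policy, resource):
    """Return a copy of the policy with a /32 ipBlock for the annotated IP
    appended to the 'from' list of every ingress rule (the original is untouched)."""
    ip = internal_ip(resource)
    if ip is None:
        raise ValueError(f"{ANNOTATION} annotation missing")
    fixed = copy.deepcopy(policy)
    peer = {"ipBlock": {"cidr": f"{ip}/32"}}
    for rule in fixed["spec"].setdefault("ingress", []):
        rule.setdefault("from", []).append(peer)
    return fixed


if __name__ == "__main__":
    print("before:", policy_allows_internal_ip(POLICY_BEFORE, SAMPLE_SERVICE))
    fixed = with_internal_ip_allowed(POLICY_BEFORE, SAMPLE_SERVICE)
    print("after: ", policy_allows_internal_ip(fixed, SAMPLE_SERVICE))
    print(fixed["spec"]["ingress"])
```

Because every connection that arrives through the virtual server carries the uplink address as its source, the /32 entry admits all load-balanced traffic to the selected pods on the rule's ports; client-address filtering for that traffic has to be done in front of the load balancer rather than in the pod-level policy.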