You can configure a Kubernetes service of type LoadBalancer to allow load balancer traffic based on the source IP address of the incoming request, and to only allow local pod traffic.

Minimum Requirements

You can use the externalTrafficPolicy and loadBalancerSourceRanges features with a Kubernetes service of type LoadBalancer on a Tanzu Kubernetes cluster that meets the following minimum requirements:

Component                  | Minimum Requirement                          | More Information
vCenter Server and ESXi    | vSphere 7.0 Update 2                         | See the Release Notes.
Supervisor Cluster         | v1.19.1+vmware.2-vsc0.0.8-17610687           | See Update the Supervisor Cluster by Performing a vSphere Namespaces Update.
Load Balancer              | NSX-T Data Center v3.1                       | See Networking for vSphere with Tanzu.
Tanzu Kubernetes Release   | One of the latest Tanzu Kubernetes releases. | See List of Tanzu Kubernetes releases.

About Support for Local Traffic Policy and Source IP Ranges

If you are using NSX-T Data Center networking, you can configure a Kubernetes Service of type LoadBalancer with an external traffic policy and with load balancer source IP ranges. The externalTrafficPolicy field lets you restrict traffic to pods running on the local node. The loadBalancerSourceRanges field lets you specify the source IP ranges that are allowed to reach the service; traffic from any other source is dropped.

Example Service for Local Traffic Only

The following load balancer service specification configures the load balancer instance with the externalTrafficPolicy parameter set to Local. The result is that the load balancer routes traffic only to nodes that have a local pod of the service running.

apiVersion: v1
kind: Service
metadata:
  name: local-only
spec:
  selector:
    app: testApp
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80
  externalTrafficPolicy: Local
  type: LoadBalancer

The feature works using an NSX-T health check monitor. From an NSX-T administration perspective, it is useful to understand how this works internally.

An NSX-T health check monitor watches the Kubernetes health check NodePort allocated by kube-proxy for the server pool that corresponds to the Service of type LoadBalancer. The NSX-T health check monitor sends HTTP GET requests to the target health check NodePort. The kube-proxy on a node returns the HTTP status code 500 when no local pods are running. Nodes that do not have local pods are marked DOWN by NSX-T and appear as such in NSX Manager. Traffic is routed only to nodes that have local pods running.
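The following added example (not VMware, NSX-T or kube-proxy code) emulates the monitor's side of the exchange described above, so you can see why a node with no local pod drops out of the pool. It runs two small stand-in servers that answer the way kube-proxy's healthCheckNodePort does (200 with a JSON body when the node has local endpoints, the 500 the text describes otherwise), adds one unreachable "node", and probes all three. The node names, ports and the JSON body are constructed; in a real cluster every node listens on the same healthCheckNodePort and only the host differs. The monitor logic treats any non-2xx response as DOWN, which is the robust check regardless of the exact error code.

```python
"""Emulate the NSX-T health-check monitor against the healthCheckNodePort that
kube-proxy serves for an externalTrafficPolicy: Local Service.

Added example for this page, not VMware, NSX-T or kube-proxy code. The stub
server, the node names and the port numbers are constructed.
"""
import json
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError, URLError
from urllib.request import urlopen

# Status the page describes for a node with no local pods. The monitor below
# treats any non-2xx status as DOWN, so the exact code is not load-bearing.
NO_LOCAL_PODS_STATUS = 500
SERVICE = {"namespace": "default", "name": "local-only"}  # constructed identity


def make_kube_proxy_stub(local_endpoints):
    """Build a handler that answers like kube-proxy's health check NodePort:
    200 plus a JSON body when local endpoints exist, an error status otherwise."""

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            body = json.dumps(
                {"service": SERVICE, "localEndpoints": local_endpoints}
            ).encode()
            self.send_response(200 if local_endpoints > 0 else NO_LOCAL_PODS_STATUS)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *_):  # keep the example output quiet
            pass

    return Handler


def probe_node(host, port, timeout=2.0):
    """One monitor probe: HTTP GET /healthz on the node's health check port.
    Returns ("UP", local_endpoint_count) or ("DOWN", reason)."""
    try:
        with urlopen(f"http://{host}:{port}/healthz", timeout=timeout) as resp:
            data = json.loads(resp.read().decode())
            return "UP", int(data.get("localEndpoints", 0))
    except HTTPError as err:  # non-2xx: kube-proxy reports no local pods
        return "DOWN", f"HTTP {err.code}"
    except URLError as err:   # node unreachable: also out of the pool
        return "DOWN", f"unreachable: {err.reason}"


def pool_status(nodes):
    """Probe every member of the LB server pool. nodes maps node name -> (host, port);
    the result is the UP/DOWN view NSX Manager would show for the pool."""
    return {name: probe_node(host, port) for name, (host, port) in nodes.items()}


def _closed_loopback_port():
    """Pick a loopback port that is not listening (constructed 'dead node')."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Run two kube-proxy stubs (one node with a local pod, one without) plus one
    unreachable node, probe all three and shut the stubs down again."""
    servers, nodes = [], {}
    for name, n_local in (("worker-a", 1), ("worker-b", 0)):
        srv = HTTPServer(("127.0.0.1", 0), make_kube_proxy_stub(n_local))
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        servers.append(srv)
        nodes[name] = ("127.0.0.1", srv.server_address[1])
    nodes["worker-c"] = ("127.0.0.1", _closed_loopback_port())
    try:
        return pool_status(nodes)
    finally:
        for srv in servers:
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for node, (state, detail) in demo().items():
        print(f"{node}: {state} ({detail})")
```

Against a real cluster you would read the port with `kubectl get svc local-only -o jsonpath='{.spec.healthCheckNodePort}'` and point probe_node at each worker's address; a node that shows DOWN in NSX Manager while its pod is Running usually means the probe itself is blocked (firewall or NodePort range) rather than a missing endpoint.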

Example Service to Allow Traffic Based on Source IP Ranges

The following load balancer service specification configures the loadBalancerSourceRanges parameter with an array of allowed source IP CIDRs. Only inbound requests emanating from these source IP ranges will be allowed; all other inbound traffic will be dropped.

apiVersion: v1
kind: Service
metadata:
  name: allow-based-on-source-ips
spec:
  selector:
    app: testApp
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80
  loadBalancerSourceRanges:
  - 10.0.0.0/24
  - 10.1.0.0/24
  type: LoadBalancer
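The following added example (not VMware or Kubernetes code) shows how the allow/drop decision for the manifest above plays out for individual clients. It validates the loadBalancerSourceRanges entries as CIDRs the way the API server requires (a bare address without a prefix length is rejected), treats an absent or empty list as no restriction, and evaluates a set of constructed client addresses. The spec dict is a copy of the fields above; the client addresses are constructed.

```python
"""Evaluate which client source addresses a Service with loadBalancerSourceRanges
admits. Added example for this page, not VMware or Kubernetes code; the spec
dict mirrors the manifest above and the client addresses are constructed."""
import ipaddress

# Copy of the relevant spec fields from the allow-based-on-source-ips manifest.
SERVICE_SPEC = {"loadBalancerSourceRanges": ["10.0.0.0/24", "10.1.0.0/24"]}


def parse_source_ranges(ranges):
    """Turn the list into ip_network objects, rejecting what the API server would
    reject: every entry must be CIDR notation (use /32 or /128 for a single host)."""
    nets = []
    for entry in ranges:
        if "/" not in entry:
            raise ValueError(f"{entry!r} is not CIDR notation; a single host is {entry}/32")
        # strict=False accepts host bits set (10.0.0.7/24) and normalizes to 10.0.0.0/24
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def is_allowed(client_ip, nets):
    """True when the client address falls in at least one allowed range.
    Address-family mismatches (IPv6 client vs IPv4 range) simply do not match."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in nets)


def evaluate(spec, client_ips):
    """Map each client address to the load balancer's decision. An unset or empty
    loadBalancerSourceRanges means no restriction, i.e. everything is admitted."""
    nets = parse_source_ranges(spec.get("loadBalancerSourceRanges") or [])
    if not nets:
        return {ip: True for ip in client_ips}
    return {ip: is_allowed(ip, nets) for ip in client_ips}


if __name__ == "__main__":
    # Constructed sample clients: two inside the ranges, two outside.
    clients = ["10.0.0.25", "10.1.0.200", "10.2.0.1", "192.168.1.9"]
    for ip, ok in evaluate(SERVICE_SPEC, clients).items():
        print(f"{ip:<14} {'allowed' if ok else 'dropped'}")
```

The filter is applied by the load balancer on the address it sees, so clients behind NAT share one decision; if the pod itself needs the real client address as well, combine loadBalancerSourceRanges with externalTrafficPolicy: Local, which preserves the client source IP to the pod.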