Authorization policy for restriction based on Client IP not working

ankita · August 9, 2021, 6:59am

Deployed Istio 1.10 on AKS cluster.
We are using Azure Application Gateway as the frontend and Istio gateway as the backend.
Traffic from the internet will be routed like this :

Traffic >> Azure Application Gateway >> Istio gateway >> Microservice

We have some microservices which we want to be accessible from VPN.
Therefore we are using Authorization policy which will check the Client IP and restrict the access to microservice based on Client IP.

Below Authorization policy will restrict the access to http://hostName/httpbin if not accessed from given IP.

Authorization policy :

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ip-restriction-policy
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: DENY
  rules:
    - from:
      - source:
          notIpBlocks: [ "24.198.223.80" ]
      to:
        - operation:
            paths: [ "/httpbin/*" ]

But this policy is not getting applied as we can see from the istio gateway logs, two ips are sent as Client IP, i.e, 24.198.223.80,172.48.28.4

One more IP of proxy server is getting appended to Client IP.
Does anyone handle such a scenario?

Topic		Replies	Views
Restrict Access by Gateway/Service using source ip	11	6929	September 21, 2020
Authorization Policy IP allow/deny not working on services different than ingress-gateway Security security	5	4829	August 10, 2020
Authorization Policy not filtering traffic towards my service Networking security	3	641	February 15, 2022
Ingress gateway IP whitelist with AuthorizationPolicy	7	3432	March 11, 2020
Authorizationpolicy does not work	1	577	March 6, 2020

Authorization policy for restriction based on Client IP not working

Related Topics