In EKS, I have an ALB Ingress with 2 applications on the same Istio Gateway. For one of the applications I want to allow access (based on URL) only from specific subnets. Using Istio AuthorizationPolicy I can either block or allow everything but it won't work with specific subnets.
For the code below, it allows any ranges outside the ones specified. In fact, if I specify any subnets smaller than /17 (such as /18, /19, etc) it does not work at all. Strange behaviour.
Now I’m thinking that the only way would be to create 2 Ingresses and use the ALB security groups to allow/deny traffic.
Any advice or any other way of doing this?
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-policy
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: ALLOW
  rules:
  - from:
    - source:
        remoteIpBlocks: ["10.51.55.0/24", "10.0.0.0/16"]
    to:
    - operation:
        hosts:
        - app2.domain.com
```
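An added example, not part of the original post: `remoteIpBlocks` is evaluated against the client address Istio recovers from the `X-Forwarded-For` header, and the gateway only trusts that header once `gatewayTopology.numTrustedProxies` is set; until then the address it sees is the ALB node's own VPC address, so a wide block like `10.0.0.0/16` matches everything and a narrower one matches nothing. This assumes the ALB is the single proxy in front of the gateway (hence `numTrustedProxies: 1`), keeps the subnets and host from the question, and uses a DENY policy with `notRemoteIpBlocks` so the other application on the same gateway is left untouched.

```yaml
# 1. Tell the ingress gateway how many trusted proxies (the ALB) sit in front
#    of it, so the rightmost X-Forwarded-For entry is used as the client IP.
#    Mesh-wide default via IstioOperator; the same gatewayTopology block can
#    instead go in a proxy.istio.io/config annotation on the gateway pods.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    defaultConfig:
      gatewayTopology:
        numTrustedProxies: 1   # assumption: exactly one hop (the ALB)
---
# 2. Deny app2.domain.com to every client whose recovered address is outside
#    the listed subnets. Requests for the other host never match this rule,
#    and with no ALLOW policy on the gateway they keep flowing as before.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: app2-subnet-restriction
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: DENY
  rules:
  - from:
    - source:
        notRemoteIpBlocks: ["10.51.55.0/24", "10.0.0.0/16"]
    to:
    - operation:
        hosts: ["app2.domain.com"]
```

To confirm the setting took effect, check the gateway's access log (or an echo backend) for the client address: it should show the original source IP rather than the ALB's private address before trusting the policy in production.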