In EKS, I have an ALB Ingress with 2 applications on the same Istio Gateway. For one of the applications I want to allow access (based on URL) only from specific subnets. Using Istio AuthorizationPolicy I can either block or allow everything, but it won't work with specific subnets.
For the code below, it allows any ranges outside the ones specified. In fact, if I specify any subnets smaller than /17 (such as /18, /19, etc.) it does not work at all. Strange behaviour.
Now I’m thinking that the only way would be to create 2 Ingresses and use the ALB security groups to allow/deny traffic.
Any advice or any other way of doing this?
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-policy
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: ALLOW
  rules:
  - from:
    - source:
        remoteIpBlocks: ["10.51.55.0/24", "10.0.0.0/16"]
    to:
    - operation:
        hosts:
        - app2.domain.com
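To see which address an ALLOW policy like the one above actually evaluates when the ingress gateway sits behind an ALB, here is an added Python model (not Istio or Envoy code, and not part of the question): `remoteIpBlocks` is matched against the client address Istio derives from `X-Forwarded-For` according to `meshConfig.defaultConfig.gatewayTopology.numTrustedProxies`, whereas `ipBlocks` is matched against the TCP peer, which behind an ALB is the load balancer itself. The peer address and header values are constructed; the CIDR list is the one from the policy.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample: what the gateway's Envoy sees behind an ALB.
# The TCP peer is the ALB's VPC address; the real client only survives in X-Forwarded-For.
SAMPLE_PEER_IP = "10.0.7.23"        # ALB node address (constructed)
SAMPLE_XFF = "203.0.113.9"          # appended by the ALB: the real client (constructed)
POLICY_BLOCKS = ["10.51.55.0/24", "10.0.0.0/16"]  # remoteIpBlocks from the policy above


def remote_ip_from_xff(xff: Optional[str], peer_ip: str, num_trusted_proxies: int) -> str:
    """Model of the address remoteIpBlocks is matched against.

    Istio/Envoy trust the address num_trusted_proxies hops from the right of
    X-Forwarded-For. With 0 trusted proxies, or no usable header, the
    connection peer is used, which behind an ALB is the ALB, not the client.
    """
    if num_trusted_proxies <= 0 or not xff:
        return peer_ip
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if len(hops) < num_trusted_proxies:
        return peer_ip  # header too short to contain a trusted hop
    return hops[-num_trusted_proxies]  # anything further left is client-controlled


def matches_blocks(ip: str, blocks: List[str]) -> bool:
    """CIDR match of a single address against the policy's block list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(b, strict=False) for b in blocks)


def evaluate_allow_policy(peer_ip: str, xff: Optional[str], blocks: List[str],
                          num_trusted_proxies: int,
                          use_remote_ip_blocks: bool = True) -> Tuple[str, str]:
    """Return (decision, address_evaluated) for an ALLOW rule on the gateway.

    ipBlocks always checks the peer; remoteIpBlocks checks the XFF-derived address.
    """
    ip = (remote_ip_from_xff(xff, peer_ip, num_trusted_proxies)
          if use_remote_ip_blocks else peer_ip)
    return ("ALLOW" if matches_blocks(ip, blocks) else "DENY"), ip


if __name__ == "__main__":
    # In this constructed sample the ALB's own 10.0.7.23 falls inside 10.0.0.0/16,
    # so with numTrustedProxies=0 every request is allowed regardless of the client;
    # with numTrustedProxies=1 the real client 203.0.113.9 is evaluated and denied.
    for trusted in (0, 1):
        print(trusted, evaluate_allow_policy(SAMPLE_PEER_IP, SAMPLE_XFF, POLICY_BLOCKS, trusted))
```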