Deny specific IP

I have a very specific use case which I’m not able to solve.
We have istio deployed, with the minimal profile, and we use strict mTLS throughout a namespace.
The workloads have unrestricted access to the public internet from within the mesh, that’s why we use OutboundTrafficPolicy.Mode=ALLOW_ANY.
We would like to add a rule/authorization to deny access from within the mesh to a specific IP.
Does anyone know how this can be achieved without switching to REGISTRY_ONLY?
Many thanks

Currently authorization policy is enforced only on inbound traffic meaning you can not use it alone to reject outbound request.

However, you could still achieve this if you could deploy an egress gateway in the mesh and force your workload outbound traffic to go through it, and then you can apply the authorization policy on the egress gateway, see Istio / Egress Gateways for more details about configuring the egress gateway and its security implications (you will need separate k8s NetworkPolicy to make sure the workload won’t be able to bypass the egress gateway)

1 Like

Thanks for the answer.
In the end, we came to the same conclusion. And actually, it is even recommended in the istio docs to also use network policies for extra security configurations.