Ext_authz does not check traffic routed to itself

I am using the CUSTOM action in authz policy to implement external authorization, as in Better External Authorization.

Specifically, I implemented a grpc AuthorizationServer, listed it as an extension provider in the mesh, and configured VirtualServices. To verify it does work, I also added some logging. The logging basically prints out the received Check requests.

The deployment is shown in the picture below. The AuthorizationServer is provided by the container of service A.

What puzzled me is that, while my AuthorizationServer does check traffic going to service B, it does not check traffic going to service A.

Can anyone give a hint?

Sorry, after 2 days of fumbling, I finally noticed that someone had created a NodePort service for serviceA. This NodePort somehow interfered with ext_authz.

After I deleted the NodePort, traffic going to serviceA also came under AuthorizationServer’s Check.

Thanks for your time.