Source IP not preserved for TCP services

I need to support allow/deny policies based on origin IPs for TCP services.

I’m using RBAC network filters through EnvoyFilter to accomplish this task, but it’s only giving results at the ingress level and not when applying the configuration to other workloads.

I stumbled upon a similar problem when trying to do this for HTTP services through ipBlocks using AuthorizationPolicy, but was able to preserve IPs at specific workloads by relying on the remoteIp option using HTTP RBAC filters, as per Authorization Policy IP allow/deny not working on services different than ingress-gateway.

I was expecting to get the same functionality for TCP services, but it looks like I’m missing something. The following EnvoyFilter was used on a single-node MongoDB deployment. Tested on EKS using an NLB, with externalTrafficPolicy already set to Local.

kind: EnvoyFilter
apiVersion: networking.istio.io/v1alpha3
metadata:
  labels:
    app: mongodb-deployment
  name: mongodb-rbac-network-envoyfilter
spec:
  configPatches:
    - applyTo: NETWORK_FILTER # RBAC for TCP is a network (L4) filter; inserted into the sidecar's inbound listener
      match:
        context: SIDECAR_INBOUND
      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.filters.network.rbac
          typed_config:
            "@type": "type.googleapis.com/envoy.config.filter.network.rbac.v2.RBAC"
            stat_prefix: mongodb
            rules:
              action: DENY
              policies:
                policy-default-DENY-27017:
                  permissions:
                    - any: true
                  principals:
                    - remote_ip:
                        address_prefix: 166.116.206.108
                        prefix_len: 32
  workloadSelector:
    labels:
      app.kubernetes.io/instance: mongodb
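The following is an added illustration, not code from the post or from Istio/Envoy. It models the verdict Envoy's network RBAC filter computes for the DENY rule in the EnvoyFilter above and runs it over constructed access-log lines in a hypothetical custom TCP access-log format (not Istio's default) that exposes both `%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%` (the actual TCP peer) and `%DOWNSTREAM_REMOTE_ADDRESS%` (the address the `remote_ip` principal is evaluated against). For a plain TCP hop the two are equal, since TCP carries no equivalent of `X-Forwarded-For`; they only differ when a listener filter (for example PROXY protocol) has supplied the original address. That is the check worth running before trusting an IP-based deny at a workload sidecar: on a pod-to-pod hop the "remote" address is the previous proxy, so a policy keyed on the client's IP silently never matches there.

```python
import ipaddress
import re
from typing import Optional

# Mirror of the EnvoyFilter in the post: action DENY, one policy whose
# permission is "any" and whose principal is remote_ip 166.116.206.108/32.
POLICY_ACTION = "DENY"
POLICY_PRINCIPALS = {
    "policy-default-DENY-27017": ipaddress.ip_network("166.116.206.108/32"),
}

# Constructed sample lines in a hypothetical custom TCP access-log format
# (NOT Istio's default format). Each line exposes both Envoy address fields:
#   direct_remote -> %DOWNSTREAM_DIRECT_REMOTE_ADDRESS% (the immediate TCP peer)
#   remote        -> %DOWNSTREAM_REMOTE_ADDRESS% (what the remote_ip principal checks)
# 10.0.3.17 stands in for the ingress gateway pod's address; 166.116.206.108 is the
# client IP from the policy above.
SAMPLE_LOG = """\
[2023-01-01T00:00:00Z] listener=ingress:27017 direct_remote=166.116.206.108:51000 remote=166.116.206.108:51000
[2023-01-01T00:00:01Z] listener=sidecar:27017 direct_remote=10.0.3.17:41234 remote=10.0.3.17:41234
[2023-01-01T00:00:02Z] listener=sidecar:27017 direct_remote=10.0.3.17:41235 remote=166.116.206.108:51001
"""

LINE_RE = re.compile(r"listener=(\S+)\s+direct_remote=(\S+)\s+remote=(\S+)")


def strip_port(addr: str) -> str:
    """Drop the port from 'ip:port' or '[ipv6]:port'."""
    host, sep, _port = addr.rpartition(":")
    if not sep:
        return addr
    return host.strip("[]")


def rbac_verdict(remote_ip: str) -> tuple[str, Optional[str]]:
    """Evaluate the rule set the way Envoy's network RBAC filter does for a
    DENY action: the connection is denied iff some policy matches. The
    permission is 'any', so only the principal (remote_ip CIDR) decides."""
    ip = ipaddress.ip_address(remote_ip)
    for name, cidr in POLICY_PRINCIPALS.items():
        if ip in cidr:
            return (POLICY_ACTION, name)
    return ("ALLOW", None)


def evaluate_log(text: str) -> list[dict]:
    """Parse the constructed log and attach the RBAC verdict per connection."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        listener, direct_remote, remote = m.groups()
        direct_ip = strip_port(direct_remote)
        remote_ip = strip_port(remote)
        verdict, policy = rbac_verdict(remote_ip)
        rows.append({
            "listener": listener,
            "direct_remote_ip": direct_ip,
            "remote_ip": remote_ip,
            # "peer": Envoy is checking the immediate TCP peer. On a pod-to-pod
            # hop that is the previous proxy, not the original client.
            "address_source": "peer" if remote_ip == direct_ip else "forwarded",
            "verdict": verdict,
            "policy": policy,
        })
    return rows


if __name__ == "__main__":
    for r in evaluate_log(SAMPLE_LOG):
        print(f"{r['listener']:<15} remote={r['remote_ip']:<16} "
              f"({r['address_source']}) -> {r['verdict']} {r['policy'] or ''}")
```

Run as-is, the first line (ingress listener, client connects directly) is denied as intended; the second (sidecar listener, connection arrives from the gateway pod) is allowed even though the real client is the denied one, because the only address the sidecar's RBAC filter can see is its TCP peer. The third line shows what the same sidecar would decide if the original address were forwarded to it by some listener filter.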