This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 40%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDM%3C/text%3E%3C/svg%3E)
I have an AKS setup with an NGINX load balancer and everything works perfectly, all the ingresses work and all the networking is flawless.
For security purposes I need to block access to the server via load balancer IP, is there a way to do so? I searched all over Google and the consensus seems to be that there just isn't a way to do so in K8S.
When the IP is accessed via HTTP, everything is fine and NGINX responds with a 404. But when the IP is accessed via HTTPS (even thought I explicitly disabled listening on port 443 in NGINX), I'm served a fake k8s certificate, which I belive is not served by NGINX, but by the K8S service (or am I wrong?)
Did you install Nginx ingress similar to this manual?
https://learn.microsoft.com/en-us/azure/aks/ingress-basic?tabs=azure-cli
Yes, that exactly how I have it set up, in the guide too though, there doesn't seem to be any mention of blocking direct IP access
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(144, 24%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAA%3C/text%3E%3C/svg%3E)
you can use this loadBalancerSourceRanges:
for more information : https://learn.microsoft.com/en-us/azure/aks/load-balancer-standard#restrict-inbound-traffic-to-specific-ip-ranges
I'm not trying to block some IPs from accessing the services, I'm trying to block the server from being exposed on the IP directly, so that it's accessible only via domain names
Try to disable all IP and whitelist your system or own ip which you are looking for to be access. As if you block one IP might it get hit through other IP.