I want to restrict access for my Azure Kubernetes nginx ingress only for a particular location (API path), only to be accessed from Azure Front Door

Abhishek Singh 376 Reputation points
2024-02-03T06:06:14.8266667+00:00

I want to restrict access to my Azure Kubernetes nginx ingress only for a particular location (API path), so that it can only be accessed from Azure Front Door. I have a configuration snippet, but how do I apply it to only a particular path?

    nginx.ingress.kubernetes.io/configuration-snippet: |
      if ($http_x_azure_fdid !~* "xxxxx-xxx-xxx-xxxxxx")
      {
        return 403;
      }

1 answer

  1. Anveshreddy Nimmala 510 Reputation points Microsoft Vendor
    2024-02-05T04:26:03.6466667+00:00

    Hello @Abhishek Singh, welcome to Microsoft Q&A. Thank you for posting your query here. You can use the annotation to add a custom Nginx configuration snippet to your Ingress resource. Here's an example YAML file that applies the configuration snippet to requests to the path /api and only allows access from Azure Front Door.

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: myapp-ingress
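      annotations:
        # configuration-snippet is rendered inside the location block that
        # ingress-nginx generates for each path of this Ingress, so it is not
        # wrapped in its own location block. Keep only /api in this Ingress.
        nginx.ingress.kubernetes.io/configuration-snippet: |
          if ($http_x_azure_fdid !~* "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx") {
            return 403;
          }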
    spec:
      rules:
      - http:
          paths:
          - path: /api
            pathType: Prefix
            backend:
              service:
                name: myapp-service
                port:
                  number: xx
    

    The snippet restricts access to requests to the path /api and checks the X-Azure-FDID header of incoming requests. If the header does not match the specified pattern, the server will return a 403 Forbidden response. Hope this answer helps you. Please consider accepting the answer to help increase visibility of this question for other members of the Microsoft Q&A community. If not, please let us know what is still needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!
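
Added example, not part of the question or the answer above: because ingress-nginx annotations apply to every path of the Ingress that carries them, one way to scope the Front Door ID check to a single path is to give `/api` its own Ingress and serve the remaining paths of the same host from a second Ingress without the annotation. The host name, Ingress names, ingress class and port number are hypothetical, and the Front Door ID is the placeholder from the page.

```yaml
# Added example. Hypothetical names: app.example.com, myapp-api-fd-only,
# myapp-public, ingress class "nginx", port 80.
# Ingress 1: only /api; carries the Front Door ID check.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp-api-fd-only
  annotations:
    # Rendered inside the location blocks generated for the paths of THIS
    # Ingress only, so other paths on the host are not affected.
    nginx.ingress.kubernetes.io/configuration-snippet: |
      if ($http_x_azure_fdid !~* "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx") {
        return 403;
      }
spec:
  ingressClassName: nginx
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /api
        pathType: Prefix
        backend:
          service:
            name: myapp-service
            port:
              number: 80
---
# Ingress 2: the remaining paths on the same host, no header check.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp-public
spec:
  ingressClassName: nginx
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: myapp-service
            port:
              number: 80
```

The controller must permit snippet annotations (`allow-snippet-annotations` in the ingress-nginx ConfigMap) for the first Ingress to be accepted. The header value can be set by any client that knows the ID, so the check is normally paired with a network rule that admits only the `AzureFrontDoor.Backend` service tag to the ingress controller.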