Best Practices for Restricting Application Entry and Exit IPs in the Cloud In real-world cloud-native deployments, it’s common to require strict control over both the entry (ingress) and exit (egress) points of your services. On cloud platforms, the most straightforward way is to use network-level controls like Network Security Groups (NSGs) or firewalls to restrict access based on source or destination IPs. These mechanisms, however, typically apply globally, not on a per-service basis.
If you need fine-grained IP restrictions at the Kubernetes Service level, here are the main approaches:
LoadBalancer Service (loadBalancerSourceRanges)
For Services of type: LoadBalancer, you can directly restrict which IP CIDRs are allowed to reach the service using the loadBalancerSourceRanges field in the Service definition.
This restriction is automatically reflected in the underlying cloud load balancer (SG/NSG/firewall rule).
This is the most cloud-native way to implement service-level ingress allowlisting.
Copy code
apiVersion: v1
kind: Service
metadata:
name: my-service
spec:
type: LoadBalancer
ports:
- port: 80
loadBalancerSourceRanges:
- 203.0.113.0/24
- 192.0.2.0/24
Istio AuthorizationPolicy
With Istio, you can use AuthorizationPolicy to restrict allowed source IPs at the service proxy (Envoy) level.
This can enforce both external and internal (in-mesh) access control, not only for entrypoints but for any in-mesh traffic as well.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: allow-specific-ips
spec:
selector:
matchLabels:
app: my-app
action: ALLOW
rules:
- from:
- source:
ipBlocks: ["203.0.113.0/24"]
Kubernetes NetworkPolicy
NetworkPolicy is a native Kubernetes resource that can define both ingress and egress rules based on IP addresses or CIDR ranges. It supports granular traffic control between Pods or between Pods and external endpoints. Their effectiveness depends on the CNI plugin being used.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: restrict-egress
spec:
podSelector:
matchLabels:
app: my-app
policyTypes:
- Egress
egress:
- to:
- ipBlock:
cidr: 10.0.0.0/16
Istio Egress-Gateway
Egress Gateway is a powerful component in Istio that allows you to centralize and control all egress traffic leaving the mesh. With Egress Gateway, you can flexibly define which external services can be accessed, enforce policies, monitoring, even do advanced tracing or DLP.
All outbound traffic from mesh workloads is routed through a dedicated Envoy Gateway. You can implement allow/deny rules at the Gateway and/or use other Istio policies. Egress Gateway can work together with NetworkPolicy and cloud firewall for multi-layer security.
Summary Table
| Method | Direction | Granularity | Typical Use |
|---|---|---|---|
| NSG / Cloud Firewall | Ingress/Egress | VPC/Cluster (global) | Macro control, main defense-in-depth |
| loadBalancerSourceRanges | Ingress | Per Service | Service-level white-list for LB Services |
| AuthorizationPolicy | Ingress/Internal | Per Workload/Proxy | Service mesh access, Layer 7 control |
| NetworkPolicy | Ingress/Egress | Per Pod/Namespace | Pod traffic control, cluster microsegmentation |
| Egress Gateway | Egress | Mesh-wide, Policy Custom | Fine-grained egress with monitoring and enforcement |
Best Practice
Combine multiple layers for maximum security: use NSGs/firewalls for global defense, loadBalancerSourceRanges for entry points, NetworkPolicy for intra-cluster rules, and Istio AuthorizationPolicy/Egress Gateway for service mesh traffic governance and egress auditing.