
How do I restrict CIDR IP addresses for the LoadBalancer type service in Amazon EKS?


I want to restrict CIDR IP addresses for a Kubernetes service of type LoadBalancer in Amazon Elastic Kubernetes Service (Amazon EKS).

Resolution

If you create a LoadBalancer type service, then its security group allows requests from 0.0.0.0/0 by default. If your load balancer is in a public subnet, then it routes requests from anywhere on the internet to worker nodes. To restrict the source instead of 0.0.0.0/0, use loadBalancerSourceRanges.

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Set up your environment

To set up your environment, complete the following steps:

  1. Create an Amazon EKS cluster.
  2. Create and launch your worker nodes.
  3. Set up kubectl.
  4. Set up the AWS CLI.
  5. Set up the AWS Load Balancer Controller.

Note: For LoadBalancer type services, the AWS Load Balancer Controller supports loadBalancerSourceRanges for the Network Load Balancer in instance mode from version 2.2.0 onward. For Network Load Balancer IP mode, version 2.0.0 or later is required, and you must activate client IP preservation.

Important: To allocate a new Network Load Balancer for LoadBalancer type services, it's a best practice to use the AWS Load Balancer Controller instead of the Kubernetes Service load balancer controller. For the latest version of the AWS Load Balancer Controller, see aws-load-balancer-controller on the GitHub website.

Restrict CIDR IP addresses

To specify the loadBalancerSourceRanges, add the loadBalancerSourceRanges field or use an annotation.

(Recommended) Add the loadBalancerSourceRanges field

Complete the following steps:

  1. In your svc.yaml file, add the .spec.loadBalancerSourceRanges field to the spec section:

    apiVersion: v1
    kind: Service
    metadata:
      labels:
        app: nginx
      name: nginx
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-type: "external"
        service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "instance" # or "ip"
        service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
        # For NLB IP mode only - required for loadBalancerSourceRanges to work:
        service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: preserve_client_ip.enabled=true
    spec:
      ports:
      - port: 80
        protocol: TCP
        targetPort: 80
      selector:
        app: nginx
      type: LoadBalancer
      loadBalancerSourceRanges:
      - "[IP_ADDRESS]"
  2. To apply your svc.yaml file, run the following command:

    kubectl apply -f svc.yaml
  3. To confirm that the source IP restrictions were applied, run the following command:

    kubectl logs -f YOUR_ALB_CONTROLLER_POD -n YOUR_NAMESPACE

    Note: Replace YOUR_ALB_CONTROLLER_POD with the name of your Pod and YOUR_NAMESPACE with your namespace.

  4. To confirm that the inbound rules on the security group are modified, run the following command:

    aws ec2 describe-security-groups --group-ids YOUR_SECURITY_GROUP_ID

    Note: Replace YOUR_SECURITY_GROUP_ID with your security group ID. The AWS Load Balancer Controller adds the configured load balancer source ranges to the security group's inbound rules.
    Example output:

        "CidrIp": "YOUR_CIDR_BLOCK"
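Reading the describe-security-groups output by eye is error-prone when the controller has added several node-port rules, so the following added example (not AWS's code and not part of the original article) classifies every inbound CIDR in that output as open to the world, within your intended allow list, or outside it. The JSON it consumes is a constructed sample in the shape the AWS CLI returns; the group ID, the RFC 5737 documentation ranges and the 10.0.0.0/16 VPC CIDR are placeholders, and the allow list is assumed to be your loadBalancerSourceRanges value plus the subnet CIDR the controller uses for node-port rules.

```python
import ipaddress
import json

# Constructed sample of `aws ec2 describe-security-groups --group-ids <ID> --output json`
# for a worker-node security group. The group ID and CIDR blocks are placeholders
# (RFC 5737 documentation ranges), not values taken from a real account.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [{
        "GroupId": "sg-0123456789abcdef0",
        "GroupName": "eks-worker-nodes-example",
        "IpPermissions": [
            # Rule the controller added from loadBalancerSourceRanges (expected).
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
            # Node-port rule for the subnet CIDR, also added by the controller (expected).
            {"IpProtocol": "tcp", "FromPort": 30080, "ToPort": 30080,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
            # Left-over default rule: open to the whole internet (must be flagged).
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            # A source that is not on the allow list (must be flagged).
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": "198.51.100.7/32"}], "Ipv6Ranges": []},
        ],
    }]
})

# Sources you intended to allow: the loadBalancerSourceRanges value plus the VPC CIDR
# the controller uses for node-port rules. Both are constructed placeholders.
ALLOWED_SOURCES = ["203.0.113.0/24", "10.0.0.0/16"]

# CIDRs that mean "anyone on the internet".
WORLD = {"0.0.0.0/0", "::/0"}


def _allowed_by(cidr, allowed_networks):
    """True when cidr is fully contained in one allowed network of the same IP version."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == a.version and net.subnet_of(a) for a in allowed_networks)


def audit_inbound_rules(describe_output, allowed_sources):
    """Classify every inbound CIDR in describe-security-groups JSON output.

    Returns a dict with three lists of (group_id, protocol, port_range, cidr) tuples:
    open_to_world, outside_allowed and within_allowed.
    """
    allowed = [ipaddress.ip_network(c, strict=False) for c in allowed_sources]
    findings = {"open_to_world": [], "outside_allowed": [], "within_allowed": []}
    for group in json.loads(describe_output)["SecurityGroups"]:
        for perm in group.get("IpPermissions", []):
            # IpProtocol "-1" (all protocols) carries no port fields.
            ports = f'{perm.get("FromPort", "all")}-{perm.get("ToPort", "all")}'
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                entry = (group["GroupId"], perm["IpProtocol"], ports, cidr)
                if cidr in WORLD:
                    findings["open_to_world"].append(entry)
                elif _allowed_by(cidr, allowed):
                    findings["within_allowed"].append(entry)
                else:
                    findings["outside_allowed"].append(entry)
    return findings


def is_restricted(findings):
    """True only when no inbound rule is open to the world or outside the allow list."""
    return not findings["open_to_world"] and not findings["outside_allowed"]


if __name__ == "__main__":
    result = audit_inbound_rules(SAMPLE_DESCRIBE_OUTPUT, ALLOWED_SOURCES)
    for category, entries in result.items():
        for entry in entries:
            print(category, *entry)
    print("restricted:", is_restricted(result))
```

Against real output, pipe `aws ec2 describe-security-groups --group-ids YOUR_SECURITY_GROUP_ID --output json` into the script and pass the CIDRs you set in the manifest as the allow list; a non-empty open_to_world list means the default 0.0.0.0/0 rule is still present.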

If you use a Network Load Balancer in IP mode, then the .spec.loadBalancerSourceRanges field is ignored by default. To use source range restrictions, use the following annotation to turn on client IP preservation:

service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: preserve_client_ip.enabled=true

Note: For a service that uses a Network Load Balancer, you can increase the security group rules quota. The controller creates rules on the worker nodes' security group for each node port and subnet CIDR range, so the number of rules grows with the number of ports and subnets. For more information, see Ingress traffic on the Kubernetes website.

(Alternative) Use an annotation

You can also use an annotation in your service manifest file svc.yaml.

Example annotation:

service.beta.kubernetes.io/load-balancer-source-ranges: YOUR_IP_ADDRESS

For more information, see Access control on the Kubernetes website.
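Both forms above, the .spec.loadBalancerSourceRanges field and the load-balancer-source-ranges annotation, are easy to get subtly wrong (no ranges at all, a range of 0.0.0.0/0, or Network Load Balancer IP mode without client IP preservation, in which case the ranges are silently ignored). The following added example, which is not AWS's code and not part of the original article, checks a Service object in the JSON shape that `kubectl get svc -o json` returns for exactly those conditions. It assumes the spec field is consulted before the annotation, as the article recommends, and every CIDR it uses is a constructed placeholder.

```python
import ipaddress
import json

FIELD = "loadBalancerSourceRanges"
SOURCE_RANGES_ANNOTATION = "service.beta.kubernetes.io/load-balancer-source-ranges"
TARGET_TYPE_ANNOTATION = "service.beta.kubernetes.io/aws-load-balancer-nlb-target-type"
TG_ATTRIBUTES_ANNOTATION = "service.beta.kubernetes.io/aws-load-balancer-target-group-attributes"
WORLD = {"0.0.0.0/0", "::/0"}


def sample_service(target_type, ranges=None, annotation_ranges=None, preserve_client_ip=False):
    """Build a constructed Service object (the shape `kubectl get svc -o json` returns).

    Any CIDRs passed in are placeholders chosen by the caller, not real addresses.
    """
    annotations = {
        "service.beta.kubernetes.io/aws-load-balancer-type": "external",
        TARGET_TYPE_ANNOTATION: target_type,
        "service.beta.kubernetes.io/aws-load-balancer-scheme": "internet-facing",
    }
    if preserve_client_ip:
        annotations[TG_ATTRIBUTES_ANNOTATION] = "preserve_client_ip.enabled=true"
    if annotation_ranges:
        annotations[SOURCE_RANGES_ANNOTATION] = ",".join(annotation_ranges)
    spec = {"type": "LoadBalancer", "selector": {"app": "nginx"},
            "ports": [{"port": 80, "protocol": "TCP", "targetPort": 80}]}
    if ranges:
        spec[FIELD] = list(ranges)
    return json.dumps({"apiVersion": "v1", "kind": "Service",
                       "metadata": {"name": "nginx", "annotations": annotations},
                       "spec": spec})


def effective_source_ranges(svc):
    """Spec field first (the recommended form); the comma-separated annotation is the fallback."""
    ranges = svc.get("spec", {}).get(FIELD)
    if ranges:
        return list(ranges)
    raw = svc.get("metadata", {}).get("annotations", {}).get(SOURCE_RANGES_ANNOTATION, "")
    return [c.strip() for c in raw.split(",") if c.strip()]


def client_ip_preserved(annotations):
    """Parse the comma-separated key=value target-group attributes for preserve_client_ip."""
    raw = annotations.get(TG_ATTRIBUTES_ANNOTATION, "")
    attrs = dict(kv.strip().split("=", 1) for kv in raw.split(",") if "=" in kv)
    return attrs.get("preserve_client_ip.enabled", "").strip().lower() == "true"


def check_service(svc_json):
    """Return a list of problems; an empty list means the restriction is configured as intended."""
    svc = json.loads(svc_json)
    problems = []
    if svc.get("spec", {}).get("type") != "LoadBalancer":
        return problems  # Only LoadBalancer services get a load balancer security group.
    annotations = svc.get("metadata", {}).get("annotations", {})
    ranges = effective_source_ranges(svc)
    if not ranges:
        problems.append("no source ranges set: the security group will allow 0.0.0.0/0")
    for cidr in ranges:
        if cidr in WORLD:
            problems.append(f"source range {cidr} allows the whole internet")
            continue
        try:
            ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            problems.append(f"source range {cidr!r} is not a valid CIDR")
    # NLB IP mode ignores the ranges unless client IP preservation is turned on.
    if annotations.get(TARGET_TYPE_ANNOTATION) == "ip" and not client_ip_preserved(annotations):
        problems.append("NLB IP mode without preserve_client_ip.enabled=true: source ranges are ignored")
    return problems


if __name__ == "__main__":
    print("instance mode, field set:", check_service(sample_service("instance", ranges=["203.0.113.0/24"])))
    print("ip mode, nothing set:", check_service(sample_service("ip")))
```

To run it against a live cluster, feed the output of `kubectl get svc YOUR_SERVICE -o json` to check_service instead of sample_service; an empty result means the ranges are set, are not world-open, and will actually be enforced for the target type in use.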

Related information

Learn how access control works in Amazon EKS

AWS OFFICIAL. Updated 23 days ago.