Route filtering based on client IP

Hello, I’ve got the consul api gateway setup and was trying to play around with more complex routing rules. Specifically, I am using path based routing and trying to set up an IP allowlist for certain api paths. This is what my yaml looks like at the moment:

kind: HTTPRoute
  name: route-to-eks-service-a
  - name: api-gateway
  - matches:
    - path:
        type: PathPrefix
        value: /api/serviceA
    - kind: Service
      name: eks-service-a
      port: 3001

I wanted to then use the HTTPRouteFilter to only route traffic coming from a specific list of IP addresses. Based on my research I don’t believe this is supported, however I figured I would ask here incase I missed something. If it is the case that this feature is not supported my next question would be, is this something that is in the roadmap?

Any advice would be greatly appreciated, thanks!

Hi @immabird,

Using client IP (aka source IP) to make routing decisions is not currently support by the Kubernetes Gateway API spec nor have we added it to our implementation of that spec.

Earlier versions of the Gateway API spec did provide a way to configure a list of Source IP addresses, but it was removed from the newer versions of the spec because the spec was too vague on how it was to be used (e.g. was it an allow or a disallow list). However, it will likely be added back to the spec in the future.

It is likely we will add support for allowed Source IP lists in the future, but we don’t have a timeframe for when that might be. The timing will be influenced by if and when the Kubernetes working group is likely to add it back to the spec.

Let us know if you have any other questions.

Hey, thanks for your quick reply. I actually have one more question, do you know if it is possible to work around this limitation by configuring the envoy proxy directly? This documentation is what sparked my thought.