
I'm trying to allow traffic from only some IP ranges to a load balancer in AKS, so I am trying with Calico using a GlobalNetworkPolicy, but it's not working. What am I doing wrong?

apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
  name: deny-lb-port-80
spec:
  applyOnForward: true
  preDNAT: true
  ingress:
  - action: Log
  - action: Deny
    destination:
      nets:
      - balancerIP
      ports:
      - 80
    protocol: TCP
    source: {}
  order: 800
  types:
  - Ingress
---
apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
  name: allowlist
spec:
  applyOnForward: true
  preDNAT: true
  ingress:
  - action: Log
  - action: Allow
    destination:
      nets:
      - balancerip
      ports:
      - 80
    protocol: TCP
    source:
      nets:
        - allowedipranges
  order: 500
  types:
  - Ingress
niva rojas

1 Answer


Normally I use a GlobalNetworkPolicy to deny ingress globally and then use a Kubernetes NetworkPolicy to overwrite the GlobalNetworkPolicy inside the namespace:

apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
  name: default-global-deny-all-ingress
spec:
  namespaceSelector: has(projectcalico.org/name) && projectcalico.org/name not in {"kube-system", "calico-system", "tigera-operator"}
  order: 3000 # normal NPs (order: 1000) should have higher order
  types:
    - Ingress
  ingress:
    # allow collect metrics from Kubernetes Metrics Server
    - action: Allow
      protocol: TCP
      destination:
        selector: 'k8s-app == "metrics-server"'
        ports:
          - 443
    # Deny all ingress
    - action: Deny
      source:
        nets:
          - 0.0.0.0/0

Kubernetes Network Policy, for example allow internet for the nginx ingress controller:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ingress-allow-internet
  namespace: ingress-nginx
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
  ingress:
    # Allow ingress from the internet
    - from:
        - ipBlock:
            cidr: 0.0.0.0/0
Philip Welz
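As an added example (my own manifests, not the asker's policies or the answer's), here is how the answer's pattern can be turned into the allowlist the question asks for: keep the global default-deny from the answer, and in the ingress controller's namespace allow only specific client ranges with ipBlock rules instead of 0.0.0.0/0. Assumptions: the controller runs in namespace ingress-nginx with the label app.kubernetes.io/name=ingress-nginx (as in the answer), and the CIDRs 203.0.113.0/24 and 198.51.100.0/24 are constructed placeholders for the allowed ranges.

```yaml
# Added example, not from the question or the answer. Assumes the answer's
# default-global-deny-all-ingress GlobalNetworkPolicy is already applied.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  type: LoadBalancer
  # "Local" preserves the real client source IP on the way to the pod.
  # With the default "Cluster", kube-proxy SNATs the packet and the
  # ipBlock rules below would see a node IP instead of the client IP.
  externalTrafficPolicy: Local
  selector:
    app.kubernetes.io/name: ingress-nginx
  ports:
    - name: http
      port: 80
      targetPort: 80
    - name: https
      port: 443
      targetPort: 443
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ingress-allow-from-allowed-ranges
  namespace: ingress-nginx
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
  policyTypes:
    - Ingress
  ingress:
    # Only these source ranges may reach the controller on 80/443.
    # Everything else falls through to the global deny.
    - from:
        - ipBlock:
            cidr: 203.0.113.0/24   # constructed placeholder range
        - ipBlock:
            cidr: 198.51.100.0/24  # constructed placeholder range
      ports:
        - protocol: TCP
          port: 80
        - protocol: TCP
          port: 443
```

Apply both with `kubectl apply -f`, then verify from a host inside one of the listed ranges and from one outside it; only the former should get an HTTP response. The `externalTrafficPolicy: Local` setting is what makes the ipBlock match meaningful: the NetworkPolicy is evaluated on the packet as it arrives at the pod, so if the source address has already been rewritten by the node the allowlist cannot distinguish clients. On AKS the same restriction can alternatively be enforced at the Azure load balancer itself with `spec.loadBalancerSourceRanges` on the Service, which the Azure cloud provider translates into network security group rules in front of the nodes.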