Kong on AKS and IP restriction suddenly started blocking traffic

I run Kong/KIC on AKS cluster

• Kubernetes 1.25.5
• Kong 3.0
• KIC 2.7
• Kong Helm charts 2.15.3

I use the ip-restriction plugin:

apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: ip-restriction-allow-contoso-vpn
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
config:
  allow:
  # VPN
  - 123.456.789.1
  # AKS LB
  - 987.654.321.1
plugin: ip-restriction

Everything worked fine for months and suddenly routes and services that were restricted with the plugin stopped working with Kong Error: Your IP address is not allowed.

The only things that I changed in my cluster were

• re-deployment of the Kong stack
• updated Kong Helm chart from 2.13.1 to 2.14.0 and then to 2.15.3 (as part of troubleshooting of Kong Proxy Service not reachable from outside with Kubernetes AKS 1.24.6 · Issue #694 · Kong/charts · GitHub).

Additionally, IP Restriction - Plugin | Kong Docs doesn’t mention any breaking changes and my AKS LP IP has not changed.

What could break my setup? Is this possible the charts upgrades or perhaps AKS LBS fiddling with X-Forwarded-For headers?

Well, this is embarrassing! Several months ago I manually applied this according to the Preserving Client IP Address - v2.9.x | Kong Docs guide:

kubectl patch -n kong service kong-kong-proxy -p '{"spec":{"externalTrafficPolicy":"Local"}}'

and I had not recorded this setting in my IasC - at that time, I had no idea how to set it on kong-kong-proxy service in my kind: HelmRelease manifest deploying Kong and KIC.

I have figured it out, I think, so I now can record it in my IasC:

kind: HelmRelease
metadata:
  name: kong
  namespace: kong
...
spec:
  values:
    proxy:
      enabled: true
      type: LoadBalancer
      externalTrafficPolicy: Local
...

Apologies for the noise!