Kong on AKS and IP restriction suddenly started blocking traffic

I run Kong/KIC on AKS cluster

  • Kubernetes 1.25.5
  • Kong 3.0
  • KIC 2.7
  • Kong Helm charts 2.15.3

I use the ip-restriction plugin:

apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
  name: ip-restriction-allow-contoso-vpn
  namespace: kong
    kubernetes.io/ingress.class: kong
  # VPN
  - 123.456.789.1
  # AKS LB
  - 987.654.321.1
plugin: ip-restriction

Everything worked fine for months and suddenly routes and services that were restricted with the plugin stopped working with Kong Error: Your IP address is not allowed.

The only things that I changed in my cluster were

Additionally, IP Restriction plugin | Kong Docs doesn’t mention any breaking changes and my AKS LP IP has not changed.

What could break my setup? Is this possible the charts upgrades or perhaps AKS LBS fiddling with X-Forwarded-For headers?

Well, this is embarrassing! Several months ago I manually applied this according to the Preserving Client IP Address - v2.9.x | Kong Docs guide:

kubectl patch -n kong service kong-kong-proxy -p '{"spec":{"externalTrafficPolicy":"Local"}}'

and I had not recorded this setting in my IasC - at that time, I had no idea how to set it on kong-kong-proxy service in my kind: HelmRelease manifest deploying Kong and KIC.

I have figured it out, I think, so I now can record it in my IasC:

kind: HelmRelease
  name: kong
  namespace: kong
      enabled: true
      type: LoadBalancer
      externalTrafficPolicy: Local

Apologies for the noise!