externalTrafficPolicy=Local seems to be always needed

[lbruun]

For the Kubernetes-Nginx controller in AKS:

There's a difference in the config for the Helm chart config vs the method that the Kubernetes Nginx controller project recommends for Azure, namely the using this template. In short the Microsoft doc recommends Helm, while the project itself recommends another approach. Odd. (I don't know if the Kubernetes nginx project would agree that those two should yield the same result?)

Anyway, it is actually the latter approach which works, not the one described in the Microsoft docs. The reason is that

externalTrafficPolicy=Local

seems to be absolutely required. The template-based method for Azure does this by default, but Helm chart method doesn't by default.

There seems to be others who have had the same problem as me.

In short, for my use-case using AKS Kubernetes v 1.24.6, if was definitely a requirement to set externalTrafficPolicy=Local. If not, the external IP will not reply (it will timeout).

---

Document Details

⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.

• ID: fd0e7d5a-37e9-07dc-f395-9cb5bb580e45
• Version Independent ID: 7e4faf70-9724-7e7b-832b-1cd99a974920
• Content: Create an ingress controller in Azure Kubernetes Service (AKS) - Azure Kubernetes Service
• Content Source: articles/aks/ingress-basic.md
• Service: container-service
• GitHub Login: @rayoef
• Microsoft Alias: rayoflores

[Naveenommi-MSFT]

@lbruun Thanks for your feedback! We will investigate and update as appropriate.

[AjayBathini-MSFT]

Hi @lbruun I'd recommend working closer with our support team via an [Azure support request] (https://docs.microsoft.com/en-us/azure/azure-portal/supportability/how-to-create-azure-support-request). Or you can leverage our Q&A forum by posting your issue there so our community, and MVPs can further assist you in troubleshooting this issue or finding potential workarounds. [Teams Q&A forum] (https://docs.microsoft.com/en-us/answers/topics/46488/office-teams-windows-itpro.html) for technical questions about the configuration and administration of Microsoft Teams on Windows.

[ameetkonnur]

Ran into the same issue as @Ibruun. Setting externalTrafficPolicy=Local seems to be missing in the document. Without this Traffic to External IP times out.

[bryn1u]

Ran into the same issue few minutes ago on AKS. I installed newest version of nginx ingress via helm install. Have exactly the same issue. To resolve this, the externalTrafficPolicy=cluster has to be change to externalTrafficPolicy=local if not the traffic will be blocked. For production it might be disaster.

[metaphy6]

I've got a similar issue, too; I need to set it to 'Local' to preserve source IPs on x-forwarded-for header. Neither 'kubectl patch' nor 'kubectl edit' lets me modify it, either (the platform reverts the changes I've just made to its default value even if I see the changes reflected for a time). I use aks managemed istio service mesh, btw.

[atmask]

@AjayBathini-MSFT Why is this marked as closed when it is still a relevant issue? This impacts both the public and private LB

[AjayBathini-MSFT]

@atmask you can leverage our Q&A forum by posting your issue there so our community, and MVPs can further assist you in troubleshooting this issue or finding potential workarounds. [Teams Q&A forum] (https://docs.microsoft.com/en-us/answers/topics/46488/office-teams-windows-itpro.html)