Allow http requests from front-end GKE app in GCloud Armor WAF


I'm configuring a GCloud Armor to restrict access to my API, which is deployed in GKE behind an ingress. Some of the petitions come directly from the front-end, which is also deployed in the GKE cluster, and I need to allow those requests. This front-end currently has 2 pods and I have tested that it works when I allow in GCloud Armor the external IPs of the nodes where those pods are deployed. Of course this is not a valid solution since the pods may change nodes and the nodes are also volatile.

I have also an ingress for the front service which has a static IP, however allowing this IP in GCloud Armor doesn't work and still blocks the requests.

What's the best solution to solve this problem? Isn't there any option to set the front load balancer IP as the origin IP?

Thanks in advance!


There are 2 best solutions below

0

As a workaround, you may create a private GKE cluster (https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters) and allow the Cloud NAT IP in Cloud Armor.
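
The workaround in the answer above, sketched as a Terraform configuration. This is an added example, not code from the answer; the resource names, region and network are assumed values. It reserves a static address for Cloud NAT so the Cloud Armor allow rule does not depend on node IPs.

```hcl
# Constructed example: names, region and network are assumed values.
resource "google_compute_address" "nat_egress" {
  name   = "gke-nat-egress"
  region = "europe-west1"
}

resource "google_compute_router" "gke" {
  name    = "gke-router"
  region  = "europe-west1"
  network = "default"
}

# Nodes of a private cluster have no external IP, so pod egress to the
# API's public ingress is translated to the reserved address below.
resource "google_compute_router_nat" "gke" {
  name                               = "gke-nat"
  router                             = google_compute_router.gke.name
  region                             = "europe-west1"
  nat_ip_allocate_option             = "MANUAL_ONLY"
  nat_ips                            = [google_compute_address.nat_egress.self_link]
  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
}

resource "google_compute_security_policy" "api" {
  name = "api-policy"

  rule {
    description = "Front-end pods, seen as the Cloud NAT address"
    action      = "allow"
    priority    = 1000
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["${google_compute_address.nat_egress.address}/32"]
      }
    }
  }

  # Default rule (lowest priority): deny everything not allowed above.
  rule {
    description = "Default deny"
    action      = "deny(403)"
    priority    = 2147483647
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
  }
}
```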

0

I solved it using the Kubernetes service as the endpoint for API calls from my front server. It is not what I intended at the start, but it is a workaround.