Scenario #151
Networking
K8s v1.23, Google GKE
NodePort Service Not Accessible Due to Firewall Rules
A NodePort service became inaccessible due to restrictive firewall rules on the cloud provider.
What Happened
External clients could not reach a Service of type NodePort. The Service and its endpoints were healthy; the traffic never reached the nodes because the VPC firewall rules in front of the GKE node VMs did not allow ingress on the NodePort range (30000-32767 by default). GKE's default rules do not open that range to clients outside the VPC, so a rule has to be added explicitly.
Diagnosis Steps
1. Checked the Service manifest and confirmed it was of type NodePort with the expected targetPort.
2. Ran kubectl describe svc on the Service to read the allocated NodePort and confirmed the Endpoints list was non-empty, ruling out a selector or pod problem.
3. Listed the cloud provider's VPC firewall rules for the node VMs and found no ingress rule covering the allocated NodePort; with no matching allow rule, the implied deny-ingress rule dropped the traffic.
Root Cause
The VPC firewall rules applied to the GKE node VMs had no ingress allow rule for the NodePort range, so Google Cloud's implied deny-ingress rule discarded the connections before they reached kube-proxy on the nodes.
Fix/Workaround
• Added an ingress firewall rule allowing TCP on the NodePort range, scoped to the source ranges that actually need access rather than 0.0.0.0/0, and targeted at the node VMs via their network tags.
• Verified the rule applied to every node pool: a NodePort is opened on every node in the cluster, so a rule that matches only some nodes leaves the service reachable through some node IPs and not others.
Lessons Learned
A NodePort Service only configures the nodes; the cloud provider's firewall still decides what reaches them. Whenever a NodePort (or a LoadBalancer, which also allocates NodePorts) is exposed on GKE, check the VPC firewall rules for the node tags, the port range, the direction and the source ranges, and keep the allowed sources as narrow as the use case permits.
How to Avoid
1. Automate the validation of firewall rules after deploying NodePort services: compare the allocated NodePorts against the effective ingress rules for the node tags instead of assuming the range is open.
2. Document and standardize firewall configurations for all exposed services, including which source ranges each exposed port range may accept.
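The diagnosis step that compares the allocated NodePort against the firewall rules, and the "automate the validation" recommendation above, can both be covered by one small offline checker. The following is an added example written for this page, not tooling from the original scenario or from GKE. It reads JSON shaped like the output of gcloud compute firewall-rules list --format=json and kubectl get svc NAME -o json, emulates Google Cloud's evaluation order (lowest priority number wins, deny beats allow at equal priority, implied deny for ingress when nothing matches), and reports which rule decides each NodePort. The rule names, the node tag gke-demo-node, the service "web" and the IP ranges are constructed sample data, not values from the incident.

```python
"""Offline check that VPC firewall rules allow ingress to a Service's NodePorts.

Added example, not code from the original scenario. Inputs are constructed JSON in the
shape of `gcloud compute firewall-rules list --format=json` and
`kubectl get svc <name> -o json`; real output can be fed to the same functions.
"""
import ipaddress
import json

# Constructed sample: the rule set that caused the outage. Only the fields the checker
# reads are included. Node tag and rule names are assumptions for this example.
RULES_BEFORE = json.dumps([
    {"name": "allow-https", "direction": "INGRESS", "priority": 1000, "disabled": False,
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}],
     "sourceRanges": ["0.0.0.0/0"], "targetTags": ["gke-demo-node"]},
    {"name": "allow-ssh-admin", "direction": "INGRESS", "priority": 1000, "disabled": False,
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}],
     "sourceRanges": ["203.0.113.0/24"], "targetTags": ["gke-demo-node"]},
])

# Constructed sample: the same rules plus the fix, scoped to one client range and the
# node tag rather than opening the NodePort range to the whole internet.
RULES_AFTER = json.dumps(json.loads(RULES_BEFORE) + [
    {"name": "allow-nodeport-range", "direction": "INGRESS", "priority": 900, "disabled": False,
     "allowed": [{"IPProtocol": "tcp", "ports": ["30000-32767"]}],
     "sourceRanges": ["203.0.113.0/24"], "targetTags": ["gke-demo-node"]},
])

# Constructed sample: the parts of `kubectl get svc web -o json` that matter here.
SERVICE = json.dumps({
    "metadata": {"name": "web"},
    "spec": {"type": "NodePort",
             "ports": [{"name": "http", "port": 80, "nodePort": 31080, "protocol": "TCP"}]},
})


def port_in_spec(port, spec):
    """True if `port` falls inside a gcloud port spec such as "443" or "30000-32767"."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def rule_matches(rule, port, protocol, client_ip, node_tags):
    """Return 'allow', 'deny' or None for one rule against (client_ip -> node, protocol/port)."""
    if rule.get("direction") != "INGRESS" or rule.get("disabled"):
        return None
    # A rule with targetTags applies only to VMs carrying one of them; no tags means all VMs.
    tags = rule.get("targetTags")
    if tags and not set(tags) & set(node_tags):
        return None
    src = ipaddress.ip_address(client_ip)
    if not any(src in ipaddress.ip_network(r) for r in rule.get("sourceRanges", [])):
        return None
    for verdict, key in (("allow", "allowed"), ("deny", "denied")):
        for entry in rule.get(key, []):
            proto = entry["IPProtocol"].lower()
            if proto not in (protocol, "all"):
                continue
            ports = entry.get("ports")  # absent means every port of that protocol
            if ports is None or any(port_in_spec(port, p) for p in ports):
                return verdict
    return None


def effective_decision(rules, port, protocol, client_ip, node_tags):
    """Emulate VPC evaluation: lowest priority number wins, deny wins ties, implied deny otherwise."""
    hits = []
    for rule in rules:
        verdict = rule_matches(rule, port, protocol, client_ip, node_tags)
        if verdict:
            hits.append((rule.get("priority", 1000), verdict, rule["name"]))
    if not hits:
        return ("deny", "implied-ingress-deny")
    hits.sort(key=lambda h: (h[0], 0 if h[1] == "deny" else 1))
    _, verdict, name = hits[0]
    return (verdict, name)


def check_service(service_json, rules_json, client_ip, node_tags):
    """Map each NodePort of the Service to the (verdict, rule name) that decides it."""
    svc = json.loads(service_json)
    rules = json.loads(rules_json)
    if svc["spec"].get("type") not in ("NodePort", "LoadBalancer"):
        raise ValueError("service does not allocate NodePorts")
    result = {}
    for p in svc["spec"]["ports"]:
        proto = p.get("protocol", "TCP").lower()
        result[p["nodePort"]] = effective_decision(rules, p["nodePort"], proto, client_ip, node_tags)
    return result


if __name__ == "__main__":
    for label, rules in (("before fix", RULES_BEFORE), ("after fix", RULES_AFTER)):
        print(label, check_service(SERVICE, rules, "203.0.113.10", ["gke-demo-node"]))
```

Run after each deployment with the real gcloud and kubectl JSON, the node tags of every node pool, and a representative client address; a "deny" from implied-ingress-deny is exactly the state this scenario describes, while a "deny" naming a rule points at an explicit deny that outranks the allow. A client address outside the allowed source range is reported as denied too, which is the intended result of scoping the rule rather than using 0.0.0.0/0.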