We have noticed a strange behavior that we cannot really explain. We are using VCD with a TKG cluster. We wanted to expose some of the service ports of the TKG cluster to the outside world.
We created the DNAT rules to access the API endpoint of our cluster. But we cannot connect from the outside unless we set the firewall default_rule to "allow".
We did set an ALLOW ALL rule above the default rule as a test, but still, it does not work. The only way to make it work seems to be to change the default rule.
We also tried to alter the NAT behavior to bypass the firewall. It does not work either.
We have never faced the same behavior for VMs; it seems to be a particular issue with TKG clusters.
Looking at various online guides detailing how to route a TKG cluster, they do say to alter the default rule, but there is no explanation around that. https://pingforinfo.com/how-to-create-nsx-t-routed-network-in-vcd-for-tanzu-kubernetes-grid-tkg-clus...
Has anyone faced the same issue? How can we explain this strange behavior?