Load balancer in front of Kubernetes configuration question

Hello,

I am completely at a loss here when I have been trying to get my load balancer firewall configured to have a public load balancer with kubernetes nodes that are not accessible outside of the VPC. I need to shut down access to all kubernetes node ports outside of DigitalOcean and only allow a single public load balancer to access a single nodeport on the kubernetes nodes, which then get routed with an Nginx ingress controller.

I have found that DigitalOcean can create and manage firewall rules but it configures things where the node ports are open to the world behind the load balancer. This won’t work for me because I put SSO and SSL termination from Cloudflare in front of the load balancer. So I have one Cloudflare proxied DNS record for root and wildcard pointing at that load balancer. Since all authentication is happening in front of the load balancer I absolutely can not have the node ports behind the load balancer exposed to the world. So from what I have found DigitalOcean’s firewall configuration management for Kubernetes won’t work.

So I tried creating the load balancer outside of kubernetes and configuring its DNS through Terraform to link to the nodeport for the Nginx service and tried creating a new firewall rule (also in Terraform) to only allow traffic from the load balancer. This does not work either, as the load balancer can not reach the nodeport anymore.

In fact when I create a firewall test (new rule) that allows all ports outside of the kubernetes configured firewall, it still doesn’t work, even if I allow full access to all ports from all ipv4 traffic. This makes no sense to me, so I am completely missing something here.

So what am I missing here? Why is it almost impossible to configure a simple firewall rule to lock down nodeports on the kubernetes nodes, except for traffic from a single load balancer?

Thanks for your help!