OCP regression where EgressIP addresses respond to ALB health probes for ingress NodePorts, causing intermittent external connection failures

Solution Verified - Updated -

Issue

After upgrading an Azure Red Hat OpenShift (ARO) cluster to OpenShift Container Platform (OCP) 4.18.13, nodes assigned EgressIP addresses begin responding to Azure Load Balancer (ALB) health probes associated with ingress NodePort services.

As a result:

  • The Azure Load Balancer incorrectly marks these EgressIP addresses as healthy backends.
  • The ALB then forwards ingress traffic to these EgressIPs.
  • Since no ingress router pods are listening on EgressIPs, the connections are immediately refused (TCP RST).

  • Users experience intermittent “connection refused” errors when accessing routes exposed via the default ingress controller.

    Important:
    This behavior was not present in OCP 4.17.25, where only the primary node IPs responded to health probes and served ingress traffic.

Environment

  • OpenShift Container Platform (OCP)
    • 4.18.13
  • Azure Red Hat OpenShift (ARO)
    • 4.18.13

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content