Calico advertises pod IPs over BGP, so you need to peer Calico’s BGP, directly or indirectly, with all of the routers between the cluster and the places that you want to access from. Then those places will know how to route to pod IPs.
To restrict that to a specific IP pool, you can do it at the networking level, or at the policy level (or both).
By networking: configure import filters on your BGP routers, so that they only learn routes for the specific IP pool.
By policy: configure an ingress policy for all pods that:
- allows from the pod CIDR, regardless of destination
- allows from the cluster host CIDR, regardless of destination
- allows from anywhere if destination is in your specific IP pool
- denies any other traffic
Hope that helps!
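One way to write the four-rule ingress policy described in this answer as a Calico GlobalNetworkPolicy. This is an added example, not part of the original post or of the Calico project's documentation; the three CIDRs are made-up placeholders that you would replace with your own pod CIDR, host CIDR and the IP pool you want reachable from outside.

```yaml
# Added example: ingress policy implementing the four rules above.
# Calico evaluates rules in order and stops at the first match, so the
# trailing Deny only applies to traffic that none of the Allows matched.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: restrict-external-ingress-to-exposed-pool
spec:
  order: 100            # lower order is evaluated earlier than other policies
  selector: all()       # applies to every workload endpoint (and to any host
                        # endpoints you have defined, so scope it if needed)
  types:
  - Ingress
  ingress:
  # 1. allow from the pod CIDR, regardless of destination
  - action: Allow
    source:
      nets:
      - 10.244.0.0/16          # placeholder: pod CIDR
  # 2. allow from the cluster host CIDR, regardless of destination
  #    (also covers kubelet health checks, which arrive from the node IP)
  - action: Allow
    source:
      nets:
      - 192.168.10.0/24        # placeholder: node/host CIDR
  # 3. allow from anywhere if the destination is in the exposed IP pool
  - action: Allow
    destination:
      nets:
      - 10.244.200.0/24        # placeholder: the specific IP pool you advertise
  # 4. deny everything else
  - action: Deny
```

Apply it with `calicoctl apply -f <file>` (or `kubectl apply` if you use the Calico API server). Because the policy only has `types: [Ingress]`, pod egress is untouched, and return traffic for connections the pods open is still admitted by connection tracking. Pods that should be reachable from outside need to actually get addresses from that pool, for example via a matching IPPool with a `nodeSelector` or the `cni.projectcalico.org/ipv4pools` pod annotation, otherwise rule 3 never matches.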