How to deny access to ClusterIPs from an external network?

Hi,
I want to expose some services as ClusterIP.
Currently, I am advertising the ClusterIPs with Calico BGP.
I want to deny all access, except for some services.

apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
  name: allow-cluster-internal-ingress-only
spec:
  applyOnForward: true
  ingress:
  - action: Allow
    source:
      nets:
      - 10.16.0.0/20   # Node IP CIDR
      - 172.16.0.0/12  # Pod IP CIDR
  preDNAT: true
  selector: has(host-endpoint)

(The host-endpoint is labeled on the node.)

But it's not working.

02:10:35.926981 IP 172.16.12.192.60393 > 172.19.15.224.6789: Flags [S], seq 2444179478, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
02:10:35.927074 IP 172.19.15.224.6789 > 172.16.12.192.60393: Flags [S.], seq 1303218966, ack 2444179479, win 64390, options [mss 1370,nop,nop,sackOK,nop,wscale 7], length 0

172.16.12.192 is the IP of vxlan.calico.
When accessing a ClusterIP from the PC, the source IP is changed to the IP of the node's vxlan.calico interface, so the connection goes through.

Solved!

apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
  name: allow-cluster-internal-ingress-only   # same object as above, spec updated
spec:
  applyOnForward: true
  ingress:
  - action: Deny
    destination:
      nets:
      - 10.96.0.0/12   # ClusterIP (service) CIDR
    source:
      notNets:
      - 172.16.0.0/12  # Pod IP CIDR
  order: 1000
  preDNAT: true
  selector: has(host-endpoint)
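To see why the first policy let the PC through and the solved one does not, here is an added Python model of the two rule sets (my example, not Calico code or anything posted in this thread). The external PC address 192.0.2.10, the pod IP 172.16.5.7, the node IP 10.16.0.5 and the ClusterIP 10.96.0.1 are constructed samples, and the evaluator only models the nets/notNets/destination fields used above, not Calico's full policy semantics.

```python
import ipaddress

# Rules from the thread's two GlobalNetworkPolicy specs, as dicts. Only the
# fields the thread uses are modelled: 'nets' (IP must be inside one of them)
# and 'notNets' (IP must be outside all of them).
FIRST_POLICY = [
    {"action": "Allow",
     "source": {"nets": ["10.16.0.0/20", "172.16.0.0/12"]}},
]
SOLVED_POLICY = [
    {"action": "Deny",
     "destination": {"nets": ["10.96.0.0/12"]},
     "source": {"notNets": ["172.16.0.0/12"]}},
]

def in_any(ip, cidrs):
    """True when ip falls inside at least one of the CIDRs."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def entity_matches(ip, entity):
    """Match one source/destination block; an empty block matches everything."""
    if "nets" in entity and not in_any(ip, entity["nets"]):
        return False
    if "notNets" in entity and in_any(ip, entity["notNets"]):
        return False
    return True

def evaluate(policy, src, dst):
    """Action of the first rule matching (src, dst), or 'NoMatch' when no rule
    matches and the packet continues to later policy evaluation."""
    for rule in policy:
        if (entity_matches(src, rule.get("source", {}))
                and entity_matches(dst, rule.get("destination", {}))):
            return rule["action"]
    return "NoMatch"

# Constructed flows: 192.0.2.10 stands in for the external PC, 10.96.0.1 for a
# ClusterIP, 172.16.12.192 is the vxlan.calico IP seen in the thread's tcpdump,
# 172.16.5.7 is a pod IP and 10.16.0.5 a node IP.
def summarize():
    return {
        "first: PC -> ClusterIP": evaluate(FIRST_POLICY, "192.0.2.10", "10.96.0.1"),
        "first: PC SNATed to vxlan IP": evaluate(FIRST_POLICY, "172.16.12.192", "10.96.0.1"),
        "solved: PC -> ClusterIP": evaluate(SOLVED_POLICY, "192.0.2.10", "10.96.0.1"),
        "solved: pod -> ClusterIP": evaluate(SOLVED_POLICY, "172.16.5.7", "10.96.0.1"),
        "solved: node -> ClusterIP": evaluate(SOLVED_POLICY, "10.16.0.5", "10.96.0.1"),
    }
```

Note that under the solved policy a flow from a node IP to a ClusterIP also hits the Deny rule, since node IPs lie outside 172.16.0.0/12; if node-originated access is wanted, the node CIDR needs its own notNets entry.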

Yes indeed, preDNAT is the solution here. Glad you worked that out!