Load balancer for the DB cluster, restrictions to the database through the source IP

I'm configuring HAProxy as a load balancer in a cluster. The idea is to limit access to the database to only allowed addresses. The database is Percona Operator for MySQL. The configuration is as follows:
```yaml
haproxy:
  size: 1
  serviceType: LoadBalancer
  serviceAnnotations:
    load-balancer.hetzner.cloud/disable-private-ingress: "false"
    load-balancer.hetzner.cloud/use-private-ip: "true"
    load-balancer.hetzner.cloud/location: hel1
    load-balancer.hetzner.cloud/uses-proxyprotocol: "true"
    load-balancer.hetzner.cloud/name: "pxc-lb"
  configuration: |
    global
      maxconn 2048
      external-check
      insecure-fork-wanted
      stats socket /etc/haproxy/pxc/haproxy.sock mode 600 expose-fd listeners level admin
    defaults
      default-server init-addr last,libc,none
      log global
      mode tcp
      retries 10
      timeout client 28800s
      timeout connect 100500
      timeout server 28800s
    frontend galera-in
      bind *:3309 accept-proxy
      bind *:3306
      mode tcp
      acl allowed_ips src 217.196.161.215 10.0.0.0/16
      tcp-request connection reject if !allowed_ips
      option clitcpka
      default_backend galera-nodes
    frontend galera-admin-in
      bind *:33062
      mode tcp
      acl allowed_ips src 217.196.161.215 10.0.0.0/16
      tcp-request connection reject if !allowed_ips
      option clitcpka
      default_backend galera-admin-nodes
    frontend galera-replica-in
      bind *:3307
      mode tcp
      acl allowed_ips src 217.196.161.215 10.0.0.0/16
      tcp-request connection reject if !allowed_ips
      option clitcpka
      default_backend galera-replica-nodes
    frontend galera-mysqlx-in
      bind *:33060
      mode tcp
      acl allowed_ips src 217.196.161.215 10.0.0.0/16
      tcp-request connection reject if !allowed_ips
      option clitcpka
      default_backend galera-mysqlx-nodes
    frontend stats
      bind *:8404
      mode http
      http-request use-service prometheus-exporter if { path /metrics }
```
The problem is that it allows you to connect from any IP.
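
An added illustration, not part of the original post and not HAProxy or Percona code: a small Python model of which address the `allowed_ips` ACL is matched against. In HAProxy, `src` is the TCP peer address on a `bind` without `accept-proxy`, and the address carried in the PROXY protocol header on a `bind` with it. The load balancer peer address `10.0.0.5`, the client `203.0.113.7`, the sample headers and all function names are constructed assumptions.

```python
import ipaddress

# ACL from the post: acl allowed_ips src 217.196.161.215 10.0.0.0/16
ALLOWED_IPS = [ipaddress.ip_network(n) for n in ("217.196.161.215/32", "10.0.0.0/16")]

def parse_proxy_v1(data: bytes):
    """Return the client address from a PROXY protocol v1 header.

    Returns None for 'PROXY UNKNOWN', where the receiver falls back to the
    real peer address. Raises ValueError on a missing or malformed header.
    """
    line, sep, _ = data.partition(b"\r\n")
    # A v1 header is at most 107 bytes including the trailing CRLF.
    if not data.startswith(b"PROXY ") or not sep or len(line) > 105:
        raise ValueError("missing or malformed PROXY v1 header")
    parts = line.decode("ascii").split(" ")
    if parts[1] == "UNKNOWN":
        return None
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    return ipaddress.ip_address(parts[2])

def effective_src(peer_ip: str, first_bytes: bytes, accept_proxy: bool):
    """Address that `src` refers to for a connection on a given bind line."""
    peer = ipaddress.ip_address(peer_ip)
    if not accept_proxy:
        return peer  # any header bytes are not interpreted on this bind
    client = parse_proxy_v1(first_bytes)
    return peer if client is None else client

def acl_allows(peer_ip: str, first_bytes: bytes, accept_proxy: bool) -> bool:
    """Model of: tcp-request connection reject if !allowed_ips"""
    src = effective_src(peer_ip, first_bytes, accept_proxy)
    return any(src in net for net in ALLOWED_IPS)

# Constructed sample: clients reaching HAProxy through a load balancer whose
# private address (an assumption) lies inside 10.0.0.0/16.
LB_PEER = "10.0.0.5"
HDR_OUTSIDE = b"PROXY TCP4 203.0.113.7 10.0.0.5 51234 3309\r\n"
HDR_ALLOWED = b"PROXY TCP4 217.196.161.215 10.0.0.5 40000 3309\r\n"

if __name__ == "__main__":
    for name, hdr in (("outside client", HDR_OUTSIDE), ("allowed client", HDR_ALLOWED)):
        for accept_proxy in (False, True):
            verdict = "accept" if acl_allows(LB_PEER, hdr, accept_proxy) else "reject"
            print(f"{name:15} accept-proxy={accept_proxy!s:5} -> {verdict}")
```

In this model, a connection on a bind without `accept-proxy` is matched on the relaying peer's address, so every client passes the ACL whenever that peer falls inside `10.0.0.0/16`.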