I apologize. I did not answer your question.
You want to ONLY be able to manage the controller from particular subnets, right?
We do not have a specific feature that does that (service acls), for now, but you can accomplish it by doing the following:
1. Create an "alias" or netdestination that defines what subnets you want management traffic from
2. Write rules allowing TCP 4343 traffic and SSH traffic from that subnet to the controller's IP address
3. Write rules dropping TCP 4343 traffic and SSH traffic to the controller IP address from anywhere else.
4. Allow all traffic at the end of the rule
5. Apply it to a controller interface
In the example below, I allow management traffic from 192.168.1.0 255.255.255.0 to the controller at 192.168.1.3 and drop it from everywhere else. If I want to expand where I want management traffic from, I can just edit the Alias/Netdestination "management-subnet":
HINT: Please have a console cable handy just in case you lock yourself out of the controller!
config t
netdestination management-subnet
network 192.168.1.0 255.255.255.0
!
ip access-list session "Controller-Access"
alias "management-subnet" host 192.168.1.3 tcp 4343 4343 permit queue low
any host 192.168.1.3 tcp 4343 4343 deny queue low
alias "management-subnet" host 192.168.1.3 "svc-ssh" permit queue low
any host 192.168.1.3 "svc-ssh" deny queue low
any any any permit queue low
!
interface gigabitethernet 1/0
ip access-group "Controller-Access" session
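
The following is an added example, not part of the original post: a simplified first-match model of the "Controller-Access" rules above that can be used to check, before applying the ACL, whether a given admin workstation would be locked out. It assumes rules are evaluated top-down with the first match winning and that "svc-ssh" means TCP 22; the sample source addresses are constructed.

```python
import ipaddress

# Simplified model of the "Controller-Access" session ACL from the post.
# Rule tuple: (source net, destination net, protocol, port, action).
# None for protocol/port means "any". Assumption: "svc-ssh" is TCP 22.
MGMT = ipaddress.ip_network("192.168.1.0/255.255.255.0")  # management-subnet
CONTROLLER = ipaddress.ip_network("192.168.1.3/32")
ANY = ipaddress.ip_network("0.0.0.0/0")

RULES = [
    (MGMT, CONTROLLER, "tcp", 4343, "permit"),
    (ANY,  CONTROLLER, "tcp", 4343, "deny"),
    (MGMT, CONTROLLER, "tcp", 22,   "permit"),
    (ANY,  CONTROLLER, "tcp", 22,   "deny"),
    (ANY,  ANY,        None,  None, "permit"),
]

def evaluate(rules, src, dst, proto, port):
    """Return (action, 1-based rule number) of the first matching rule.
    A flow that matches nothing is treated as denied in this model."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (s, d, p, pt, action) in enumerate(rules, start=1):
        if src in s and dst in d and p in (None, proto) and pt in (None, port):
            return action, i
    return "deny", None

def lockout_check(rules, admin_ips, controller="192.168.1.3"):
    """List (ip, port) pairs that would lose WebUI (4343) or SSH (22) access."""
    locked = []
    for ip in admin_ips:
        for port in (4343, 22):
            if evaluate(rules, ip, controller, "tcp", port)[0] != "permit":
                locked.append((ip, port))
    return locked

if __name__ == "__main__":
    # Constructed sample workstations: one inside, one outside the alias.
    admins = ["192.168.1.50", "10.0.0.5"]
    for ip, port in lockout_check(RULES, admins):
        print(f"{ip} would be blocked from the controller on tcp/{port}")
    # Order matters: with the deny placed before the permit, even the
    # management subnet is dropped by rule 1.
    swapped = [RULES[1], RULES[0]] + RULES[2:]
    print(evaluate(swapped, "192.168.1.50", "192.168.1.3", "tcp", 4343))
```
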