Get source IP address with AWS Network Firewall


I am building a simple three-layer architecture that uses NGINX on EKS as the front end for receiving all the API traffic from my customers. I want to add an AWS Network Firewall in front of the NGINX layer to restrict the incoming traffic (I don't need a WAF). My NGINX layer requires the source IP (client IP) address for custom processing and logging purposes. I have a few queries on AWS Network Firewall:

  1. Does AWS Network Firewall add any XFF header with source IP for incoming HTTP requests?
  2. If not, how can the downstream layer get the source IP address?

Thanks in advance

asked 2 months ago, 2187 views
1 Answer
Accepted Answer

AWS Network Firewall does not automatically add the X-Forwarded-For (XFF) header containing the source IP address to incoming HTTP requests. This header is typically added by a reverse proxy like AWS Elastic Load Balancer (ELB) or NGINX itself when configured as a reverse proxy.

  • Application Load Balancer (ALB) can add the X-Forwarded-For header by default, which includes the original client IP address.
  • Network Load Balancer (NLB) supports preserving the client IP address through the Proxy Protocol.
  • Position the AWS Network Firewall between the ELB and your NGINX layer in EKS.
answered 2 months ago
reviewed 2 months ago
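
An NGINX configuration for the two load balancer options named in the answer, added here as an example and not part of the original answer. It assumes NGINX is built with `ngx_http_realip_module`; the `10.0.0.0/16` range, the ports and the log format name are constructed placeholders for the subnets the load balancer connects from.

```nginx
events {}

http {
    # Log the resolved client address next to the peer that actually connected.
    log_format client_ip '$remote_addr peer=$realip_remote_addr '
                         'xff="$http_x_forwarded_for" "$request" $status';
    access_log /var/log/nginx/access.log client_ip;

    # Behind an ALB: the client IP arrives in X-Forwarded-For.
    server {
        listen 8080;

        # Accept the header only from the load balancer subnets
        # (constructed CIDR); from any other peer it is ignored.
        set_real_ip_from 10.0.0.0/16;
        real_ip_header   X-Forwarded-For;
        # Walk the header from the right and take the last address that
        # is not in a trusted range, so a value the client placed at the
        # left of the header is not used as the client address.
        real_ip_recursive on;

        location / {
            return 200 "client=$remote_addr\n";
        }
    }

    # Behind an NLB with Proxy Protocol enabled on the target group:
    # the client IP arrives in the PROXY header, not in an HTTP header.
    server {
        listen 8081 proxy_protocol;

        set_real_ip_from 10.0.0.0/16;
        real_ip_header   proxy_protocol;

        location / {
            return 200 "client=$remote_addr\n";
        }
    }
}
```

In both server blocks `$remote_addr` becomes the client address for logging and custom processing, while `$realip_remote_addr` keeps the address of the load balancer node that connected.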
