Get source IP address with AWS Network Firewall


I am building a simple three-layer architecture that uses NGINX on EKS as the front end for receiving all the API traffic from my customers. I want to add an AWS Network Firewall in front of the NGINX layer to restrict the incoming traffic (don't need a WAF). My NGINX layer requires the source IP (client IP) address for custom processing and logging purposes. I have a few queries on AWS Network Firewall:

  1. Does AWS Network Firewall add any XFF header with source IP for incoming HTTP requests?
  2. If not, how can the downstream layer get the source IP address?

Thanks in advance

asked 2 months ago, 1985 views
1 answer
Accepted answer

AWS Network Firewall does not automatically add the X-Forwarded-For (XFF) header containing the source IP address to incoming HTTP requests. This header is typically added by a reverse proxy like AWS Elastic Load Balancer (ELB) or NGINX itself when configured as a reverse proxy.

  • Application Load Balancer (ALB) can add the X-Forwarded-For header by default, which includes the original client IP address.
  • Network Load Balancer (NLB) supports preserving the client IP address through the Proxy Protocol.
  • Position the AWS Network Firewall between the ELB and your NGINX layer in EKS.
answered 2 months ago
reviewed 2 months ago
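
The NGINX side of the two options named in the answer, as an added example that is not part of the original answer. The CIDR `10.0.0.0/16` is a placeholder for the subnets of the load balancer nodes, and the ports and the `127.0.0.1:9000` backend are hypothetical.

```nginx
# Added example, not from the original answer.
# Assumptions: 10.0.0.0/16 stands in for the load balancer subnets;
# ports 8080/8081 and the 127.0.0.1:9000 backend are hypothetical.
events {}

http {
    # Accept a forwarded client address only when the TCP peer is the load
    # balancer. Without this limit, any client that can reach NGINX directly
    # could supply its own X-Forwarded-For value and it would be logged as real.
    set_real_ip_from 10.0.0.0/16;

    # $remote_addr is the restored client IP; $realip_remote_addr is the
    # original TCP peer (the load balancer), kept for audit purposes.
    log_format client '$remote_addr peer=$realip_remote_addr "$request" $status';
    access_log /var/log/nginx/access.log client;

    # Option A: behind an ALB, which adds the client IP to X-Forwarded-For.
    server {
        listen 8080;
        real_ip_header    X-Forwarded-For;
        # Walk the header right to left and stop at the first address that is
        # not in set_real_ip_from, ignoring entries the client sent itself.
        real_ip_recursive on;

        location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_pass http://127.0.0.1:9000;
        }
    }

    # Option B: behind an NLB with Proxy Protocol enabled on the target group.
    # Every connection to this listener must begin with a PROXY header, so do
    # not expose it to peers that do not send one.
    server {
        listen 8081 proxy_protocol;
        real_ip_header proxy_protocol;

        location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_pass http://127.0.0.1:9000;
        }
    }
}
```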
