It depends on the type of target you have for the target group. You can also set it to enabled or disabled using the preserve_client_ip.enabled attribute of the target group. As per documentation,
preserve_client_ip.enabled: Indicates whether client IP preservation is enabled. The value is true or false. The default is disabled if the target group type is IP address and the target group protocol is TCP or TLS. Otherwise, the default is enabled. Client IP preservation can't be disabled for UDP, TCP_UDP, QUIC, and TCP_QUIC target groups.
Refer: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-target-groups.html
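To make the quoted defaults concrete, here is an added example (not code from the thread or from AWS) that decides, for each target group, whether the backends will actually see the client's source IP. It applies the rules from the documentation quoted above: an explicit preserve_client_ip.enabled value wins, the default is off only for IP-type targets with TCP or TLS, and UDP, TCP_UDP, QUIC and TCP_QUIC groups are always preserved. The input mirrors the JSON shape printed by `aws elbv2 describe-target-groups` and `aws elbv2 describe-target-group-attributes`; the ARNs and documents below are constructed for the example, not captured from a real account.

```python
"""Added example, not code from the re:Post thread or from AWS: work out
whether the targets behind each NLB target group will see the real client
IP, applying the preserve_client_ip.enabled rules quoted in the answer above.

The inputs mirror the JSON printed by `aws elbv2 describe-target-groups`
and `aws elbv2 describe-target-group-attributes`; the documents below are
constructed for the example, not captured from a real account.
"""

# Per the documentation, preservation cannot be disabled for these protocols.
ALWAYS_PRESERVED = {"UDP", "TCP_UDP", "QUIC", "TCP_QUIC"}

# Constructed ARN prefix (fake account id).
ARN = "arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/"

# Constructed sample of `describe-target-groups` output, trimmed to the fields used.
SAMPLE_TARGET_GROUPS = {"TargetGroups": [
    {"TargetGroupArn": ARN + "tls-ip/0a1b2c3d4e5f6a7b", "Protocol": "TLS", "TargetType": "ip"},
    {"TargetGroupArn": ARN + "tcp-inst/1b2c3d4e5f6a7b8c", "Protocol": "TCP", "TargetType": "instance"},
    {"TargetGroupArn": ARN + "tcp-ip/2c3d4e5f6a7b8c9d", "Protocol": "TCP", "TargetType": "ip"},
    {"TargetGroupArn": ARN + "udp-ip/3d4e5f6a7b8c9d0e", "Protocol": "UDP", "TargetType": "ip"},
]}

# Constructed `describe-target-group-attributes` output, keyed by ARN. Groups
# missing here carry no explicit value (e.g. when auditing from IaC definitions
# rather than the API), so the documented default applies to them.
SAMPLE_ATTRIBUTES = {
    ARN + "tcp-ip/2c3d4e5f6a7b8c9d": {"Attributes": [
        {"Key": "preserve_client_ip.enabled", "Value": "true"}]},
}


def default_preserve(target_type: str, protocol: str) -> bool:
    """Documented default when preserve_client_ip.enabled is not set explicitly."""
    if target_type == "ip" and protocol in ("TCP", "TLS"):
        return False
    return True


def effective_preserve(target_type: str, protocol: str, attributes: list) -> bool:
    """Effective setting for one target group.

    An explicit attribute wins over the default, except for the protocols
    where the documentation says preservation can't be turned off.
    """
    if protocol in ALWAYS_PRESERVED:
        return True
    explicit = {a["Key"]: a["Value"] for a in attributes}.get("preserve_client_ip.enabled")
    if explicit is None:
        return default_preserve(target_type, protocol)
    return explicit.lower() == "true"


def audit(target_groups: dict, attributes_by_arn: dict) -> dict:
    """Map each target group ARN to whether its targets see the client IP."""
    result = {}
    for tg in target_groups["TargetGroups"]:
        arn = tg["TargetGroupArn"]
        attrs = attributes_by_arn.get(arn, {}).get("Attributes", [])
        result[arn] = effective_preserve(tg["TargetType"], tg["Protocol"], attrs)
    return result


def groups_hiding_client_ip(target_groups: dict, attributes_by_arn: dict) -> list:
    """ARNs whose targets see the NLB's private IP instead of the client's.

    Any IP allow-list or per-client logging on those targets is keyed on the
    wrong address until preservation is enabled (or the check moves elsewhere).
    """
    return [arn for arn, on in audit(target_groups, attributes_by_arn).items() if not on]


def enable_command(arn: str) -> list:
    """argv for the AWS CLI call that turns preservation on for one group."""
    return ["aws", "elbv2", "modify-target-group-attributes",
            "--target-group-arn", arn,
            "--attributes", "Key=preserve_client_ip.enabled,Value=true"]


if __name__ == "__main__":
    for arn, on in audit(SAMPLE_TARGET_GROUPS, SAMPLE_ATTRIBUTES).items():
        name = arn.rsplit("/", 2)[1]
        print(f"{name:<10} client IP {'preserved' if on else 'NOT preserved'}")
    for arn in groups_hiding_client_ip(SAMPLE_TARGET_GROUPS, SAMPLE_ATTRIBUTES):
        print("  fix:", " ".join(enable_command(arn)))
```

In the sample only the TLS group with IP targets ends up without preservation, which is exactly the combination the question is about. Two practical caveats when you flip the attribute: with preservation on, the targets' security groups and host firewalls must admit the real client addresses rather than only the NLB's private IPs, and with it off, any allow-list on the target has to list the NLB's addresses instead of the clients'.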
Yes. Network Load Balancers preserve the original client source IP address even when using TLS listeners.
Unlike Application Load Balancers, NLBs operate at Layer 4. TLS termination at the NLB does not replace the source IP — backend targets continue to see the client’s IP as the source of the connection.
This makes NLBs suitable for workloads that require source IP visibility, such as IP-based allow-listing or protocol-level logging.
Documentation: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/introduction.html
While the old OSI layer model is rarely very useful, TCP and UDP listeners operate at layer 4 (transport), whereas TLS runs on top of the layer 4 protocols and belongs on layers 5 (session) and 6 (presentation).
Only if you have preserve client IP enabled; otherwise it sees the NLB's internal IP.