NLB IP preservation over peering target group


Dear Experts, is it a supported option in AWS to preserve source IP addresses over a peered target group? Can you please also talk about a couple of use cases for IP preservation? In my understanding, one use case is simple audit purposes and another can be direct server return, but I do not think DSR is supported by AWS. Appreciate all your help.

1 Answer

Currently, client IP preservation is only supported when the NLB and its targets are in the same VPC, not for targets in a peered VPC or on-premises.

There is no DSR, as you correctly mentioned; the AWS SDN handles the connection in such a way that the client IP is preserved and traffic is still (symmetrically) routed via the NLB.

"When client IP preservation is enabled, targets must be in the same VPC as the Network Load Balancer, and traffic must flow directly from the Network Load Balancer to the target."

Reference: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-target-groups.html#client-ip-preservation

Answered by an AWS Expert, 2 years ago
  • First of all, thanks for responding. Let me explain in detail the lab I was trying to build and my observations.
    1. LB and target group in the same VPC, targets configured by IP address. IP preservation is not on by default, but once turned on I can see client IPs making connections from the internet.
    2. Target IP moved over the peered VPC: the health check comes green, but with IP preservation still on it breaks the application.
    3. In the 2nd option with default settings (proxy protocol and IP preservation off) the application works; I see connections coming from the private IP of the LB.
    4. In the 2nd option with only proxy protocol on, the application still works and the LB IP is visible in the connection.
    My question is: target IPs can be anywhere, in the same VPC, on-prem, or over a peered connection, hence technically this combination fails with the IP preservation option (only same-VPC hosts will respond). Even after enabling proxy protocol I do not see connections made from the public IP address; that's expected too, else it may break routing for the return traffic. I was just wondering about the use cases that work in production.

  • Thank you for the additional explanation. You are correct; see this note: "When client IP preservation is enabled, targets must be in the same VPC as the Network Load Balancer, and traffic must flow directly from the Network Load Balancer to the target." from this link: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-target-groups.html#client-ip-preservation

  • Even this point makes me a bit confused. For example, NLB and target host are both part of the same VPC; client 1.1.1.1 sends a request to LB 2.2.2.2. When the client sees the request coming from 1.1.1.1 and tries to respond back, it will use PIP 3.3.3.3, hence technically the application should fail unless the reply goes back through the LB using the same IP 2.2.2.2 with some NAT functionality.

  • I edited the answer. Thanks for the clarifications.
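The thread lands on proxy protocol as the alternative when client IP preservation cannot be used (targets in a peered VPC or on-premises). With proxy protocol v2 enabled on the target group (the `proxy_protocol_v2.enabled` target group attribute), the TCP connection still arrives from the NLB's private IP, exactly as observed in the lab above, and the original client address is instead carried in a binary header at the start of each TCP stream, which the application or a front proxy must parse. The following is an added example, not code from this page or from AWS: a builder and parser for that header, following the proxy protocol v2 wire format (12-byte signature, version/command byte, family byte, big-endian length, addresses, then optional TLVs). The sample addresses, ports and payload are constructed; the TLV type 0xEA is the AWS-specific type that AWS documents for carrying the VPC endpoint ID on PrivateLink connections, and is included here only to show that TLVs must be consumed so the application payload is found at the right offset.

```python
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional

# Proxy protocol v2 constants (HAProxy proxy protocol specification).
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_CMD_LOCAL = 0x20   # version 2, command LOCAL: no client address (e.g. proxy's own probes)
PP2_CMD_PROXY = 0x21   # version 2, command PROXY: addresses follow
PP2_AF_TCP4 = 0x11     # AF_INET, SOCK_STREAM
PP2_AF_TCP6 = 0x21     # AF_INET6, SOCK_STREAM
PP2_TYPE_AWS = 0xEA    # AWS-specific TLV type (VPC endpoint ID, subtype 0x01); see lead-in

# A minimal LOCAL header: signature, LOCAL command, unspecified family, zero length.
PP2_LOCAL_HEADER = PP2_SIGNATURE + bytes([PP2_CMD_LOCAL, 0x00, 0x00, 0x00])


@dataclass
class ProxyInfo:
    command: str                      # "PROXY" or "LOCAL"
    src_ip: Optional[str]             # original client address (None for LOCAL)
    src_port: Optional[int]
    dst_ip: Optional[str]             # address the client connected to (the NLB)
    dst_port: Optional[int]
    tlvs: Dict[int, bytes] = field(default_factory=dict)
    payload: bytes = b""              # application bytes that follow the header


def build_proxy_protocol_v2(src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                            tlvs: Optional[Dict[int, bytes]] = None) -> bytes:
    """Build a v2 PROXY header as a load balancer would prepend to the TCP stream."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("source and destination address families differ")
    family = PP2_AF_TCP4 if src.version == 4 else PP2_AF_TCP6
    body = src.packed + dst.packed + struct.pack("!HH", src_port, dst_port)
    for tlv_type, value in (tlvs or {}).items():
        body += struct.pack("!BH", tlv_type, len(value)) + value
    return PP2_SIGNATURE + struct.pack("!BBH", PP2_CMD_PROXY, family, len(body)) + body


def parse_proxy_protocol_v2(data: bytes) -> ProxyInfo:
    """Parse the v2 header at the start of a TCP stream; raise ValueError if it is absent or malformed."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("no proxy protocol v2 signature at start of stream")
    ver_cmd, family, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd not in (PP2_CMD_LOCAL, PP2_CMD_PROXY):
        raise ValueError(f"unsupported version/command byte 0x{ver_cmd:02x}")
    end = 16 + length
    if len(data) < end:
        raise ValueError("truncated proxy protocol header")
    body, payload = data[16:end], data[end:]

    if ver_cmd == PP2_CMD_LOCAL:
        # No client address is carried; treat the peer (the load balancer) as the source.
        return ProxyInfo("LOCAL", None, None, None, None, {}, payload)

    if family == PP2_AF_TCP4:
        alen = 4
    elif family == PP2_AF_TCP6:
        alen = 16
    else:
        raise ValueError(f"unsupported address family/transport 0x{family:02x}")
    addr_len = 2 * alen + 4
    if len(body) < addr_len:
        raise ValueError("header too short for its address family")
    src = ipaddress.ip_address(body[:alen])
    dst = ipaddress.ip_address(body[alen:2 * alen])
    src_port, dst_port = struct.unpack("!HH", body[2 * alen:addr_len])

    # Any remaining bytes in the header are TLVs (type, 2-byte length, value).
    tlvs: Dict[int, bytes] = {}
    pos = addr_len
    while pos < len(body):
        if pos + 3 > len(body):
            raise ValueError("truncated TLV header")
        tlv_type, tlv_len = struct.unpack("!BH", body[pos:pos + 3])
        pos += 3
        if pos + tlv_len > len(body):
            raise ValueError("truncated TLV value")
        tlvs[tlv_type] = body[pos:pos + tlv_len]
        pos += tlv_len
    return ProxyInfo("PROXY", str(src), src_port, str(dst), dst_port, tlvs, payload)


if __name__ == "__main__":
    # Constructed sample: client 203.0.113.10 reached the NLB at 10.0.0.5:443 with an HTTP request.
    stream = build_proxy_protocol_v2("203.0.113.10", 40000, "10.0.0.5", 443,
                                     {PP2_TYPE_AWS: b"\x01vpce-0123"}) + b"GET / HTTP/1.0\r\n"
    info = parse_proxy_protocol_v2(stream)
    print(info.command, info.src_ip, info.src_port, "->", info.dst_ip, info.dst_port, info.payload)
```

Only trust the parsed address on listeners that are reachable solely through the NLB (security group the target down to the NLB's private IPs or the VPC CIDR): a client that can reach the target directly could send its own forged header. The parser also rejects streams with no header, which is what the lab's "proxy protocol on but application breaks" symptom looks like from the other side, and it consumes the TLVs so that the application payload is found at the correct offset.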
