Get source IP address with AWS Network Firewall

0

I am building a simple three-layer architecture that uses NGINX on EKS as the front end for receiving all the API traffic from my customers. I want to add an AWS Network Firewall in front of the NGINX layer to restrict the incoming traffic (I don't need a WAF). My NGINX layer requires the source IP (client IP) address for custom processing and logging purposes. I have a few queries on AWS Network Firewall:

  1. Does AWS Network Firewall add any XFF header with the source IP for incoming HTTP requests?
  2. If not, how can the downstream layer get the source IP address?

Thanks in advance

asked a year ago, 3.8K views
2 Answers
1
Accepted Answer

AWS Network Firewall does not automatically add the X-Forwarded-For (XFF) header containing the source IP address to incoming HTTP requests. This header is typically added by a reverse proxy like AWS Elastic Load Balancer (ELB) or NGINX itself when configured as a reverse proxy.

  • Application Load Balancer (ALB) can add the X-Forwarded-For header by default, which includes the original client IP address.
  • Network Load Balancer (NLB) supports preserving the client IP address through the Proxy Protocol.
  • Position the AWS Network Firewall between the ELB and your NGINX layer in EKS.
EXPERT
answered a year ago
EXPERT
reviewed a year ago
0

The NLB options for IP preservation and for Proxy Protocol are two different things. It's well explained in the following blog post: https://aws.amazon.com/fr/blogs/networking-and-content-delivery/preserving-client-ip-address-with-proxy-protocol-v2-and-network-load-balancer/

  • IP preservation will allow the target to see the original client IP address in the IP packet. This is achieved using AWS internal routing mechanisms and has some limitations when used in conjunction with AWS Network Firewall.
  • Proxy Protocol V2 is an additional header in the TCP communication stream. The receiving target must support the additional header or else the communication will fail.

When you have architectures including a NLB and an AWS Network Firewall you have to be careful about the architecture deployed.

The recommendation is to deploy the AWS Network Firewall endpoint between the Internet Gateway and the NLB. This will allow IP preservation if required and also allows better visibility of the source IP in the AWS Network Firewall. As mentioned in the previous answer, the NGINX proxy will support Proxy Protocol V2, so you will be able to relay the information between the NLB and the NGINX proxy.

Important clarifications:

  • If you position the AWS Network Firewall between the NLB and NGINX, you will not be able to enable IP preservation, so the source IP of the communication in the IP packet will be the NLB internal IP; Proxy Protocol will relay the information to NGINX.
  • It will not be possible for the AWS Network Firewall to see the real client source IP address.
  • All of the above is supported if you position the AWS Network Firewall between the Internet Gateway and the NLB.
AWS, answered 2 months ago
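A worked NGINX configuration for the two paths described in the answers above (NLB with Proxy Protocol v2, and ALB with X-Forwarded-For), added here as an example and not part of either answer. The subnet range 10.0.0.0/16, the listen ports and the upstream name api-backend are assumed values; replace them with your own.

```nginx
events {}

http {
    # Assumed upstream: the API pods behind this NGINX front end.
    upstream api-backend {
        server 127.0.0.1:9000;
    }

    # Log the address carried in the Proxy Protocol header next to $remote_addr
    # (rewritten by the realip module) so the two can be compared in practice.
    log_format client_ip '$proxy_protocol_addr -> $remote_addr "$request" $status';
    access_log /var/log/nginx/access.log client_ip;

    # NLB path: the target group has Proxy Protocol v2 enabled. NGINX must expect
    # the header on every connection, otherwise the TCP stream will not parse.
    server {
        listen 8080 proxy_protocol;

        # Trust the Proxy Protocol address only when the connection arrives from
        # the load balancer's subnet (assumed 10.0.0.0/16). Even when Network
        # Firewall sits between the NLB and NGINX and the packet source is the
        # NLB's internal IP, $proxy_protocol_addr still carries the client IP.
        set_real_ip_from 10.0.0.0/16;
        real_ip_header proxy_protocol;

        location / {
            # Forward the recovered client IP to the API layer explicitly.
            proxy_set_header X-Real-IP $proxy_protocol_addr;
            proxy_set_header X-Forwarded-For $proxy_protocol_addr;
            proxy_pass http://api-backend;
        }
    }

    # ALB path: the ALB already appends X-Forwarded-For. Trust that header only
    # from the ALB subnet (assumed 10.0.0.0/16) and walk it right-to-left so a
    # client-supplied XFF value is not taken as the real address.
    server {
        listen 8081;
        set_real_ip_from 10.0.0.0/16;
        real_ip_header X-Forwarded-For;
        real_ip_recursive on;

        location / {
            proxy_pass http://api-backend;
        }
    }
}
```

Run `nginx -t -c /path/to/this.conf` to validate the file before loading it; the ALB server block needs no Proxy Protocol on the listener because the client IP arrives in the HTTP header rather than in the TCP stream.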
