Get source IP address with AWS Network Firewall


I am building a simple three-layer architecture that uses NGINX on EKS as the front end for receiving all the API traffic from my customers. I want to add an AWS Network Firewall in front of the NGINX layer to restrict the incoming traffic (don't need a WAF). My NGINX layer requires the source IP (client IP) address for custom processing and logging purposes. I have a few queries on AWS Network Firewall:

  1. Does AWS Network Firewall add any XFF header with source IP for incoming HTTP requests?
  2. If not, how can the downstream layer get the source IP address?

Thanks in advance

asked 23 days ago, 1073 views
1 Answer
Accepted Answer

AWS Network Firewall does not automatically add the X-Forwarded-For (XFF) header containing the source IP address to incoming HTTP requests. This header is typically added by a reverse proxy like AWS Elastic Load Balancer (ELB) or NGINX itself when configured as a reverse proxy.

  • Application Load Balancer (ALB) can add the X-Forwarded-For header by default, which includes the original client IP address.
  • Network Load Balancer (NLB) supports preserving the client IP address through the Proxy Protocol.
  • Position the AWS Network Firewall between the ELB and your NGINX layer in EKS.
answered 23 days ago
reviewed 23 days ago
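
The two options named in the answer, seen from the NGINX side, as an added example that is not part of the original answer: NGINX restores the client address from either `X-Forwarded-For` (ALB) or the PROXY protocol header (NLB), and trusts it only when the connection comes from the load balancer. The CIDR `10.0.0.0/16`, the ports and the log format name are assumptions.

```nginx
# Added example. 10.0.0.0/16 is a placeholder for the load balancer subnets;
# ports and the log format name are assumptions.
# Goes in the http {} context; requires ngx_http_realip_module.

log_format client_ip '$remote_addr [$time_local] "$request" $status '
                     'xff="$http_x_forwarded_for" peer=$realip_remote_addr';

# Case 1: behind an ALB, which sends X-Forwarded-For.
server {
    listen 8080;

    # Accept the header only when the TCP peer is the load balancer.
    set_real_ip_from 10.0.0.0/16;
    real_ip_header   X-Forwarded-For;
    # Walk the header from the right and stop at the first address that is
    # not trusted, so entries a client put in its own XFF header are ignored.
    real_ip_recursive on;

    access_log /var/log/nginx/access.log client_ip;

    location / {
        return 200 "client=$remote_addr\n";
    }
}

# Case 2: behind an NLB with Proxy Protocol enabled on the target group.
server {
    # Every connection on this port must begin with a PROXY protocol header.
    listen 8081 proxy_protocol;

    set_real_ip_from 10.0.0.0/16;
    real_ip_header   proxy_protocol;

    access_log /var/log/nginx/access.log client_ip;

    location / {
        return 200 "client=$remote_addr\n";
    }
}
```

After either block is applied, `$remote_addr` holds the client address and `$realip_remote_addr` holds the load balancer's address, so both appear in the access log. `nginx -t` checks the syntax before a reload.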
