Get source IP address with AWS Network Firewall


I am building a simple three-layer architecture that uses NGINX on EKS as the front end for receiving all the API traffic from my customers. I want to add an AWS Network Firewall in front of the NGINX layer to restrict the incoming traffic (don't need a WAF). My NGINX layer requires the source IP (client IP) address for custom processing and logging purposes. I have a few queries on AWS Network Firewall:

  1. Does AWS Network Firewall add any XFF header with source IP for incoming HTTP requests?
  2. If not, how can the downstream layer get the source IP address?

Thanks in advance

Asked 2 months ago · 1946 views
1 Answer

AWS Network Firewall does not automatically add the X-Forwarded-For (XFF) header containing the source IP address to incoming HTTP requests. This header is typically added by a reverse proxy like AWS Elastic Load Balancer (ELB) or NGINX itself when configured as a reverse proxy.

  • Application Load Balancer (ALB) can add the X-Forwarded-For header by default, which includes the original client IP address.
  • Network Load Balancer (NLB) supports preserving the client IP address through the Proxy Protocol.
  • Position the AWS Network Firewall between the ELB and your NGINX layer in EKS.
Answered 2 months ago
Reviewed 2 months ago
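
NGINX-side configuration for the two load balancer options named in the answer above, added here as an example and not part of the original answer. It assumes a plain `nginx.conf` with `ngx_http_realip_module` available; the CIDR ranges, ports, log path and log format name are placeholders to replace with your own values.

```nginx
# Added example. 10.0.0.0/24 and 10.0.1.0/24 are placeholder subnets for the
# load balancer nodes; ports, log path and the "clientip" name are assumptions.
events {}

http {
    # Log both the resolved client address and the address of the peer that
    # actually opened the TCP connection, so a spoofed header is visible.
    log_format clientip '$remote_addr peer=$realip_remote_addr '
                        'xff="$http_x_forwarded_for" "$request" $status';
    access_log /var/log/nginx/access.log clientip;

    # Option A: traffic arrives through an ALB, which appends the client IP
    # to X-Forwarded-For.
    server {
        listen 8080;

        # Accept the header only from the load balancer subnets. Without
        # set_real_ip_from, any client could set X-Forwarded-For itself.
        set_real_ip_from 10.0.0.0/24;
        set_real_ip_from 10.0.1.0/24;
        real_ip_header X-Forwarded-For;
        # Walk the header from the right and stop at the first address that
        # is not a trusted proxy; values the client prepended are ignored.
        real_ip_recursive on;

        location / {
            return 200 "client=$remote_addr\n";
        }
    }

    # Option B: traffic arrives through an NLB with Proxy Protocol enabled
    # on the target group.
    server {
        listen 8081 proxy_protocol;

        set_real_ip_from 10.0.0.0/24;
        set_real_ip_from 10.0.1.0/24;
        real_ip_header proxy_protocol;

        location / {
            return 200 "client=$remote_addr proxy_protocol=$proxy_protocol_addr\n";
        }
    }
}
```

A listener declared with `proxy_protocol` rejects connections that do not begin with the Proxy Protocol header, so enable it on the load balancer and in NGINX together.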
