2
votes

I switched from Application Load Balancer to Network Load Balancer for my application running on ECS Fargate because my application needed a static IP address.

Now I am unable to get the source/client IP address from the X-Forwarded-For or X-Real-Ip HTTP headers. In both of these headers I am getting a private IP. With the Application Load Balancer I was able to get the client IP from the X-Forwarded-For header.

Documentation here says that NLB preserves source IP address.

I couldn't troubleshoot the issue yet. What might I be doing wrong?

If this is not possible using Network Load Balancer, how can I achieve the following objectives, given that my application is running on AWS ECS Fargate:

  1. Have a static IP (e.g. for A record, IP whitelisting etc)

  2. Can extract the client IP address (e.g. for region-based business logic using GeoIP etc.)

2
@Paul very clearly described why extracting the client IP from X-Forwarded-For headers is not possible using NLB; updated my question in the hope of finding a solution to my two objectives.

2 Answers

6
votes

The network LB will not support X-Forwarded-For headers like the Application LB does.

Application LB:

Layer-7 Load Balancing: You can load balance HTTP/HTTPS applications and use layer 7-specific features, such as X-Forwarded-For headers.

This is not the case with Network LB, which is a layer 4 load balancing method and as such is not HTTP protocol aware.

The Network LB will maintain the source IP ("Preserve Source IP address"), whereas the Application LB will not. Because the IP address is maintained, the Network LB has no use for the X-Forwarded-For header, which inserts the original IP when NAT is being used.

0
votes

Extending on @paul-dawson's answer, you can actually obtain the source IP with NLBs if your backend supports the proxy protocol standard, by enabling it on both the NLB and your server.

More details at https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-target-groups.html#proxy-protocol
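To show what "your backend supports the proxy protocol" means in practice, here is an added example (not code from the answer or from AWS) that parses the binary PROXY protocol v2 header an NLB prepends to each TCP connection when proxy protocol is enabled on the target group. The sample header is constructed inline; the builder helper and the `ProxyInfo` type are assumptions of this example, and the backend must only trust the header on a port reachable solely from the NLB, since anything with direct access to the port could send its own header.

```python
import socket
import struct
from typing import NamedTuple, Optional

# Fixed 12-byte signature that opens every PROXY protocol v2 header.
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"

class ProxyInfo(NamedTuple):
    src_ip: str      # the real client address, as seen by the NLB
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes   # bytes after the header: the start of the actual request

def parse_proxy_v2(data: bytes) -> Optional[ProxyInfo]:
    """Parse the PROXY v2 header at the start of a TCP stream.

    Returns None for a LOCAL command (the proxy's own connection, e.g. a
    health check). Raises ValueError if the header is missing or malformed;
    a missing header usually means proxy protocol is not enabled on the NLB.
    The caller must have read at least 16 + length bytes from the socket."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("no PROXY protocol v2 signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version")
    if len(data) < 16 + length:
        raise ValueError("short read: header incomplete")
    addr, payload = data[16:16 + length], data[16 + length:]
    if ver_cmd & 0x0F == 0:          # LOCAL: no client address to report
        return None
    family = fam_proto >> 4          # high nibble: 1 = AF_INET, 2 = AF_INET6
    if family == 1:
        fmt, af, n = "!4s4sHH", socket.AF_INET, 12
    elif family == 2:
        fmt, af, n = "!16s16sHH", socket.AF_INET6, 36
    else:
        raise ValueError("unsupported address family")
    if len(addr) < n:
        raise ValueError("address block truncated")
    src, dst, sport, dport = struct.unpack(fmt, addr[:n])
    # Anything left in addr after the addresses is TLV data (an NLB adds a
    # PP2_TYPE_AWS TLV carrying the VPC endpoint ID); it is ignored here.
    return ProxyInfo(socket.inet_ntop(af, src), sport,
                     socket.inet_ntop(af, dst), dport, payload)

def build_proxy_v2_ipv4(src_ip, src_port, dst_ip, dst_port, payload=b"", cmd=0x21):
    """Constructed test helper: emit a v2 header (cmd 0x21 = PROXY, 0x20 = LOCAL)."""
    addr = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!HH", src_port, dst_port))
    return PP2_SIGNATURE + bytes([cmd, 0x11]) + struct.pack("!H", len(addr)) + addr + payload

# Constructed sample: a client at 203.0.113.7 reaching a Fargate task on port 8080.
SAMPLE = build_proxy_v2_ipv4("203.0.113.7", 51234, "10.0.1.25", 8080, b"GET / HTTP/1.1\r\n")
```

In a real service, read the header from the accepted socket before handing the remaining bytes to the HTTP parser, and log or reject connections whose header fails to parse.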