From experimenting with an Azure load-balancing set, it seems that the x-forwarded-for header is not used (as would be expected with a regular load balancer); rather, they preserve the original client IP.
E.g.:

```javascript
const express = require('express');
const winston = require('winston');
const app = express();

app.get('/my-ip', function(req, res) {
  // Log the proxy-supplied header (if any) next to the TCP peer address
  winston.log('/my-ip', 'x-forwarded', req.headers['x-forwarded-for'] || 'none', 'remoteAddress', req.connection.remoteAddress || 'none');
  res.end();
});
```

With the result:

```
/my-ip x-forwarded none remoteAddress MY_CORRECT_IP
```
Can this behavior be confirmed and relied upon?
A response to an inbound flow is always a response from a virtual machine. When the flow arrives on the virtual machine, the original source IP address is also preserved.
Because an Application Load Balancer terminates incoming TCP connections and creates new connections to your backend targets, it does not preserve client IP addresses all the way to your target code (such as instances, containers, or Lambda code).
Azure load balancer overview

An Azure load balancer is a Layer-4 (TCP, UDP) load balancer that provides high availability by distributing incoming traffic among healthy VMs. A load balancer health probe monitors a given port on each VM and only distributes traffic to an operational VM.
Floating IP is Azure's terminology for a portion of what is known as Direct Server Return (DSR). DSR consists of two parts: a flow topology and an IP address mapping scheme. At a platform level, Azure Load Balancer always operates in a DSR flow topology regardless of whether Floating IP is enabled or not.
You are confusing proxies with load balancing. Proxies use x-forwarded, load balancers do not (by default). Load balancers work at a lower level in the OSI stack (although you might find all kinds of things calling themselves load balancers that really aren't).
The key difference here is that a proxy actually interprets your HTTP request, typically caching it in the process, before forwarding it with its altered headers. A load balancer doesn't have to (though it can). They just re-route packets. Some more advanced load balancers support adding this header, but it's never the default configuration. Proxies typically have this header on by default, and support removing it.
The reason load balancers don't typically need this header is that a load balancer is basically a router; as such it maintains the original source IP information of the packets by default. A proxy, on the other hand, acts as the destination for the original request, then issues a new request to the new destination, so the original packet information is typically lost. It's like if you worked at a mail forwarding facility, and you opened people's mail, read it, then put it in a new envelope with your return address.