Configuring client IP address preservation with a Network Load Balancer in AWS Global Accelerator
AWS Global Accelerator now supports client IP address preservation with Network Load Balancer endpoints. This feature allows you to maintain the source IP address of the original client for packets that arrive at Network Load Balancers configured as Global Accelerator endpoints.
In this blog post, we discuss use cases and benefits for using Global Accelerator client IP address preservation, review best practices and requirements for setting up this feature with Network Load Balancer endpoints, and share examples of test scenarios.
AWS Global Accelerator is a networking service that helps you improve the internet client experience for your applications by leveraging the AWS Global Network infrastructure. Depending on your needs, you can use AWS Global Accelerator for several deployment use cases, including A/B testing, blue-green deployments, API acceleration, or live video ingestion.
When you create an accelerator, you get two global static IP addresses for each IP stack (for example, two IPv4 and two IPv6 addresses for a dual-stack accelerator). The static IP addresses are anycast routed from the AWS edge network. Clients use the static IP addresses to access your applications, and traffic enters the AWS network at the nearest Global Accelerator point of presence (POP).
Traffic for standard accelerators is routed to the optimal regional endpoint, based on health, client location, and configured policies. Global Accelerator also implements automatic routing optimizations to keep packet loss, jitter, and latency consistently low for your applications.
The following diagram (Figure 1) provides a high-level overview of how Global Accelerator works.
Figure 1: High level overview of Global Accelerator
Client IP address preservation with Global Accelerator endpoints allows you to implement specific features in your application deployment, for example:
- Apply security and compliance controls that rely on the original client IP address.
- Configure custom business logic decisions at the application level, based on the client IP address.
- Provide customized application experiences to your end users, based on their IP address. For example, you can map a client public IP address to a geographic location, and deliver application content in a regional language.
- Use GeoIP-based filters based on client IP addresses for localized data access requirements. Thus, you can ensure compliance with data regulations based on the end user residency.
- Gather meaningful statistics about client IP addresses and connection profiles, and adapt your application to optimize the user experience.
You can use client IP address preservation with several endpoint types, including Amazon Elastic Compute Cloud (Amazon EC2) instances, Application Load Balancers, and now Network Load Balancers. You can use this feature with new accelerators, in all AWS Regions where Global Accelerator is supported. You can also enable it for existing accelerators for supported endpoint types.
Before you begin
For the following sections, we assume that you’re familiar with the features and capabilities of AWS Global Accelerator and Network Load Balancers. For more information specific to client IP address preservation in Global Accelerator, see Preserve client IP addresses in the Developer Guide. For overall information about Global Accelerator and its features, see the overview documentation. To learn more about working with Network Load Balancers, see the user guide.
Before we dive into the configuration steps, let’s review the following requirements for setting up Global Accelerator client IP address preservation with Network Load Balancer endpoints:
- You can enable client IP address preservation only for Network Load Balancers configured with security groups.
- You must configure the security group for the Network Load Balancer to allow inbound traffic from the client IP addresses.
- You must ensure that the security group for the Network Load Balancer allows the health check probes that Global Accelerator uses. Additionally, Network Load Balancer health checks for end targets are subject to outbound rules, not inbound rules, so you must ensure that outbound rules allow health check traffic. Otherwise, the load balancer considers the targets unhealthy.
- You can add Network Load Balancer endpoints in both public and private subnets, with client IP address preservation. When you add an internal Network Load Balancer endpoint to an accelerator, the VPC that contains the load balancer must have an internet gateway attached to it, to indicate that the VPC accepts internet traffic. However, you don’t need public IP addresses on the load balancer, or an associated route through the internet gateway for the load balancer subnets.
To learn more about how client IP preservation works with AWS Global Accelerator, see the guidance in the Developer Guide.
In addition to the support for client IP address preservation in Global Accelerator, Network Load Balancers also preserve the source IP address of clients by default when they route requests to their backend targets. To learn more about how client IP preservation works with Network Load Balancers, see the user guide.
For an application to receive the original client IP address, both Global Accelerator and the Network Load Balancer must be configured to preserve client IP addresses.
Setting up client IP address preservation in Global Accelerator
To illustrate how to set up client IP address preservation with Network Load Balancer endpoints in Global Accelerator, let’s walk through an example.
For our setup, let’s consider an application deployed in an Amazon VPC, on EC2 instances that are configured to use TCP port 80. To ensure high availability, scalability and resilience, we use a Network Load Balancer to front our application. Clients on the internet access the application by using TCP port 8080, so we include a standard accelerator with a listener on TCP port 8080. Our sample application implements custom logic based on the client IP address, so we’ll configure both the Network Load Balancer and the accelerator to preserve the client IP addresses.
The architecture and traffic flow path for our sample application are shown in the following diagram (Figure 2).
Figure 2: Overview architecture for data flow with Global Accelerator
You can use AWS CloudFormation templates to deploy the architecture depicted in Figure 2.
Let’s review the steps to configure client IP address preservation with Network Load Balancer endpoints in Global Accelerator.
Step 1: Set up a Network Load Balancer
We start by creating an instance-type target group, and registering the EC2 instances that host our sample application with the target group. We assume that the EC2 instances in the VPC are already configured to accept client traffic for the application on TCP port 80. The target group has the configuration shown in the following screenshot of the AWS Management Console (Figure 3).
Figure 3: Target group configuration on the Network Load Balancer details page in the console
The target group configuration has the following settings:
-  Target group protocol set to TCP port 80
-  Two EC2 instances registered in the group, both configured to receive client traffic on port 80
Now, let’s create a Network Load Balancer, with the settings shown in the following screenshot of the console (Figure 4).
Figure 4: Network Load Balancer setup page in the console
The Network Load Balancer is configured with the following settings:
-  A TCP listener on port 8080
-  A default action to forward traffic to the target group for the application
A requirement for using client IP address preservation in Global Accelerator with a Network Load Balancer endpoint is to associate a security group with the Network Load Balancer when you create it. For your Network Load Balancer, configure the security group based on your security requirements.
For our example Network Load Balancer, we associated a default security group with the load balancer, as shown in the following screenshot of the console of the Security tab (Figure 5).
Figure 5: Network load Balancer security group tab
When you configure your own Network Load Balancer, make sure that your security configuration allows traffic that is incoming from your application’s client IP addresses, and that it allows Network Load Balancer health check probes to the load balancer’s target instances. For the detailed steps to configure a Network Load Balancer, see the user guide documentation.
Step 2: Create an accelerator with a Network Load Balancer endpoint
Now that we’ve created a Network Load Balancer with a security group, and configured the options for it, we use the Create accelerator wizard in the console to create and configure a standard IPv4 accelerator for our application, with the load balancer endpoint.
- For the accelerator listener, we match the Network Load Balancer listener configuration: protocol TCP, port 8080.
- We choose us-east-2 as the Region for our endpoint group, where the Network Load Balancer is deployed.
Finally, on the Add endpoints page, we add the Network Load Balancer as an endpoint for the accelerator. We select the option to preserve the client IP address, as shown in the following console screenshot (Figure 6).
Figure 6: Endpoint with client IP address preservation enabled
After Global Accelerator has deployed the accelerator, users can access our application that runs on the target instances behind the Network Load Balancer. When they access the application by using the static global IP addresses assigned to this accelerator, their client IP addresses are preserved through to our application. For details about how Global Accelerator routes client traffic to its endpoints, see the documentation.
The following screenshot (Figure 7) of the console details page for our example accelerator highlights the anycast-routed global static IP addresses  and the listener configuration on TCP port 8080 .
Figure 7: Accelerator details page in the console
The following console screenshot (Figure 8) of the endpoint details page for the accelerator highlights the Network Load Balancer endpoint type  and shows that the client IP address preservation option is enabled .
Figure 8: Client IP address preservation enabled on the endpoint details page in the console
Testing client IP address preservation
Our example setup is ready for an end-to-end test. For this, we send raw TCP traffic to the accelerator DNS name, using the netcat utility on a client host. Netcat allows us to create a TCP session from the client to the accelerator port. The following screenshot (Figure 9) shows a client creating a TCP session with the accelerator, on port 8080. Note that VPC DNS resolution helps the client resolve the accelerator name to the public IP address 22.214.171.124, which is anycast routed on the internet.
Figure 9: Successful TCP connection from client to the accelerator
Next, we monitor incoming traffic on the application instances, and observe the client IP address preserved in the IP packets. Our client IP address is 126.96.36.199. The following screenshot (Figure 10) of tcpdump output confirms that the application instance receives incoming traffic with the client IP address as the source IP.
Figure 10: Tcpdump screenshot showing that backend instances see the client’s IP address
Now, we can use the client IP address information to improve our client experience, for example, by delivering customized application features or implementing data residency restrictions.
You can also use Amazon OpenSearch Service to visualize and analyze the client IP addresses. With OpenSearch, you can create dashboards with heat maps to highlight where your application users are concentrated. You can use this data to continuously optimize and evolve your applications, for example, by expanding them in AWS Regions closer to user-dense geographies, or by consolidating deployments in Regions where the user footprint is small.
Client IP address preservation in AWS Global Accelerator can help you to secure, customize, and optimize your AWS applications by sending the source IP address of clients directly to your applications. This allows you improve end user experiences, deliver content tailored to the profiles of your clients, and ensure compliance and data residency requirements are met. In this blog post, we discussed how to configure client IP address preservation feature for Network Load Balancer endpoints in Global Accelerator. If you have questions about this post, start a new thread on AWS re:Post, or contact AWS Support.