Oct 23, 2023

AWS NLB and Client IP Preservation - How to create Security Group Rules

Danilo Desole
3 minute read

Have you ever created a Network Load Balancer on AWS, together with its target group, its target and the security group rules attached to it, only to end up giving up because you couldn't reach the target from your browser?

It happened to me last week, and it led me to an interesting AWS feature named Client IP Preservation.

Client IP Preservation is a target group feature that makes the traffic forwarded by the Network Load Balancer keep the client's IP, so the packets reaching your target carry the original client's source IP. Disabling this option rewrites the source IP to the NLB's private IP (the NLB is likely to have more than one IP, one per ENI, so the source IP becomes that of the ENI which handled the traffic).

By default, AWS enables Client IP Preservation if the Target Group type is one of the following:

  • EC2 instance (ASG, EC2 instances)
  • IP type, protocol UDP or TCP_UDP

This means that Client IP Preservation is off by default only when your target type is IP and the protocol is TCP or TLS.

But what does this mean?

It means that you need to remember to allow the public internet CIDRs your clients come from in your security group if your target is one or more EC2 instances, or any other target of type IP with protocol UDP or TCP_UDP. With Client IP Preservation on, the security group evaluates the client's IP, not the NLB's, so a rule that only allows the NLB private IPs drops the traffic.

Instead, if your target is of type IP and the protocol is TCP or TLS, you can simply allow traffic from the NLB private IPs. For example, if you set an ECS cluster as the target of your NLB, its tasks' security group needs only rules that allow the NLB private IPs.

Is it any better to enable Client IP Preservation?

For target types IP + UDP/TCP_UDP and Instance (except some instance types), you cannot disable Client IP Preservation; you can, though, enable it for target type IP + TCP/TLS. Before enabling Client IP Preservation, consider the following:

  • Targets must be in the same VPC as the Network Load Balancer, and traffic must flow directly from the Network Load Balancer to the target.

  • Client IP Preservation is not supported when using a Gateway Load Balancer endpoint to inspect traffic between the Network Load Balancer and the target.

  • Client IP Preservation is not supported when a target group contains AWS PrivateLink ENIs or the ENI of another Network Load Balancer.

  • Client IP Preservation has no effect on traffic converted from IPv6 to IPv4.

  • When you specify targets by Application Load Balancer type, the client IP of all incoming traffic is preserved by the Network Load Balancer and is sent to the Application Load Balancer.
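To make the rules above concrete, here is an added example (not code from the post or from AWS) that models which source address an NLB target's security group actually evaluates, following the default/forced behaviour described in this post, and checks a candidate set of ingress CIDRs against it. The NLB ENI addresses, the client address and the security group rules are constructed sample values; which ENI forwards a given packet depends on the Availability Zone, so a correct NLB-only rule set must list every NLB private IP.

```python
"""Model NLB Client IP Preservation and its effect on target security groups.

Added example, not from the post. The decision table encodes the rules the
post states: preservation is on and cannot be turned off for Instance targets
and for IP targets using UDP/TCP_UDP; for IP targets using TCP/TLS it is off
by default and can be enabled.
"""
from __future__ import annotations

import ipaddress
from enum import Enum


class TargetType(Enum):
    INSTANCE = "instance"
    IP = "ip"


class Protocol(Enum):
    TCP = "TCP"
    TLS = "TLS"
    UDP = "UDP"
    TCP_UDP = "TCP_UDP"


def preservation_is_forced(target_type: TargetType, protocol: Protocol) -> bool:
    """True when Client IP Preservation is on and cannot be disabled."""
    if target_type is TargetType.INSTANCE:
        return True
    return target_type is TargetType.IP and protocol in (Protocol.UDP, Protocol.TCP_UDP)


def effective_preservation(target_type: TargetType, protocol: Protocol,
                           requested: bool | None = None) -> bool:
    """Resolve the preserve-client-IP setting. requested=None keeps the AWS default."""
    if preservation_is_forced(target_type, protocol):
        if requested is False:
            raise ValueError(
                f"Client IP Preservation cannot be disabled for "
                f"{target_type.value}/{protocol.value}")
        return True
    # IP target with TCP or TLS: off unless explicitly enabled.
    return bool(requested)


def source_ip_seen_by_target(preserve: bool, client_ip: str, nlb_eni_ip: str) -> str:
    """Source address the target's security group evaluates for a forwarded packet."""
    return client_ip if preserve else nlb_eni_ip


def sg_allows(ingress_cidrs: list[str], source_ip: str) -> bool:
    """Does any ingress CIDR in the security group cover the source address?"""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in ingress_cidrs)


def required_ingress_cidrs(preserve: bool, nlb_private_ips: list[str],
                           client_cidrs: list[str]) -> list[str]:
    """CIDRs the target SG must allow: client ranges when the client IP is
    preserved, otherwise a /32 for every NLB ENI private IP."""
    if preserve:
        return list(client_cidrs)
    return [f"{ip}/32" for ip in nlb_private_ips]


def check_target_sg(target_type: TargetType, protocol: Protocol, requested: bool | None,
                    ingress_cidrs: list[str], nlb_private_ips: list[str],
                    client_ip: str) -> dict:
    """Evaluate whether a client packet would pass the target's security group."""
    preserve = effective_preservation(target_type, protocol, requested)
    # Assumption: any one of the NLB ENIs may forward the packet; use the first.
    seen = source_ip_seen_by_target(preserve, client_ip, nlb_private_ips[0])
    return {"preserve_client_ip": preserve, "source_seen": seen,
            "allowed": sg_allows(ingress_cidrs, seen)}


# Constructed sample values (not from the post).
NLB_PRIVATE_IPS = ["10.0.1.10", "10.0.2.10"]     # one ENI per AZ subnet
CLIENT_IP = "203.0.113.7"                        # a public client address
NLB_ONLY_RULES = [f"{ip}/32" for ip in NLB_PRIVATE_IPS]
PUBLIC_RULES = ["0.0.0.0/0"]

if __name__ == "__main__":
    # The failure in the post: EC2 instance target, SG allowing only the NLB IPs.
    print(check_target_sg(TargetType.INSTANCE, Protocol.TCP, None,
                          NLB_ONLY_RULES, NLB_PRIVATE_IPS, CLIENT_IP))
    # ECS tasks as IP/TCP targets: NLB-only rules are enough by default.
    print(check_target_sg(TargetType.IP, Protocol.TCP, None,
                          NLB_ONLY_RULES, NLB_PRIVATE_IPS, CLIENT_IP))
    # The fix for the instance case: allow the client ranges instead.
    print(required_ingress_cidrs(True, NLB_PRIVATE_IPS, PUBLIC_RULES))
```

Running the script shows the instance target being denied (the SG sees 203.0.113.7, which no NLB-only rule covers) while the IP/TCP target is allowed (the SG sees 10.0.1.10); `required_ingress_cidrs` returns the rule set that matches the effective preservation setting so the two stay consistent when you later flip the attribute on an IP/TCP target group.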

If your organisation is scaling its AWS usage and needs help in implementing AWS Guardrails, AWS Control Tower, AWS Landing Zones, and any other AWS Service, please feel free to reach out by visiting our contact page or sending an email to team@virtuability.com.
