Sunday, April 7, 2019

networking - Revealing the real IP address behind an AWS EC2 load balancer



I have a web-application that contains events that I'm interested in reading from the internet.



To do this, I have an AWS EC2 load balancer that sits in front of two EC2 instances. I have an application that tracks events on both of these servers.



The setup can be visualized like this:
Instance 1 and 2 -> Load Balancer -> Event Monitor




The problem I'm seeing is that each event appears to be coming from the load balancer IP and not from the EC2 instance IP. I'm convinced that when the load balancer forwards traffic, it puts its IP on the packet.



Is there a setting in AWS on the load balancer that I can change to forward packets with the actual IP address instead of the load balancer IP?


Answer




The problem I'm seeing is that each event appears to be coming from the load balancer IP and not from the EC2 instance IP. I'm convinced that when the load balancer forwards traffic, it puts its IP on the packet.





You're convinced of this because yes, that is precisely how load balancers are designed to work.




Is there a setting in AWS on the load balancer that I can change to forward packets with the actual IP address instead of the load balancer IP?




Think that through for a minute. Sure, an LB could theoretically change the IP headers so that the source IP matches the backend server. There are several problems with this, though:





  1. Your backend servers have private IPs, which your clients aren't going to be able to hit.

  2. When your clients hit your ELB, they first have to stand up a TCP connection before any HTTP can happen. So they have a TCP connection with the ELB, not with the backend server. Therefore when the client sees a packet with a source IP that doesn't match a current connection, it's going to discard it.

  3. You likely don't want to do this anyway, as backend instances change frequently and your clients shouldn't need to worry about that, nor should they be able to discover your private infrastructure.



Why do you want this anyway? If you really want your clients to be able to discover this information, you can possibly put the private IP into an HTTP response header, which your client has access to.
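The header approach from the answer, worked through as an added example (not code from the original post): the monitor still sees the load balancer as the TCP peer, so it attributes each event using a response header the backend sets instead. The header name `X-Backend-Id`, the shared secret and all IP addresses are assumptions, and the backend publishes an opaque identifier rather than its private IP so the monitor can resolve it while ordinary clients learn nothing about the private infrastructure.

```python
"""Attribute events to a backend behind a load balancer via a response header."""
from dataclasses import dataclass
import hashlib

BACKEND_HEADER = "x-backend-id"  # assumed header name; normalised to lowercase
LB_IP = "203.0.113.10"  # constructed: public address of the load balancer
SECRET = "monitor-only-secret"  # constructed: known to backends and the monitor


def backend_id(private_ip: str, secret: str = SECRET) -> str:
    """Stable but opaque identifier so the private IP is never sent to clients."""
    digest = hashlib.sha256(f"{secret}:{private_ip}".encode()).hexdigest()
    return digest[:16]


def add_backend_header(headers: dict, private_ip: str) -> dict:
    """Backend side: stamp the HTTP response; the LB forwards app headers unchanged."""
    out = {k.lower(): v for k, v in headers.items()}
    out[BACKEND_HEADER] = backend_id(private_ip)
    return out


@dataclass
class Event:
    peer_ip: str      # what the socket reports: always the load balancer
    backend_ip: str   # resolved from the header, or "unknown"


def attribute_event(peer_ip: str, response_headers: dict, known: dict) -> Event:
    """Monitor side: ignore the peer address for attribution and use the header.

    `known` maps backend_id -> private IP and lives only on the monitor, so a
    header value that does not resolve is reported rather than trusted blindly.
    """
    normalised = {k.lower(): v for k, v in response_headers.items()}
    ident = normalised.get(BACKEND_HEADER)
    return Event(peer_ip=peer_ip, backend_ip=known.get(ident, "unknown"))


def demo() -> list:
    """Constructed run: two backends, both seen through the same LB address."""
    backends = ["10.0.1.20", "10.0.2.30"]  # constructed private instance IPs
    known = {backend_id(ip): ip for ip in backends}
    events = []
    for ip in backends:
        headers = add_backend_header({"Content-Type": "text/plain"}, ip)
        events.append(attribute_event(LB_IP, headers, known))
    # A response with no header (e.g. an LB-generated error page) stays unknown.
    events.append(attribute_event(LB_IP, {"Content-Type": "text/html"}, known))
    return events
```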

