Preserve Client IP
By default, Avi Service Engines (SEs) do source NAT-ing (SNAT) of traffic destined to back-end servers. Due to SNAT, the application servers see the IP address of the SE interfaces and are unaware of the original client’s IP address. Preserving a client’s IP address is a desirable feature in many cases, for example, when servers have to apply security and access-control policies. Two ways to solve this problem in Avi Vantage are:
- X-Forwarded-For — limited to HTTP(S) application profiles only
- TCP Proxy Protocol — limited to TCP traffic on L4 application profiles only
Both of the above require the back-end servers to support the respective mechanism.
A third and more generic approach is for the Service Engine to use the client IP address as the source IP address for load-balanced connections from the SE to back-end servers. This capability is called preserve client IP, one component of Avi Vantage’s default gateway feature, and a property that may be set on/off in application profiles.
Until Avi Vantage release 18.2.6, selecting the Enable IP Routing with Service Engine option is a prerequisite for selecting the Preserve Client IP Address option in any application profile.
However, starting with Avi Vantage version 18.2.6, enabling IP Routing is not mandatory to select Preserve Client IP Address.
Starting with Avi Vantage version 18.2.5, refer to the Network Service configuration page for details on enabling IP routing.
Scope of Preserve Client IP
- Avi Vantage Releases 18.2.6 and below:
  - As enabling IP routing is a prerequisite for enabling the Preserve Client IP Address option, all the restrictions applicable to enabling IP routing apply here.
  - The HA mode must be legacy HA (active/standby) only for SE groups with the preserve client IP option set.
- In Avi Vantage release 18.2.7, the dependency of Preserve Client IP on IP routing is removed. However, the HA mode still has to be Legacy HA.
- From Avi Vantage Release 18.2.8 onwards:
  - Enabling IP routing is not a prerequisite for enabling the Preserve Client IP Address option.
  - It is not mandatory for the HA mode to be legacy HA (active/standby). You can either keep using Legacy HA, configuring a floating interface IP and setting it as the default gateway on the servers to attract return traffic as before, or set up routing in the back end so that return traffic for client-IP-preserved requests sent to the back-end servers comes back to the Service Engine.
Mutual Exclusions With Other Features
- Preserving the client IP address is mutually exclusive with SNAT-ing the virtual services.
- Enabling connection multiplexing in an HTTP(S) application profile is incompatible with selecting the Preserve Client IP Address option.
- Avi Vantage will always NAT the back-end connection in these cases:
  - When client and server IPs are in the same subnet.
  - When the back-end servers are not on networks directly attached to the SE, i.e., they are a hop or more away.
Enable IP routing on the SE group before enabling preserve client IP on an application profile used to create virtual services on that SE group. Then:
- configure static routes to the back-end server networks on the front-end router with the front-end floating IP as the next hop,
- configure the back-end servers' default gateway as the SE, and
- configure the SE's default gateway as the front-end router.
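As an added example (not Avi's code), the following Python models the always-NAT rules and the return-path routing requirements above on the two-leg setup this page goes on to configure (servers in 10.10.10.0/24, front-end router in 10.10.40.0/24). The SE, floating, router and client addresses are assumed placeholders, and se_will_snat, next_hop and return_path_ok are hypothetical helper names; a misrouted server table is included to show how return traffic can bypass the SE.

```python
import ipaddress

# Constructed topology from the two-leg setup on this page; the SE interface,
# floating IP, router and client addresses are assumed placeholders.
SE_ATTACHED_NETWORKS = ["10.10.10.0/24", "10.10.40.0/24"]
SE_BACKEND_IP = "10.10.10.1"          # SE leg facing the servers (assumed)
FRONTEND_FLOATING_IP = "10.10.40.10"  # SE front-end floating IP (assumed)
FRONTEND_ROUTER_IP = "10.10.40.254"   # front-end router (assumed)
CLIENT_IP = "192.0.2.10"              # remote client (assumed)

def se_will_snat(client_ip, server_ip, attached=SE_ATTACHED_NETWORKS,
                 preserve_client_ip=True, snat_vs=False, multiplexing=False):
    """True when the SE NATs the back-end connection regardless of the profile."""
    if not preserve_client_ip or snat_vs or multiplexing:
        return True  # SNAT'd virtual service or HTTP connection multiplexing
    client = ipaddress.ip_address(client_ip)
    server = ipaddress.ip_address(server_ip)
    server_net = next((ipaddress.ip_network(n) for n in attached
                       if server in ipaddress.ip_network(n)), None)
    if server_net is None:
        return True  # server is a hop or more away from the SE
    if client in server_net:
        return True  # client and server share a subnet
    return False     # client IP is preserved on the back-end connection

def next_hop(routes, dst_ip):
    """Longest-prefix match over (prefix, next_hop) pairs; None if unroutable."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None

# Routing tables as this page requires them (constructed).
FRONTEND_ROUTER_ROUTES = [("10.10.40.0/24", "direct"),
                          ("10.10.10.0/24", FRONTEND_FLOATING_IP)]
SE_ROUTES = [("10.10.10.0/24", "direct"), ("10.10.40.0/24", "direct"),
             ("0.0.0.0/0", FRONTEND_ROUTER_IP)]
GOOD_SERVER_ROUTES = [("10.10.10.0/24", "direct"), ("0.0.0.0/0", SE_BACKEND_IP)]
# Misconfigured server: default gateway is some other router, so replies to
# the preserved client IP bypass the SE and the connection breaks.
BAD_SERVER_ROUTES = [("10.10.10.0/24", "direct"), ("0.0.0.0/0", "10.10.10.254")]

def return_path_ok(server_routes, client_ip=CLIENT_IP, se_ip=SE_BACKEND_IP):
    """True only if the server sends replies for the client IP back via the SE."""
    return next_hop(server_routes, client_ip) == se_ip
```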
Configure Preserve Client IP
Consider a simple two-leg setup with the back-end server(s) in the 10.10.10.0/24 network (always a directly-connected network) and the front-end router in the 10.10.40.0/24 network. Following are the steps to configure the feature:
Create a virtual service using the advanced-mode wizard. Configure its application profile to preserve client IPs as follows: Applications > Create Virtual Service > Advanced > Edit Application Profile
Note that this configuration needs to be done before enabling any virtual service in the chosen application profile. Once an application profile is configured to preserve client IP, it preserves the client IP for all virtual services using this application profile.
The same setting can be applied from the Avi CLI:
    : > configure applicationprofile System-HTTP
    : applicationprofile> preserve_client_ip
    Overwriting the previously entered value for preserve_client_ip
    : applicationprofile> save