Preserve Client IP

Overview

By default, Avi Service Engines (SEs) do source NAT-ing (SNAT) of traffic destined to back-end servers. Due to SNAT, the application servers see the IP address of the SE interfaces and are unaware of the original client’s IP address. Preserving a client’s IP address is a desirable feature in many cases, for example, when servers have to apply security and access-control policies. Two ways to solve this problem in Avi Vantage are:

Both of the above require the back-end servers to be capable of supporting the respective capability.

A third and more generic approach is for the Service Engine to use the client IP address as the source IP address for load-balanced connections from the SE to back-end servers. This capability is called preserve client IP, one component of Avi Vantage’s default gateway feature, and a property that may be set on/off in application profiles.

Until Avi Vantage release 18.2.6, selecting Enable IP Routing with Service Engine option is a prerequisite for selecting the Preserve Client IP Address option in any application profile.

Note:

  • Until Avi Vantage release 18.2.6, selecting Enable IP Routing with Service Engine option is a prerequisite for selecting the Preserve Client IP Address option in any application profile. However, starting with Avi Vantage version 18.2.6, enabling IP Routing is not mandatory to select Preserve Client IP Address.
  • Starting with Avi Vantage version 18.2.8, it is not mandatory for the HA mode to be legacy HA (active/standby).
    • However, you can use Legacy HA, configure floating interface IP, and set it as the default gateway on the server to attract return traffic as before.
      or
    • Use the Preserve Client IP in Active/Active HA mode for unidirectional traffic where the return traffic is not expected.

Enable IP Routing in SE

Starting with Avi Vantage version 18.2.5, to enable IP routing, refer to Network Service configuration page for more details.

Scope of Preserve Client IP

  • In Legacy HA mode, configure the floating interface IP and set it as the default gateway on the server to attract return- traffic for using the Preserve-Client-IP feature.

  • In Elastic HA mode, Preserve client IP is supported only for traffic types that are unidirectional in nature, where the response is not expected from the backend servers to go via Service Engines.

Mutual Exclusions With Other Features

  • Preserving the client IP address is mutually exclusive with SNAT-ing the virtual services.
  • Enabling connection multiplexing in an HTTP(s) application profile is incompatible with selecting the Preserve Client IP Address option.
  • Avi Vantage will always NAT the back-end connection in these cases:
    • When client and server IPs are in the same subnet.
    • When the back-end servers are not on networks directly-attached to the SE, i.e., they are a hop or more away.

Example Use-Case

multiple back-end networks

Enable IP routing on the SE group before enabling preserve client IP on an application profile used to create virtual services on that SE group.

In addition,

  • configure static routes to the back-end server networks on the front-end servers with nexthop as front-end floating IP,
  • configure back-end servers’ default gateway as SE, and
  • configure SE’s default gateway as front-end router.

Configure Preserve Client IP

Consider a simple two-leg setup with the back-end server(s) in the 10.10.10.0/24 network (always a directly-connected network) and the front-end router in the 10.10.40.0/24 network. Following are the steps to configure the feature:

Create a virtual service using the advanced-mode wizard. Configure its application profile to preserve client IPs as follows: Applications > Create Virtual Service > Advanced > Edit Application Profile

Configure Preserve Client IP step one

Note that this configuration needs to be done before enabling any virtual service in the chosen application profile. Once an application profile is configured to preserve client IP, it preserves the client IP for all virtual services using this application profile.

: > configure applicationprofile System-HTTP
: applicationprofile> preserve_client_ip
Overwriting the previously entered value for preserve_client_ip
: applicationprofile> save