Uncovering X-Forwarded-For in NSX-v Load Balancer

Few days back one of my close friend asked me that:

Can we monitor the actual source client ip who requested for the web page when the web server is behind a load balancer?

Another question came in around the same time from one of my customer:

In X-Forwarded-For mode do we change the source IP in the header or not being in the proxy mode of the Load Balancer.

Well a short answer to the first question is yes definitely we can but that depends on which mode the Load Balancer is configured and answer to the second question is no we don’t change the source IP if you use X-Forwarded-For in the Application Profiles of Load Balancer.

So from the second question you can see how can one monitor the source IP of the client who requested for a web page where web servers are behind a load balancer. However, it is not always true, that means it is not applicable for all the modes available in Edge Load Balancer. It is only possible when you run your Load Balancer in proxy mode, aka One-Arm mode. The One-Arm implementation uses the HTTP X-Forwarded-For standard to redirect traffic to a different IP. So Client IP address is not preserved in this mode.

LB-Inline

With the option “Insert X-Forwarded-For HTTP header” (under Application Profile), the Edge LoadBalancer adds the header “X-Forwarded-For” with the value Client-IP@. It does this if the configuration is with source NAT (not transparent in the pool) or without source NAT (transparent in the pool).

x-forwarded-for

Note: If the client request hitting the Edge device  already had the “X-Forwarded-For” header with a value, then the Edge LoadBalancer adds the source-IP@ seen next.

For example:

1. Client IP@ 20.20.20.20 request without “X-Forwarded-For”

The Edge LoadBalancer sends the request to the server with “X-Forwarded-For: 20.20.20.20”

2. Client IP@ 20.20.20.20 request with “X-Forwarded-For: 30.30.30.30”

The Edge LoadBalancer sends the request to the server with “X-Forwarded-For: 30.30.30.30, 20.20.20.20”

If you want to read more about the various load balancer function in NSX for vSphere then read this article:

http://www.vmware.com/files/pdf/products/nsx/vmw-nsx-network-virtualization-design-guide.pdf

 

About Prasenjit Sarkar

Prasenjit Sarkar is a Product Manager at Oracle for their Public Cloud with primary focus on Cloud Strategy, Oracle Openstack, PaaS, Cloud Native Applications and API Platform. His primary focus is driving Oracle’s Cloud Computing business with commercial and public sector customers; helping to shape and deliver on a strategy to build broad use of Oracle’s Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) offerings such as Compute, Storage, Java as a Service, and Database as a Service. He is also responsible for developing public/private cloud integration strategies, customer’s Cloud Computing architecture vision, future state architectures, and implementable architecture roadmaps in the context of the public, private, and hybrid cloud computing solutions Oracle can offer.