Preserve Client IP
By default, Avi Service Engines (SEs) do source NAT-ing (SNAT) of traffic destined to back-end servers. Due to SNAT, the application servers see the IP address of the SE interfaces and are unaware of the original client’s IP address. Preserving a client’s IP address is a desirable feature in many cases, for example, when servers have to apply security and access-control policies. Two ways to solve this problem in Avi Vantage are:
- X-Forwarded-For — limited to HTTP(S) application profiles only
- TCP Proxy Protocol — limited to TCP traffic on L4 application profiles only
Both of the above require the back-end servers to be capable of supporting the respective capability.
A third and more generic approach is for the Service Engine to use the client IP address as the source IP address for load-balanced connections from the SE to back-end servers. This capability is called preserve client IP, one component of Avi Vantage’s default gateway feature, and a property that may be set on/off in application profiles.
Until Avi Vantage release 18.2.6, selecting Enable IP Routing with Service Engine option is a prerequisite for selecting the Preserve Client IP Address option in any application profile.
However, starting with Avi Vantage version 18.2.6, enabling IP Routing is not mandatory to select Preserve Client IP Address.
Starting with Avi Vantage version 18.2.5, to enable IP routing, refer to Network Service configuration page for more details.
Scope of Preserve Client IP
In Legacy HA mode, configure the floating interface IP and set it as the default gateway on the server to attract return- traffic for using the
Note : For NSX-T overlay Preserve Client IP deployments, pool servers do not require the default gateway to be updated.
In Elastic HA mode, preserve client IP is supported only for unidirectional traffic, where the response from the backend servers is not expected to go through the Service Engines.
Mutual Exclusions With Other Features
- Preserving the client IP address is mutually exclusive with SNAT-ing the virtual services.
- Enabling connection multiplexing in an HTTP(s) application profile is incompatible with selecting the Preserve Client IP Address option.
- Avi Vantage will always NAT the back-end connection in these cases:
- When client and server IPs are in the same subnet.
- When the back-end servers are not on networks directly-attached to the SE, i.e., they are a hop or more away.
Enable IP routing on the SE group before enabling preserve client IP on an application profile used to create virtual services on that SE group.
- configure static routes to the back-end server networks on the front-end servers with nexthop as front-end floating IP,
- configure back-end servers’ default gateway as SE, and
- configure SE’s default gateway as front-end router.
Configure Preserve Client IP
Consider a simple two-leg setup with the back-end server(s) in the 10.10.10.0/24 network (always a directly-connected network) and the front-end router in the 10.10.40.0/24 network. Following are the steps to configure the feature:
Create a virtual service using the advanced-mode wizard. Configure its application profile to preserve client IPs as follows: Applications > Create Virtual Service > Advanced > Edit Application Profile
Note that this configuration needs to be done before enabling any virtual service in the chosen application profile. Once an application profile is configured to preserve client IP, it preserves the client IP for all virtual services using this application profile.
: > configure applicationprofile System-HTTP : applicationprofile> preserve_client_ip Overwriting the previously entered value for preserve_client_ip : applicationprofile> save
For deploying preserve client IP in NSX-T overlay cloud refer Preserve Client IP for NSX-T Overlay.