Preserve Client IP

Overview

By default, Avi Service Engines (SEs) source-NAT (SNAT) traffic destined to servers. Because of SNAT, the application servers see the IP address of the SE interfaces and are unaware of the original client's IP address. Preserving the client IP is desirable in many cases, for example when servers have to apply security and access-control policies. Two ways to solve this problem in Avi Vantage are:

Both of the above require the back-end servers to support the respective capability.

A third and more generic approach is for the Service Engine to use the client IP as the source IP for load-balanced connections from the SE to the back-end servers. This capability is called preserve client IP; it is one component of Avi Vantage's default gateway feature and a property that may be enabled or disabled in application profiles.

Enabling IP routing in the SE group is a prerequisite for enabling preserve client IP in any application profile.

[Figure: Enable IP routing in the SE group]

Scope of Preserve Client IP

As enabling IP routing is a prerequisite for enabling preserve client IP, all the restrictions applicable to enabling IP routing are applicable here.

Mutual Exclusions With Other Features

  • Preserving the client IP is mutually exclusive with SNAT-ing the virtual service.
  • Enabling connection multiplexing in an HTTP(S) application profile is incompatible with selecting preserve client IP.
  • The client IP is not preserved if the client and server IPs are in the same subnet; the SE always NATs the back-end connection in such cases.
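The rules above can be checked before a change is pushed. The following is an added example, not Avi's own code or API: the SE group, application profile and virtual service are constructed dicts whose keys are assumed to mirror the Avi object fields (preserve_client_ip from this page; enable_routing, connection_multiplexing_enabled and snat_ip are assumed names), and the SE's back-end interface address is a constructed value.

```python
# Added example (not Avi's code): apply this page's rules to decide whether a
# given client-to-server connection will keep the client's source IP or be
# SNAT-ed by the SE. All objects below are constructed, not fetched from a
# controller; the key names are assumed to mirror Avi's REST object fields.
from ipaddress import ip_address, ip_network

SE_GROUP = {"name": "Default-Group", "enable_routing": True}      # IP routing on
APP_PROFILE = {
    "name": "System-HTTP",
    "preserve_client_ip": True,
    "http_profile": {"connection_multiplexing_enabled": False},
}
VS = {"name": "vs-web", "snat_ip": []}          # no SNAT IPs on the virtual service
SERVER_NET = ip_network("10.10.10.0/24")         # directly connected back-end network
SE_BACKEND_IP = "10.10.10.1"                     # constructed SE address in that network


def preserve_client_ip_blockers(se_group, app_profile, vs):
    """Return the configuration conflicts that stop preserve client IP from
    taking effect; an empty list means the configuration is consistent."""
    problems = []
    if not app_profile.get("preserve_client_ip"):
        problems.append("preserve_client_ip is not set on the application profile")
    if not se_group.get("enable_routing"):
        problems.append("IP routing is not enabled on the SE group (prerequisite)")
    http = app_profile.get("http_profile") or {}
    if http.get("connection_multiplexing_enabled"):
        problems.append("connection multiplexing is enabled (mutually exclusive)")
    if vs.get("snat_ip"):
        problems.append("SNAT IPs are configured on the virtual service (mutually exclusive)")
    return problems


def backend_source_ip(client_ip, server_net, se_backend_ip, se_group, app_profile, vs):
    """Source IP the back-end server will see on the SE-to-server connection.

    Even with a consistent configuration the SE always NATs when the client
    sits in the same subnet as the servers (the same-subnet rule above)."""
    if preserve_client_ip_blockers(se_group, app_profile, vs):
        return se_backend_ip                     # feature not active: SE address
    if ip_address(client_ip) in server_net:
        return se_backend_ip                     # same subnet: always NAT
    return client_ip                             # client IP preserved


if __name__ == "__main__":
    print(preserve_client_ip_blockers(SE_GROUP, APP_PROFILE, VS))
    print(backend_source_ip("10.10.40.25", SERVER_NET, SE_BACKEND_IP, SE_GROUP, APP_PROFILE, VS))
    print(backend_source_ip("10.10.10.77", SERVER_NET, SE_BACKEND_IP, SE_GROUP, APP_PROFILE, VS))
```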

Example Use-Case

[Figure: Multiple back-end networks]

Enable IP routing on the SE group before enabling preserve client IP on an application profile used to create virtual services on that SE group.

In addition,

  • configure static routes to the back-end server networks on the front-end servers with nexthop as front-end floating IP,
  • configure back-end servers’ default gateway as SE, and
  • configure SE’s default gateway as front-end router.

Configure Preserve Client IP

Consider a simple two-leg setup with the back-end server(s) in the 10.10.10.0/24 network (always a directly-connected network) and the front-end router in the 10.10.40.0/24 network. Following are the steps to configure the feature:

  1. Create a virtual service using the advanced-mode wizard. Configure its application profile to preserve client IPs as follows:
    Applications -> Create Virtual Service -> Advanced -> Edit Application Profile
    [Figure: Configure Preserve Client IP, step one]
    Note that this configuration must be done before enabling any virtual service that uses the chosen application profile. Once an application profile is configured to preserve client IP, it preserves the client IP for all virtual services using that profile.
    The equivalent CLI configuration:
    : > configure applicationprofile System-HTTP
    : applicationprofile> preserve_client_ip
    Overwriting the previously entered value for preserve_client_ip
    : applicationprofile> save

Updated: 2018-01-22 07:57:32 +0000