This section discusses the configuration and scope of the Preserve Client IP feature.

By default, Avi Load Balancer Service Engines (SEs) do source NAT-ing (SNAT) of traffic destined to back-end servers. Due to SNAT, the application servers see the IP address of the SE interfaces and are unaware of the original client’s IP address. Preserving a client’s IP address is a desirable feature in many cases, for example, when servers have to apply security and access-control policies. Two ways to solve this problem in Avi Load Balancer are:

  • X-Forwarded-For header insertion: limited to HTTP(S) application profiles only.

  • Proxy Protocol support: limited to TCP traffic on L4 application profiles only.

Both of the above require the back-end servers to be capable of supporting the respective capability.

The other approach is for the SE to use the client IP address as the source IP address for load-balanced connections from the SE to the back-end servers. This capability, called Preserve Client IP, is one component of the Avi Load Balancer default gateway feature and is a property that can be switched on or off in application profiles.

For more information on Enable IP routing, see Network Service Configuration.

Note:

The Preserve client IP feature is supported for IPv6 addresses with TCP-Proxy, TCP Fast Path, and UDP profiles.

Scope of Preserve Client IP

  • In Legacy HA mode, configure the floating interface IP and set it as the default gateway on the server to attract return traffic for using the Preserve-Client-IP feature.

    • For NSX-T overlay Preserve Client IP deployments, pool servers do not require the default gateway to be updated.

  • In Elastic HA mode, preserve client IP is supported only for unidirectional traffic, where the response from the backend servers is not expected to go through the Service Engines.

Mutual Exclusions with other Features

  • Preserving the client IP address is mutually exclusive with SNAT-ing the virtual services.

  • Enabling connection multiplexing in an HTTP(S) application profile is incompatible with selecting the Preserve Client IP Address option.

  • Avi Load Balancer will always NAT the back-end connection in these cases:

    • When client and server IPs are in the same subnet.

    • When the back-end servers are not on networks directly-attached to the SE, that is, they are a hop or more away.
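As an added example (not Avi Load Balancer code), the following Python helper applies the scope and mutual-exclusion rules above to a hypothetical summary of a virtual service's settings and reports whether the client IP will actually reach the server or whether the SE will NAT the back-end connection anyway; the VsPreserveIpSettings fields and the sample addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class VsPreserveIpSettings:
    """Hypothetical summary of the settings this page discusses (not an Avi API object)."""
    preserve_client_ip: bool       # application profile: preserve_client_ip
    ip_routing_enabled: bool       # SE group: Enable IP routing
    snat_enabled: bool             # virtual service SNAT
    connection_multiplexing: bool  # HTTP(S) application profile setting
    profile_type: str              # "http", "l4", "udp"
    client_ip: str
    server_ip: str
    se_networks: List[str]         # subnets directly attached to the SE interfaces


def check_preserve_client_ip(s: VsPreserveIpSettings) -> Tuple[bool, List[str]]:
    """Return (preserved, findings).

    preserved is True only when the SE can use the client IP as the source of the
    back-end connection; findings lists every conflict or NAT rule that prevents it."""
    findings: List[str] = []
    if not s.preserve_client_ip:
        return False, ["preserve_client_ip is off: SE will SNAT as usual"]
    if not s.ip_routing_enabled:
        findings.append("enable IP routing on the SE group before enabling preserve client IP")
    if s.snat_enabled:
        findings.append("preserve client IP is mutually exclusive with SNAT on the virtual service")
    if s.profile_type == "http" and s.connection_multiplexing:
        findings.append("connection multiplexing in an HTTP(S) profile is incompatible with preserve client IP")
    client = ipaddress.ip_address(s.client_ip)
    server = ipaddress.ip_address(s.server_ip)
    nets = [ipaddress.ip_network(n, strict=False) for n in s.se_networks]
    # The SE always NATs when client and server sit in the same subnet ...
    if any(client in n and server in n for n in nets):
        findings.append("client and server are in the same subnet: SE will NAT the back-end connection")
    # ... and when the server is not on a directly attached network (a hop or more away).
    if not any(server in n for n in nets):
        findings.append("server is not directly attached to the SE: SE will NAT the back-end connection")
    return not findings, findings


if __name__ == "__main__":
    # Constructed sample matching the two-leg setup described on this page.
    ok = VsPreserveIpSettings(True, True, False, False, "http",
                              "203.0.113.5", "10.10.10.20", ["10.10.10.0/24", "10.10.40.0/24"])
    print(check_preserve_client_ip(ok))
```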

Example Use-Case

Enable IP routing on the SE group before enabling preserve client IP on an application profile used to create virtual services on that SE group.

In addition,

  • Configure static routes to the back-end server networks on the front-end servers with nexthop as front-end floating IP,

  • Configure back-end servers’ default gateway as SE, and

  • Configure SE’s default gateway as a front-end router.

Configure Preserve Client IP

Consider a simple two-leg setup with the back-end servers in the 10.10.10.0/24 network (always a directly-connected network) and the front-end router in the 10.10.40.0/24 network. Following are the steps to configure the feature:

Create a virtual service using the advanced-mode wizard. Configure its application profile to preserve client IPs as follows: Applications > Create Virtual Service > Advanced > Edit Application Profile.

Note that this configuration needs to be done before enabling any virtual service in the chosen application profile. Once an application profile is configured to preserve client IP, it preserves the client IP for all virtual services using this application profile.

: > configure applicationprofile System-HTTP
: applicationprofile> preserve_client_ip
Overwriting the previously entered value for preserve_client_ip
: applicationprofile> save

For deploying Preserve Client IP in an NSX-T overlay cloud, see the Preserve Client IP for NSX-T Overlay section in the VMware Avi Load Balancer Installation Guide.