Preserving Client IP in Nginx Ingress Controller with AWS NLB
Prerequisite
- Install AWS Load Balancer Controller: This controller is essential for managing AWS load balancers in a Kubernetes environment.
Step 1: Enable Proxy Protocol in NLB Target Group
Add the following Service annotation to enable the Proxy Protocol on your NLB Target Group:
service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
This ensures that the NLB forwards the original client's IP address along with other connection information.
Step 2: Configure Nginx Ingress Controller
Modify the values.yaml file of the Nginx Ingress Controller with the following settings:
- `use-forwarded-headers: "true"`: This instructs Nginx to use the X-Forwarded-* headers, which may contain the client's original IP address as forwarded by the NLB. These headers are part of the HTTP request, so they should be trusted only when they are set by a proxy in front of Nginx.
- `use-proxy-protocol: true`: Configures the Nginx Ingress Controller to expect and handle the Proxy Protocol header, including the original client IP, from the NLB.
- `enable-real-ip: true`: Activates the real_ip module in Nginx, allowing it to replace the client IP address (which would appear as the NLB's IP) with the one specified in the X-Forwarded-For or X-Real-IP headers.
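To show what the Proxy Protocol header from Step 1 carries and why both sides must agree on it, here is an added example (not part of the original page, and not Nginx or AWS code) that parses a Proxy Protocol v2 header, the version NLB target groups send. The function names and the sample addresses are assumptions constructed for illustration; a stream without the header is rejected, which is what a listener expecting Proxy Protocol sees when the load balancer side is not enabled.

```python
import ipaddress
import struct

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # 12-byte Proxy Protocol v2 magic
# address-family/transport byte -> (address length in bytes, label)
FAMILIES = {0x11: (4, "TCP4"), 0x21: (16, "TCP6")}


def parse_proxy_v2(data: bytes):
    """Return (info, payload); info is None for a LOCAL header.

    Raises ValueError when the stream does not start with a valid v2 header,
    which is the failure seen when only one side has Proxy Protocol enabled.
    """
    if len(data) < 16 or not data.startswith(PP2_SIGNATURE):
        raise ValueError("no Proxy Protocol v2 signature")
    ver_cmd, fam, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported version")
    if len(data) < 16 + length:
        raise ValueError("truncated header")
    body, payload = data[16:16 + length], data[16 + length:]
    if ver_cmd & 0x0F == 0:  # LOCAL: opened by the proxy itself, no client address
        return None, payload
    if ver_cmd & 0x0F != 1:  # only PROXY (1) carries addresses
        raise ValueError("unknown command")
    if fam not in FAMILIES:
        raise ValueError("unsupported address family")
    alen, label = FAMILIES[fam]
    if len(body) < 2 * alen + 4:
        raise ValueError("address block too short")
    src = ipaddress.ip_address(body[:alen])
    dst = ipaddress.ip_address(body[alen:2 * alen])
    sport, dport = struct.unpack("!HH", body[2 * alen:2 * alen + 4])
    info = {"proto": label, "src": str(src), "src_port": sport,
            "dst": str(dst), "dst_port": dport}
    return info, payload  # bytes after the header are the real request


def build_sample(src, dst, sport, dport, payload):
    """Constructed TCP4 PROXY header followed by the application bytes."""
    body = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    body += struct.pack("!HH", sport, dport)
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(body)) + body + payload


# Constructed sample: client 203.0.113.7 reaching a backend at 10.0.1.20:443
SAMPLE = build_sample("203.0.113.7", "10.0.1.20", 51000, 443, b"GET / HTTP/1.1\r\n")
```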