Client IP address in Istio

11/14/2019

So I have a setup like this:

AWS NLB (forwards) --> Istio --> Nginx pod

Now, I'm trying to implement rate limiting at the Istio layer. I followed this link. However, I can still request the API more than what I configured. Looking more into it, I logged the X-Forwarded-For header in nginx, and it's empty.

So, how do I get the client IP in Istio when I'm using NLB? NLB forwards the client IP, but how? In header?

EDITS:

Istio Version: 1.2.5

istio-ingressgateway is configured as type NodePort.

-- nirvair
amazon-web-services
istio
kubernetes

1 Answer

11/19/2019

According to AWS documentation about Network Load Balancer:

A Network Load Balancer functions at the fourth layer of the Open Systems Interconnection (OSI) model. It can handle millions of requests per second. After the load balancer receives a connection request, it selects a target from the target group for the default rule. It attempts to open a TCP connection to the selected target on the port specified in the listener configuration.

...

When you create a target group, you specify its target type, which determines whether you register targets by instance ID or IP address. If you register targets by instance ID, the source IP addresses of the clients are preserved and provided to your applications. If you register targets by IP address, the source IP addresses are the private IP addresses of the load balancer nodes.


There are two ways of preserving the client IP address when using NLB:

1. NLB preserves the client IP address as the source address when registering targets by instance ID.

So the client IP address is only available in a specific NLB configuration. You can read more about Target Groups in the AWS documentation.


2. Proxy Protocol headers.

It is possible to use it to send additional data such as the source IP address in a header, even if you specify targets by IP addresses.

You can follow the AWS documentation for a guide and examples of how to configure proxy protocol.

To enable Proxy Protocol using the console

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. On the navigation pane, under LOAD BALANCING, choose Target Groups.

  3. Select the target group.

  4. Choose Description, Edit attributes.

  5. Select Enable proxy protocol v2, and then choose Save.

-- Piotr Malec
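The point behind option 2 that the answer leaves implicit: with proxy protocol v2 enabled, the NLB does not add an HTTP header at all. It prepends a small binary preamble to the first bytes of every TCP connection, before the TLS or HTTP data, and the receiving proxy has to parse and strip it (in Istio's ingress gateway that is Envoy's proxy protocol listener filter). Enabling proxy protocol on only one side breaks every connection, because one end treats the preamble as the start of the request. The following Python is an added example, not code from the answer, AWS or Istio: it decodes a v2 preamble following the HAProxy PROXY protocol specification, returns the address a per-client rate limiter should key on, and shows the three failure modes a gateway has to handle (no preamble, a truncated preamble, and a LOCAL preamble such as a load balancer's own probe, which carries no client address). The function names, the `build_proxy_v2` helper and the sample addresses and request bytes are constructed here for the demonstration.

```python
"""Parse the PROXY protocol v2 preamble that an NLB prepends to each TCP
connection when proxy_protocol_v2.enabled is set on the target group.

Added example (not code from the answer, AWS or Istio): the wire format follows
the HAProxy PROXY protocol v2 specification; the sample bytes are constructed
here, not captured from a real NLB.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

# 12-byte fixed signature that opens every v2 header.
PP2_SIGNATURE = b"\x0d\x0a\x0d\x0a\x00\x0d\x0a\x51\x55\x49\x54\x0a"
PP2_FIXED_LEN = 16  # signature + ver/cmd byte + family/proto byte + 2-byte length


class ProxyProtocolError(ValueError):
    """Raised when the bytes do not start with a valid PROXY v2 header."""


@dataclass
class ProxyInfo:
    command: str             # "LOCAL" (proxy's own traffic, e.g. health checks) or "PROXY"
    family: str              # "INET", "INET6" or "UNSPEC"
    src_addr: Optional[str]  # original client address: what rate limiting should key on
    dst_addr: Optional[str]
    src_port: Optional[int]
    dst_port: Optional[int]
    header_len: int          # bytes consumed; the real payload (TLS/HTTP) starts here


def parse_proxy_v2(data: bytes) -> ProxyInfo:
    """Decode the PROXY v2 header at the start of a connection's first bytes."""
    if len(data) < PP2_FIXED_LEN:
        raise ProxyProtocolError("need at least 16 bytes to read the fixed header")
    if data[:12] != PP2_SIGNATURE:
        # Typical cause: proxy protocol enabled on the gateway but not on the NLB
        # target group (or the connection did not come through the NLB at all).
        raise ProxyProtocolError("no PROXY v2 signature at start of connection")
    ver_cmd, fam_proto, addr_len = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 0x2:
        raise ProxyProtocolError(f"unsupported version {ver_cmd >> 4}")
    command = ver_cmd & 0x0F
    total = PP2_FIXED_LEN + addr_len
    if len(data) < total:
        raise ProxyProtocolError("truncated header: read more bytes before parsing")
    if command == 0x0:
        # LOCAL: any addresses describe the proxy itself, never a client.
        return ProxyInfo("LOCAL", "UNSPEC", None, None, None, None, total)
    if command != 0x1:
        raise ProxyProtocolError(f"unknown command {command:#x}")
    family = fam_proto >> 4
    body = data[PP2_FIXED_LEN:total]
    if family == 0x1 and addr_len >= 12:  # AF_INET: 4+4 byte addresses, 2+2 byte ports
        src, dst, sport, dport = struct.unpack("!4s4sHH", body[:12])
        return ProxyInfo("PROXY", "INET", str(ipaddress.IPv4Address(src)),
                         str(ipaddress.IPv4Address(dst)), sport, dport, total)
    if family == 0x2 and addr_len >= 36:  # AF_INET6: 16+16 byte addresses, 2+2 byte ports
        src, dst, sport, dport = struct.unpack("!16s16sHH", body[:36])
        return ProxyInfo("PROXY", "INET6", str(ipaddress.IPv6Address(src)),
                         str(ipaddress.IPv6Address(dst)), sport, dport, total)
    raise ProxyProtocolError(f"unsupported address family {family:#x} or short address block")


def client_ip_for_rate_limit(first_bytes: bytes) -> Optional[str]:
    """Return the address a per-client limiter should key on, or None when there
    is no trustworthy client address (LOCAL command, e.g. a load balancer probe)."""
    info = parse_proxy_v2(first_bytes)
    return info.src_addr if info.command == "PROXY" else None


def build_proxy_v2(src: str, dst: str, src_port: int, dst_port: int) -> bytes:
    """Construct a v2 PROXY header like the one an NLB emits (test helper)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("source and destination must share an address family")
    fmt, family = ("!4s4sHH", 0x1) if s.version == 4 else ("!16s16sHH", 0x2)
    body = struct.pack(fmt, s.packed, d.packed, src_port, dst_port)
    # 0x21 = version 2, command PROXY; low nibble 0x1 of the next byte = TCP (STREAM)
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, (family << 4) | 0x1, len(body)) + body


def build_proxy_v2_local() -> bytes:
    """Construct a v2 LOCAL header (no client address), as a proxy's own probes use."""
    return PP2_SIGNATURE + struct.pack("!BBH", 0x20, 0x00, 0)


if __name__ == "__main__":
    # Constructed sample: client 203.0.113.7 reaches an instance target at 10.0.1.20
    request = b"GET /api HTTP/1.1\r\nHost: example.test\r\n\r\n"
    conn = build_proxy_v2("203.0.113.7", "10.0.1.20", 51234, 443) + request
    info = parse_proxy_v2(conn)
    print(info.src_addr, info.src_port, "payload starts:", conn[info.header_len:info.header_len + 8])
    print("limiter key for a LOCAL preamble:", client_ip_for_rate_limit(build_proxy_v2_local()))
    try:
        parse_proxy_v2(request)  # what the gateway sees if the NLB side is not enabled
    except ProxyProtocolError as exc:
        print("plain request:", exc)
```

The CLI equivalent of the console steps in the answer is `aws elbv2 modify-target-group-attributes --target-group-arn <arn> --attributes Key=proxy_protocol_v2.enabled,Value=true`, applied to the target group in front of the ingress gateway. Two practitioner caveats that go with either option: key the limiter on the address from the PROXY preamble or on the peer address of the connection, not on an X-Forwarded-For value the client could have supplied itself; and for option 1 with a NodePort gateway service, note that kube-proxy rewrites the source address unless the service's `externalTrafficPolicy` is `Local`, so the preserved client IP can still be lost inside the cluster even when the NLB delivers it correctly (an additional Kubernetes consideration not covered by the answer).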
Source: StackOverflow