14

AWS's older 'Classic' load balancers have the ability to set a proxy protocol policy, which adds the external IP address of a request to an HTTP header for the internal requests.

AWS's newer Application Load Balancers don't seem to have this same functionality. Is this correct, or is it something that can be enabled?

And if it's not an option, then is reverting to a classic load balancer recommended? I feel that there's a push to use the newer load balancer types, so it doesn't feel wise to get so attached to the classic approach.

pat

1 Answer

13

The Proxy Protocol header helps you identify the IP address of a client when you have a load balancer that uses TCP for back-end connections.

Proxy Protocol works in L4 (TCP) and Application Load Balancer only works on L7. ALB only supports HTTP/HTTPS listeners.

That's the reason Proxy Protocol is present in Classic ELB, but not in ALB.

Regarding the second question, which load balancer to use depends on the scenario you are using it for; you can read this thread, which will enlighten you on upgrading from CLB to NLB/ALB.

Hope this helps!

Kush Vyas
  • Thanks Kush, that makes sense. It seems NLB has the true IP, but not any integration with the certificate manager - does that match your understanding? – pat Jul 31 '18 at 06:32
  • Just to elaborate slightly on Kush's answer from my further investigation: while Proxy Protocol and other ELB policies can't be used with ALBs, ALBs actually do send the X-Forwarded-For header through (I didn't have the internal service displaying headers correctly, hence my hunt for another way). – pat Jul 31 '18 at 06:47
  • @pat Do you know if an ALB actually supports parsing of a Proxy Protocol header to convert it into an X-Forwarded-For? (we have NLBs at our boundary, that pass through Fortigate FW instances that then hit ALBs which call our applications) – Peter McEvoy Mar 13 '19 at 11:34
  • @PeterMcEvoy I don't know. I'm afraid the project I was working on for this isn't running any more, so I don't have anything on hand to test with. – pat Mar 15 '19 at 05:35
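An added example, not part of the question or answer above, showing how a backend service reads the client address in the two cases the thread discusses: the Proxy Protocol v1 line a TCP load balancer (Classic ELB / NLB) prepends to the stream, and the X-Forwarded-For header an ALB appends, where only the entry written by the trusted load balancer is believed and client-supplied entries further left are ignored. Function names, the `trusted_hops` parameter and the sample addresses are my own.

```python
import ipaddress
import re

# Proxy Protocol v1 line that a Classic ELB / NLB with Proxy Protocol enabled
# prepends to the TCP stream, e.g. "PROXY TCP4 203.0.113.7 10.0.0.5 51234 443\r\n".
_PROXY_V1 = re.compile(r"^PROXY (TCP4|TCP6|UNKNOWN)(?: (\S+) (\S+) (\d+) (\d+))?\r\n")


def parse_proxy_protocol_v1(stream: bytes):
    """Return (client_ip, remaining_bytes) for a TCP stream that starts with a
    PROXY v1 line; client_ip is None for UNKNOWN. Raises ValueError otherwise."""
    # The v1 spec caps the line at 107 bytes, so never scan further than that.
    head = stream[:107].decode("ascii", errors="replace")
    m = _PROXY_V1.match(head)
    if not m:
        raise ValueError("missing or malformed PROXY v1 header")
    family, src = m.group(1), m.group(2)
    rest = stream[m.end():]
    if family == "UNKNOWN":
        return None, rest
    ip = ipaddress.ip_address(src)  # rejects garbage such as hostnames
    if (family == "TCP4") != (ip.version == 4):
        raise ValueError("address family does not match source address")
    return str(ip), rest


def client_ip_from_xff(xff: str, trusted_hops: int = 1) -> str:
    """Pick the client IP out of X-Forwarded-For behind an ALB.

    The ALB appends the address it accepted the connection from, so with the
    ALB as the only trusted proxy the rightmost entry is the client. Anything
    further left was sent by the client and may be forged, so it is ignored.
    With a second trusted proxy in front of the ALB (trusted_hops=2) take the
    entry one further left, and so on.
    """
    parts = [p.strip() for p in xff.split(",") if p.strip()]
    if len(parts) < trusted_hops:
        raise ValueError("fewer X-Forwarded-For entries than trusted hops")
    # ipaddress validation doubles as a check that the trusted hop wrote a
    # real address rather than passing something unparsable through.
    return str(ipaddress.ip_address(parts[-trusted_hops]))


if __name__ == "__main__":
    # Constructed sample inputs (documentation addresses, not real hosts).
    tcp_stream = b"PROXY TCP4 203.0.113.7 10.0.0.5 51234 443\r\nGET / HTTP/1.1\r\n"
    print(parse_proxy_protocol_v1(tcp_stream))  # ('203.0.113.7', b'GET / HTTP/1.1\r\n')
    print(client_ip_from_xff("198.51.100.9, 203.0.113.7"))  # '203.0.113.7'
```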