Kong is usually deployed behind a Load Balancer (using a
Kubernetes Service of type LoadBalancer). This can result
in loss of actual Client IP address and Kong observing the IP address
of the Load Balancer as the client IP address. This guide lays
out different methods of solving this problem.
Preserving the Client IP address in cloud behind Load-Balancers requires configuration that is be specific to your use-case, cloud provider and other architecture details. This document provides details on how networking works inside Kubernetes and explains in detail of how various methods describe later in this document work. It is recommended that you give this a read.
Following methods are possible to preserve Client IP address:
As explained in
Kubernetes docs,
setting service.spec.externalTrafficPolicy to Local preserves the Client
IP address. You don't need to change any configuration in Kong if you
are using this method to preserve Client IP address.
Please note that this is not supported by all of the public Cloud providers.
If you have an L4 Load Balancer that supports Proxy Protocol, and you're terminating TCP connections at the Load Balancer before passing traffic onward to Kong, then you can configure Kong to pick up the Client IP address via this protocol.
Once you have configured the Load Balancer to use Proxy Protocol, you need to set the following environment variables in Kong for Kong to receive the Client IP from the Proxy Protocol header.
For example:
KONG_TRUSTED_IPS=0.0.0.0/0,::/0 # This trusts all IPs
KONG_PROXY_LISTEN="0.0.0.0:8000 proxy_protocol, 0.0.0.0:8443 ssl proxy_protocol"
KONG_REAL_IP_HEADER=proxy_protocol
If you are using an L7 Load Balancer, i.e. HTTP requests are being terminated
at the Load Balancer, then you need to use x-forwarded-for or x-real-ip
header to preserve details of the connection between the Client and Load Balancer.
You should configure the Load Balancer to inject these headers, and then you need to set the following environment variables in Kong for Kong to pick up the Client IP address from HTTP headers:
Please note that if you are using an L7 Load Balancer with Kong,
you cannot use the certificates feature in Kong as the TLS session is
already established between the Client and Load Balancer.
For the major public clouds, follow are some additional details that can help you preserve the client IP address:
You can use ExternalTrafficPolicy: Local to preserve the Client IP address.
You can use ExternalTrafficPolicy: Local to preserve the Client IP address.
You have two options:
- L4 Load Balancer In this case, you need to use the Proxy Protocol method to preserve Client IP address.
- L7 Load Balancer In this case, you need to use the HTTP headers method to preserve the Client IP address.
The recommend Load Balancer type for AWS is NLB. You can choose the type of Load Balancer using the following annotation:
service.beta.kubernetes.io/aws-load-balancer-type: nlb
Other useful annotations for AWS are:
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: '*'
A complete list can be found here.