How to configure Client IP Preservation with Global Accelerator


We're trying to configure an NLB endpoint group for Global Accelerator with client IP preservation and are getting the error "StatusCode400", while according to the Global Accelerator documentation client IP preservation with an NLB that has a security group attached to it is possible. What could be the reason?

3 Answers
Accepted Answer

Hello,

Starting Aug 2023, Global Accelerator supports client IP preservation with NLB endpoints. The error that you are experiencing could be related to an NLB TLS listener:

If you want to enable client IP address preservation when you add Network Load Balancer resources as endpoints to Global Accelerator, be aware that client IP address preservation is not supported for the following:

Network Load Balancers without security groups

Network Load Balancers with security groups that have TLS listeners attached

Network Load Balancers with security groups that perform IPv4 to IPv6 NAT translation to their EC2 targets

Reference: https://docs.aws.amazon.com/global-accelerator/latest/dg/about-endpoints.sipp.html

AWS
Nino_G
answered 2 months ago

FYI: when using client IP preservation, a security group is needed to allow traffic from the public internet to the NLB and from the NLB to the target servers. (You can only associate security groups with a Network Load Balancer when you create it. If you created the NLB without associating any security groups, you can't associate them later on.)

Best practice is to add a rule to the security groups associated with your targets that references the security group associated with your Network Load Balancer. This allows clients to send traffic to your targets through your load balancer, but prevents them from sending traffic directly to your targets. Referencing the security group associated with your Network Load Balancer in the security groups associated with your targets ensures that your targets accept traffic from your load balancer even if you enable client IP preservation for your load balancer.

For more details, see: Security groups for your Network Load Balancer

AWS
answered 2 months ago
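The caveats from the accepted answer (no security groups, TLS listeners, IPv4-to-IPv6 NAT) and the security-group referencing pattern from the second answer, as an added worked example that is not part of the original thread or of any AWS tool: a small pre-flight check over describe-style NLB output, plus builders for the target-side ingress rule and the Global Accelerator endpoint configuration. The sample load balancer, listener and target-group records are constructed to resemble `aws elbv2 describe-load-balancers`, `describe-listeners` and `describe-target-groups` output and are not from a real account; the ARNs, security group IDs and the `ipv6` target-group heuristic for the NAT case are assumptions.

```python
"""
Pre-flight check for enabling Global Accelerator client IP preservation on an
NLB endpoint, based on the documented caveats, plus the two pieces of
configuration a practitioner then needs: the target security-group rule that
references the NLB's security group, and the endpoint configuration that
turns client IP preservation on.
"""

# --- Constructed sample data (illustrative shapes, not captured from AWS) ---
NLB_WITH_SG = {
    "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:"
                       "loadbalancer/net/example-nlb/0123456789abcdef",
    "Type": "network",
    "IpAddressType": "ipv4",
    "SecurityGroups": ["sg-0123456789abcdef0"],   # assumed NLB security group
}
NLB_WITHOUT_SG = {
    "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:"
                       "loadbalancer/net/legacy-nlb/fedcba9876543210",
    "Type": "network",
    "IpAddressType": "ipv4",
    "SecurityGroups": [],   # created without SGs: cannot be added later
}
LISTENERS_TCP_ONLY = [{"Protocol": "TCP", "Port": 443}]
LISTENERS_WITH_TLS = [{"Protocol": "TLS", "Port": 443}, {"Protocol": "TCP", "Port": 80}]
TARGET_GROUPS_IPV4 = [{"TargetGroupName": "web", "IpAddressType": "ipv4"}]
TARGET_GROUPS_IPV6 = [{"TargetGroupName": "web-v6", "IpAddressType": "ipv6"}]


def client_ip_preservation_blockers(nlb, listeners, target_groups=()):
    """Return the documented reasons why client IP preservation cannot be enabled.

    An empty list means none of the three published caveats applies.
    """
    reasons = []
    if nlb.get("Type") != "network":
        reasons.append("endpoint is not a Network Load Balancer")
    if not nlb.get("SecurityGroups"):
        reasons.append("NLB has no security groups (they can only be attached at creation)")
    tls_ports = [str(l["Port"]) for l in listeners if l.get("Protocol") == "TLS"]
    if tls_ports:
        reasons.append("NLB has TLS listener(s) on port(s) " + ", ".join(tls_ports))
    # Assumption: an IPv6 target group behind an NLB that accepts IPv4 clients
    # implies IPv4-to-IPv6 NAT to the targets, which the docs list as unsupported.
    nat_tgs = [tg["TargetGroupName"] for tg in target_groups
               if tg.get("IpAddressType") == "ipv6"]
    if nat_tgs:
        reasons.append("IPv4-to-IPv6 NAT to targets via target group(s) " + ", ".join(nat_tgs))
    return reasons


def target_sg_ingress_rule(nlb_sg_id, port, protocol="tcp"):
    """IpPermissions entry for the *target's* security group.

    Referencing the NLB's security group (not a CIDR) is what keeps targets
    reachable only through the load balancer once real client IPs are preserved.
    Shape matches EC2 AuthorizeSecurityGroupIngress / authorize-security-group-ingress.
    """
    return {
        "IpProtocol": protocol,
        "FromPort": port,
        "ToPort": port,
        "UserIdGroupPairs": [{"GroupId": nlb_sg_id,
                              "Description": "traffic from the NLB only"}],
    }


def endpoint_group_config(nlb_arn, region, weight=128):
    """Endpoint configuration for Global Accelerator create/update-endpoint-group."""
    return {
        "EndpointRegion": region,
        "EndpointConfigurations": [{
            "EndpointId": nlb_arn,
            "Weight": weight,
            "ClientIPPreservationEnabled": True,
        }],
    }


if __name__ == "__main__":
    cases = [
        ("good NLB", NLB_WITH_SG, LISTENERS_TCP_ONLY, TARGET_GROUPS_IPV4),
        ("no SG + TLS listener", NLB_WITHOUT_SG, LISTENERS_WITH_TLS, TARGET_GROUPS_IPV4),
        ("SG but IPv6 targets", NLB_WITH_SG, LISTENERS_TCP_ONLY, TARGET_GROUPS_IPV6),
    ]
    for name, nlb, listeners, tgs in cases:
        blockers = client_ip_preservation_blockers(nlb, listeners, tgs)
        print(name, "->", "eligible" if not blockers else "; ".join(blockers))
    print(target_sg_ingress_rule(NLB_WITH_SG["SecurityGroups"][0], 443))
    print(endpoint_group_config(NLB_WITH_SG["LoadBalancerArn"], "us-east-1"))
```

Run the check against the real `describe-*` output before calling `create-endpoint-group`; a 400 from Global Accelerator is far less informative than the list of blockers above. Note that a TLS listener is the common surprise: terminating TLS on the NLB forces you to choose between that and preserving the client IP at the target.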

Various restrictions are documented here: https://docs.aws.amazon.com/global-accelerator/latest/dg/about-endpoints.sipp-caveats.html

In particular, have you got TLS listeners on the NLB?

Leo K
answered 2 months ago
