VMware Networking Community
VMgwbaby
Enthusiast
Enthusiast
Jump to solution

Difference between "X-Forwarded-For " and "Transparent" for source IP

I see a confusion between two options for source IP visibility. Can someone explain the difference?

"Insert X-forwarded-for HTTP header" in application profile -> Maybe this is only for proxy-mode (one-armed)?

"Transparent" in pool -> Maybe this is in-line mode?

Then depending on the topology, I have to choose the right option?

1 Solution

Accepted Solutions
Sreec
VMware Employee
VMware Employee
Jump to solution

To be bit more precise

The Edge LB is configured in Proxy Mode (Source NAT) and the servers need the client IP@ information

Update the Application Profile

Under "Edge – Manage /  Load Balancer / Applications Profiles"

Select the option "Insert X-Forwarded-For HTTP header"

pastedImage_3.png

The Sce-IP@ = Edge IP@: 192.168.11.41

The server IP@: 192.168.11.3

The real client-IP@ in the X-Forwarded-For header: 10.0.1.12

pastedImage_2.png

Reference available @ NSX-v 6.3 - Load Balancing capabilities + configuration examples (and more...)

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 6x|Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered

View solution in original post

6 Replies
Sreec
VMware Employee
VMware Employee
Jump to solution

For one arm mode we need to configure the ESG with Load balancer  by checking Manage > Load Balancer > Global Configuration > Edit, followed by Server Pool creation with Transparent mode unchecked. Since Load balancer uses its own IP address as the source address to send requests to a backend server and only if there is a requirement for backend server to view orginating source IP we need x-forwarding which is limited to HTTP traffic(X-forwarding is not mandatory)

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 6x|Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered
VMgwbaby
Enthusiast
Enthusiast
Jump to solution

Oh, I see. Basically, checking transparent option is not working when LB is one-armed (one interface) - Am I correct?

"X-Forwarded-For HTTP traffic" is only working when LB is one-armed. - Am I correct?

Reply
0 Kudos
Sreec
VMware Employee
VMware Employee
Jump to solution

To be bit more precise

The Edge LB is configured in Proxy Mode (Source NAT) and the servers need the client IP@ information

Update the Application Profile

Under "Edge – Manage /  Load Balancer / Applications Profiles"

Select the option "Insert X-Forwarded-For HTTP header"

pastedImage_3.png

The Sce-IP@ = Edge IP@: 192.168.11.41

The server IP@: 192.168.11.3

The real client-IP@ in the X-Forwarded-For header: 10.0.1.12

pastedImage_2.png

Reference available @ NSX-v 6.3 - Load Balancing capabilities + configuration examples (and more...)

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 6x|Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered
VMgwbaby
Enthusiast
Enthusiast
Jump to solution

     When I researched source-IP for backend servers, there are two options (X-forwarded-for and Transparent). The term of transparent is not referring the in-line mode, but providing a visibility to the backend servers.

    I am curious

    1. if checking "transparent" in the pool makes every source traffic such as tcp/udp visible to backend? For example UDP/53 and UDP/5161

    2. if checking "transparent" in the pool works for certain mode (in-line mode), not one-armed mode.

I am sorry for more questions..

pastedImage_0.png

Reply
0 Kudos
MohamadAlhousse
Enthusiast
Enthusiast
Jump to solution

Hi VMgwbaby

For one-arm (proxy) load balancer, you have source NATing, which means the client IP address will not be reserved and visible at the backend server. There is a feature called "X-Forwarded-For" which can be used here to enable visibility of client IP address to the backend server but this is only limited to HTTP traffic.

To enable load balancer in proxy mode, you leave the "transparent" checkbox unchecked.

For inline (transparent) load balancer , we don't have source NATing, which means the client IP address will be visible to the backend server by default without any extra configuration.

In this case, you enable the "transparent" checkbox.

Hope it is clear now,

Best Regards,

Please consider marking this answer "correct" or "helpful" if you think your question have been answered correctly. Cheers, @vExpertConsult www.vexpertconsultancy.com VCIX-DCV 2018 | VCIX-NV 2019 | VCAP7-CMA Design | vSAN Specialist | vExpert ** | vExpert NSX | vExpert vSAN
VMgwbaby
Enthusiast
Enthusiast
Jump to solution

It is cleared. Thanks

Reply
0 Kudos