Getting client original ip address with azure aks
I'm currently working on copying our AWS EKS cluster to Azure AKS. In our EKS we use an external Nginx with proxy protocol to identify the client's real IP and check whether it is whitelisted in our Nginx.
In AWS, to do so, we added the aws-load-balancer-proxy-protocol annotation to the Kubernetes service to support the Nginx proxy_protocol directive.

Now the day has come and we want to run our cluster on Azure AKS as well, and I'm trying to do the same mechanism.
I saw that the AKS Load Balancer hashes the IPs, so I removed the proxy_protocol directive from my Nginx conf. I tried several things; I understand that the Azure Load Balancer is not used as a proxy, but I did read here: AKS Load Balancer Standard
I tried whitelisting IPs at the level of the Kubernetes service using the loadBalancerSourceRanges API instead of on the Nginx level.

But I think that the Load Balancer sends the IP to the cluster already hashed (is that the right term?), and the cluster seems to ignore the IPs under loadBalancerSourceRanges and passes them through.

I'm stuck now trying to understand where I lack the knowledge. I tried to handle it from both ends (load balancer and Kubernetes service) and neither seems to cooperate with me.
Given my failures, what is the "right" way of passing the client real IP address to my AKS cluster?

Tribasic answered 23/8, 2020 at 13:35 Comment(0)

From the docs: https://learn.microsoft.com/en-us/azure/aks/ingress-basic#create-an-ingress-controller

If you would like to enable client source IP preservation for requests to containers in your cluster, add --set controller.service.externalTrafficPolicy=Local to the Helm install command. The client source IP is stored in the request header under X-Forwarded-For. When using an ingress controller with client source IP preservation enabled, SSL pass-through will not work.

More information here as well: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip

You can use the real_ip and geo modules to create the IP whitelist configuration. Alternatively, the loadBalancerSourceRanges should let you whitelist any client IP ranges by updating the associated NSG.

Adulterant answered 24/8, 2020 at 22:59 Comment(2)
Thanks, setting the service to externalTrafficPolicy=Local did the trick! Limiting the IPs I'm doing using the Nginx proxy protocol directive - this still has a problem with broken headers, but I'm now getting the client IPs. Tribasic
I spent way too long trying to figure this one out. In my case, always in AKS, switching between installing with the deploy.yaml provided in GitHub vs installing with Helm broke it for me. Early on I set this flag on the Helm install, but it still didn't work, so I wasted a few hours trying a few other things. In the end, it was the capitalization of the flag, which I had not considered. Thanks for posting this answer! Nordstrom
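The answer above makes two points that are easy to get wrong when the allowlist check moves from the load balancer to the application: with externalTrafficPolicy=Local the connection arrives with the client's own source address, and any X-Forwarded-For value the client sent itself must not be trusted; behind an ingress controller the only trustworthy entry is the one appended by a hop you control. The following is an added example (not code from the answer or from any Kubernetes or Nginx project) that resolves the client address by walking the proxy chain from the nearest hop and discarding trusted proxies, then checks the result against a CIDR allowlist. The trusted-proxy ranges and allowlist CIDRs are constructed placeholders, not the asker's or Azure's real ranges.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed sample values. TRUSTED_PROXIES stands in for the hops that may
# legitimately sit between the client and this service (the ingress controller
# pods, node-level SNAT); these are placeholder CIDRs, not Azure's addresses.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.244.0.0/16"),  # assumed pod CIDR (constructed)
    ipaddress.ip_network("10.0.0.0/16"),    # assumed node range (constructed)
]

# Constructed allowlist using RFC 5737 documentation ranges.
ALLOWLIST = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
]


def _in_any(ip: ipaddress._BaseAddress, networks: Iterable[ipaddress._BaseNetwork]) -> bool:
    return any(ip in n for n in networks)


def client_ip(remote_addr: str, xff: Optional[str],
              trusted: Iterable[ipaddress._BaseNetwork] = TRUSTED_PROXIES) -> Optional[str]:
    """Return the real client address, or None if it cannot be established.

    The chain is [xff entries..., remote_addr]. Starting from the right (the
    peer that actually connected to us), each address that belongs to a trusted
    proxy is discarded, because that proxy appended the entry to its left. The
    first untrusted address is the client. Anything further left was written by
    the client or an unknown party and is never consulted.
    """
    chain = [remote_addr]
    if xff:
        chain = [p.strip() for p in xff.split(",") if p.strip()] + chain
    for hop in reversed(chain):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: fail closed rather than guess
        if not _in_any(ip, trusted):
            return str(ip)
    return None  # every hop was a trusted proxy; the header carried no client


def is_allowed(remote_addr: str, xff: Optional[str],
               allowlist: Iterable[ipaddress._BaseNetwork] = ALLOWLIST,
               trusted: Iterable[ipaddress._BaseNetwork] = TRUSTED_PROXIES) -> bool:
    """Allowlist decision on the resolved client address; unknown -> denied."""
    ip = client_ip(remote_addr, xff, trusted)
    return ip is not None and _in_any(ipaddress.ip_address(ip), allowlist)


if __name__ == "__main__":
    # externalTrafficPolicy=Local: the LB preserves the source, so the peer is
    # the client and a client-supplied X-Forwarded-For is ignored.
    print(client_ip("203.0.113.10", "198.51.100.7"))          # 203.0.113.10
    # externalTrafficPolicy=Cluster: node SNAT hides the client entirely.
    print(client_ip("10.244.1.5", None))                       # None
    # Behind the ingress controller: only the entry it appended counts.
    print(client_ip("10.244.3.9", "1.2.3.4, 203.0.113.10"))    # 203.0.113.10
```

The second case is the situation the asker described: with the default externalTrafficPolicy the node's SNAT is the only address the service ever sees, so no header-based allowlist can recover the client, which is why the service-level setting has to change first.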

Deploying my traefik ingress as part of my own helm deployment.

values.yaml

traefik:
  deployment:
    enabled: true
    kind: DaemonSet  # Deployment
    ingressClass:
      enabled: true
      isDefaultClass: true
  service:
    spec:
      externalTrafficPolicy: Local  # Preserve IP from LB to AKS
  logs:
    general:
      format: json
      level: INFO
    access:
      enabled: true
      format: json
      fields:
        general:
          defaultmode: keep
        headers:
          defaultmode: keep

kubectl logs daemonsets/-traefik -f

Laverty answered 27/5, 2023 at 11:40 Comment(0)
