

# Preserve client IP addresses in AWS Global Accelerator

Your options for preserving and accessing the client IP address for AWS Global Accelerator depend on the endpoints that you've set up with your accelerator. When client IP address preservation is enabled, the source IP address of the original client is preserved for packets that arrive at the load balancer.

Endpoints on custom routing accelerators always have the client IP address preserved. There are three types of endpoints for standard accelerators that can preserve the source IP address of the client in incoming packets: Application Load Balancers, Amazon EC2 instances, and Network Load Balancers with security groups. There are requirements and limitations for specific resources that you add as endpoint with client IP address preservation. For more information, see [Transition endpoints with client IP address preservation](about-endpoints.sipp.md).

Note that Global Accelerator does not support client IP address preservation for the following endpoint types:
+ Network Load Balancers without security groups
+ Elastic IP addresses

For details about endpoint requirements, see [Requirements for resources you add as accelerator endpoints](about-endpoints-caveats.md).

**Topics**
+ [Guidelines and restrictions](preserve-client-ip-address.how-to-enable-preservation.md)
+ [Requirements for client IP address preservation](about-endpoints.sipp-caveats.md)
+ [How the client IP address is preserved](preserve-client-ip-address.headers.md)
+ [Benefits of client IP address preservation](preserve-client-ip-address.benefits-of-preservation.md)
+ [Best practices for ENIs and security](best-practices-aga.md)
+ [Transition endpoints](about-endpoints.sipp.md)

# Guidelines and restrictions for client IP address preservation in Global Accelerator

As you prepare for and use client IP address preservation in AWS Global Accelerator, be aware of the following guidelines and restrictions.

**General caveats**  
When you plan for adding client IP address preservation, be aware of the following. Make sure that you also review the overall requirements for endpoints in Global Accelerator. For more information, see [Requirements for resources you add as accelerator endpoints](about-endpoints-caveats.md).  
When client IP address preservation is enabled, traffic bypasses the following security controls:  
+ **Gateway Load Balancer (GWLB) inspection:** Traffic does not flow through GWLB endpoints, preventing inspection by third-party security appliances.
+ **AWS Network Firewall:** Network traffic filtering and intrusion prevention rules are not applied to this traffic.
+ **Network Access Control Lists (NACLs):** Subnet-level allow and deny rules are not evaluated for this traffic.
Also be aware of the following:  
+ VPC Block Public Access is supported with client IP address preservation.
+ Before you add and begin to route traffic to endpoints that preserve the client IP address, make sure that all your required security configurations, for example, security groups, are updated to include the user client IP address on allow lists.
+ You might see client IP addresses in AWS WAF, instead of Global Accelerator IP addresses. Client IP addresses appear in AWS WAF when you configure Global Accelerator for client IP address preservation and you enable AWS WAF to block connections from your Application Load Balancers that don't come from Global Accelerator.
+ Client IP address preservation is supported in all AWS Regions where Global Accelerator is supported. For a list of supported Regions, see [AWS Region availability for AWS Global Accelerator](preserve-client-ip-address.regions.md).

**Defaults for client IP address preservation**  
When you create a new accelerator using the console, client IP address preservation is enabled, by default, for supported endpoints. You can choose to disable the option for some endpoints, depending on the endpoint type:  
+ When you use an internet-facing Application Load Balancer or a Network Load Balancer with security groups as an endpoint with Global Accelerator, client IP address preservation is enabled by default for new accelerators. You can choose to disable the option when you create the accelerator or by editing the accelerator later.
+ When you use an internal Application Load Balancer or an EC2 instance with Global Accelerator, the endpoint always has client IP address preservation enabled.
Be aware of the following:  
+ Internal Application Load Balancers and EC2 instances always have client IP address preservation enabled. You can't disable the option for these endpoints.
+ When you use the AWS console to create a new accelerator, the option for client IP address preservation is enabled by default for Application Load Balancer endpoints. The option is not enabled by default for Network Load Balancer with security groups endpoints. You can update the option for client IP address preservation for these endpoints at any time after you add them.
+ When you use the AWS CLI or an API action to create a new accelerator and you don't specify the option for client IP address preservation, the following is the default setting for client IP address preservation:
  + Internet-facing Application Load Balancer endpoints have client IP address preservation enabled by default.
  + Network Load Balancer with security group endpoints do *not* have client IP address preservation enabled by default.

**Transitioning endpoints without client IP address preservation**  
For existing accelerators, you can transition endpoints without client IP address preservation to endpoints that do preserve the client IP address. For example, existing Application Load Balancer endpoints can be transitioned to new Application Load Balancer endpoints. To transition to the new endpoints, we recommend that you move traffic slowly from an existing endpoint to a new endpoint that has client IP address preservation by doing the following:  
+ For existing Application Load Balancer or Network Load Balancer with security groups endpoints, first add to Global Accelerator a duplicate load balancer endpoint that targets the same backends, and make sure that client IP address preservation is enabled for it. Then adjust the weights on the endpoints to slowly move traffic from the load balancer that does *not* have client IP address preservation enabled to the load balancer *with* client IP address preservation.
+ For an existing Elastic IP address endpoint, you can move traffic to an EC2 instance endpoint with client IP address preservation. First add an EC2 instance endpoint to Global Accelerator, and then adjust the weights on the endpoints to slowly move traffic from the Elastic IP address endpoint to the EC2 instance endpoint.
For step-by-step transition guidance, see [Transitioning endpoints to use client IP address preservation](about-endpoints.sipp.md#about-endpoints.transition-to-IP-preservation).

# Requirements for endpoints with client IP address preservation

There are specific requirements for endpoint types that you can use with client IP address preservation. You can use this feature with endpoints that are Application Load Balancers, Network Load Balancers with security groups, and Amazon EC2 instances, subject to the additional requirements described in this section. Endpoints on custom routing accelerators always have the client IP address preserved.

This section provides information that is specific to endpoints that you want to add with client IP address preservation enabled. For information about overall requirements for endpoints, see [Requirements for resources you add as accelerator endpoints](about-endpoints-caveats.md).

In addition, for more information about best practices with client IP address preservation, see [Best practices for ENIs and security groups with client IP address preservation](best-practices-aga.md). 

If you intend to use the client IP address preservation feature, be aware of the following when you add endpoints to Global Accelerator, in addition to the overall requirements for endpoints in Global Accelerator. 

**Elastic IP addresses**  
Client IP address preservation is not supported for Elastic IP address endpoints in Global Accelerator.

**Network Load Balancer endpoints**  
If you want to enable client IP address preservation when you add Network Load Balancer resources as endpoints to Global Accelerator, be aware that client IP address preservation is not supported for the following:  
+ Network Load Balancers without security groups
+ Network Load Balancers with security groups that have TLS listeners attached
+ Network Load Balancers with security groups that perform IPv4 to IPv6 NAT translation to their EC2 targets
In addition, for Network Load Balancers, client IP address preservation is supported only when targets are in the same VPC as the Network Load Balancer. Traffic must flow directly from the Network Load Balancer to the target.  
These requirements apply only to Network Load Balancer endpoints, not to other load balancing endpoints, such as Application Load Balancers.

**Elastic network interfaces**  
To support client IP address preservation, Global Accelerator creates elastic network interfaces in your AWS account—one for each subnet where an endpoint is present. For more information about how Global Accelerator works with elastic network interfaces, see [Best practices for ENIs and security groups with client IP address preservation](best-practices-aga.md).

**Endpoints in private subnets**  
You can target an Application Load Balancer, Network Load Balancer, or an EC2 instance in a private subnet using Global Accelerator, but you must have an [internet gateway](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html) attached to the VPC that contains the endpoints. For more information, see [Secure VPC connections in AWS Global Accelerator](secure-vpc-connections.md).  
As a best practice, use private subnets if you want to ensure that traffic is delivered only by Global Accelerator. Also, make sure that inbound security group rules are configured appropriately to correctly allow or deny traffic for your applications.

**Add the client IP address to the allow list**  
Before you add and begin to route traffic to endpoints that preserve the client IP address, make sure that all your required security configurations, for example, security groups, are updated to include the user client IP address on the allow list. Network access control lists (ACLs) only apply to egress (outbound) traffic. If you need to filter ingress (inbound) traffic, you must use security groups. 

**Configure network access control lists (ACLs)**  
Network ACLs associated with your VPC subnets apply to egress (outbound) traffic when client IP address preservation is enabled on your accelerator. However, for traffic to be allowed to exit through Global Accelerator, you must configure the ACL as both an inbound and outbound rule.   
For example, to allow TCP and UDP clients using an ephemeral source port to connect to your endpoint through Global Accelerator, associate the subnet of your endpoint with a Network ACL that allows outbound traffic destined to an ephemeral TCP or UDP port (port range 1024-65535, destination 0.0.0.0/0). In addition, create a matching inbound rule (port range 1024-65535, source 0.0.0.0/0).  
Be aware of the following for security groups and WAF:  
+ Security group and AWS WAF rules are an additional set of capabilities that you can apply to protect your resources. For example, the inbound security group rules associated with your Amazon EC2 instances and Application Load Balancers allow you to control the destination ports that clients can connect to through Global Accelerator, such as port 80 for HTTP or port 443 for HTTPS.
+ Amazon EC2 instance security groups apply to any traffic that arrives to your instances, including traffic from Global Accelerator and any public or Elastic IP address that is assigned to your instance.

# How the client IP address is preserved in AWS Global Accelerator

AWS Global Accelerator preserves the source IP address of the client differently for Amazon EC2 instances, Network Load Balancers, and Application Load Balancers:
+ For an EC2 instance endpoint, the client’s IP address is preserved for all traffic.
+ For a Network Load Balancer endpoint with client IP address preservation, Global Accelerator works together with the Network Load Balancer to include the IP address of the original client in the IP header of the packet so that your application can access it.
+ For an Application Load Balancer endpoint with client IP address preservation, Global Accelerator works together with the Application Load Balancer to provide an `X-Forwarded` header, `X-Forwarded-For`, that includes the IP address of the original client so that your web tier can access it.

HTTP requests and HTTP responses use header fields to send information about the HTTP messages. Header fields are colon-separated name-value pairs that are separated by a carriage return (CR) and a line feed (LF). A standard set of HTTP header fields is defined in RFC 2616, [Message Headers](https://tools.ietf.org/html/rfc2616#section-4.2). There are also non-standard HTTP headers that are widely used by applications. Some of the non-standard HTTP headers have an `X-Forwarded` prefix.

Because an Application Load Balancer terminates incoming TCP connections and creates new connections to your backend targets, it does not preserve client IP addresses all the way to your target code (such as instances, containers, or Lambda code). The source IP address that your targets see in the TCP packet is the IP address of the Application Load Balancer. However, an Application Load Balancer does preserve the original client IP address by removing it from the original packet’s reply address and inserting it into an HTTP header before it sends the request to your backend over a new TCP connection.

The `X-Forwarded-For` request header is formatted like this:

```
X-Forwarded-For: client-ip-address
```

The following example shows an `X-Forwarded-For` request header for a client with an IP address of 203.0.113.7.

```
X-Forwarded-For: 203.0.113.7
```

The following example shows an `X-Forwarded-For` request header for a client with an IPv6 address of 2001:DB8::21f:5bff:febf:ce22:8a2e.

```
X-Forwarded-For: 2001:DB8::21f:5bff:febf:ce22:8a2e
```
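As an added example that is not part of the AWS documentation, the following Python shows how an application behind an Application Load Balancer endpoint can read the client address from the header described above and check it against an allow list. It relies on the load balancer appending the address it accepted the connection from as the last comma-separated entry, so the rightmost entry is the one to trust; the sample header lines and the allow list are constructed, modelled on the examples above.

```python
import ipaddress
from typing import Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample header lines, modelled on the X-Forwarded-For examples above.
SAMPLE_HEADER_LINES = [
    "X-Forwarded-For: 203.0.113.7",
    "X-Forwarded-For: 2001:DB8::21f:5bff:febf:ce22:8a2e",
    # A client that already carried an X-Forwarded-For value from its own proxy;
    # the Application Load Balancer appends the address it actually saw as the last entry.
    "X-Forwarded-For: 198.51.100.23, 203.0.113.7",
    # A client that sends a bogus internal address in the header it controls;
    # the appended entry is still the only one written by the load balancer.
    "X-Forwarded-For: 10.0.0.5, 203.0.113.7",
]


def parse_header_field(line: str) -> tuple[str, str]:
    """Split one HTTP header field into (name, value) at the first colon."""
    name, sep, value = line.partition(":")
    if not sep or not name.strip():
        raise ValueError(f"not a header field: {line!r}")
    return name.strip(), value.strip()


def client_ip_from_xff(value: str) -> Optional[IPAddress]:
    """Return the client address that the load balancer appended, or None if it is malformed.

    The Application Load Balancer appends the peer address it accepted the connection from
    as the last, comma-separated entry. With client IP address preservation that peer is
    the original client. Entries to the left were supplied by the client and are untrusted,
    so only the rightmost entry is used.
    """
    entries = [e.strip() for e in value.split(",")]
    if not entries or not entries[-1]:
        return None
    try:
        return ipaddress.ip_address(entries[-1])
    except ValueError:
        return None


def is_allowed(addr: IPAddress, allow_list: list[str]) -> bool:
    """True if addr falls inside any CIDR in allow_list; a v4 address never matches a v6 range."""
    for cidr in allow_list:
        if addr in ipaddress.ip_network(cidr, strict=False):
            return True
    return False


def client_ip_from_header_line(line: str) -> Optional[IPAddress]:
    """Parse a full header line and return the client address if it is an X-Forwarded-For field."""
    name, value = parse_header_field(line)
    if name.lower() != "x-forwarded-for":
        return None
    return client_ip_from_xff(value)


if __name__ == "__main__":
    # Constructed allow list: the client's IPv4 range and the IPv6 documentation prefix.
    allow_list = ["203.0.113.0/24", "2001:db8::/32"]
    for line in SAMPLE_HEADER_LINES:
        addr = client_ip_from_header_line(line)
        allowed = addr is not None and is_allowed(addr, allow_list)
        print(f"{line!r:55} -> client={addr} allowed={allowed}")
```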

# Benefits of client IP address preservation


You can configure client IP address preservation for specific endpoints in Global Accelerator. For some applications that you configure with AWS Global Accelerator, you might want to access the original client IP address by using endpoints with client IP address preservation. 

For example, when you have the client IP address, you can gather statistics based on client IP addresses. You can also use IP-address-based filters, such as [security groups on Application Load Balancers](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-update-security-groups.html), to filter traffic. You can apply logic that is specific to a user's IP address in your applications that run on the web tier servers behind that Application Load Balancer endpoint by using the load balancer's `X-Forwarded-For` header, which contains the original client IP address information. You can also use client IP address preservation in security group rules in the security groups associated with your Application Load Balancer or Network Load Balancer. For more information, see [How the client IP address is preserved in AWS Global Accelerator](preserve-client-ip-address.headers.md). For EC2 instance endpoints, the original client IP address is preserved. 

The client IP address can be used by the following, for example:
+ The security group associated with an Application Load Balancer or Network Load Balancer
+ Application Load Balancer listener rules
+ AWS WAF rules

For endpoints that don’t have client IP address preservation enabled, the IP addresses used by the Global Accelerator service at the edge network replace the requesting user's IP address as the source address in the arriving packets. The original client's connection information—such as the IP address of the client and the client's port—is not preserved as traffic travels to systems behind an accelerator. This works fine for many applications, especially those that are available to all users such as public websites.

For endpoints that don't have client IP address preservation, you can filter for the source IP address that Global Accelerator uses when it forwards traffic from the edge. You can see information about the source IP addresses (which are also client IP addresses, when client IP address preservation is enabled) of incoming packets by reviewing your Global Accelerator flow logs. For more information, see [Location and IP address ranges of Global Accelerator Edge servers](introduction-ip-ranges.md) and [Configuring and using flow logs in AWS Global Accelerator](monitoring-global-accelerator.flow-logs.md). 

# Best practices for ENIs and security groups with client IP address preservation

When you use client IP address preservation in AWS Global Accelerator, keep in mind the information and best practices in this section for elastic network interfaces (ENIs) and security groups.

To support client IP address preservation, Global Accelerator creates elastic network interfaces in your AWS account—one for each subnet where an endpoint is present. An elastic network interface is a logical networking component in a VPC that represents a virtual network card. Global Accelerator uses these elastic network interfaces to route traffic to the endpoints configured behind an accelerator. Client IP address preserved traffic still respects your subnet's route table rules and NACLs. The supported endpoints for routing traffic this way are Application Load Balancers (internal and internet-facing), Network Load Balancers with security groups, and Amazon EC2 instances. 

**Note**  
When you add an internal Application Load Balancer or an EC2 instance endpoint in Global Accelerator, you enable internet traffic to flow directly to and from the endpoint in Virtual Private Clouds (VPCs) by targeting it in a private subnet. For more information, see [Secure VPC connections in AWS Global Accelerator](secure-vpc-connections.md).

**How Global Accelerator uses elastic network interfaces**  
When you have an Application Load Balancer or Network Load Balancer endpoint with client IP address preservation enabled, the number of subnets that the load balancer is in determines the number of elastic network interfaces that Global Accelerator creates in your account. Global Accelerator creates one elastic network interface for each subnet that has at least one elastic network interface of the Application Load Balancer or Network Load Balancer in it that is fronted by an accelerator in your account.  
The following examples illustrate how this works:  
+ **Example 1:** If an Application Load Balancer has elastic network interfaces in subnet A and subnet B, and then you add the load balancer as an accelerator endpoint, Global Accelerator creates two elastic network interfaces, one in each subnet.
+ **Example 2:** If you add, for example, an ALB1 that has elastic network interfaces in subnet A and subnet B to Accelerator1, and then add an ALB2 with elastic network interfaces in subnet A and subnet B to Accelerator2, Global Accelerator creates only two elastic network interfaces: one in subnet A and one in subnet B.
+ **Example 3:** If you add an ALB1 that has elastic network interfaces in subnet A and subnet B to Accelerator1, and then add an ALB2 with elastic network interfaces in subnet A and subnet C to Accelerator2, Global Accelerator creates three elastic network interfaces: one in subnet A, one in subnet B, and one in subnet C. The elastic network interface in subnet A delivers traffic for both Accelerator1 and Accelerator2.
As shown in Example 3, elastic network interfaces are reused across accelerators if endpoints in the same subnet are placed behind multiple accelerators.   
The logical elastic network interfaces that Global Accelerator creates do not represent a single host, a throughput bottleneck, or a single point of failure. Like other AWS services that appear as a single elastic network interface in an Availability Zone or subnet—services like a network address translation (NAT) gateway or a Network Load Balancer—Global Accelerator is implemented as a horizontally scaled, highly available service.   
Evaluate the number of subnets that are used by endpoints in your accelerators to determine the number of elastic network interfaces that Global Accelerator will create. Before you create an accelerator, make sure that you have enough IP address space capacity for the required elastic network interfaces: that is, at least one free IP address per relevant subnet. If you don't have enough free IP address space, you must create or use a subnet that has adequate free IP address space for your Application Load Balancer or Network Load Balancer and associated Global Accelerator elastic network interfaces.   
When Global Accelerator determines that an elastic network interface is not being used by any of the endpoints in accelerators in your account, Global Accelerator deletes the interface. 

**Security groups created by Global Accelerator**  
Review the following information and best practices when you work with Global Accelerator and security groups.  
+ You can use the security groups created by Global Accelerator as a source group in other security groups that you maintain, but Global Accelerator only forwards traffic to the targets that you specify in your VPC.
+ If you modify the security group rules created by Global Accelerator, the endpoint might become unhealthy. If that happens, contact [AWS Support](https://console.aws.amazon.com/support/home) for assistance. 
+ Global Accelerator creates a specific security group for each VPC. Elastic network interfaces that are created for the endpoints within a specific VPC all use the same security group, no matter which subnet an elastic network interface is associated with.

**Important**  
Global Accelerator creates security groups that are associated with its elastic network interfaces. Although the system doesn't prevent you from doing so, you shouldn't edit any of the security group settings for these groups.

# Transition endpoints with client IP address preservation

If you haven't yet configured client IP address preservation for the endpoints in your accelerator, follow the guidance in this section to add and transition one or more endpoints to endpoints that preserve the user’s client IP address. You can choose to transition an Application Load Balancer, Network Load Balancer with security groups, or an Elastic IP address endpoint to a corresponding endpoint—a corresponding load balancer endpoint or an EC2 instance endpoint—that has client IP address preservation.

This section explains how to add and transition endpoints by using the AWS Global Accelerator console. If you want to use API operations with Global Accelerator, see the [AWS Global Accelerator API Reference](https://docs.aws.amazon.com/global-accelerator/latest/api/Welcome.html).

## Transitioning endpoints to use client IP address preservation

We recommend that you transition endpoints to using client IP address preservation slowly. 
+ **Add the new endpoint:** First, add to Global Accelerator the new load balancer or EC2 instance endpoints that you enable to preserve the client IP address.
+ **Slowly increase traffic:** Then, slowly move traffic from existing endpoints to the new endpoints by configuring weights on the endpoints.
+ **Test as you go:** After you move a small amount of traffic to the new endpoint with client IP address preservation, test to make sure that your configuration is working as you expect it to. Then gradually increase the proportion of traffic to the new endpoint by adjusting the weights on the corresponding endpoints.

Follow the steps in the following sections to transition your endpoints.

Client IP address preservation is supported in all AWS Regions where Global Accelerator is supported. For a list of supported Regions, see [AWS Region availability for AWS Global Accelerator](preserve-client-ip-address.regions.md).

**Important**  
Before you begin to route traffic to endpoints that preserve the client IP address, make sure that all the configurations in which you’ve included Global Accelerator client IP addresses on allow lists are updated to include the user client IP address instead.

## To add an endpoint with client IP address preservation


1. Open the Global Accelerator console at [https://console.aws.amazon.com/globalaccelerator/home](https://console.aws.amazon.com/globalaccelerator/home).

1. On the Accelerators page, choose an accelerator.

1. In the **Listeners** section, choose a listener.

1. In the **Endpoint group** section, choose an endpoint group.

1. In the **Endpoints** section, choose **Add endpoint**.

1. On the **Add endpoints** page, in the **Endpoints** drop-down menu, choose an endpoint that supports client IP address preservation.

1. In the **Weight** field, choose a low number compared to the weights that are set for your existing endpoints. For example, if the weight for a corresponding Application Load Balancer is 255, you could enter a weight of 5 for the new Application Load Balancer, to start with. For more information, see [How endpoint weights work to manage traffic volume](about-endpoints-endpoint-weights.md).

1. If needed, under **Preserve client IP address**, select **Preserve address**.

1. Choose **Save changes**.

Next, follow the steps here to edit the corresponding existing endpoints (that you're replacing with the new endpoints with client IP address preservation) to reduce the weights for existing endpoints so that less traffic goes to them.

## To reduce traffic for the existing endpoints


1. On the **Endpoint group** page, choose an existing endpoint that doesn't have client IP address preservation.

1. Choose **Edit**.

1. On the **Edit endpoint** page, in the **Weight** field, enter a lower number than the current number. For example, if the weight for an existing endpoint is 255, you could enter a weight of 220 for the new endpoint (with client IP address preservation).

1. Choose **Save changes**.

After you’ve tested with a small portion of the original traffic by setting the weight for the new endpoint to a low number, you can slowly transition all the traffic by continuing to adjust the weights for the original and new endpoints.

For example, say you start with an existing Application Load Balancer with a weight set to 200, and you add a new Application Load Balancer endpoint with client IP address preservation enabled with a weight set to 5. Gradually shift traffic from the original Application Load Balancer to the new Application Load Balancer by increasing the weight for the new Application Load Balancer and decreasing the weight for the original Application Load Balancer. For example: 
+ Original weight 190 → new weight 10
+ Original weight 180 → new weight 20
+ Original weight 170 → new weight 30, and so on.
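As an added example that is not part of the AWS documentation, the following Python generates the weight schedule described above, computes the share of traffic each step sends to the new endpoint (weights are applied proportionally within the endpoint group), and builds the per-endpoint configuration shape that the Global Accelerator UpdateEndpointGroup API takes, including the rollback state. The endpoint ARNs are placeholders to be replaced with your own.

```python
from typing import TypedDict


class EndpointConfiguration(TypedDict):
    # Mirrors the per-endpoint fields accepted by the UpdateEndpointGroup API.
    EndpointId: str
    Weight: int
    ClientIPPreservationEnabled: bool


# Placeholder ARNs (constructed); replace with the real load balancer ARNs from your account.
ORIGINAL_ALB = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:loadbalancer/app/original-alb/PLACEHOLDER"
NEW_ALB = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:loadbalancer/app/new-alb/PLACEHOLDER"

MAX_WEIGHT = 255  # Global Accelerator endpoint weights range from 0 to 255.


def transition_schedule(original_weight: int, step: int) -> list[tuple[int, int]]:
    """Return (original_weight, new_weight) pairs that move `step` units of weight per round
    from the original endpoint to the new one until the original reaches 0.

    With original_weight=200 and step=10 this reproduces the 190/10, 180/20, 170/30 ... sequence.
    """
    if not 0 < step <= original_weight <= MAX_WEIGHT:
        raise ValueError("step must be positive and weights must stay within 0..255")
    schedule: list[tuple[int, int]] = []
    new_weight = 0
    while original_weight > 0:
        moved = min(step, original_weight)  # last round may be a partial step
        original_weight -= moved
        new_weight += moved
        schedule.append((original_weight, new_weight))
    return schedule


def share_to_new(original_weight: int, new_weight: int) -> float:
    """Fraction of the endpoint group's traffic that these weights send to the new endpoint."""
    total = original_weight + new_weight
    return new_weight / total if total else 0.0


def endpoint_configurations(original_weight: int, new_weight: int) -> list[EndpointConfiguration]:
    """Build the EndpointConfigurations list for one step: only the new endpoint preserves the client IP."""
    return [
        {"EndpointId": ORIGINAL_ALB, "Weight": original_weight, "ClientIPPreservationEnabled": False},
        {"EndpointId": NEW_ALB, "Weight": new_weight, "ClientIPPreservationEnabled": True},
    ]


def revert_configurations(original_weight: int) -> list[EndpointConfiguration]:
    """Roll back: the original endpoint regains its full weight and the new endpoint drops to 0."""
    return endpoint_configurations(original_weight, 0)


if __name__ == "__main__":
    for orig, new in transition_schedule(200, 10):
        print(f"original={orig:3d} new={new:3d} share_to_new={share_to_new(orig, new):.0%}")
    print(revert_configurations(200))
```

Each step's configuration list can be passed as the endpoint configurations of an update call, pausing to verify that the new endpoint is healthy and that client addresses appear as expected before the next step.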

When you have decreased the weight to 0 for the original endpoint, all traffic (in this example scenario) goes to the new Application Load Balancer endpoint, which includes client IP address preservation. 

If you have additional endpoints—load balancers or EC2 instances—that you want to transition to use client IP address preservation, repeat the steps in this section to transition them.

If you need to revert your configuration for an endpoint so that traffic to the endpoint doesn't preserve the client IP address, you can do that at any time: increase the weight for the endpoint that does *not* have client IP address preservation to the original value, and decrease the weight for the endpoint *with* client IP address preservation to 0.