
Obtaining the Client Source IP Address for a Container

Background

There may be different types of proxy servers between a client and a container server. How can a container obtain the real source IP address of the client? This section describes several scenarios you may encounter.

Principles

Layer-7 forwarding:

Ingress: If this access mode is used, the client source IP address is saved in the X-Forwarded-For HTTP header field by default. No other configuration is required.

  • ELB ingress: An ingress developed by CCE that provides layer-7 access from the internet and from the intranet (within the same VPC) based on ELB. If the backend Service type is NodePort, set Service Affinity to Node level.
  • Nginx ingress: An ingress that provides layer-7 access based on the nginx-ingress add-on. The backend Service type can be either ClusterIP or NodePort. If the backend Service type is NodePort, set Service Affinity to Node level.

Layer-4 forwarding:

  • LoadBalancer: Use HUAWEI CLOUD ELB to achieve load balancing. You can manually enable the Obtain Client IP Address option for TCP and UDP listeners of shared load balancers. By default, the Obtain Client IP Address option is enabled for TCP and UDP listeners of dedicated load balancers. You do not need to manually enable it.
  • NodePort: In this access mode, the container port is mapped to the node port. If cluster-level affinity is configured, access requests will be forwarded through the node and the client source IP address cannot be obtained. If node-level affinity is configured, access requests are not forwarded and the client source IP address can be obtained.

If Istio is used, you can obtain the source IP address by referring to How Do I Obtain the IP Address of a Client If I Use Istio for My Services.

Scenarios in Which Source IP Address Can Be Obtained

Due to network model differences, CCE does not support obtaining source IP addresses in some scenarios, as listed in Table 1. "-" in the table indicates that this scenario does not exist.

Table 1 Scenarios in which source IP addresses can be obtained

| Level-1 Category | Level-2 Category | Load Balancer Type | VPC and Container Tunnel Network Models | Cloud Native Network 2.0 Model |
|---|---|---|---|---|
| Layer-7 forwarding (ingress) | ELB | Shared | Supported | Supported |
| Layer-7 forwarding (ingress) | ELB | Dedicated | Supported | Supported |
| Layer-7 forwarding (ingress) | Nginx (interconnected with the nginx-ingress add-on) | Shared | Supported | Not supported |
| Layer-7 forwarding (ingress) | Nginx (interconnected with the nginx-ingress add-on) | Dedicated | Supported | Supported |
| Layer-4 forwarding (Service) | LoadBalancer | Shared | Supported | Not supported |
| Layer-4 forwarding (Service) | LoadBalancer | Dedicated | Supported | Supported (only for ENI load balancing) |
| Layer-4 forwarding (Service) | NodePort | - | Supported | Not supported |

Ingress

Configure the application server and obtain the IP address of a client from the HTTP header.

The load balancer places the real client IP address in the X-Forwarded-For HTTP header field in the following format:

X-Forwarded-For: <client IP address>,<proxy server 1 IP address>,<proxy server 2 IP address>,...

With this format, the first (leftmost) IP address in the list is the IP address of the client.

For details, see How Can I Obtain the IP Address of a Client.
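Added example (not part of the CCE documentation): a backend-side parser for the X-Forwarded-For chain described above. The page's rule that the first address is the client's holds when the load balancer is the only writer of the header; because a client can also send the header itself, the second function walks the chain from the right, skipping hops in the trusted proxy ranges, and treats the first untrusted hop as the client. The trusted ranges and all sample addresses are constructed placeholders, not values from the page.

```python
import ipaddress
from typing import Optional

# Assumed, constructed placeholders: address ranges of the hops that are
# allowed to append to X-Forwarded-For (ELB and nginx-ingress pods / nodes).
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def _is_trusted(addr: str) -> bool:
    """True if addr parses as an IP and lies in a trusted proxy range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def _split_chain(xff: str) -> list:
    """Split the comma-separated header into trimmed, non-empty entries."""
    return [p.strip() for p in xff.split(",") if p.strip()]


def naive_client_ip(xff: str) -> Optional[str]:
    """Leftmost entry, as the page describes. Correct only when the load
    balancer overwrites any X-Forwarded-For value the client supplied."""
    parts = _split_chain(xff)
    return parts[0] if parts else None


def client_ip_from_xff(xff: str, remote_addr: str) -> str:
    """Walk the chain from the nearest hop backwards, skipping trusted proxies.

    remote_addr is the peer that opened the TCP connection to the container
    (the last hop); unlike the header it cannot be forged by the client.
    """
    chain = _split_chain(xff) + [remote_addr]
    for addr in reversed(chain):
        if not _is_trusted(addr):
            return addr
    # Every hop was a trusted proxy (e.g. health check from inside the VPC).
    return chain[0]


if __name__ == "__main__":
    # Constructed: client 198.51.100.25 sent its own header "203.0.113.7";
    # ELB appended the client, nginx-ingress appended the ELB (10.0.5.9).
    header = "203.0.113.7, 198.51.100.25, 10.0.5.9"
    print(naive_client_ip(header))                    # 203.0.113.7 (spoofed)
    print(client_ip_from_xff(header, "10.0.12.3"))    # 198.51.100.25
```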

  • In the Cloud Native Network 2.0 model, source IP addresses cannot be obtained if a shared load balancer is used when an ingress is interconnected with the nginx-ingress add-on. For details, see Scenarios in Which Source IP Address Can Be Obtained. To obtain the source IP addresses, uninstall the nginx-ingress add-on and use the dedicated load balancer during reinstallation. For details, see Installing the nginx-ingress Add-on.
  • When adding an ingress, if the backend service is of the NodePort type, set Service Affinity to Node level, that is, set spec.externalTrafficPolicy to Local. For details, see NodePort.

LoadBalancer

For a LoadBalancer Service, different types of clusters obtain source IP addresses in different scenarios. In some scenarios, source IP addresses cannot be obtained currently. For details, see Scenarios in Which Source IP Address Can Be Obtained.
  • CCE clusters (using the VPC or container tunnel network model): Source IP addresses can be obtained when either a shared or dedicated load balancer is used.
  • CCE Turbo clusters (using the Cloud Native Network 2.0 model): Source IP addresses can be obtained only when a dedicated load balancer (ENI LoadBalancer) is used.

VPC and Container Tunnel Network Models

To obtain source IP addresses, perform the following steps:

  1. When creating a LoadBalancer Service on the CCE console, set Service Affinity to Node level instead of Cluster level.

  2. Go to the ELB console and enable Obtain Client IP Address on the listener that corresponds to the load balancer. For dedicated load balancers, transparent transmission of source IP addresses is enabled by default, so this step is not required.

    1. Log in to the ELB console.
    2. Click the region selector in the upper left corner and select the desired region and project.
    3. Click Service List. Under Network, click Elastic Load Balance.
    4. On the Load Balancers page, click the name of the load balancer.
    5. Click Listeners.
    6. To add a listener, click Add Listener.
    7. To modify a listener, locate the listener and click the icon on the right of its name.
    8. Enable Obtain Client IP Address.
      Figure 1 Enabling the function

Cloud Native Network 2.0 Model

In the Cloud Native Network 2.0 model, when a shared load balancer is used, the service affinity cannot be set to Node level, so source IP addresses cannot be obtained. To obtain source IP addresses, you must use an ENI LoadBalancer Service that connects to a dedicated load balancer; external access then reaches the container directly and does not pass through the forwarding plane.

By default, transparent transmission of source IP addresses is enabled for dedicated load balancers. You do not need to manually enable Obtain Client IP Address on the ELB console. Instead, you only need to select a dedicated load balancer when creating an ENI LoadBalancer Service on the CCE console, as shown in the following figure.

NodePort

Set the service affinity of a NodePort Service to Node level instead of Cluster level. That is, set spec.externalTrafficPolicy of the Service to Local.

In the Cloud Native Network 2.0 model, the service affinity of the NodePort Service cannot be set to Node level. Therefore, source IP addresses cannot be obtained in this model.

Figure 2 Selecting a node-level affinity