Using Dedicated Load Balancers to Transfer Client IP Address

Dedicated load balancers transfer client IP addresses in different ways based on whether they use Layer 4 or Layer 7 listeners to route requests.

Transfer Client IP Address is enabled by default for TCP and UDP listeners of dedicated load balancers. Load balancers communicate with backend servers using client IP addresses. You can check the backend server logs to obtain client IP addresses.
Transfer Client IP Address is enabled by default for HTTP, HTTPS, and QUIC listeners of dedicated load balancers, which means that client IP addresses can be placed in the X-Forwarded-For header and transferred to backend servers. The first IP address in the X-Forwarded-For header is the client IP address.
TLS listeners do not support Transfer Client IP Address. You can enable ProxyProtocol to obtain the client IP address.

If Transfer Client IP Address is enabled:

A server cannot serve as both a backend server and a client. If the client and the backend server use the same server, the backend server will think the packet from the client is sent by itself and will not return a response packet to the load balancer. As a result, the return traffic will be interrupted.

Traffic, such as unidirectional data transmission or push traffic, may be interrupted when backend servers are being migrated. After backend servers are migrated, you need to retransmit the packets to restore the traffic.

In some special cases, Transfer Client IP Address does not work. You can obtain client IP addresses by referring to Table 1.

**Table 1** Transferring client IP addresses at Layer 4
Listener Protocol	Transfer Client IP Address	When Transfer Client IP Address Fails	Other Methods
TCP	Supported	TCP listeners communicate with IP as backend servers. IPv4/IPv6 translation is enabled for TCP listeners. In this case, client IP addresses are translated.	Using the TOA Plug-in Using ProxyProtocol to Transfer Client IP Addresses
UDP	Supported	UDP listeners communicate with IP as backend servers. IPv4/IPv6 translation is enabled for UDP listeners. In this case, client IP addresses are translated.	N/A
TLS	Not supported	N/A	Using ProxyProtocol to Transfer Client IP Addresses

You can configure the backend servers to ensure that they can correctly parse the X-Forwarded-For header to obtain client IP addresses.

The X-Forwarded-For header is in the following format:

X-Forwarded-For: <client-IP-address>, <proxy-server-1-IP-address>, <proxy-server-2-IP-address>, ...

The first IP address included in the X-Forwarded-For header is the client IP address.

Transfer Client IP Address is enabled by default and cannot be disabled when you add a listener on the console as below.
- Adding a TCP Listener, Adding a UDP Listener, and Adding a UDP Listener (with a QUIC Backend Server Group Associated).
- Adding an HTTP Listener, Adding an HTTPS Listener, and Adding a QUIC Listener.
Calling the API for adding a listener: transparent_client_ip_enable can only be set to true and the source IP addresses of the clients can be passed to backend servers.

Parent Topic: Security

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel

For any further questions, feel free to contact us through the chatbot.