How do I apply client IP address preservation to AWS resources?
Introduction
In this example, we put an Application Load Balancer (ALB) in front of an EC2 instance and make sure the original client IP address reaches the backend. An ALB terminates each client connection and opens its own connection to the target, so at the TCP level the backend only ever sees the ALB's private IP address. The client's address is carried instead in the X-Forwarded-For HTTP header, which the ALB appends to (its default mode) before forwarding the request. Because any client can send an X-Forwarded-For header of its own, the backend must treat only the entry the ALB itself appended, the rightmost one, as trustworthy, and the instance must not be reachable except through the ALB. If an application needs the real source address at the network layer rather than in a header, that is the Network Load Balancer feature called client IP preservation and is not covered here.
We’ll be creating:
- A VPC with two public subnets (an ALB requires subnets in at least two Availability Zones).
- An Internet Gateway and route table to make the subnets public.
- Security groups for the load balancer and for the instance.
- An EC2 instance running a minimal HTTP server.
- A target group for the instance.
- An Application Load Balancer and listener.
Program Example
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Create a VPC
const main = new aws.ec2.Vpc("main", {
    cidrBlock: "10.0.0.0/16",
    enableDnsSupport: true,
    enableDnsHostnames: true,
});

// Create two public subnets in different Availability Zones.
// An Application Load Balancer requires at least two subnets in two AZs;
// the AZ names below assume the stack is deployed in us-west-2.
const publicA = new aws.ec2.Subnet("public-a", {
    vpcId: main.id,
    cidrBlock: "10.0.1.0/24",
    availabilityZone: "us-west-2a",
    mapPublicIpOnLaunch: true,
});
const publicB = new aws.ec2.Subnet("public-b", {
    vpcId: main.id,
    cidrBlock: "10.0.2.0/24",
    availabilityZone: "us-west-2b",
    mapPublicIpOnLaunch: true,
});

// Create an Internet Gateway
const gateway = new aws.ec2.InternetGateway("gateway", { vpcId: main.id });

// Create a Route Table with a default route to the Internet Gateway
const publicRouteTable = new aws.ec2.RouteTable("public", { vpcId: main.id });
const publicRoute = new aws.ec2.Route("public", {
    routeTableId: publicRouteTable.id,
    destinationCidrBlock: "0.0.0.0/0",
    gatewayId: gateway.id,
});

// Associate the Route Table with both subnets
const publicRouteTableAssociationA = new aws.ec2.RouteTableAssociation("public-a", {
    subnetId: publicA.id,
    routeTableId: publicRouteTable.id,
});
const publicRouteTableAssociationB = new aws.ec2.RouteTableAssociation("public-b", {
    subnetId: publicB.id,
    routeTableId: publicRouteTable.id,
});

// Security Group for the load balancer: accepts HTTP from anywhere
const albSecurityGroup = new aws.ec2.SecurityGroup("alb", {
    vpcId: main.id,
    ingress: [{
        fromPort: 80,
        toPort: 80,
        protocol: "tcp",
        cidrBlocks: ["0.0.0.0/0"],
    }],
    egress: [{
        fromPort: 0,
        toPort: 0,
        protocol: "-1",
        cidrBlocks: ["0.0.0.0/0"],
    }],
});

// Security Group for the instance: accepts HTTP only from the load balancer.
// If clients could reach the instance directly they would bypass the ALB and
// could present any X-Forwarded-For value they like.
const appSecurityGroup = new aws.ec2.SecurityGroup("app", {
    vpcId: main.id,
    ingress: [{
        fromPort: 80,
        toPort: 80,
        protocol: "tcp",
        securityGroups: [albSecurityGroup.id],
    }],
    egress: [{
        fromPort: 0,
        toPort: 0,
        protocol: "-1",
        cidrBlocks: ["0.0.0.0/0"],
    }],
});

// Look up the latest Amazon Linux 2023 AMI in the current region rather than
// hard-coding an AMI ID, which is only valid in the region it was published in.
const ami = aws.ec2.getAmi({
    mostRecent: true,
    owners: ["amazon"],
    filters: [{ name: "name", values: ["al2023-ami-2023*-x86_64"] }],
});

// Create an EC2 instance running a minimal HTTP server (python3 ships with AL2023)
const app = new aws.ec2.Instance("app", {
    ami: ami.then(a => a.id),
    instanceType: aws.ec2.InstanceType.T2_Micro,
    subnetId: publicA.id,
    vpcSecurityGroupIds: [appSecurityGroup.id],
    userData: `#!/bin/bash
mkdir -p /var/www && cd /var/www
echo "Hello, World" > index.html
nohup python3 -m http.server 80 > /dev/null 2>&1 &
`,
});

// Create a Target Group
const appTargetGroup = new aws.lb.TargetGroup("app", {
    name: "app-tg",
    port: 80,
    protocol: "HTTP",
    vpcId: main.id,
    healthCheck: {
        path: "/",
        interval: 30,
        timeout: 5,
        healthyThreshold: 2,
        unhealthyThreshold: 10,
    },
});

// Create the Application Load Balancer across both public subnets.
// The ALB terminates the client connection, so the instance sees the ALB's
// private IP as the TCP peer and the client's IP arrives in X-Forwarded-For.
// "append" (the default, shown explicitly) makes the ALB add the address it
// received the connection from as the last, rightmost entry of that header.
const appLoadBalancer = new aws.lb.LoadBalancer("app", {
    name: "app-lb",
    internal: false,
    loadBalancerType: "application",
    securityGroups: [albSecurityGroup.id],
    subnets: [publicA.id, publicB.id],
    xffHeaderProcessingMode: "append",
});

// Create a Listener
const appListener = new aws.lb.Listener("app", {
    loadBalancerArn: appLoadBalancer.arn,
    port: 80,
    protocol: "HTTP",
    defaultActions: [{
        type: "forward",
        targetGroupArn: appTargetGroup.arn,
    }],
});

// Associate the EC2 instance with the Target Group
const appTargetGroupAttachment = new aws.lb.TargetGroupAttachment("app", {
    targetGroupArn: appTargetGroup.arn,
    targetId: app.id,
    port: 80,
});

// Export the load balancer's DNS name so the deployment can be tested
export const albDnsName = appLoadBalancer.dnsName;
Key Points
- A VPC with two public subnets is created to place our resources in a new isolated network; the ALB requires subnets in two different Availability Zones.
- An Internet Gateway and route table setup ensures our VPC can communicate with the internet.
- Two security groups are configured: the load balancer accepts HTTP from anywhere, and the instance accepts HTTP only from the load balancer, so requests cannot bypass the ALB.
- An EC2 instance with a basic HTTP server is launched from an AMI looked up for the current region.
- The Application Load Balancer forwards client requests to the instance. It terminates the client's TCP connection, so the instance sees the ALB's private IP as the peer; the original client IP is conveyed in the X-Forwarded-For header, where the ALB appends it as the rightmost entry. Because clients can set that header themselves, the backend must trust only that rightmost entry.
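The backend side of this is not shown by the Pulumi program, so here is an added example (not part of the original page or of Pulumi's code) of how a Node.js service behind the ALB should read the client address. It assumes exactly one trusted proxy (the ALB in its default "append" mode) and takes the entry that many positions from the right of X-Forwarded-For, discarding everything to its left as client-controlled. The function names, the `TRUSTED_PROXY_COUNT` constant and the sample header are this example's own; the addresses are constructed.

```typescript
import * as http from "http";
import * as net from "net";

// Number of proxies in front of this server that append to X-Forwarded-For.
// With a single ALB directly in front of the instance this is 1 (assumption
// of this example; raise it if, say, CloudFront sits in front of the ALB).
export const TRUSTED_PROXY_COUNT = 1;

// Strip a port suffix a proxy may have added ("203.0.113.7:51234") and the
// brackets around an IPv6 literal ("[2001:db8::1]:443"); reject non-addresses.
function normalizeAddress(raw: string): string | undefined {
    let s = raw.trim();
    const bracketed = s.match(/^\[([^\]]+)\](?::\d+)?$/);
    if (bracketed) {
        s = bracketed[1];
    } else if (/^[^:]+:\d+$/.test(s)) {
        s = s.slice(0, s.lastIndexOf(":"));
    }
    return net.isIP(s) ? s : undefined;
}

// Pick the client IP from X-Forwarded-For, trusting only what the proxies in
// front of us appended. The header is built left to right:
//   X-Forwarded-For: <whatever the client sent>, <IP the ALB saw>
// so the entry `trustedProxyCount` positions from the right is the address of
// the peer that connected to the outermost trusted proxy. Everything left of
// it came from the client and must not be trusted.
export function clientIpFromXff(
    xff: string | string[] | undefined,
    trustedProxyCount: number,
): string | undefined {
    if (xff === undefined) {
        return undefined;
    }
    const joined = Array.isArray(xff) ? xff.join(",") : xff;
    const hops = joined.split(",").map(h => h.trim()).filter(h => h.length > 0);
    const index = hops.length - trustedProxyCount;
    if (index < 0) {
        return undefined; // fewer entries than trusted proxies: malformed header
    }
    return normalizeAddress(hops[index]);
}

// Resolve the client IP for a request. `peerIp` is the TCP peer (the ALB's
// private address when deployed as above). With no trusted proxy, or when the
// header is unusable, the peer itself is the best answer we have.
export function resolveClientIp(
    peerIp: string,
    xff: string | string[] | undefined,
    trustedProxyCount: number = TRUSTED_PROXY_COUNT,
): string {
    if (trustedProxyCount === 0) {
        return peerIp;
    }
    return clientIpFromXff(xff, trustedProxyCount) ?? peerIp;
}

// Constructed sample: the client forged a private address in its own header,
// then the ALB appended the address it actually received the connection from.
export const SAMPLE_XFF = "10.0.0.1, 203.0.113.7";
export const SAMPLE_CLIENT_IP = resolveClientIp("10.0.1.25", SAMPLE_XFF);

// Minimal backend that replies with the client IP it decided on.
export function startServer(port: number): http.Server {
    return http.createServer((req, res) => {
        const peerIp = req.socket.remoteAddress ?? "";
        const clientIp = resolveClientIp(peerIp, req.headers["x-forwarded-for"]);
        res.setHeader("Content-Type", "text/plain");
        res.end(`client ip: ${clientIp}\n`);
    }).listen(port);
}
```

Call `startServer(80)` on the instance and request the ALB's DNS name; the reply should show your public address even if you send a forged `X-Forwarded-For` header, because the forged entry is to the left of the one the ALB appends. The security-group rule that restricts the instance to traffic from the ALB is what makes this counting argument hold: a request that reached the instance directly would have no ALB-appended entry at all.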
Conclusion
We have configured an Application Load Balancer in front of an EC2 instance so that the original client IP address reaches the backend in the X-Forwarded-For header. Applications that make decisions based on the client's address (rate limiting, allow lists, audit logging) must read the ALB-appended entry of that header rather than the TCP peer address, and must be reachable only through the load balancer so that the header cannot be forged.