1

We have multiple microservices deployed in AWS App Mesh. All the services are developed in Spring Boot and deployed in AWS Fargate.

I need to find the service IP/domain from which the API is called. In Java, this can be done by calling getRemoteHost() or getRemoteAddr() on the incoming request. But currently, it's returning 127.0.0.1 for both calls.

Could it be because of the Envoy proxy deployed along with the service? How do I get the caller IP in services deployed in App Mesh?

shwetap
  • Have you configured the proxy to send `x-forwarded-for` in HTTP headers? – aksappy Oct 05 '21 at 19:00
  • @aksappy App Mesh is a new technology to me. I am still in the learning phase. Can you please point me to how to configure these headers in the proxy? – shwetap Oct 06 '21 at 06:45
  • I see a feature request on GitHub [here](https://github.com/aws/aws-app-mesh-roadmap/issues/349). Could be easier to follow the issue. Docs say [this](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for) to get the XFF. – aksappy Oct 06 '21 at 13:10

2 Answers

0

Based on this image, App Mesh seems to be fronted by a load balancer with the traffic routed to a Virtual Gateway and finally to the various clients.


This should mean that simply getting the value of the X-Forwarded-For header from the incoming HTTP request should be enough to retrieve a client's IP address. You can read more on that here.

akortex
  • I am not sure how to configure the Envoy proxy to forward these headers to the other service. I can't find anything in the documentation regarding the same. – shwetap Oct 06 '21 at 07:42
0

The X-Forwarded-For request header is automatically added and helps you identify the IP address of a client when you use an HTTP or HTTPS load balancer. From AWS documentation, the X-Forwarded-For request header may contain multiple IP addresses that are comma separated. The left-most address is the client IP where the request was first made. You need to check for it in the request that your Spring Boot app gets.

Lejdi Prifti
  • Do you mean the Envoy proxy sets these headers by default? I printed all the headers, but I couldn't find any XFF headers in my request – shwetap Oct 06 '21 at 08:26
  • Envoy will only append to XFF if the `use_remote_address` HTTP connection manager option is set to true and `skip_xff_append` is set to false. This means that if `use_remote_address` is false (which is the default) or `skip_xff_append` is true, the connection manager operates in a transparent mode where it does not modify XFF. – Lejdi Prifti Oct 06 '21 at 08:29
  • Yes, I read this in the docs, but I am not sure where to change these settings. Also, it is mentioned in the docs that `use_remote_address` should be set to true when Envoy is deployed as an edge node (aka a front proxy), whereas it may need to be set to false when Envoy is used as an internal service node in a mesh deployment. In my case, it's an internal service node – shwetap Oct 06 '21 at 08:32
  • There must be a configuration file (JSON, YAML, pb or pb_text) for Envoy – Lejdi Prifti Oct 06 '21 at 08:36
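
An added example, not taken from any of the posts above, of reading `X-Forwarded-For` in the receiving service when the result feeds logging or access decisions. The header arrives as ordinary request data, so this sketch only counts entries appended by proxies you operate and otherwise falls back to the socket peer. `CallerIp`, `resolve`, `TRUSTED` and all addresses are hypothetical, constructed values.

```java
import java.util.Set;
import java.util.regex.Pattern;

public class CallerIp {
    // Assumption: addresses of proxies you operate. 127.0.0.1 is the local Envoy
    // sidecar seen in the question; 10.0.0.5 is a constructed gateway address.
    static final Set<String> TRUSTED = Set.of("127.0.0.1", "10.0.0.5");
    // Characters allowed in an IPv4/IPv6 literal; anything else is a malformed hop.
    static final Pattern IP_CHARS = Pattern.compile("[0-9A-Fa-f:.]{2,45}");

    static String resolve(String xff, String remoteAddr, Set<String> trusted) {
        // A header delivered by a peer we do not operate proves nothing: ignore it.
        if (xff == null || xff.isBlank() || !trusted.contains(remoteAddr)) {
            return remoteAddr;
        }
        String candidate = remoteAddr;
        String[] hops = xff.split(",");
        // Walk right to left: the right-most entries were appended by our own proxies.
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!IP_CHARS.matcher(hop).matches()) {
                return remoteAddr; // malformed entry: fall back to the socket peer
            }
            candidate = hop;
            if (!trusted.contains(hop)) {
                break; // first hop we do not operate: treat it as the caller
            }
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed sample headers (documentation address ranges).
        String[][] samples = {
            {"203.0.113.7, 10.0.0.5", "127.0.0.1"},               // normal path via gateway
            {"198.51.100.9, 203.0.113.7, 10.0.0.5", "127.0.0.1"}, // first entry sent by the client itself
            {null, "127.0.0.1"},                                   // no XFF, as in the question
            {"10.0.0.5", "203.0.113.7"},                           // direct peer is not a trusted proxy
        };
        for (String[] s : samples) {
            System.out.println(s[0] + " via " + s[1] + " -> " + resolve(s[0], s[1], TRUSTED));
        }
    }
}
```

In a Spring controller the inputs would be `request.getHeader("X-Forwarded-For")` and `request.getRemoteAddr()`; whether the header is present at all depends on the Envoy settings discussed in the comments.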