IP Transparency
Sometimes the upstream server or network may need to know the original IP address of the connection, called the downstream remote address, for many reasons. Some examples include:
- the IP address being used to enforce network policy, or
- the IP address being included in an audit.
Envoy supports multiple methods for providing the downstream remote address to the upstream host. These techniques vary in complexity and applicability.
The HTTP header approach has a few downsides:
- It is only applicable to HTTP.
- It may not be supported by the upstream host.
HAProxy Proxy Protocol defines a protocol for communicating metadata about a connection over TCP, prior to the main TCP stream. This metadata includes the source IP. Envoy supports consuming this information, which may be used to recover the downstream remote address for propagation into an x-forwarded-for header. It can also be used in conjunction with the Original Source listener filter.
Some drawbacks to Proxy Protocol:
- It only supports TCP protocols.
- It requires upstream host support.
- Envoy cannot yet send it to the upstream.
In controlled deployments, it may be possible to replicate the downstream remote address on the upstream connection by using an Original Source listener filter. No metadata is added to the upstream request or stream. Rather, the upstream connection itself is established with the downstream remote address as its source address. This filter works with any upstream protocol or host. However, it requires fairly complex configuration, and it may not be supported in all deployments due to routing constraints.
Some drawbacks to the Original Source filter:
- It requires that Envoy have access to the downstream remote address.
- It may introduce a slight performance hit due to restrictions on connection pooling.
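As an added illustration (not configuration from the Envoy documentation), the following listener combines the two mechanisms described above: the Proxy Protocol listener filter recovers the downstream remote address, which the HTTP connection manager then appends to x-forwarded-for and which the Original Source filter uses as the source address of the upstream connection. Listener and cluster addresses, ports and the mark value 123 are placeholders; the Original Source path additionally needs CAP_NET_ADMIN and policy routing keyed on that mark, which this fragment does not set up.

```yaml
static_resources:
  listeners:
  - name: ingress
    address:
      socket_address: { address: 0.0.0.0, port_value: 8080 }
    listener_filters:
    # Strips the PROXY header and replaces the connection's remote address
    # with the source IP it carries, so later filters see the real client.
    - name: envoy.filters.listener.proxy_protocol
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol
    # Binds the upstream connection with the downstream remote address as its
    # source; mark 123 is a placeholder for the routing mark that must steer
    # replies back through Envoy.
    - name: envoy.filters.listener.original_src
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.listener.original_src.v3.OriginalSrc
        mark: 123
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          # Treat the (recovered) remote address as the trusted client IP when
          # appending x-forwarded-for instead of any XFF the client supplied.
          use_remote_address: true
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: backend }
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: backend
    type: STATIC
    load_assignment:
      cluster_name: backend
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: 10.0.0.10, port_value: 80 }
```

Because use_remote_address is set, the address placed in x-forwarded-for is the one recovered by the Proxy Protocol filter, so the upstream audit record reflects the original client rather than the previous hop.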