Tags: amazon-web-services, amazon-ec2, tomcat7, amazon-elb, x-forwarded-for

Getting Amazon network IPs and not actual client IPs behind ALB (X-Forwarded-For)


Hello Community members,

I am using an ALB (application load balancer) for my e-commerce website. Behind the load balancer there are two EC2 Linux instances which receive the client traffic through the ALB (there is a Tomcat 7 web server on both EC2 instances).

I am using the X-Forwarded-For header to get the actual client IP on my EC2 instances, which is working fine in terms of getting the client IP. 70% of my client IPs are actual client IPs accessing the payment page of my website (I am getting production sales on my e-commerce website).

30% of the IPs are AWS network operations IPs like the ones below; those EC2 network IPs are also accessing the payment page of my website (but I am not getting any production sales from these Amazon network IPs):

https://www.whois.com/whois/54.175.230.41
https://www.whois.com/whois/34.234.97.242
https://www.whois.com/whois/52.91.159.209
https://www.whois.com/whois/34.224.173.149

Please check the 4 example URLs above; they show OrgName: Amazon Technologies Inc. and OrgTechName: Amazon EC2 Network Operations.


So I am confused about why I am getting Amazon network IPs (are these Amazon EC2 network IPs routers between the actual client and the Amazon ALB, or are these IPs the load balancer's IPs instead of client IPs? My Java code to fetch the client IP is given below). Should I block them using AWS WAF on the Amazon ALB or not? If I block them, will I end up losing actual client traffic?

Or why am I not getting the real client IP for 30% of all traffic while I am using the X-Forwarded-For header? My Java code is:

import javax.servlet.http.HttpServletRequest;

public final class ClientIp {

    /**
     * Returns the first non-empty proxy header found, otherwise the TCP peer address.
     * Note: X-Forwarded-For may carry a comma-separated chain ("client, proxy1, ..."),
     * and this method returns the whole header value, not a single address.
     */
    public static String getClientIpAddr(HttpServletRequest request) {
        String ip = request.getHeader("X-Forwarded-For");      // appended to by the ALB
        if (isBlank(ip)) {
            ip = request.getHeader("Proxy-Client-IP");
        }
        if (isBlank(ip)) {
            ip = request.getHeader("WL-Proxy-Client-IP");      // WebLogic proxy plug-in
        }
        if (isBlank(ip)) {
            ip = request.getHeader("HTTP_CLIENT_IP");          // CGI-style names; only
        }
        if (isBlank(ip)) {
            ip = request.getHeader("HTTP_X_FORWARDED_FOR");    // match if sent literally
        }
        if (isBlank(ip)) {
            ip = request.getRemoteAddr();   // behind an ALB this is the ALB's private address
        }
        return ip;
    }

    private static boolean isBlank(String ip) {
        return ip == null || ip.isEmpty() || "unknown".equalsIgnoreCase(ip);
    }
}

I only want to save the real client IP (using the X-Forwarded-For header) of those who are actually accessing my website. Does the X-Forwarded-For header ever provide null values?

Regards, Yugdeep


Solution

  • Those 4 IPs are Amazon-owned IPs. I see two possibilities here:

    1. They aren't your ELB. I believe if they were your ELB you should see an IP from your VPC CIDR block (check what IP shows up for health-check requests as an example). You can check the current IPs of your ELBs under EC2 > Network Interfaces in the console. There you will find the network interfaces for everything, including load balancers. Both their public and private IPs are shown. Verify these IPs don't appear anywhere in that list to confirm they aren't something of your own.
    2. If they are your ELB IPs then your code may be getting the public IP of your ELB health checks; double-check what page your health check is hitting.
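The answer's first check (do the observed addresses fall inside your own VPC CIDR?) and the question's X-Forwarded-For handling, as an added example that is not part of the question or the answer. It is written in Python rather than Java so it runs stand-alone; the VPC CIDR 10.0.0.0/16, the private address 10.0.3.17 and the sample header values are constructed assumptions, while the four public addresses are the ones listed in the question. Besides the VPC check it shows the hardened way to read X-Forwarded-For behind an ALB: walk the chain from the right, skip your own proxies, and take the first untrusted address. The ALB appends the address it actually connected from, while anything to the left of that was supplied by the client and can be spoofed, so returning the raw header (as the posted Java method does) lets a client write whatever "client IP" it likes into your records.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional

# ASSUMPTION: the VPC that hosts the ALB and both Tomcat instances. An ALB talks
# to its targets from private addresses in this range, so these are the only
# peers whose X-Forwarded-For entries we trust.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
TRUSTED_PROXIES = [VPC_CIDR]

# The four public addresses from the question, plus one constructed private one.
OBSERVED_IPS = ["54.175.230.41", "34.234.97.242", "52.91.159.209",
                "34.224.173.149", "10.0.3.17"]


def is_in_vpc(ip: str, vpc_cidr=VPC_CIDR) -> bool:
    """True if `ip` lies in the VPC and so could be one of your own interfaces."""
    return ipaddress.ip_address(ip) in vpc_cidr


def classify_observed(ips: Iterable[str], vpc_cidr=VPC_CIDR) -> Dict[str, str]:
    """Label each address 'vpc' (possibly the ALB itself) or 'external'."""
    return {ip: ("vpc" if is_in_vpc(ip, vpc_cidr) else "external") for ip in ips}


def _is_trusted(addr: str, trusted: List) -> bool:
    try:
        parsed = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(parsed in net for net in trusted)


def naive_client_ip(xff: Optional[str], remote_addr: str) -> str:
    """What the posted Java method effectively does: return the raw header."""
    return xff if xff and xff.lower() != "unknown" else remote_addr


def client_ip(xff: Optional[str], remote_addr: str,
              trusted: Iterable = TRUSTED_PROXIES) -> Optional[str]:
    """Rightmost-untrusted X-Forwarded-For resolution.

    Returns the client address; the TCP peer if the header is absent or the
    request did not arrive through a trusted proxy; or None if the entry in
    the proxy-written position is not a valid IP address.
    """
    trusted = list(trusted)
    # A peer that is not one of our proxies could have written the header itself.
    if not _is_trusted(remote_addr, trusted):
        return remote_addr
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    # The ALB appends the address it connected from; walk right to left.
    for hop in reversed(hops):
        if _is_trusted(hop, trusted):
            continue            # an internal hop (e.g. a second proxy of ours)
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return None         # garbage where the proxy-written address should be
        return hop
    # No header at all (e.g. ALB health checks) or only internal hops:
    # the peer itself is the client.
    return remote_addr


if __name__ == "__main__":
    print(classify_observed(OBSERVED_IPS))
    # Constructed: the client sent its own bogus X-Forwarded-For and the ALB
    # appended the real source address before forwarding to Tomcat from 10.0.1.5.
    spoofed = "1.2.3.4, 203.0.113.9"
    print("naive :", naive_client_ip(spoofed, "10.0.1.5"))   # whole header, spoofable
    print("robust:", client_ip(spoofed, "10.0.1.5"))         # the address the ALB saw
    print("health:", client_ip(None, "10.0.1.5"))            # the ALB node itself
```

In Tomcat the same rightmost-untrusted logic is available without application code: Tomcat's RemoteIpValve, configured with internalProxies set to the VPC CIDR and remoteIpHeader set to X-Forwarded-For, rewrites what getRemoteAddr() returns, so the servlet never needs to parse the header itself.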