AWS EKS Traefik UDP Load Balancer

tothalex · May 30, 2022, 12:11pm

Hi!

I set up an eks in aws, I installed the traefik via helm charts, and I also added the nlb annotation to the UDP load balancer to make it work. There's a service listening to the UDP packets and it does, it's receiving the packet but with the wrong IP.

My question is that how can I configure the traefik UDP load balancer to forward the real IP of the client?

douglasdtm · May 30, 2022, 8:15pm

Hi @tothalex

Can you confirm the address that Traefik is receiving is the real client source address?

Getting the correct IP address as the client source on incoming connections usually involves some configuration before Traefik to work properly, mainly on any load balancer / proxy that might be in front of it.

As an example for Kubernetes cloud providers its often required to set the service.spec.externalTrafficPolicy to Local to avoid being NATed on the load balancer provisioned by the cluster, see Using Source IP | Kubernetes

tothalex · May 31, 2022, 6:40am

@douglasdtm is there a way to check what IP the traefik is receiving? Here is the repo btw GitHub - tothalex/cluster

tothalex · May 31, 2022, 7:33am

I mean is there a way to log out the received messages in the traefik-udp service? I tried turning on the logging on info level but I can see only the HTTP logs but not any udp packet-related log.

tothalex · May 31, 2022, 9:28am

Apparently, I found out that the aws nlb by default using the client ip, so I believe the issue is between traefik and the pod. Target groups for your Network Load Balancers - Elastic Load Balancing

douglasdtm · June 1, 2022, 7:08pm

usually there is access logs to show what is incoming but to be honest I don't remember if the functionality shows anything useful or anything at all for UDP connections.

if you identified that the NLB uses the correct client IP than its probably a matter of letting Traefik know there is another load balancer in front of it and that it should trust it.

On TCP you can rely on enabling the proxy protocol on the entrypoint, reference here
For HTTP there is also the option to just trust X-Forwarded-* headers, reference here

Unfortunately for UDP we still don't support proxy protocol, tracked on this issue, and that might explain why you're just seeing the Traefik IP

tothalex · June 2, 2022, 7:03am

@douglasdtm It's weird I managed to solve it with proxy_protocol.v2, but I'm confused about how the traefik works together with nlb, the load balancing might happen somehow without traefik. We decided to move on without traefik we experienced no difference with/without traefik.

system · June 5, 2022, 7:04am

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Traefik Kubernetes UDP Traefik v2 (latest) kubernetes-crd	5	1435	May 20, 2022
Traefik ECS provider is not forwarding client IP with AWS ALB Traefik v2 (latest) ecs , cli	2	996	March 23, 2022
Traefik access logs get real source IP Traefik v1 kubernetes-ingress	9	10073	March 23, 2022
Intermittent bad gateway 504 from AWS load balancer Traefik v2 (latest) kubernetes-crd	0	690	May 24, 2020
Traefik v1 on EKS v1.18 - Bad request when enabling ProxyProtocol Traefik v1 kubernetes-ingress	0	511	December 30, 2020

AWS EKS Traefik UDP Load Balancer

Related Topics