A company runs an application on Amazon EC2 instances behind an Application Load Balancer (ALB). The ALB terminates SSL/TLS and forwards traffic to the instances over HTTP. The SysOps administrator needs to capture the original client IP address in the instance logs. How should the administrator configure this?
Trap 1: Enable stickiness on the ALB target group.
Stickiness (session affinity) ensures a client's requests are sent to the same target. It does not provide the client IP to the instances.
Trap 2: Configure the ALB to use Proxy Protocol v2.
Proxy Protocol is used with Network Load Balancers to preserve the client IP. ALB uses X-Forwarded-For headers instead.
Trap 3: Enable access logs on the ALB and store them in Amazon S3.
Access logs capture detailed information about requests sent to the ALB, including client IP, but they are stored in S3, not available directly on the EC2 instances. The requirement is to capture the IP in instance logs.
- A. Enable stickiness on the ALB target group.
  Why wrong: Stickiness (session affinity) ensures a client's requests are sent to the same target. It does not provide the client IP to the instances.
- B. Enable the X-Forwarded-For header on the ALB.
  The ALB automatically adds the X-Forwarded-For header containing the original client IP address when terminating TLS. The backend instances can log this header to capture the client IP.
- C. Configure the ALB to use Proxy Protocol v2.
  Why wrong: Proxy Protocol is used with Network Load Balancers to preserve the client IP. ALB uses X-Forwarded-For headers instead.
- D. Enable access logs on the ALB and store them in Amazon S3.
  Why wrong: Access logs capture detailed information about requests sent to the ALB, including client IP, but they are stored in S3, not available directly on the EC2 instances. The requirement is to capture the IP in instance logs.