Using CIDR-Binding Config Parameters Behind a Load Balancer

Vault: v1.9.3 (OSS)
O.S.: CentOS 7
HA = Enabled
storage_type = Consul v1.11.2


I have a three-node Vault cluster–one primary and two standbys–and I’m fronting them with an AWS Application Load Balancer. As far as I can tell, you lose client IP specificity in your audit logs when you do this, because (obviously) you’ll only see requests originating from ALB IPs (assuming you bar all others).

It just dawned on me that most of the rationale for using CIDR-binding parameters–for example, to narrow who can retrieve certain secrets–is clobbered by this kind of deployment. Or am I missing something? Is there a way to work around losing client IPs while preserving the sort of HA functionality that ALB provides behind a shared DNS name?


Switch the ALB to pass-thru for SSL, that’ll make the connection terminate at the node rather than at the LB. That’ll get you the client info in your log.

Otherwise you can add `x_forwarded_for_authorized_addrs` to your listener block and set the value to the list of CIDR(s) that your Vault nodes exist in.
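For reference, here is what the listener-block approach from the reply above looks like as a full Vault TCP listener stanza; this is an added example, not the replier's own configuration, and the subnets and certificate paths are assumed values standing in for the subnets the ALB nodes are placed in.

```hcl
# Added example (not from the original thread): Vault TCP listener that trusts
# X-Forwarded-For only when the TCP peer is the ALB. CIDRs and paths are assumed.
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault.d/tls/vault.crt"   # assumed path
  tls_key_file  = "/etc/vault.d/tls/vault.key"   # assumed path

  # Only honour X-Forwarded-For on connections whose source IP is inside these
  # CIDRs (assumed here to be the subnets the ALB lives in). Any peer outside
  # them could forge the header, so this must never be a broad range.
  x_forwarded_for_authorized_addrs = ["10.0.1.0/24", "10.0.2.0/24"]

  # Fail closed: reject a connection from an authorized proxy address that
  # carries no header, and a connection from an unauthorized address that
  # does carry one, rather than silently falling back to the proxy's own IP.
  x_forwarded_for_reject_not_present    = true
  x_forwarded_for_reject_not_authorized = true

  # Hops to discard from the end of the X-Forwarded-For list; 0 means the last
  # entry, which the ALB appends from the connection it accepted, is the client.
  x_forwarded_for_hop_skips = 0
}
```

With this in place Vault records the forwarded address as the client address, so audit-log entries and CIDR-bound tokens and roles see the real caller rather than the ALB.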