Using CIDR-Binding Config Parameters Behind a Load Balancer

john.pagano · February 18, 2022, 3:37am

Vault: v1.9.3 (OSS)
O.S.: Centos7
HA = Enabled
storage_type = Consul v1.11.2

Hi,

I have a three-node Vault cluster–one primary and two standbys–and I’m fronting them with an AWS Application Load Balancer. As far as I can tell, you lose client IP specificity in your audit logs when you do this, because (obviously) you’ll only see requests originating from ALB IPs (assuming you bar all others).

It just dawned on me that most of the rationale for using CIDR-binding parameters–for example, to narrow who can retrieve certain secrets–is clobbered by this kind of deployment. Or am I missing something? Is there a way to work around losing client IPs while preserving the sort of HA functionality that ALB provides behind a shared DNS name?

Thanks!

aram · February 18, 2022, 8:44am

Switch the ALB to pass-thru for SSL, that’ll make the connection terminate at the node rather than at the LB. That’ll get you the client info in your log.

jeffsanicola · February 18, 2022, 12:56pm

Otherwise you can add
x_forwarded_for_authorized_addrs to your listener block and set the value to the list of CIDR(s) that your Vault nodes exist in.

Topic		Replies	Views
Secret_id_bound_cidr is not working if the vault is behind Load balancer Vault	0	286	May 28, 2021
Vault UI setup and balancing Vault	3	1678	July 25, 2019
Can I use the IP's in the X-Forwarded-for header to match IP's listed in 'token_bound_cidrs' Vault	3	2523	November 1, 2022
Vault in front of AWS Load Balancer Vault	9	4956	June 8, 2023
Vault Cluster with ELB - Failing health checks, not relaying to nodes Vault	5	1056	March 8, 2021

Using CIDR-Binding Config Parameters Behind a Load Balancer

Related topics