You are a software engineer. You are developing an online food order web application. The Node.js backend needs to get the client’s IP to understand users’ locations.The application is deployed in AWS EC2 with a network load balancer to distribute traffic. For the network load balancer, the target is specified using instance id. TLS is also terminated on the Network Load Balancer. You are worried that the backend cannot get the client’s IP due to the network load balancer. Which below description is correct in this situation?

Answer options:

A.Enable proxy protocol using AWS CLI for the network load balancer so that you can get the client IP in the backend service.
B.You just need to get the client IP from the TCP X-Forwarded-For header, which is used to identify the user`s originating IP address connecting to the webserver.
C.Source IP continues to be preserved to your back-end applications when TLS is terminated on the Network Load Balancer in this case.
D.Change listener protocol to TCP or change the load balancer to the application or classic load balancer. Otherwise, the client IP cannot be preserved.

Correct Answer – C
 
Network Load Balancer supports TLS termination between the clients and the load balancer.
You can configure a target group so that you register targets by instance ID or IP address. If you specify targets using an instance ID, the clients` source IP addresses are preserved and provided to your applications. If you specify targets by IP address, the source IP addresses are the private IP addresses of the load balancer nodes.
Therefore, in this case, the source IP is preserved since the targets are specified by instance ID.References are in https://aws.amazon.com/elasticloadbalancing/features/#compare and https://docs.amazonaws.cn/en_us/elasticloadbalancing/latest/network/elb-ng.pdf.
Option A is incorrect because the proxy protocol is not required in this case since the source IP is preserved.
Option B is incorrect because X-Forwarded-For is an HTTP header instead of a TCP header. Also, it is not needed in this scenario.
Option C is CORRECT because since the source IP is preserved, nothing else needs to be done.
Option D is incorrect because changing the protocol to TCP will have a security issue. Again it is not required.