AWS Serverless

AWS Network Load Balancers with Header Modification Techniques

AWS Network Load Balancers (NLBs) are a powerful tool for distributing incoming application traffic across multiple targets, such as Amazon EC2 instances, in a single or multiple Availability Zones. They provide high throughput, low latency, and are designed to handle millions of requests per second while maintaining ultra-low latencies. However, one limitation of NLBs is the inability to modify HTTP headers directly. This article explores various techniques to work around this limitation, providing full examples to help you implement these solutions in your own AWS environment.

Introduction to AWS Network Load Balancers

AWS Network Load Balancers operate at the connection level (Layer 4), routing connections to targets based on IP protocol data. NLBs are ideal for applications that require extreme performance and low latency, making them suitable for real-time applications like gaming, financial transactions, or video streaming.

Key Features of NLBs:
  1. Static IP: Each NLB is assigned one static IP per Availability Zone (AZ) it operates in.
  2. Elastic IP: You can associate one or more Elastic IP addresses with your NLB.
  3. TLS Termination: NLBs can offload TLS termination to minimize CPU load on your application servers.
  4. Cross-Zone Load Balancing: Distributes traffic evenly across all targets in all enabled AZs.
  5. Target Health Monitoring: Automatically checks the health of targets and routes traffic only to healthy targets.

Header Modification Needs

Modifying HTTP headers is often essential for a variety of use cases, such as:

  • Adding security headers (e.g., Content-Security-Policy).
  • Injecting custom headers for logging or tracking.
  • Modifying User-Agent headers for backend processing.
  • Implementing security policies based on headers.

Given the Layer 4 operation of NLBs, direct header modification is not feasible. However, we can achieve this using AWS Lambda, Amazon API Gateway, and Application Load Balancers (ALBs).

Solution 1: Using AWS Lambda and Amazon API Gateway

Step 1: Create an AWS Lambda Function

First, create a Lambda function that will modify the headers of incoming requests.

  1. Go to the AWS Lambda console.
  2. Create a new Lambda function:
    • Choose “Author from scratch”.
    • Enter a function name (e.g., ModifyHeadersFunction).
    • Choose a runtime (e.g., Python 3.8).
    • Create an execution role with basic Lambda permissions.
  3. Write the Lambda function code:

def lambda_handler(event, context):
    # Log the incoming event
    print("Received event: " + json.dumps(event, indent=2))

    # Modify the headers
    event['headers']['X-Custom-Header'] = 'CustomHeaderValue'

    return {
        'statusCode': 200,
        'headers': {
            'Content-Type': 'application/json'
        },
        'body': json.dumps({
            'message': 'Header modified successfully',
            'input': event
        })
    }
  1. Deploy the function.
Step 2: Create an Amazon API Gateway

Next, create an API Gateway that will route requests to the Lambda function.

  1. Go to the Amazon API Gateway console.
  2. Create a new API:
    • Choose “HTTP API”.
    • Set up a new API.
  3. Integrate the API with the Lambda function:
    • Add an integration by selecting the Lambda function created earlier.
    • Configure routes and methods (e.g., POST /modify).
  4. Deploy the API and note the endpoint URL.
Step 3: Point the NLB to the API Gateway

Finally, set the API Gateway URL as the target for your NLB.

  1. Go to the EC2 console.
  2. Navigate to Load Balancers and select your NLB.
  3. Configure a target group to point to the API Gateway endpoint.

This setup routes all traffic through the API Gateway, where the Lambda function modifies the headers before forwarding the requests to your backend services.

Solution 2: Using AWS WAF

AWS WAF can be used to inspect and modify requests before they reach your backend services, although this method is more about filtering rather than directly modifying headers.

  1. Create a Web ACL in AWS WAF.
  2. Define rules to inspect headers and take actions (e.g., block, allow, or count requests).
  3. Associate the Web ACL with your NLB.
Example Rule:
IF request.headers['User-Agent'] matches 'bad-bot'
THEN block request

This setup helps in filtering out malicious requests or modifying requests based on certain conditions.

Solution 3: Using Application Load Balancer (ALB)

If you require extensive header modification capabilities, switching to an ALB might be the best solution. ALBs operate at the request level (Layer 7) and support native header modification.

Step 1: Create an Application Load Balancer
  1. Go to the EC2 console.
  2. Create an Application Load Balancer:
    • Choose “Application Load Balancer”.
    • Configure listeners and target groups as needed.
Step 2: Set Up Listener Rules
  1. Add a listener for your ALB.
  2. Add rules to modify headers.

Example Rule to Add a Header:

IF path is /add-header
THEN modify header X-Header-Name to Header-Value
  1. Save the configuration and test by sending requests to the ALB.
Full Example of ALB with Header Modification

Let’s walk through a complete example of setting up an ALB to modify headers.

  1. Create the ALB:
    • Go to the EC2 console.
    • Create a new ALB named HeaderModificationALB.
    • Configure the listener on port 80.
    • Create a target group named HeaderModificationTG and add your backend instances.
  2. Add Listener Rules:
    • Select the ALB and navigate to the Listeners tab.
    • Click on the listener (e.g., HTTP:80) and select “View/edit rules”.
    • Add a rule:
      • IF Path is /modify-header
      • THEN Insert Header X-Custom-Header with value CustomValue
  3. Test the Configuration:
    • Send a request to the ALB: http://HeaderModificationALB-xxxxxxxxxx.region.elb.amazonaws.com/modify-header
    • Verify that the response contains the modified header X-Custom-Header: CustomValue.

Summary

While AWS Network Load Balancers provide robust performance and scalability, their Layer 4 nature limits direct header modification. However, by leveraging AWS Lambda with Amazon API Gateway, AWS WAF, or switching to an Application Load Balancer, you can achieve the desired header modification functionality.

Each solution has its own strengths and is suitable for different use cases:

  • AWS Lambda and API Gateway: Best for specific and complex header manipulations.
  • AWS WAF: Ideal for security-focused applications needing inspection and filtering.
  • Application Load Balancer: Provides native header modification and is best for HTTP/HTTPS applications requiring extensive header operations.

By understanding these techniques and their implementations, you can effectively manage and modify HTTP headers in your AWS environment, ensuring that your applications remain secure, efficient, and highly available.

If you have any questions or need further assistance with implementing these solutions, feel free to reach me! Happy building on AWS!