AWS Network Load Balancers (NLBs) are a powerful tool for distributing incoming application traffic across multiple targets, such as Amazon EC2 instances, in one or more Availability Zones. They provide high throughput and are designed to handle millions of requests per second while maintaining ultra-low latencies. However, one limitation of NLBs is that they cannot modify HTTP headers directly. This article explores various techniques to work around this limitation, providing full examples to help you implement these solutions in your own AWS environment.
Introduction to AWS Network Load Balancers
AWS Network Load Balancers operate at the connection level (Layer 4), routing connections to targets based on IP protocol data. NLBs are ideal for applications that require extreme performance and low latency, making them suitable for real-time applications like gaming, financial transactions, or video streaming.
Key Features of NLBs:
- Static IP: Each NLB is assigned one static IP per Availability Zone (AZ) it operates in.
- Elastic IP: You can associate one or more Elastic IP addresses with your NLB.
- TLS Termination: NLBs can offload TLS termination to minimize CPU load on your application servers.
- Cross-Zone Load Balancing: Distributes traffic evenly across all targets in all enabled AZs.
- Target Health Monitoring: Automatically checks the health of targets and routes traffic only to healthy targets.
Header Modification Needs
Modifying HTTP headers is often essential for a variety of use cases, such as:
- Adding security headers (e.g., Content-Security-Policy).
- Injecting custom headers for logging or tracking.
- Modifying User-Agent headers for backend processing.
- Implementing security policies based on headers.
Given the Layer 4 operation of NLBs, direct header modification is not feasible. However, we can achieve this using AWS Lambda, Amazon API Gateway, and Application Load Balancers (ALBs).
Solution 1: Using AWS Lambda and Amazon API Gateway
Step 1: Create an AWS Lambda Function
First, create a Lambda function that will modify the headers of incoming requests.
- Go to the AWS Lambda console.
- Create a new Lambda function:
  - Choose “Author from scratch”.
  - Enter a function name (e.g., ModifyHeadersFunction).
  - Choose a runtime (e.g., Python 3.8).
  - Create an execution role with basic Lambda permissions.
- Write the Lambda function code:
import json

def lambda_handler(event, context):
    # Log the incoming event
    print("Received event: " + json.dumps(event, indent=2))
    # Modify the headers (create the dict if the event carries none)
    event.setdefault('headers', {})['X-Custom-Header'] = 'CustomHeaderValue'
    # Return a JSON response that echoes the modified event
    return {
        'statusCode': 200,
        'headers': {
            'Content-Type': 'application/json'
        },
        'body': json.dumps({
            'message': 'Header modified successfully',
            'input': event
        })
    }
- Deploy the function.
Step 2: Create an Amazon API Gateway
Next, create an API Gateway that will route requests to the Lambda function.
- Go to the Amazon API Gateway console.
- Create a new API:
  - Choose “HTTP API”.
  - Set up a new API.
- Integrate the API with the Lambda function:
  - Add an integration by selecting the Lambda function created earlier.
  - Configure routes and methods (e.g., POST /modify).
- Deploy the API and note the endpoint URL.
Step 3: Point the NLB to the API Gateway
Finally, set the API Gateway URL as the target for your NLB.
- Go to the EC2 console.
- Navigate to Load Balancers and select your NLB.
- Configure a target group to point to the API Gateway endpoint.
This setup routes all traffic through the API Gateway, where the Lambda function modifies the headers before forwarding the requests to your backend services.
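A variant of the handler from Step 1, added here as an example and not part of the original article: it discards any client-supplied copy of the injected header regardless of casing, masks credential headers before logging, and sets the security response headers mentioned under "Header Modification Needs". The redaction list and the header values are assumptions chosen for illustration.

```python
import json

# Assumptions for this sketch (not from the article): the redaction list and
# the security header values below are illustrative defaults.
INJECTED_HEADER = "x-custom-header"
REDACT_IN_LOGS = {"authorization", "cookie", "x-api-key"}
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}


def rewrite_headers(headers, value):
    """Lower-case header names, drop any client-sent copy of the injected
    header (whatever its casing), then set the server-side value."""
    clean = {}
    for name, val in (headers or {}).items():
        key = name.lower()
        if key != INJECTED_HEADER:
            clean[key] = val
    clean[INJECTED_HEADER] = value
    return clean


def redact_for_log(headers):
    """Copy of the headers that is safe to print: credentials are masked."""
    return {k: "[REDACTED]" if k in REDACT_IN_LOGS else v
            for k, v in headers.items()}


def lambda_handler(event, context):
    headers = rewrite_headers(event.get("headers"), "CustomHeaderValue")
    print("Request headers: " + json.dumps(redact_for_log(headers)))
    return {
        "statusCode": 200,
        "headers": {"Content-Type": "application/json", **SECURITY_HEADERS},
        "body": json.dumps({"message": "Header modified successfully",
                            "headers": redact_for_log(headers)}),
    }


# Constructed sample event: the client tries to pre-set the injected header.
SAMPLE_EVENT = {"headers": {"User-Agent": "curl/8.0",
                            "X-CUSTOM-HEADER": "spoofed",
                            "Authorization": "Bearer constructed-token"}}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT, None), indent=2))
```

Echoing only the redacted headers, rather than the whole event as in Step 1, keeps bearer tokens and cookies out of both CloudWatch Logs and the response body.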
Solution 2: Using AWS WAF
AWS WAF can be used to inspect and modify requests before they reach your backend services, although this method is more about filtering than directly modifying headers.
- Create a Web ACL in AWS WAF.
- Define rules to inspect headers and take actions (e.g., block, allow, or count requests).
- Associate the Web ACL with your NLB.
Example Rule:
IF request.headers['User-Agent'] matches 'bad-bot'
THEN block request
This setup helps in filtering out malicious requests or modifying requests based on certain conditions.
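The example rule above, written out in the dictionary shape that boto3's `wafv2` client accepts in a web ACL's `Rules` list, together with a small local evaluator for checking the rule's intent against constructed requests. This is an added example, not code from the original article; the rule and metric names are hypothetical, the evaluator only approximates this one statement and is not the WAF engine, and it assumes the web ACL is associated with a resource type that AWS WAF supports, such as an Application Load Balancer.

```python
def bad_bot_rule(needle="bad-bot", priority=0):
    """Build a WAFv2 rule that blocks requests whose User-Agent contains
    `needle`. Name and MetricName are hypothetical."""
    return {
        "Name": "block-bad-bot",
        "Priority": priority,
        "Statement": {"ByteMatchStatement": {
            "SearchString": needle.encode(),
            "FieldToMatch": {"SingleHeader": {"Name": "user-agent"}},
            # Lower-case the header first so "Bad-Bot" and "BAD-BOT" match too.
            "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
            "PositionalConstraint": "CONTAINS",
        }},
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": "block-bad-bot",
        },
    }


def evaluate(rule, headers):
    """Local approximation of this single statement, for offline checks.
    Returns "BLOCK" on a match, otherwise "ALLOW" (standing in for the
    web ACL's default action)."""
    stmt = rule["Statement"]["ByteMatchStatement"]
    wanted = stmt["FieldToMatch"]["SingleHeader"]["Name"]
    value = next((v for k, v in headers.items() if k.lower() == wanted), "")
    for transform in stmt["TextTransformations"]:
        if transform["Type"] == "LOWERCASE":
            value = value.lower()
    matched = stmt["SearchString"].decode() in value
    return "BLOCK" if matched else "ALLOW"


# Constructed sample requests (header dictionaries only).
SAMPLES = [
    {"User-Agent": "Bad-Bot/2.1 (+http://example.invalid)"},
    {"user-agent": "Mozilla/5.0 (X11; Linux x86_64)"},
    {},  # no User-Agent header at all
]

if __name__ == "__main__":
    rule = bad_bot_rule()
    for sample in SAMPLES:
        print(evaluate(rule, sample), sample)
```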
Summary
While AWS Network Load Balancers provide robust performance and scalability, their Layer 4 nature limits direct header modification. However, by leveraging AWS Lambda with Amazon API Gateway or AWS WAF, you can achieve the desired header modification functionality.
Each solution has its own strengths and is suitable for different use cases:
- AWS Lambda and API Gateway: Best for specific and complex header manipulations.
- AWS WAF: Ideal for security-focused applications needing inspection and filtering.
By understanding these techniques and their implementations, you can effectively manage and modify HTTP headers in your AWS environment, ensuring that your applications remain secure, efficient, and highly available.
If you have any questions or need further assistance with implementing these solutions, feel free to reach out to me! Happy building on AWS!