How to configure Source NAT and X-Forwarded-For

This section describes how to configure Source NAT and X-Forwarded-For.

If the protocol of the listener is HTTP/HTTPS, X-Forwarded-For is automatically added when the Source NAT function is enabled.

Note

This function requires API operation. If you are using the API for the first time, refer to "Start using the Smart Data Platform API" and "Confirming various information and updating the API key" before proceeding with this procedure.


Preparations for operating the Source NAT function


API execution permission control by API availability setting and IAM role setting

To use the API, API usage must be enabled for the user in the API availability setting. If API usage is not set, check here and set it in advance.

In addition, the APIs that the user is allowed to execute must be set using an IAM role. The setting procedure is as follows. For details, please refer to here.

  • First, create an IAM group following this procedure.

  • Then create an IAM role with this procedure.

  • Finally, link the IAM group, IAM role, and user with this procedure. The API execution permission settings are then complete.


(reference)

If you set the following JSON in the IAM role, permission to execute all GUI operations and API operations from the set IP address is granted. (In place of the IP address "0.0.0.0/32", specify the public IP address used by the actual client device.)

This is not a recommended setting. If you want to set detailed permissions, please refer to Example of API Authorization Settings.

{
  "basePath" : "*",
  "ipAddress" : "0.0.0.0/32",
  "path" : "*",
  "verb" : "*"
}

Get Authentication Token from Keystone

Acquire the authentication token required for API operations.

The following information is required to obtain an authentication token.

  • Customer-specific API key, API secret key

    • Please click here to see how to confirm.

  • ID of the tenant that uses the Managed Load Balancer to be operated through the API

    • Please click here to see how to confirm.

  • Region in which the Managed Load Balancer to be operated through the API is used


Make a request using the curl command as shown below. (Replace each {} placeholder with the API key, API secret key, tenant ID, and region obtained above.)

  • {APIkey} : Customer-specific API key

  • {APIsecret} : Customer-specific API secret key

  • {TenantId} : ID of the tenant that uses the Managed Load Balancer to be operated through the API

  • {Region} : Region in which the Managed Load Balancer to be operated through the API is used

$ curl -i \
     -H "Content-Type: application/json" \
     -d '
     {
        "auth": {
            "identity": {
                "methods": [
                    "password"
                ],
                "password": {
                    "user": {
                        "domain": {
                            "id": "default"
                        },
                        "name": "{APIkey}",
                        "password": "{APIsecret}"
                    }
                }
            },
            "scope": {
                "project": {
                    "id": "{TenantId}"
                }
            }
        }
     }' https://keystone-{Region}-ecl.api.ntt.com/v3/auth/tokens

Below is a sample request for obtaining an authentication token.

$ curl -i \
     -H "Content-Type: application/json" \
     -d '
     {
        "auth": {
            "identity": {
                "methods": [
                    "password"
                ],
                "password": {
                    "user": {
                        "domain": {
                            "id": "default"
                        },
                        "name": "DJ0lAxtptGTV9HZbiPPOe1nj9icP0CGV",
                        "password": "A990fiJklk12H35K"
                    }
                }
            },
            "scope": {
                "project": {
                    "id": "6c0bdafab1914ab2b2b6c415477defc7"
                }
            }
        }
     }' https://keystone-jp1-ecl.api.ntt.com/v3/auth/tokens

A successful request will return a response similar to the one below.

HTTP/1.1 201 OK
Date: Mon, 22 Aug 2022 06:49:22 GMT
Content-Type: application/json
Content-Length: 324
Connection: keep-alive
X-Subject-Token: dc03494823a841338430052e9ee95e07
Vary: X-Auth-Token
X-Distribution: Ubuntu
Set-Cookie: TS0183560f=01059ca7b10af7d1eaff84d7b1231b09a7d50550648db89c3aaae5f866871fd0ce11e0895b; Path=/

The value of the X-Subject-Token header is the authentication token ("dc03494823a841338430052e9ee95e07" in the example above).


Check the configuration status of policy settings that use the Source NAT function

Check the config status of the policy using "Display the details of policy".

If the config status is "CREATE_STAGED" or "UPDATE_STAGED", go to "When the configuration status is "CREATE_STAGED" or "UPDATE_STAGED"".

If the config status is "ACTIVE", go to "When the config status is "ACTIVE"".


How to operate the Source NAT function


When the configuration status is "CREATE_STAGED" or "UPDATE_STAGED"


Checking the setting status of the Source NAT function

Make a request using the curl command as shown below. (Enter the following information in the places described in {}.)

$ curl -sS \
   -H "Content-Type: application/json" \
   -H "X-Auth-Token: {TOKEN}" \
   -X GET \
   https://managed-load-balancer-{Region}-ecl.api.ntt.com/v1.0/policies/{policy_id}/staged

A successful request will return a response similar to the one below.

{
   "policy": {
       "algorithm": "round-robin",
       "persistence": "none",
       "sorry_page_url": null,
       "source_nat": "disable",
       "certificate_id": null,
       "health_monitor_id": "e3e92d44-0c92-4017-9b2e-85f34e6e0545",
       "listener_id": "c78d0a09-3a95-4a5b-94bd-1cd49cf3ef00",
       "default_target_group_id": "732767f6-e840-4345-b23a-c2dfaeb27ae3",
       "tls_policy_id": null
   }
}

If "source_nat" is "disable", the Source NAT function is disabled.


How to set the Source NAT function

Make a request using the curl command as shown below. (Enter the following information in the places described in {}.)

$ curl -sS \
   -H "Content-Type: application/json" \
   -H "X-Auth-Token: {TOKEN}" \
   -X PATCH \
   -d '
   {
    "policy": {
      "source_nat": "enable"
    }
   }' \
   https://managed-load-balancer-{Region}-ecl.api.ntt.com/v1.0/policies/{policy_id}/staged

A successful request will return a response similar to the one below.

{
   "policy": {
       "algorithm": "round-robin",
       "persistence": "none",
       "sorry_page_url": null,
       "source_nat": "enable",
       "certificate_id": null,
       "health_monitor_id": "e3e92d44-0c92-4017-9b2e-85f34e6e0545",
       "listener_id": "c78d0a09-3a95-4a5b-94bd-1cd49cf3ef00",
       "default_target_group_id": "732767f6-e840-4345-b23a-c2dfaeb27ae3",
       "tls_policy_id": null
   }
}

If "source_nat" is "enable", the Source NAT function is enabled.


How to remove the Source NAT function

Make a request using the curl command as shown below. (Enter the following information in the places described in {}.)

$ curl -sS \
   -H "Content-Type: application/json" \
   -H "X-Auth-Token: {TOKEN}" \
   -X PATCH \
   -d '
   {
    "policy": {
      "source_nat": "disable"
    }
   }' \
   https://managed-load-balancer-{Region}-ecl.api.ntt.com/v1.0/policies/{policy_id}/staged

A successful request will return a response similar to the one below.

{
   "policy": {
       "algorithm": "round-robin",
       "persistence": "none",
       "sorry_page_url": null,
       "source_nat": "disable",
       "certificate_id": null,
       "health_monitor_id": "e3e92d44-0c92-4017-9b2e-85f34e6e0545",
       "listener_id": "c78d0a09-3a95-4a5b-94bd-1cd49cf3ef00",
       "default_target_group_id": "732767f6-e840-4345-b23a-c2dfaeb27ae3",
       "tls_policy_id": null
   }
}

If "source_nat" is "disable", the Source NAT function is disabled.


When the config status is "ACTIVE"


Checking the setting status of the Source NAT function

Make a request using the curl command as shown below. (Enter the following information in the places described in {}.)

$ curl -sS \
   -H "Content-Type: application/json" \
   -H "X-Auth-Token: {TOKEN}" \
   -X GET \
   https://managed-load-balancer-{Region}-ecl.api.ntt.com/v1.0/policies/{policy_id}

A successful request will return a response similar to the one below.

{
   "policy": {
       "algorithm": "round-robin",
       "persistence": "none",
       "sorry_page_url": null,
       "source_nat": "disable",
       "certificate_id": null,
       "health_monitor_id": "e3e92d44-0c92-4017-9b2e-85f34e6e0545",
       "listener_id": "c78d0a09-3a95-4a5b-94bd-1cd49cf3ef00",
       "default_target_group_id": "732767f6-e840-4345-b23a-c2dfaeb27ae3",
       "tls_policy_id": null
   }
}

If "source_nat" is "disable", the Source NAT function is disabled.


How to set the Source NAT function

Make a request using the curl command as shown below. (Enter the following information in the places described in {}.)

$ curl -sS \
   -H "Content-Type: application/json" \
   -H "X-Auth-Token: {TOKEN}" \
   -X POST \
   -d '
   {
    "policy": {
      "source_nat": "enable"
    }
   }' \
   https://managed-load-balancer-{Region}-ecl.api.ntt.com/v1.0/policies/{policy_id}/staged

A successful request will return a response similar to the one below.

{
   "policy": {
       "algorithm": "round-robin",
       "persistence": "none",
       "sorry_page_url": null,
       "source_nat": "enable",
       "certificate_id": null,
       "health_monitor_id": "e3e92d44-0c92-4017-9b2e-85f34e6e0545",
       "listener_id": "c78d0a09-3a95-4a5b-94bd-1cd49cf3ef00",
       "default_target_group_id": "732767f6-e840-4345-b23a-c2dfaeb27ae3",
       "tls_policy_id": null
   }
}

If "source_nat" is "enable", the Source NAT function is enabled.


How to remove the Source NAT function

Make a request using the curl command as shown below. (Enter the following information in the places described in {}.)

$ curl -sS \
   -H "Content-Type: application/json" \
   -H "X-Auth-Token: {TOKEN}" \
   -X POST \
   -d '
   {
    "policy": {
      "source_nat": "disable"
    }
   }' \
   https://managed-load-balancer-{Region}-ecl.api.ntt.com/v1.0/policies/{policy_id}/staged

A successful request will return a response similar to the one below.

{
   "policy": {
       "algorithm": "round-robin",
       "persistence": "none",
       "sorry_page_url": null,
       "source_nat": "disable",
       "certificate_id": null,
       "health_monitor_id": "e3e92d44-0c92-4017-9b2e-85f34e6e0545",
       "listener_id": "c78d0a09-3a95-4a5b-94bd-1cd49cf3ef00",
       "default_target_group_id": "732767f6-e840-4345-b23a-c2dfaeb27ae3",
       "tls_policy_id": null
   }
}

If "source_nat" is "disable", the Source NAT function is disabled.
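
The branching described above (PATCH to .../staged while the config status is "CREATE_STAGED" or "UPDATE_STAGED", POST to .../staged when it is "ACTIVE") and the token extraction, collected into shell helpers as an added example that is not part of the original documentation. The function names and the TOKEN environment variable are assumptions, the sample headers are constructed from the response shown on this page, and sending the token with -H @- (curl 7.55.0 or later) keeps it out of the process list.

```shell
#!/bin/sh
# Added example; helper names and the TOKEN variable are hypothetical.
# Constructed sample: headers taken from the sample response on this page.
SAMPLE_HEADERS=$(printf 'HTTP/1.1 201 OK\r\nX-Subject-Token: dc03494823a841338430052e9ee95e07\r\nVary: X-Auth-Token\r\n')

# Print the X-Subject-Token value from raw response headers read on stdin.
extract_token() {
    tr -d '\r' | awk 'tolower($1) == "x-subject-token:" { print $2; exit }'
}

# Map a policy config status to the HTTP method used on .../staged.
staged_method() {
    case "$1" in
        CREATE_STAGED|UPDATE_STAGED) echo PATCH ;;
        ACTIVE)                      echo POST ;;
        *) echo "unexpected config status: $1" >&2; return 1 ;;
    esac
}

# URL whose GET response shows the current source_nat value.
# Arguments: region, policy_id, config status.
check_url() {
    base="https://managed-load-balancer-$1-ecl.api.ntt.com/v1.0/policies/$2"
    case "$3" in
        CREATE_STAGED|UPDATE_STAGED) echo "$base/staged" ;;
        ACTIVE)                      echo "$base" ;;
        *) return 1 ;;
    esac
}

# Request body; anything other than enable/disable is rejected.
source_nat_body() {
    case "$1" in
        enable|disable) printf '{"policy":{"source_nat":"%s"}}' "$1" ;;
        *) return 1 ;;
    esac
}

# Arguments: region, policy_id, config status, enable|disable.
# The token is read from $TOKEN and sent via stdin (-H @-), not argv.
set_source_nat() {
    method=$(staged_method "$3") || return 1
    body=$(source_nat_body "$4") || return 1
    printf 'X-Auth-Token: %s\n' "$TOKEN" |
        curl -sS -X "$method" -H "Content-Type: application/json" -H @- \
             -d "$body" \
             "https://managed-load-balancer-$1-ecl.api.ntt.com/v1.0/policies/$2/staged"
}
```

After a change, a GET on the URL printed by check_url should show the "source_nat" value that was requested.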