Skip to main content
NetApp Knowledge Base

How to configure StorageGRID to work with third-party Layer 7 load balancers

Last Updated:

Applies to

  • StorageGRID Appliances
  • StorageGRID 11.4


  • This article applies to StorageGRID 11.4.0 or later if you are using one or more external Layer 7 load balancers, such as NGINX or HAProxy, and an S3 bucket or group policy that is IP based.

Note: Using only IP address restrictions is not recommended for StorageGRID production use. When using an IP-based bucket or group policy, you should also use S3 Access Key controls instead of anonymous access.

  • In an S3 bucket or group policy, the policy condition key aws:SourceIp and the policy variable ${aws:SourceIp} are compared to the IP address of the sender of the S3 request.
  • If an external (third party) Layer 7 load balancer is used to route requests to the Storage Nodes, StorageGRID needs to determine the real sender’s IP address. It does this by looking at the X-Forwarded-For (XFF) header, which is inserted into the request by the load balancer.
  • As the X-Forwarded-For header can be easily spoofed in requests sent directly to the Storage Nodes, StorageGRID needs to ensure that each request is being routed by a trusted Layer 7 load balancer. If StorageGRID cannot trust the source of the request, it will ignore the X-Forwarded-For header.
  • In StorageGRID 11.4, a new Grid Management API has been added to allow a list of trusted external Layer 7 load balancers to be configured. This new API is private and is subject to change in future StorageGRID releases.



Scan to view the article on your device