TCP Proxy Protocol v2 with Azure Private Link Service — Deep Dive

Arsen Vladimirskiy
2 min readMar 11, 2022

In this video, we deep dive into TCP Proxy Protocol v2 — an advanced feature of the Azure Private Link Service.

We experiment with enabling Proxy Protocol v2 in Azure Private Link Service and configuring NGINX service to read the source private IP address of the original client (vs the NAT IP) accessing the service via the private endpoint.

We also use tcpdump to capture the raw network packets and manually decode the packet payload to see the contents of the Proxy Protocol header packet.

Prior to watching this deep dive video, I recommend reviewing Azure Private Link Service explanation and demos from provider (SaaS ISV) and consumer perspectives where we look at deploying the provider and consumer Azure resources used in this walkthrough.

Video Walkthrough

Tip: Play the video full screen or on YouTube.

Video Chapters

00:00 Introduction
03:15 Looking at original NGINX config
05:55 Enable TCP Proxy v2 in Private Link Service
07:40 Enable NGINX proxy_protocol
11:45 Testing from Consumer
12:15 Capture tcpdump and decode Proxy Protocol packet
19:03 Looking at LINKID and matching to linkIdentifier

Next steps

After watching the deep dive video above, I recommend reviewing Using NGINX Plus to decode Proxy Protocol TLV linkIdentifier from Azure Private Link Service.

Thank you!

Please leave feedback and questions below, on the YouTube video, or on Twitter



Arsen Vladimirskiy

Principal Engineer / Architect, FastTrack for Azure at Microsoft