Using NGINX Plus to decode Proxy Protocol TLV linkIdentifier from Azure Private Link Service

Arsen Vladimirskiy
2 min readApr 6, 2022

In this video, we look at how to use NGINX Plus to get the TCP Proxy Protocol v2 TLV from the Azure Private Link Service and extract and decode the numeric linkIdentifier (aka LINKID) of the private endpoint connection.

Update March 2023: There is now better integration with cloud specific headers directly in the NGINX Plus which may no longer required NJS code described in this article. Please see the documentation for ngx_http_proxy_protocol_vendor_module.

We use NGINX Plus features such as $proxy_protocol_tlv_0x__ and the NGINX JavaScript module.

Prior to watching this deep dive video, I recommend to review Azure Private Link Service explanation and demos from provider (SaaS ISV) and consumer perspectives and TCP Proxy Protocol v2 with Azure Private Link Service — Deep Dive.

Video Walkthrough

Tip: Play the video full screen or on YouTube.

Video Chapters

00:00 Introduction
03:05 NGINX Plus
07:15 $proxy_protocol_tlv_0xEE
09:25 NGINX JavaScript
13:15 Decoding TLV
18:20 Seeing the linkIdentifier


Code snippets for NGINX Plus

azure_privatelink.js and nginx.conf in /etc/nginx directory

Thank you!

Please leave feedback and questions below, on the YouTube video, or on Twitter



Arsen Vladimirskiy

Principal Engineer / Architect, FastTrack for Azure at Microsoft