This mode is sometimes called reverse-proxy.

The load-balancer sits in the middle of all transactions between the user and the server.
It maintains two separate TCP connections:

  • One with the user: the load-balancer acts as a server. It takes requests and forwards responses
  • One with the server: the load-balancer acts as a user: it forwards requests and gets responses

This mode is the least intrusive in an architecture: nothing needs to change on any server or router.

TCP connection overview

The diagram clearly shows the two TCP connections maintained by the load-balancer.

Data flow

As a consequence of the proxy mode, the server sees a connection coming from the load-balancer's IP address, and it can only learn the client IP address at the application level,
e.g. from the HTTP X-Forwarded-For header.
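Because the backend only sees the load-balancer's address, it has to recover the client address from X-Forwarded-For, and that header can be set by anyone who reaches the backend or prefixes values before the load-balancer appends its own. The following added example (not code from the original page) shows a backend-side helper that trusts only the load-balancer's own address, assumed here to be 10.0.0.5 (a constructed value), next to the naive "first entry" version that can be spoofed.

```python
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed example value: the address(es) the load-balancer connects from,
# as seen by the backend. Replace with the real proxy addresses.
TRUSTED_PROXIES = [ip_network("10.0.0.5/32")]


def _is_trusted(addr: str) -> bool:
    """True if addr parses as an IP and belongs to a trusted proxy network."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def naive_client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Common but unsafe pattern: believe the leftmost X-Forwarded-For entry."""
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Return the client address for a request that arrived through the proxy.

    remote_addr is the TCP peer (the load-balancer in proxy mode); xff is the
    X-Forwarded-For header value, if any. The header is walked from the right:
    trailing hops that are trusted proxies are discarded and the first untrusted
    address is the client, because the load-balancer appends the address it
    actually saw and anything further left was supplied by the sender.
    """
    # A connection that did not come from the load-balancer bypassed it:
    # its header carries no information we can trust.
    if not _is_trusted(remote_addr):
        return remote_addr
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    while hops and _is_trusted(hops[-1]):
        hops.pop()
    if not hops:
        return remote_addr  # no header, or only proxies listed: fall back to the peer
    candidate = hops[-1]
    try:
        ip_address(candidate)
    except ValueError:
        return remote_addr  # malformed entry: do not propagate it into logs or ACLs
    return candidate
```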

Pros and cons

Pros

  • not intrusive
  • more secure: servers aren't reached directly
  • allows protocol inspection and validation
  • can load-balance services even if both client and server are in the same subnet

Cons

  • backend servers only see one IP address: the one from the LB
  • "slower" than layer 4 load-balancing (we are speaking about microseconds)

When to use this mode?

  • when you need application layer intelligence (content switching, etc.)
  • in order to protect an application
  • when the application does not care about the user IP (or can use the X-Forwarded-For header)