IPV6 Networking with AWS VPC

Crishantha Nanayakkara
7 min read · Jun 5, 2020

What you can actually do with it

AWS IPV6 Support

On AWS, IPv6 is optional and not enabled by default. Support is available, but it is not yet complete and comes with limitations.

Limitations

  1. DNS names are not allocated to IPv6 addresses.
  2. IPv6 addresses are all routable and there is no concept of private vs public with IPv6 unlike IPv4.
  3. Elastic IPs are not relevant with IPv6.
  4. IPv6 is not supported for VPNs, Customer Gateways, NAT Gateways and VPC Endpoints.

Hence, you need to be a bit cautious when using IPv6 on AWS. It is not yet 100% ready.

IPV6 with AWS VPC

Though there are limitations with IPV6, we can still do normal routing on AWS VPCs, Subnets, Route Tables, etc. In this blog we will work through the following steps with IPV6. If you are new to IPV6 networking on AWS, I am sure this will be a little bit of fun.

  1. Creating a Custom VPC with IPV6 support.
  2. Creating Public and Private subnets with IPV6 support.
  3. Add IPV6 Routing to VPC Routing Tables
  4. Use an Egress-only Internet Gateway for Internet access from private subnets (this replaces the NAT Gateway used with IPV4).

Now, let's try out all the above scenarios:

Figure 01 visualizes what we are going to achieve in this blog post. It has a Custom VPC with a public and a private subnet, each associated with its own Route table. The public Route table reaches the Internet via a typical Internet Gateway, and the private Route table reaches the Internet via an Egress-only Internet Gateway.

Figure 01 — IPV6 Networking with Egress-Only Internet Gateway

Task 1: Create a Custom VPC with both IPV4 and IPV6 support (Dual Support)

Create a Custom VPC with the following IPV4 and IPV6 block ranges.

IPV4 CIDR Block: 10.0.0.0/16

IPV6 CIDR Block: <Select Amazon Provided CIDR Block>

[P.Note: AWS will allocate a /56 IPV6 CIDR block to the VPC]

Figure 02 — Creating the Custom VPC with IPV6 Support

Here, you can see a /56 IPV6 CIDR block is allocated for your VPC (2600:1f13:d15:9500::/56) — [See Figure 03].

Figure 03

Task 2: Create two Subnets (Public and Private) with IPV6 Support

Figure 04 — Creating the Public Subnet with IPV6 Support

In each subnet, make sure to select “Custom IPV6” and give the starting point (two hex digits) of that subnet's IPV6 block.

The public subnet was created with the following CIDR blocks:

IPV4: 10.0.1.0/24

IPV6: 2600:1f13:d15:9500::/64 (entered in the console as the fixed prefix 2600:1f13:0d15:95 followed by 00)

Here the IPV6 block starting point is entered as 00. Those two hex digits fill the 8 bits between the VPC's /56 and the subnet's /64 boundary, so each subnet is automatically given a /64 block, and the /56 can hold 256 such subnets.

Make sure to enable auto-assign IP addresses for both IPV4 and IPV6 at the subnet level.

Figure 05 — Auto assign IPV4 and IPV6 addresses to the Public Subnet

The private subnet was created with the following CIDR blocks:

IPV4: 10.0.2.0/24

IPV6: 2600:1f13:d15:9550::/64 (entered as the fixed prefix 2600:1f13:0d15:95 followed by 50)
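To see what the console's “Custom IPV6” picker is doing with those two hex digits, here is a small standard-library script (added for this post, not AWS code) that derives each /64 from the /56 shown in Figure 03, checks that the planned subnets do not overlap, and tells you which subnet a given instance address belongs to. The /56 and the instance addresses are the ones that appear in this post; the function names are my own.

```python
import ipaddress

# Values taken from the post: the Amazon-provided /56 and the two hex digits
# typed into the console's "Custom IPV6" field for each subnet.
VPC_IPV6_BLOCK = ipaddress.IPv6Network("2600:1f13:d15:9500::/56")
SUBNET_DIGITS = {"public": "00", "private": "50"}


def subnet_from_console_digits(vpc_block, digits):
    """Reproduce the console's 'Custom IPV6' picker.

    A /56 leaves 8 bits (two hex digits) between the VPC prefix and the /64
    boundary, so there are exactly 256 possible /64 subnets and the digits
    select one of them: '00' -> the first, '50' (0x50 = 80) -> the 81st.
    """
    if vpc_block.prefixlen != 56:
        raise ValueError("expected the /56 that AWS allocates to a VPC")
    index = int(digits, 16)
    return list(vpc_block.subnets(new_prefix=64))[index]


def plan_subnets(vpc_block, digits_by_name):
    """Derive every /64 and make sure no two subnets collide."""
    plan = {name: subnet_from_console_digits(vpc_block, d)
            for name, d in digits_by_name.items()}
    nets = list(plan.values())
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}")
    return plan


def subnet_of(plan, address):
    """Name of the planned subnet an address falls in, or None if outside."""
    addr = ipaddress.IPv6Address(address)
    return next((name for name, net in plan.items() if addr in net), None)


if __name__ == "__main__":
    plan = plan_subnets(VPC_IPV6_BLOCK, SUBNET_DIGITS)
    for name, net in plan.items():
        print(f"{name:8s} {net}")
    # Instance addresses observed later in the post (Tasks 10 and 11)
    print(subnet_of(plan, "2600:1f13:d15:9500:52d8:2632:79f9:586"))   # public
    print(subnet_of(plan, "2600:1f13:d15:9550:dae8:81f5:e0af:96c2"))  # private
```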

Task 3: Create two Route Tables and assign Subnets to them.

Go to Route Tables, name the Main Route Table “private-RT” and associate the Private Subnet with it.

Figure 06 — The Private Route Table
Figure 07 — Assigning the Private Route Table to the Private Subnet

Then create a new Route Table, name it “public-RT” and associate the Public Subnet with it.

Figure 08 — Adding the Public Route Table to the Public Subnet

Task 4: Create an Internet Gateway and attach it to our Custom VPC

Create the Internet Gateway (igw-ipv6) and attach it to the Custom VPC.

Figure 09 — Creating the Internet Gateway and attaching it to the Custom VPC

Task 5: Create an Egress Only Internet Gateway and attach it to the Custom VPC

We use the Egress-only Internet Gateway to give EC2 instances in the private subnet outbound Internet access over IPV6 without letting the Internet initiate connections to them. In IPV4 this job was done by NAT Gateways.

Figure 10 — Creating an Egress-only Internet Gateway

Task 6: Adding Routing Entries to Public Route Table

Figure 11 — Adding Routing entries to the Public Route Table.

You need to add the following two entries, for IPV4 and IPV6 respectively, both targeting the Internet Gateway.

0.0.0.0/0 for IPV4 → Target (Internet Gateway)

::/0 for IPV6 → Target (Internet Gateway)

Task 7: Adding Routing Entries to Private Route Table

Figure 12 — Adding Routing entries to the Private Route Table

You need to add the following entry for IPV6, targeting the Egress-only Internet Gateway.

::/0 (For IPV6)→ Target (Egress-only Internet Gateway)

Task 8: Create a public EC2 instance in the Public Subnet

1. Select an Amazon Linux 2 AMI (HVM), SSD Volume Type

2. Select the m4.large EC2 instance type. (We pick a larger instance type here for fuller IPV6 support; you can try t2.micro, but IPV6 may not function on it as it should. This may change in the future.)

Figure 13 — Selecting the EC2 instance type which is m4.large

P.Note: We have selected m4.large here in order to get full support for EC2 instances. Though t2.micro instances do support IPV6 now, I have witnessed many issues while working with them. So to be on the safe side, we will experiment with m4.large for the moment. But remember it is not under free tier.

3. Select the Custom VPC and the public subnet and make sure to enable both IPV4 and IPV6 auto-assign IP checkbox.

Figure 14 — Configure the public EC2 instance by selecting auto-assign IPV4 and IPV6

4. Create a new Security Group allowing SSH (port 22) and HTTP (port 80) for both IPV4 and IPV6.

Figure 15 — Create a Security Group with HTTP (80) and SSH(22) for both IPV4 and IPV6 support

5. Launch the public instance. Once it is launched you will see that both a public IPV4 address and an IPV6 address have been assigned to the instance (See Figure 16).

Figure 16

Task 9: Create a private EC2 instance in the Private Subnet

Follow the same steps as in Task 8 to create a private instance in the private subnet.

Once the instance is created, make sure an IPV6 address is assigned to it so that you can reach it later. (This can be done via Actions → Networking → Manage IP Addresses → IPV6 Addresses → Assign new IP)

Figure 17

Task 10: Test the Public EC2 Instance

SSH into the public EC2 instance and install Apache (httpd):

$ ssh-add -k <the-pem-file>

$ ssh -A ec2-user@2600:1f13:d15:9500:52d8:2632:79f9:586

[Here 2600:1f13:d15:9500:52d8:2632:79f9:586 is the IPV6 address of the public instance]

$ sudo yum update

$ sudo yum install httpd

$ cd /var/www/html

$ sudo vi index.html   # add some text to the file

$ sudo service httpd start

Now you can access the public instance via its IPV6 address in your browser of choice (See Figure 18).

P.Note: in the browser's address bar an IPV6 literal has to be written inside square brackets, e.g. http://[2600:1f13:d15:9500:52d8:2632:79f9:586]/.

Figure 18

Congratulations! You have accessed an Apache web site via an IPV6 address.

Task 11: Test the Private EC2 Instance

Now it is time to check how the private instance behaves with the Egress-only Internet Gateway.

1. SSH into the private instance via the public instance, used as a bastion host. First SSH into the public instance (the -A flag forwards your SSH agent to it, so the second hop can authenticate with the key you loaded earlier with ssh-add):

$ ssh -A ec2-user@2600:1f13:d15:9500:52d8:2632:79f9:586

[ 2600:1f13:d15:9500:52d8:2632:79f9:586 is the IPV6 address of the public instance]

Now you should be inside the public instance.

2. SSH into the private instance:

$ ssh ec2-user@2600:1f13:d15:9550:dae8:81f5:e0af:96c2

[ 2600:1f13:d15:9550:dae8:81f5:e0af:96c2 is the IPV6 address of the private instance]

3. Now try to access the private instance via its IPV6 address in your browser.

This should not work: the private subnet's only route to the Internet goes through the Egress-only Internet Gateway, which never forwards connections initiated from outside the VPC.

4. Now check Internet access from the private EC2 instance.

In IPV4 we used to get this with the help of NAT instances/gateways; here we are relying on the Egress-only Internet Gateway.

Try installing Apache on the private instance (sudo yum install httpd). It should succeed if you have done the steps properly so far: outbound connections from the private instance go out through the Egress-only Internet Gateway, while inbound ones are still blocked.
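The two checks above (inbound to the private instance fails, outbound from it succeeds) follow directly from the route tables built in Tasks 6 and 7 and from the difference between the two gateway types. The following script is an added illustration, not AWS code: it models the VPC from this post with the standard library and evaluates which connections the routing allows. It deliberately ignores Security Groups and NACLs, which still apply on top; the off-VPC address and the function names are my own.

```python
import ipaddress

# Constructed model of the VPC built in this post: subnets, the route table
# each one is associated with, and the gateway its default route points at.
VPC = ipaddress.IPv6Network("2600:1f13:d15:9500::/56")
SUBNETS = {
    "public":  ipaddress.IPv6Network("2600:1f13:d15:9500::/64"),
    "private": ipaddress.IPv6Network("2600:1f13:d15:9550::/64"),
}
ROUTE_TABLES = {
    "public-RT":  {ipaddress.IPv6Network("::/0"): "igw"},   # Task 6
    "private-RT": {ipaddress.IPv6Network("::/0"): "eigw"},  # Task 7
}
SUBNET_TO_RT = {"public": "public-RT", "private": "private-RT"}
PUBLIC_INSTANCE = "2600:1f13:d15:9500:52d8:2632:79f9:586"    # from Task 10
PRIVATE_INSTANCE = "2600:1f13:d15:9550:dae8:81f5:e0af:96c2"  # from Task 11
INTERNET_HOST = "2001:db8::1"  # any address outside the VPC (documentation prefix)


def subnet_of(addr):
    return next((n for n, net in SUBNETS.items() if addr in net), None)


def route_target(rt_name, dst):
    """Longest-prefix match; the VPC block is always the implicit 'local' route."""
    routes = dict(ROUTE_TABLES[rt_name])
    routes[VPC] = "local"
    matches = [(net.prefixlen, tgt) for net, tgt in routes.items() if dst in net]
    return max(matches)[1] if matches else None


def connection_allowed(src, dst):
    """Can a connection *initiated* by src reach dst?

    An Internet Gateway forwards traffic in both directions, so an instance
    is reachable from outside only if its subnet's route table sends the
    reply path to an 'igw'. An Egress-only Internet Gateway forwards only
    flows that start inside the VPC, which is what keeps the private subnet
    unreachable while still letting it run 'yum install'.
    """
    src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    src_sub, dst_sub = subnet_of(src), subnet_of(dst)
    if src_sub is None and dst_sub is None:
        return False                      # not this VPC's traffic at all
    if src_sub is None:                   # inbound from the Internet
        return route_target(SUBNET_TO_RT[dst_sub], src) == "igw"
    target = route_target(SUBNET_TO_RT[src_sub], dst)  # outbound or intra-VPC
    return target in ("local", "igw", "eigw")
```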


Crishantha Nanayakkara

Enterprise Architect, Consultant @ FAO (UN), Former CTO, ICTA Sri Lanka