IPv6 Networking with AWS VPC
What you can actually do with it
AWS IPv6 Support
On AWS, IPv6 is optional and not enabled by default. Although the support is available, it is not 100% ready yet and comes with limitations:
- DNS names are not allocated to IPv6 addresses.
- IPv6 addresses are all routable; unlike IPv4, there is no concept of private vs. public addresses with IPv6.
- Elastic IPs are not relevant with IPv6.
- IPv6 is not supported for VPNs, Customer Gateways, NAT Gateways and VPC Endpoints.
Hence, you need to be a bit cautious while using AWS with IPv6. It is not yet 100% ready.
IPv6 with AWS VPC
Though there are limitations around IPv6, we can still do normal routing on AWS VPCs, subnets, route tables, etc. In this blog we execute the following steps with IPv6. If you are new to IPv6 networking with AWS, I am sure this will be a little bit of fun.
- Creating a Custom VPC with IPv6 support.
- Creating Public and Private subnets with IPv6 support.
- Adding IPv6 routing to the VPC route tables.
- Using an Egress-only Internet Gateway for Internet access from private subnets (this replaces the need for a NAT Gateway in IPv4).
Now, let's try out all of the above scenarios.
Figure 01 visualizes what we are going to achieve in this blog post: a Custom VPC with a public subnet and a private subnet, each served by its own route table. The public route table connects to the Internet via a typical Internet Gateway, and the private route table connects to the Internet via an Egress-only Internet Gateway.
Task 1: Create a Custom VPC with both IPv4 and IPv6 support (Dual Stack Support)
Create a Custom VPC with the following IPv4 and IPv6 block ranges.
IPv4 CIDR Block: 10.0.0.0/16
IPv6 CIDR Block: <Select Amazon Provided CIDR Block>
[P.Note: Here AWS will provide you a /56 IPv6 CIDR block]
Here, you can see a /56 IPv6 CIDR block is allocated for your VPC (2600:1f13:d15:9500::/56) — [See Figure 03].
Task 2: Create two Subnets (Public and Private) with IPv6 Support
In each subnet, make sure to select “Custom IPv6” and give the starting point of that subnet's IPv6 block.
The public subnet was created with the following CIDR blocks.
Here, the IPv6 CIDR block starting point is given as 00, and you are automatically given a /64 block.
Make sure to enable auto-assign IP addresses for both IPv4 and IPv6 at the subnet level.
The private subnet was created with the following CIDR blocks.
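As an added worked example (not code from the original post), the following Python script uses the standard ipaddress module to show how the /56 block AWS allocated in Task 1 splits into /64 subnets: the two-hex-digit “starting point” you type into the Custom IPv6 field is simply the value of the byte between the /56 and /64 boundaries. It uses the VPC block shown above, index 00 for the public subnet, and index 50 for the private subnet; that second index is an assumption inferred from the private instance address 2600:1f13:d15:9550:... that appears later on this page. It also checks the point made in the limitations list: an address in the “private” subnet is still globally routable, so nothing but the route table, gateway and security group keeps it off the Internet.

```python
import ipaddress
from typing import Dict, Optional

# VPC block as shown on the page (Amazon-provided /56).
VPC_IPV6_CIDR = "2600:1f13:d15:9500::/56"


def subnet_from_index(vpc_cidr: str, index: int) -> str:
    """Return the /64 selected by a two-hex-digit 'starting point' (00..ff).

    A /56 contains 256 /64 subnets. The console asks for the value of the single
    byte that sits between bit 56 and bit 64, so the n-th /64 is the VPC network
    address plus n shifted into that byte position.
    """
    vpc = ipaddress.IPv6Network(vpc_cidr)
    if vpc.prefixlen != 56:
        raise ValueError("expected a /56 VPC block, got /%d" % vpc.prefixlen)
    if not 0 <= index <= 0xFF:
        raise ValueError("starting point must be a single byte (00..ff)")
    base = int(vpc.network_address)
    return str(ipaddress.IPv6Network((base + (index << 64), 64)))


def subnet_index(vpc_cidr: str, subnet_cidr: str) -> int:
    """Inverse of subnet_from_index: recover the starting-point byte of a /64."""
    vpc = ipaddress.IPv6Network(vpc_cidr)
    sub = ipaddress.IPv6Network(subnet_cidr)
    if sub.prefixlen != 64 or not sub.subnet_of(vpc):
        raise ValueError("%s is not a /64 inside %s" % (sub, vpc))
    return (int(sub.network_address) - int(vpc.network_address)) >> 64


# Subnet layout of the page's VPC. Index 0x50 for the private subnet is an
# assumption inferred from the private instance address shown later on the page.
SUBNETS: Dict[str, str] = {
    "public": subnet_from_index(VPC_IPV6_CIDR, 0x00),
    "private": subnet_from_index(VPC_IPV6_CIDR, 0x50),
}


def locate(address: str, subnets: Dict[str, str] = SUBNETS) -> Optional[str]:
    """Name the subnet an instance address falls into, or None if it is outside the VPC."""
    addr = ipaddress.IPv6Address(address)
    for name, cidr in subnets.items():
        if addr in ipaddress.IPv6Network(cidr):
            return name
    return None


def is_globally_routable(address: str) -> bool:
    """True unless the address is in a reserved, ULA or link-local range.

    Both subnets here come out True: AWS VPC IPv6 space has no private range, so
    the 'private' subnet is private only because of what its route table does.
    """
    return ipaddress.IPv6Address(address).is_global


if __name__ == "__main__":
    for name, cidr in SUBNETS.items():
        print("%-8s %s (starting point %02x)" % (name, cidr, subnet_index(VPC_IPV6_CIDR, cidr)))
    for addr in ("2600:1f13:d15:9500:52d8:2632:79f9:586",   # public instance address from the page
                 "2600:1f13:d15:9550:dae8:81f5:e0af:96c2"):  # private instance address from the page
        print(addr, "->", locate(addr), "subnet; globally routable:", is_globally_routable(addr))
```

Run it as a script to print the two /64s and which subnet each instance address on this page belongs to; the same arithmetic generalises to any starting point from 00 to ff.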
Task 3: Create two Route Tables and assign the Subnets to them
Go to Route Tables, name the Main Route Table “private-RT” and assign the Private Subnet to it.
Then create a new Route Table, name it “public-RT” and assign the Public Subnet to it.
Task 4: Create an Internet Gateway and attach it to our Custom VPC
Create the Internet Gateway (igw-ipv6) and attach it to the Custom VPC.
Task 5: Create an Egress-only Internet Gateway and attach it to the Custom VPC
We use the Egress-only Internet Gateway to let the EC2 instances in the private subnet connect out to the Internet. In IPv4 we used to achieve this with the help of NAT Gateways.
Task 6: Adding Routing Entries to the Public Route Table
You need to add the following two entries, for IPv4 and IPv6, and point them at the Internet Gateway.
0.0.0.0/0 for IPv4 → Target (Internet Gateway)
::/0 for IPv6 → Target (Internet Gateway)
Task 7: Adding Routing Entries to the Private Route Table
You need to add the following entry for IPv6 and point it at the Egress-only Internet Gateway.
::/0 for IPv6 → Target (Egress-only Internet Gateway)
Task 8: Create a public EC2 instance in the Public Subnet
1. Select an Amazon Linux 2 AMI (HVM), SSD Volume Type.
2. Select the m4.large EC2 instance type. (We select a larger instance type here for better IPv6 support. You can try t2.micro, but IPv6 may not function as it should; this can change in the future.)
P.Note: We have selected m4.large here in order to get full IPv6 support on the EC2 instance. Though t2.micro instances do support IPv6 now, I have witnessed many issues while working with them. So, to be on the safe side, we will experiment with m4.large for the moment. But remember that it is not under the free tier.
3. Select the Custom VPC and the public subnet, and make sure to enable the auto-assign IP checkboxes for both IPv4 and IPv6.
4. Create a new Security Group with SSH port 20 and HTTP port 80 for both IPv4 and IPv6.
5. Launch the public instance. Once it is launched you can see that both a public IPv4 address and an IPv6 address are assigned to the instance (See Figure 16).
Task 9: Create a private EC2 instance in the Private Subnet
Follow the same steps as in Task 8 and create a private instance in the private subnet.
Once the instance is created, make sure to assign an IPv6 address to it so that you can access it later. (This can be done via Actions → Networking → Manage IP Addresses → IPv6 Addresses → Assign new IP.)
Task 10: Test the Public EC2 Instance
SSH into the public EC2 instance and install Apache (httpd):
$ ssh-add -k <the-pem-file>
$ ssh -A ec2-user@2600:1f13:d15:9500:52d8:2632:79f9:586
[Here 2600:1f13:d15:9500:52d8:2632:79f9:586 is the IPv6 address of the public instance]
$ sudo yum update
$ sudo yum install httpd
$ cd /var/www/html
$ sudo vi index.html (add some text to the file)
$ sudo service httpd start
Now you can access the public instance via its IPv6 address in your browser of choice (See Figure 18).
P.Note: you will have to enter the IPv6 address within square brackets in the browser URL, for example http://[2600:1f13:d15:9500:52d8:2632:79f9:586]/.
Congratulations! You have accessed an Apache web site via an IPv6 address.
Task 11: Test the Private EC2 Instance
Now it is time to check how the private instance behaves with the Egress-only Internet Gateway.
1. SSH into the private instance via the public instance, using it as a bastion host. For that, SSH into the public instance first.
$ ssh -A ec2-user@2600:1f13:d15:9500:52d8:2632:79f9:586
[2600:1f13:d15:9500:52d8:2632:79f9:586 is the IPv6 address of the public instance]
Now you should be inside the public instance.
2. SSH into the private instance.
$ ssh ec2-user@2600:1f13:d15:9550:dae8:81f5:e0af:96c2
[2600:1f13:d15:9550:dae8:81f5:e0af:96c2 is the IPv6 address of the private instance]
3. Now try to access the private instance via its IPv6 address in your browser.
Theoretically it should not work! The Egress-only Internet Gateway only passes connections initiated from inside the VPC, so inbound requests from the Internet are dropped.
4. Can we now check for Internet access from the private EC2 instance?
In IPv4 we used to get this with the help of NAT instances/gateways. But here we are testing with the Egress-only Internet Gateway.
Try to install Apache on the private instance. It should work if you have done your steps properly so far.
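To make the behaviour tested in Tasks 10 and 11 concrete, here is an added Python model (example code, not from the original post and not an AWS API) of the two route tables from Tasks 6 and 7 and of the difference between the two gateways. It does longest-prefix matching the way a VPC route table does, models the Egress-only Internet Gateway as stateful (it records flows that leave the VPC and admits only their replies) and the Internet Gateway as forwarding in both directions, leaving filtering to the security group. The gateway name eigw-ipv6, the outside address 2001:db8::1 and the port numbers are constructed for the example; the subnet blocks and instance addresses are the ones used on this page, and the inbound rule is a simplified model of how AWS decides reachability, not its implementation.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple, Union

Net = ipaddress.IPv6Network
Addr = ipaddress.IPv6Address
Route = Tuple[Net, str]              # (destination prefix, target id)
Flow = Tuple[Addr, int, Addr, int]   # (inside addr, inside port, outside addr, outside port)


def lookup(route_table: List[Route], dst: Addr) -> Optional[str]:
    """Longest-prefix match over a route table; None means no route (blackhole)."""
    best: Optional[Route] = None
    for net, target in route_table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


class InternetGateway:
    """Forwards both ways; whether an instance is reachable is then down to its security group."""
    def outbound(self, flow: Flow) -> bool:
        return True

    def inbound(self, flow: Flow) -> bool:
        return True


class EgressOnlyInternetGateway:
    """Stateful: passes flows initiated inside the VPC and their replies, nothing else."""
    def __init__(self) -> None:
        self.flows: Set[Flow] = set()

    def outbound(self, flow: Flow) -> bool:
        self.flows.add(flow)        # remember the flow so that its reply can come back
        return True

    def inbound(self, flow: Flow) -> bool:
        return flow in self.flows   # unsolicited inbound traffic is dropped


Gateway = Union[InternetGateway, EgressOnlyInternetGateway]


class Vpc:
    def __init__(self, subnets: Dict[str, Tuple[Net, List[Route]]], gateways: Dict[str, Gateway]) -> None:
        self.subnets = subnets      # name -> (subnet cidr, route table of that subnet)
        self.gateways = gateways    # target id -> gateway object

    def subnet_of(self, addr: Addr) -> Optional[str]:
        for name, (net, _) in self.subnets.items():
            if addr in net:
                return name
        return None

    def egress(self, src: str, sport: int, dst: str, dport: int) -> str:
        """Packet leaving an instance: returns 'local', the gateway id it used, or 'dropped'."""
        s, d = Addr(src), Addr(dst)
        name = self.subnet_of(s)
        if name is None:
            raise ValueError("%s is not in this VPC" % src)
        target = lookup(self.subnets[name][1], d)
        if target is None:
            return "dropped"
        if target == "local":
            return "local"
        return target if self.gateways[target].outbound((s, sport, d, dport)) else "dropped"

    def ingress(self, src: str, sport: int, dst: str, dport: int) -> bool:
        """Packet arriving from the Internet for a VPC address.

        Model: the gateway that the destination subnet's route table uses toward the sender
        (the return path) decides whether the packet is admitted, so a subnet whose default
        route points at the egress-only gateway cannot be reached from outside.
        """
        s, d = Addr(src), Addr(dst)
        name = self.subnet_of(d)
        if name is None:
            return False
        target = lookup(self.subnets[name][1], s)
        if target in (None, "local"):
            return False
        return self.gateways[target].inbound((d, dport, s, sport))


def build_demo_vpc() -> Vpc:
    """The page's layout: public-RT -> igw-ipv6, private-RT -> eigw-ipv6 (assumed name)."""
    vpc_block, default = Net("2600:1f13:d15:9500::/56"), Net("::/0")
    public_rt: List[Route] = [(vpc_block, "local"), (default, "igw-ipv6")]
    private_rt: List[Route] = [(vpc_block, "local"), (default, "eigw-ipv6")]
    return Vpc(
        subnets={"public": (Net("2600:1f13:d15:9500::/64"), public_rt),
                 "private": (Net("2600:1f13:d15:9550::/64"), private_rt)},
        gateways={"igw-ipv6": InternetGateway(), "eigw-ipv6": EgressOnlyInternetGateway()},
    )


PUBLIC_EC2 = "2600:1f13:d15:9500:52d8:2632:79f9:586"    # public instance address from the page
PRIVATE_EC2 = "2600:1f13:d15:9550:dae8:81f5:e0af:96c2"  # private instance address from the page
OUTSIDE = "2001:db8::1"                                  # constructed: some host on the Internet

if __name__ == "__main__":
    vpc = build_demo_vpc()
    print("browser -> public Apache :", vpc.ingress(OUTSIDE, 51000, PUBLIC_EC2, 80))    # True
    print("browser -> private Apache:", vpc.ingress(OUTSIDE, 51001, PRIVATE_EC2, 80))   # False
    print("bastion -> private ssh   :", vpc.egress(PUBLIC_EC2, 40000, PRIVATE_EC2, 22))  # local
    print("private -> yum mirror    :", vpc.egress(PRIVATE_EC2, 40001, OUTSIDE, 443))    # eigw-ipv6
    print("mirror reply             :", vpc.ingress(OUTSIDE, 443, PRIVATE_EC2, 40001))   # True
    print("unsolicited inbound      :", vpc.ingress(OUTSIDE, 443, PRIVATE_EC2, 40002))   # False
```

The six calls at the bottom replay the page's tests: the browser reaches Apache on the public instance through the Internet Gateway, the same request to the private instance is dropped by the egress-only gateway, the bastion hop stays on the “local” route, and the private instance's yum traffic goes out and its replies come back while anything unsolicited is refused.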