This is the first part of a two part series on setting up IPv6 in Amazon Web Services (AWS). This first part discusses setting up IPv6 in your AWS VPC. The second part will discuss setting up IPv6 on your EC2 instances.
The IPv6 revolution is happening and you need to be a part of it, or you will be left behind running IPv4. Almost all major broadband service providers like BT and Sky provide IPv6 addresses by default. IPv6 and IPv4 are not compatible, and eventually IPv4 will be dropped altogether. Until that day, dual-stack setups offer you the best of both worlds, readying you for the future.
Since last Christmas AWS have slowly been adding IPv6 support to more of their services and regions. However, you need to actively opt in and set it up. These are my 6 steps to setting up IPv6 on AWS:
What is IPv6?
Internet Protocol version 6 (IPv6) is the most recent version of the Internet Protocol (IP), the communications protocol that provides an identification and location system for computers on networks and routes traffic across the Internet. IPv6 was developed […] to deal with the long-anticipated problem of IPv4 address exhaustion.
Step 1: Pre-requisites
This guide assumes you have an existing AWS VPC set up and that you have full console access to your account.
Before you add IPv6 to your services it is worth making sure you can use it. Some older EC2 instance types don’t yet support it. Check the docs for the table showing each EC2 instance generation and its IPv6 support status. You will need to resize any unsupported EC2 instances to a supported instance type before you can fully set up IPv6.
Another catch is that some services including RDS do not support IPv6 yet, but do not fret as we are setting up a dual stack environment (supporting IPv4 and IPv6) and these services will continue working without issue over IPv4.
Step 2: Request an IPv6 range
Firstly we need to get an IPv6 range for your VPC. AWS give you a range of 4,722,366,482,869,645,213,696 different IPv6 IPs. To put this into perspective, there are 4,294,967,296 total IPv4 IPs in the world! :-O
- Back to the tutorial. Open the VPC management console; you can also find this by selecting the services menu at the top left and searching for “VPC”.
- In the navigation bar, on the left, select “Your VPCs”.
- Select the VPC you want to add IPv6 to.
- Right click on the VPC and select “Edit CIDRs”.
- Select Add IPv6 CIDR, it will then obtain a new IPv6 range for you and add it to your VPC.
- Select “Close” to continue.
Step 3: Add IPv6 to your subnets
A subnet is a range of IP addresses. It makes routing traffic much simpler by pointing this whole range in one direction rather than needing a rule for each individual IP address. For example, the IP address 203.0.113.76 is part of the 203.0.113.76/24 subnet range, and routers on the internet will point all addresses in that range towards the owner of that range (Amazon, for example). The /24 section indicates the size of the subnet; in this case it includes all IPs from 203.0.113.1 to 203.0.113.255.
This step adds the new IPv6 range to the subnets which your servers reside in.
- In the navigation bar, select “Subnets”. This takes you to a page which lists all subnets in all of your VPCs. If you have multiple VPCs you will want to filter the subnet page by VPC, making it easier to see which subnets you need to add IPv6 to. (You can filter by VPC on every menu we will be looking at in this tutorial.)
- Select a subnet in your VPC
- Right click on it and select “Edit IPv6 CIDRs”
- Select “Add IPv6 CIDR”
- Press the tick icon that appears to the right of your new IPv6 range, this will associate it with the subnet.
- Close the menu.
- Repeat items 2 to 6 for each subnet in your VPC
Step 4: Speaking to the internet
At this point we have set up our VPC with IPv6 traffic coming in. This section is about talking out to the internet, and that starts with routing. The first part of routing is an Internet Gateway. This is an AWS service which provides network address translation; put simply, it is a device which guides network traffic in the right direction on its way out to the internet.
You may already have an Internet Gateway. If you do, great, you can skip to step 5.
- In the navigation bar, select “Internet Gateways”.
- Click “Create Internet Gateway” at the top.
- Give it a sensible name and press “Yes, Create” to save.
If you didn’t have an Internet Gateway before now, your servers would only have been able to speak to each other, so be aware that your servers can now talk to anyone on the Internet.
Step 5: Speaking to the IPv6 internet
The route table tells every server in your VPC where its first hop is. It passes internal traffic to your other servers, RDS instances, Elasticache instances etc., and importantly it passes external traffic out to the Internet Gateway. That is what we are about to set up.
- In the navigation bar, select “Route Tables”.
- Select the route table attached to your VPC.
- Click on the “Routes” tab and then “Edit” the existing table
- Add in a rule for Destination “::/0” where the Target is your Internet Gateway.
- When you click in the target field it will automatically show you all available Internet Gateways
- If you have just created your first Internet Gateway you will also want to route IPv4 traffic out to the internet
- “Add another route” with the Destination of 0.0.0.0/0 and a Target of your Internet Gateway.
- Click save
::/0 means any IPv6 address. This is why it sits at the bottom of your route table: it catches all otherwise un-routed IPv6 traffic and passes it on to your AWS Internet Gateway.
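As an added example (not part of the original post) covering Step 3 and Step 5 together: it carves the /64 each subnet receives from the VPC’s /56, and shows the longest-prefix-match lookup a route table performs, so VPC-internal traffic stays on the local route while everything else falls through to the ::/0 and 0.0.0.0/0 entries. The VPC blocks and the igw-EXAMPLE id are constructed placeholders.

```python
import ipaddress

# Constructed values: an IPv4 VPC block and an IPv6 /56 of the size AWS assigns to a VPC.
# 2001:db8::/32 is the documentation prefix, so this is not a real assignment.
VPC_IPV4 = ipaddress.ip_network("10.0.0.0/16")
VPC_IPV6 = ipaddress.ip_network("2001:db8:1234:5600::/56")
IGW = "igw-EXAMPLE"  # placeholder for the Internet Gateway id shown in the console


def subnet_ipv6(vpc_ipv6, index):
    """Return the index-th /64 of the VPC's /56; each AWS subnet gets exactly one /64."""
    return list(vpc_ipv6.subnets(new_prefix=64))[index]


# The dual-stack route table after Step 5: local routes first, catch-all routes last.
ROUTE_TABLE = [
    (VPC_IPV4, "local"),
    (VPC_IPV6, "local"),
    (ipaddress.ip_network("0.0.0.0/0"), IGW),
    (ipaddress.ip_network("::/0"), IGW),
]


def next_hop(address, routes=ROUTE_TABLE):
    """Pick the target of the most specific route containing the destination address.

    ::/0 and 0.0.0.0/0 have prefix length 0, so they win only when nothing more specific
    matches: that is why they sit at the bottom and catch the otherwise un-routed traffic.
    Returns None when no route matches, i.e. the VPC has no Internet Gateway route yet.
    """
    dest = ipaddress.ip_address(address)
    matches = [(net, target) for net, target in routes
               if net.version == dest.version and dest in net]
    if not matches:
        return None
    return max(matches, key=lambda route: route[0].prefixlen)[1]
```

The /56 has 2^72 addresses, which is the figure quoted in Step 2; dropping the two Internet Gateway routes reproduces the "servers can only speak to each other" state described in Step 4.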
Step 6: Network ACL
There is one final step at the network level, the Network Access Control List (ACL). It is one of many layers of security protecting your servers from attackers. The ACL lists both allowed and denied connections based on IP ranges, so we need to add IPv6. You may find that IPv6 has already been configured on your ACL by AWS, in which case you can skip this step.
- In the navigation bar, select “Network ACLs”, it is under the “Security” subheading.
- Select your Network ACL; again you can filter by VPC if needed.
- Select the “Inbound Rules” tab and “Edit” the rules
- A little known fact about IPv6 is that it is prioritised over IPv4 traffic: if you have IPv6 set up, people connecting in will prefer it over IPv4. This means your developers with their static IP addresses need their IPv6 address added as well as their IPv4 address. Just having their IPv4 record whitelisted will still leave them blocked.
- With this in mind for each rule in your IPv4 inbound rules there should be one with an IPv6 “Source” field.
- As mentioned above ::/0 matches all IPv6 records so you can use it to mirror the 0.0.0.0/0 sources.
- Each rule needs a unique name, I iterated up by 1 as I went.
- Select the “Outbound Rules” tab and “Edit” the rules
- Set up new IPv6 rules mirroring IPv4, just as we did for the Inbound Rules.
- You will need to do items 3 and 4 for each Network ACL in your VPC, if you have more than one.
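As an added example (not the post’s own code) for Step 6: it mirrors a constructed set of IPv4 inbound rules into IPv6 rules, turning 0.0.0.0/0 into ::/0, numbering the new rules upward by 1 after the existing ones, and refusing to silently skip a developer’s static-IP rule that has no IPv6 counterpart. The rule set and the developer prefix mapping are constructed sample data.

```python
import ipaddress

# Constructed sample inbound IPv4 rules for one Network ACL, in AWS console terms:
# rule number, protocol, port range, source CIDR, allow/deny.
IPV4_INBOUND = [
    {"rule": 100, "protocol": "tcp", "ports": (443, 443), "source": "0.0.0.0/0", "action": "allow"},
    {"rule": 110, "protocol": "tcp", "ports": (22, 22), "source": "198.51.100.7/32", "action": "allow"},
    {"rule": 120, "protocol": "tcp", "ports": (1024, 65535), "source": "0.0.0.0/0", "action": "allow"},
]

# Constructed: the IPv6 prefix a developer's static IPv4 address corresponds to. Without an
# entry here the developer keeps being blocked once their client prefers IPv6.
DEVELOPER_IPV6 = {"198.51.100.7/32": "2001:db8:dead:beef::/64"}

MAX_RULE_NUMBER = 32766  # highest rule number a Network ACL accepts


def mirror_to_ipv6(ipv4_rules, ipv6_sources):
    """Return one IPv6 rule per IPv4 rule, numbered upward by 1 after the existing rules.

    0.0.0.0/0 becomes ::/0; any other source must have an IPv6 counterpart supplied,
    otherwise a ValueError names the rule so it is not left IPv4-only by accident.
    """
    used = {r["rule"] for r in ipv4_rules}
    number = max(used) + 1
    mirrored = []
    for rule in ipv4_rules:
        if ipaddress.ip_network(rule["source"]) == ipaddress.ip_network("0.0.0.0/0"):
            source6 = "::/0"
        elif rule["source"] in ipv6_sources:
            source6 = ipv6_sources[rule["source"]]
        else:
            raise ValueError(f"rule {rule['rule']}: no IPv6 source for {rule['source']}")
        while number in used:
            number += 1
        if number > MAX_RULE_NUMBER:
            raise ValueError("ran out of Network ACL rule numbers")
        used.add(number)
        mirrored.append({**rule, "rule": number, "source": source6})
    return mirrored


def unmirrored(ipv4_rules, ipv6_rules):
    """List the IPv4 rules with no IPv6 rule of the same protocol, ports and action."""
    v6_keys = {(r["protocol"], r["ports"], r["action"]) for r in ipv6_rules}
    return [r for r in ipv4_rules
            if (r["protocol"], r["ports"], r["action"]) not in v6_keys]
```

Run unmirrored() against the rules you actually entered in the console to spot any IPv4 rule that still lacks its IPv6 twin; the same two functions apply unchanged to the Outbound Rules tab.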
Congratulations, you are now IPv6 ready! I hope you learnt something new about VPCs; I certainly learnt a lot researching this post. Please leave any questions in the comments or contact us and see how we can help you. :-)
Now the first part of our IPv6 journey is complete, join us next time where I will show you how to configure the server itself to support this new IPv6 environment.