Amazon Virtual Private Cloud
User Guide

Migrating to IPv6

If you have an existing VPC that supports IPv4 only, and resources in your subnet that are configured to use IPv4 only, you can enable IPv6 support for your VPC and resources. Your VPC can operate in dual-stack mode — your resources can communicate over IPv4, or IPv6, or both. IPv4 and IPv6 communication are independent of each other.

You cannot disable IPv4 support for your VPC and subnets; this is the default IP addressing system for Amazon VPC and Amazon EC2.

The following table provides an overview of the steps to enable your VPC and subnets to use IPv6.

| Step | Notes |
| --- | --- |
| Step 1: Associate an IPv6 CIDR Block with Your VPC and Subnets | Associate an Amazon-provided IPv6 CIDR block with your VPC and with your subnets. |
| Step 2: Create and Configure an Egress-Only Internet Gateway | NAT devices do not support IPv6 traffic; therefore create an egress-only Internet gateway for your private subnets to enable outbound communication to the Internet over IPv6 and prevent inbound communication. An egress-only Internet gateway supports IPv6 traffic only. |
| Step 3: Update Your Route Tables | Update your route tables to route your IPv6 traffic. For example, create a route that routes all IPv6 traffic from the public subnet to the Internet gateway, and create a route that routes all internet-bound IPv6 traffic from the private subnet to the egress-only Internet gateway. |
| Step 4: Update Your Security Group Rules | Update your security group rules to include rules for IPv6 addresses. This enables IPv6 traffic to flow to and from your instances. If you've created custom network ACL rules to control the flow of traffic to and from your subnet, you must include rules for IPv6 traffic. |
| Step 5: Change Your Instance Type | If your instance type does not support IPv6, change the instance type. |
| Step 6: Assign IPv6 Addresses to Your Instances | Assign IPv6 addresses to your instances from the IPv6 address range of your subnet. |
| (Optional) Configure IPv6 on Your Instances | If your instance was launched from an AMI that is not configured to use DHCPv6, you must manually configure your instance to recognize an IPv6 address assigned to the instance. |

Before you migrate to using IPv6, ensure that you have read the features of IPv6 addressing for Amazon VPC: IPv4 and IPv6 Characteristics and Restrictions.

Example: Enabling IPv6 in a VPC With a Public and Private Subnet

In this example, your VPC has a public and a private subnet. You have a database instance in your private subnet that has outbound communication with the Internet through a NAT gateway in your VPC. You have a public-facing web server in your public subnet that has Internet access through an Internet gateway. The following diagram represents the architecture of your VPC.


[Diagram: VPC with public and private subnets]

The security group for your web server (sg-11aa22bb) has the following inbound rules:

| Type | Protocol | Port range | Source | Comment |
| --- | --- | --- | --- | --- |
| All traffic | All | All | sg-33cc44dd | Allows inbound access for all traffic from instances associated with sg-33cc44dd (the database instance). |
| HTTP | TCP | 80 | 0.0.0.0/0 | Allows inbound traffic from the Internet over HTTP. |
| HTTPS | TCP | 443 | 0.0.0.0/0 | Allows inbound traffic from the Internet over HTTPS. |
| SSH | TCP | 22 | 203.0.113.123/32 | Allows inbound SSH access from your local computer; for example, when you need to connect to your instance to perform administration tasks. |

The security group for your database instance (sg-33cc44dd) has the following inbound rule:

| Type | Protocol | Port range | Source | Comment |
| --- | --- | --- | --- | --- |
| MySQL | TCP | 3306 | sg-11aa22bb | Allows inbound access for MySQL traffic from instances associated with sg-11aa22bb (the web server instance). |

Both security groups have the default outbound rule that allows all outbound IPv4 traffic, and no other outbound rules.

Your web server is a t2.medium instance type. Your database server is an m3.large.

You want your VPC and resources to be enabled for IPv6, and you want them to operate in dual-stack mode; in other words, you want to use both IPv6 and IPv4 addressing between resources in your VPC and resources over the Internet.

After you've completed the steps, your VPC will have the following configuration.


[Diagram: VPC with public and private subnets]

Step 1: Associate an IPv6 CIDR Block with Your VPC and Subnets

You can associate an IPv6 CIDR block with your VPC, and then associate a /64 CIDR block from that range with each subnet.

To associate an IPv6 CIDR block with a VPC

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Your VPCs.

  3. Select your VPC, choose Actions, Edit CIDRs.

  4. Choose Add IPv6 CIDR. After the IPv6 CIDR block has been added, choose Close.

To associate an IPv6 CIDR block with a subnet

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Subnets.

  3. Select your subnet, choose Subnet Actions, Edit IPv6 CIDRs.

  4. Choose Add IPv6 CIDR. Specify the hexadecimal pair for the subnet (for example, 00) and confirm the entry by choosing the tick icon.

  5. Choose Close. Repeat the steps for the other subnets in your VPC.

For more information, see VPC and Subnet Sizing for IPv6.

Step 2: Create and Configure an Egress-Only Internet Gateway

Create an egress-only Internet gateway for your VPC.

To create an egress-only Internet Gateway

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Egress Only Internet Gateways, Create Egress Only Internet Gateway.

  3. Select the VPC in which to create the egress-only Internet gateway. Choose Create.

For more information, see Egress-Only Internet Gateways.

Step 3: Update Your Route Tables

For the example above, update the custom route table for the private subnet so that your database instance can use the egress-only Internet gateway for IPv6 traffic. You must also update the custom route table for the public subnet so that your web server can use the Internet gateway for IPv6 traffic.

To update your route tables

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Route Tables and select the route table that's associated with the private subnet.

  3. On the Routes tab, choose Edit, specify ::/0 for Destination, select the egress-only Internet gateway ID for Target, and then choose Save.

  4. Select the route table that's associated with the public subnet.

  5. On the Routes tab, choose Edit, specify ::/0 for Destination, select the Internet gateway ID for Target, and then choose Save.

For more information, see Routing Options.
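A check for the routing outcome described above, as an added example (not AWS code): it flags a private subnet whose IPv6 default route points at the Internet gateway instead of the egress-only Internet gateway, which would remove the inbound block that gateway provides. The input follows the `Routes` shape returned by `aws ec2 describe-route-tables`; all resource IDs are constructed, and a subnet is assumed to be private when its IPv4 default route targets a NAT gateway, as in this page's example.

```python
# Constructed sample: the private table sends ::/0 to the Internet gateway.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-0public", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"},
        {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-0example"},
    ]},
    {"RouteTableId": "rtb-0private", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"},
        {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-0example"},
    ]},
]


def _default_targets(route_table):
    """Return (ipv4_target, ipv6_target) for the table's default routes."""
    v4 = v6 = None
    for route in route_table["Routes"]:
        target = (route.get("EgressOnlyInternetGatewayId")
                  or route.get("NatGatewayId")
                  or route.get("GatewayId"))
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            v4 = target
        elif route.get("DestinationIpv6CidrBlock") == "::/0":
            v6 = target
    return v4, v6


def audit_ipv6_default_routes(route_tables):
    """Map each route table ID to a status for its IPv6 default route."""
    results = {}
    for table in route_tables:
        v4, v6 = _default_targets(table)
        if v4 is None and v6 is None:
            continue  # no Internet-bound routes at all
        private = v4 is not None and v4.startswith("nat-")
        if v6 is None:
            status = "NO_IPV6_DEFAULT_ROUTE"
        elif private and v6.startswith("igw-"):
            # Private for IPv4, but reachable from the Internet over IPv6.
            status = "PRIVATE_SUBNET_IPV6_VIA_IGW"
        elif not private and v6.startswith("eigw-"):
            # Public subnet cannot accept inbound IPv6 connections.
            status = "PUBLIC_SUBNET_IPV6_VIA_EIGW"
        else:
            status = "OK"
        results[table["RouteTableId"]] = status
    return results


if __name__ == "__main__":
    for table_id, status in audit_ipv6_default_routes(ROUTE_TABLES).items():
        print(f"{table_id}: {status}")
```
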

Step 4: Update Your Security Group Rules

For the example above, your web server security group (sg-11aa22bb) allows inbound access from IPv4 addresses over specific ports. You must add rules that allow the same inbound access from IPv6 addresses, namely HTTP and HTTPS access from all IPv6 addresses, and SSH access from a specific IPv6 address (if applicable). You do not need to make any changes to the inbound rules for your database security group; the rule that allows all communication from sg-11aa22bb includes IPv6 communication by default.

To update your security group rules

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Security Groups and select your web server security group.

  3. In the Inbound Rules tab, choose Edit.

  4. For each rule, choose Add another rule, and choose Save when you're done:

    • For Type, select HTTP. For Source, enter ::/0.

    • For Type, select HTTPS. For Source, enter ::/0.

    • For Type, select SSH. For Source, enter the IPv6 address of your local computer or the range of addresses for your local network.

In this scenario, an outbound rule that allows all IPv6 traffic is automatically added to your security groups when you associate an IPv6 CIDR block with your VPC. However, if you modified the original outbound rules for your security group, this rule is not automatically added, and you must add equivalent outbound rules for IPv6 traffic. For more information, see Security Groups for Your VPC.
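A parity check for the rule changes in this step, as an added example (not AWS code): it compares the IPv4 and IPv6 sources of each service in a security group and reports services that have no IPv6 rule or whose IPv6 rule is open to ::/0 while the IPv4 rule is restricted. The input follows the `IpPermissions` shape returned by `aws ec2 describe-security-groups`; the sample rules are constructed from this page's sg-11aa22bb example with two deliberate mistakes.

```python
import ipaddress

# Constructed sample for sg-11aa22bb after a flawed migration: HTTPS has no
# IPv6 rule, and SSH was opened to every IPv6 address instead of one source.
WEB_SG_INBOUND = [
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-33cc44dd"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.123/32"}],
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]


def _sources_by_service(permissions):
    """Map (protocol, from_port, to_port) -> (IPv4 networks, IPv6 networks)."""
    services = {}
    for perm in permissions:
        key = (perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort"))
        v4, v6 = services.setdefault(key, ([], []))
        v4.extend(ipaddress.ip_network(r["CidrIp"])
                  for r in perm.get("IpRanges", []))
        v6.extend(ipaddress.ip_network(r["CidrIpv6"])
                  for r in perm.get("Ipv6Ranges", []))
    return services


def _label(proto, lo, hi):
    """Readable service name; protocol "-1" means all traffic."""
    if proto == "-1":
        return "all"
    return f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"


def audit_ipv6_parity(permissions):
    """Return (service, finding) pairs where IPv6 rules drift from IPv4 rules."""
    findings = []
    for (proto, lo, hi), (v4, v6) in _sources_by_service(permissions).items():
        if not v4 and not v6:
            continue  # only security-group sources, which cover both families
        v4_open = any(net.prefixlen == 0 for net in v4)
        v6_open = any(net.prefixlen == 0 for net in v6)
        if v4 and not v6:
            findings.append((_label(proto, lo, hi), "MISSING_IPV6_RULE"))
        elif v6_open and not v4_open:
            findings.append((_label(proto, lo, hi), "IPV6_BROADER_THAN_IPV4"))
    return findings


if __name__ == "__main__":
    for service, finding in audit_ipv6_parity(WEB_SG_INBOUND):
        print(f"sg-11aa22bb {service}: {finding}")
```

The same function can be run over `IpPermissionsEgress` to find a group whose modified outbound rules never received an IPv6 equivalent.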

Update Your Network ACL Rules

If you associate an IPv6 CIDR block with your VPC, we automatically add rules to the default network ACL to allow IPv6 traffic, provided you haven't modified its default rules. If you've modified your default network ACL or if you've created a custom network ACL with rules to control the flow of traffic to and from your subnet, you must manually add rules for IPv6 traffic. For more information about recommended network ACL rules for a VPC with a private and public subnet, see Recommended Rules for Scenario 2.

Step 5: Change Your Instance Type

In this example, your web server instance is a t2.medium instance type, which supports IPv6. Your database instance is an m3.large instance type, which does not support IPv6. You must resize the instance to a supported instance type, for example, m4.large. For more information, see Instance Types.

To resize your instance, be aware of the compatibility limitations. For more information, see Compatibility for Resizing Instances in the Amazon EC2 User Guide for Linux Instances. In this scenario, if your database instance was launched from an AMI that uses HVM virtualization, you can resize it to an m4.large instance type by using the following procedure.

Important

To resize your instance, you must stop it. Stopping and starting an instance changes the public IPv4 address for the instance, if it has one. If you have any data stored on instance store volumes, the data is erased.

To resize your instance

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Instances, and select the database instance.

  3. Choose Actions, Instance State, Stop.

  4. In the confirmation dialog box, choose Yes, Stop.

  5. With the instance still selected, choose Actions, Instance Settings, Change Instance Type.

  6. For Instance Type, choose m4.large, Apply.

  7. To restart the stopped instance, select the instance and choose Actions, Instance State, Start. In the confirmation dialog box, choose Yes, Start.

If your instance is an instance store-backed AMI, you can't resize your instance using the earlier procedure. Instead, you can create an instance store-backed AMI from your instance, and launch a new instance from your AMI using a new instance type. For more information, see Creating an Instance Store-Backed Linux AMI in the Amazon EC2 User Guide for Linux Instances, and Creating an Instance Store-Backed Windows AMI in the Amazon EC2 User Guide for Windows Instances.

You may not be able to migrate to a new instance type if there are compatibility limitations. For example, if your instance was launched from an AMI that uses PV virtualization, the only instance type that supports both PV virtualization and IPv6 is C3. This instance type may not be suitable for your needs. In this case, you may have to reinstall your software on a base HVM AMI, and launch a new instance.

If you launch an instance from a new AMI, you can assign an IPv6 address to your instance during launch.

Step 6: Assign IPv6 Addresses to Your Instances

After you've verified that your instance type supports IPv6, you can assign an IPv6 address to your instance using the Amazon EC2 console. The IPv6 address is assigned to the primary network interface (eth0) for the instance.

To assign an IPv6 address to your instance

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Instances.

  3. Select your instance, and choose Actions, Networking, Manage IP Addresses.

  4. Under IPv6 Addresses, choose Assign new IP. You can enter a specific IPv6 address from the range of your subnet, or you can leave the default Auto-Assign value to let Amazon choose one for you.

  5. Choose Yes, Update.

Alternatively, if you launch a replacement instance (for example, if you were unable to resize your instance and you created a new AMI instead), you can assign an IPv6 address during launch.

To assign an IPv6 address to an instance during launch

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. Select your AMI and an IPv6-compatible instance type, and choose Next: Configure Instance Details.

  3. On the Configure Instance Details page, select a VPC for Network and a subnet for Subnet. For Auto-assign IPv6 IP, select Enable.

  4. Follow the remaining steps in the wizard to launch your instance.

(Optional) Configure IPv6 on Your Instances

If you launched your instance using Amazon Linux 2016.09.0 or later, or Windows Server 2008 R2 or later, your instance is configured for IPv6 and no additional steps are required.

If you launched your instance from a different AMI, it may not be configured for DHCPv6, which means that any IPv6 address that you assign to the instance is not automatically recognized on the primary network interface. To verify if the IPv6 address is configured on your network interface, use the ifconfig command on Linux, or the ipconfig command on Windows.

You can configure your instance using the following steps. You'll need to connect to your instance using its public IPv4 address. For more information, see Connect to Your Linux Instance in the Amazon EC2 User Guide for Linux Instances and Connecting to Your Windows Instance in the Amazon EC2 User Guide for Windows Instances.

Amazon Linux

To configure DHCPv6 on Amazon Linux

  1. Connect to your instance using the instance's public IPv4 address.

  2. Get the latest software packages for your instance:

    sudo yum update -y

  3. Using a text editor of your choice, open /etc/sysconfig/network-scripts/ifcfg-eth0 and locate the following line:

    IPV6INIT=no

    Replace that line with the following:

    IPV6INIT=yes

    Add the following two lines, and save your changes:

    DHCPV6C=yes
    DHCPV6C_OPTIONS=-nw

  4. Open /etc/sysconfig/network, remove the following lines, and save your changes:

    NETWORKING_IPV6=no
    IPV6INIT=no
    IPV6_ROUTER=no
    IPV6_AUTOCONF=no
    IPV6FORWARDING=no
    IPV6TO4INIT=no
    IPV6_CONTROL_RADVD=no

  5. Open /etc/hosts, replace the contents with the following, and save your changes:

    127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1         localhost6 localhost6.localdomain6

  6. Reboot your instance. Reconnect to your instance and use the ifconfig command to verify that the IPv6 address is recognized on the primary network interface.

Ubuntu

You can configure your Ubuntu instance to dynamically recognize any IPv6 address assigned to the network interface. If your instance does not have an IPv6 address, this configuration may cause the boot time of your instance to be extended by up to 5 minutes.

These steps must be performed as the root user.

Ubuntu Server 16

To configure IPv6 on a running Ubuntu Server 16 instance

  1. Connect to your instance using the instance's public IPv4 address.

  2. View the contents of the /etc/network/interfaces.d/50-cloud-init.cfg file:

    cat /etc/network/interfaces.d/50-cloud-init.cfg

    # This file is generated from information provided by
    # the datasource. Changes to it will not persist across an instance.
    # To disable cloud-init's network configuration capabilities, write a file
    # /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
    # network: {config: disabled}
    auto lo
    iface lo inet loopback

    auto eth0
    iface eth0 inet dhcp

    Verify that the loopback network device (lo) is configured, and take note of the name of the network interface. In this example, the network interface name is eth0; the name may be different depending on the instance type.

  3. Create the file /etc/network/interfaces.d/60-default-with-ipv6.cfg and add the following line. If required, replace eth0 with the name of the network interface that you retrieved in the step above.

    iface eth0 inet6 dhcp

  4. Reboot your instance, or restart the network interface by running the following command. If required, replace eth0 with the name of your network interface.

    sudo ifdown eth0 ; sudo ifup eth0

  5. Reconnect to your instance and use the ifconfig command to verify that the IPv6 address is configured on the network interface.

To configure IPv6 using user data

You can launch a new Ubuntu instance and ensure that any IPv6 address assigned to the instance is automatically configured on the network interface by specifying the following user data during launch:

    #!/bin/bash
    echo "iface eth0 inet6 dhcp" >> /etc/network/interfaces.d/60-default-with-ipv6.cfg
    dhclient -6

In this case, you do not have to connect to the instance to configure the IPv6 address.

For more information, see Running Commands on Your Linux Instance at Launch in the Amazon EC2 User Guide for Linux Instances.

Ubuntu Server 14

If you're using Ubuntu Server 14, you must include a workaround for a known issue that occurs when restarting a dual-stack network interface (the restart results in an extended timeout during which your instance is unreachable).

These steps must be performed as the root user.

To configure IPv6 on a running Ubuntu Server 14 instance

  1. Connect to your instance using the instance's public IPv4 address.

  2. Edit the /etc/network/interfaces.d/eth0.cfg file so that it contains the following:

    auto lo
    iface lo inet loopback

    auto eth0
    iface eth0 inet dhcp
        up dhclient -6 $IFACE

  3. Reboot your instance:

    sudo reboot

  4. Reconnect to your instance and use the ifconfig command to verify that the IPv6 address is configured on the network interface.

Starting the DHCPv6 Client

Alternatively, to bring up the IPv6 address for the network interface immediately without performing any additional configuration, you can start the DHCPv6 client for the instance. However, the IPv6 address does not persist on the network interface after reboot.

To start the DHCPv6 client on Ubuntu

  1. Connect to your instance using the instance's public IPv4 address.

  2. Start the DHCPv6 client:

    sudo dhclient -6

  3. Use the ifconfig command to verify that the IPv6 address is recognized on the primary network interface.

RHEL/CentOS

To configure DHCPv6 on RHEL 7 or CentOS 7

  1. Connect to your instance using the instance's public IPv4 address.

  2. Using a text editor of your choice, open /etc/sysconfig/network-scripts/ifcfg-eth0 and locate the following line:

    IPV6INIT="no"

    Replace that line with the following:

    IPV6INIT="yes"

    Add the following two lines, and save your changes:

    DHCPV6C=yes
    NM_CONTROLLED=no

  3. Open /etc/sysconfig/network, add or amend the following line as follows, and save your changes:

    NETWORKING_IPV6=yes

  4. Restart networking on your instance by running the following command:

    sudo service network restart

    You can use the ifconfig command to verify that the IPv6 address is recognized on the primary network interface.

To configure DHCPv6 on RHEL 6 or CentOS 6

  1. Connect to your instance using the instance's public IPv4 address.

  2. Follow steps 2 - 4 in the procedure above for configuring RHEL 7/CentOS 7.

  3. If you restart networking and you get an error that an IPv6 address cannot be obtained, open /etc/sysconfig/network-scripts/ifup-eth and locate the following line (by default, it's line 327):

    if /sbin/dhclient "$DHCLIENTARGS"; then

    Remove the quotes that surround $DHCLIENTARGS and save your changes. Restart networking on your instance:

    sudo service network restart

Windows

Use the following procedures to configure IPv6 on Windows Server 2003 and Windows Server 2008 SP2.

To ensure that IPv6 is preferred over IPv4, download the fix named Prefer IPv6 over IPv4 in prefix policies from the following Microsoft support page: https://support.microsoft.com/en-us/help/929852/how-to-disable-ipv6-or-its-components-in-windows.

To enable and configure IPv6 on Windows Server 2003

  1. Get the IPv6 address of your instance by using the describe-instances AWS CLI command, or by checking the IPv6 IPs field for the instance in the Amazon EC2 console.

  2. Connect to your instance using the instance's public IPv4 address.

  3. From within your instance, choose Start, Control Panel, Network Connections, Local Area Connection.

  4. Choose Properties, and then choose Install.

  5. Choose Protocol, and choose Add. In the Network Protocol list, choose Microsoft TCP/IP version 6, and then choose OK.

  6. Open the command prompt and open the network shell.

    netsh

  7. Switch to the interface IPv6 context.

    interface ipv6

  8. Add the IPv6 address to the local area connection using the following command. Replace the value for the IPv6 address with the IPv6 address for your instance.

    add address "Local Area Connection" "ipv6-address"

    For example:

    add address "Local Area Connection" "2001:db8:1234:1a00:1a01:2b:12:d08b"

  9. Exit the network shell.

    exit

  10. Use the ipconfig command to verify that the IPv6 address is recognized for the Local Area Connection.

To enable and configure IPv6 on Windows Server 2008 SP2

  1. Get the IPv6 address of your instance by using the describe-instances AWS CLI command, or by checking the IPv6 IPs field for the instance in the Amazon EC2 console.

  2. Connect to your Windows instance using the instance's public IPv4 address.

  3. Choose Start, Control Panel.

  4. Open the Network and Sharing Center, then open Network Connections.

  5. Right-click Local Area Network (for the network interface) and choose Properties.

  6. Choose the Internet Protocol Version 6 (TCP/IPv6) check box, and choose OK.

  7. Open the properties dialog box for Local Area Network again. Choose Internet Protocol Version 6 (TCP/IPv6) and choose Properties.

  8. Choose Use the following IPv6 address and do the following:

    • For IPv6 Address, enter the IPv6 address you obtained in step 1.

    • For Subnet prefix length, enter 64.

  9. Choose OK and close the properties dialog box.

  10. Open the command prompt. Use the ipconfig command to verify that the IPv6 address is recognized for the Local Area Connection.