Enabling IPv6 for public incoming traffic - AWS App Runner

Enabling IPv6 for public incoming traffic

If you want your service to receive incoming network traffic from IPv6 addresses, or from both IPv4 and IPv6 addresses, choose the Dual-stack address type for the public endpoint. When you’re creating a new application, you can find this setting under Configure service > Networking section. For more information about how to enable IPv6 using App Runner console or App Runner API, see Managing dual stack for public incoming traffic.

For more information about adopting IPv6 on AWS, see IPv6 on AWS.

App Runner supports dual stack only for public App Runner service endpoints. For all App Runner private services, only IPv4 is supported.

Note

When you have IP address type set to Dual-stack and you change your network configuration from public to private endpoint, App Runner will automatically change your address type to IPv4. This is because App Runner supports IPv6 only for public endpoints.

Learn background information about IPv4 vs IPv6

The IPv4 network layer, commonly used to route network traffic across the internet, uses a 32-bit address scheme. This address space is limited and can be exhausted with large numbers of network devices. For this reason, Network Address Translation (NAT) is typically used to route multiple IPv4 addresses through a single public network address.

IPv6, a more recent version of the Internet Protocol, builds upon IPv4 and expands the address space with a 128-bit addressing scheme. With IPv6, you can build a network with an almost unlimited number of connected devices. Due to the vast amount of network addresses, NAT is not needed by IPv6.

IPv4 and IPv6 endpoints are not compatible with each other because IPv4 endpoints cannot receive incoming IPv6 traffic and vice versa. Dual stack provides a convenient solution, where both IPv4 and IPv6 network traffic can be supported simultaneously.

Managing dual stack for public incoming traffic

Manage the dual-stack address type for public incoming traffic using one of the following methods:

App Runner console

You can choose dual-stack address type for the incoming internet traffic, when you create a service using the App Runner console, or when you update its configuration later.

To enable dual-stack address type
  1. When creating or updating a service, expand the Networking section under Configure service.

  2. Choose Public endpoint, for Incoming network traffic. Public endpoint IP address type option opens.

  3. Expand Public endpoint IP address type to view the following IP address types.

    • IPv4

    • Dual-stack (IPv4 and IPv6)

    Note

    If you do not expand Public endpoint IP address type to make a selection, then App Runner assigns IPv4 as the default configuration.

  4. Choose Dual-stack (IPv4 and IPv6).

  5. Choose Next and then Create & Deploy if you are creating a service. Else, choose Save changes if you are updating a service.

    When the service is deployed, your application starts receiving network traffic from both IPv4 and IPv6 endpoints.

Note

Currently, App Runner supports IPv6 only for public endpoints. IPv6 endpoints are not supported for App Runner services hosted in an Amazon Virtual Private Cloud (Amazon VPC). If you udpate a service that's using dual-stack public endpoint to a private endpoint, your App Runner service will default to support traffic from only IPv4 endpoints and fail to receive traffic from IPv6 endpoints.

To change the address type
  1. Follow the steps to update a service and navigate to Networking.

  2. Navigate to Public endpoint IP address type under Incoming network traffic and select the required address type.

  3. Choose Save changes. Your service is updated with your selection.

App Runner API or AWS CLI

When you call the CreateService or UpdateService App Runner API actions, use the IpAddressType member of the NetworkConfiguration parameter to specify the address type. The supported values that you can specify are IPv4 and DUAL_STACK. Specify DUAL_STACK if you want your service to receive internet traffic from IPv4 and IPv6 endpoints. If you do not specify any value for IpAddressType, by default IPv4 is applied.

The following is the example to create a service with the dual stack as IP address. This example calls an input.json file.

Example Request to create a service with dual stack support
aws apprunner create-service \ --cli-input-json file://input.json
Example Contents of input.json
{ "ServiceName": "example-service", "SourceConfiguration": { "ImageRepository": { "ImageIdentifier": "public.ecr.aws/aws-containers/hello-app-runner:latest", "ImageConfiguration": { "Port": "8000" }, "ImageRepositoryType": "ECR_PUBLIC" }, "NetworkConfiguration": { "IpAddressType": "DUAL_STACK" } } }
Example Response
{ "Service": { "ServiceName": "example-service", "ServiceId": "<service-id>", "ServiceArn": "arn:aws:apprunner:us-east-2:123456789012:service/example-service/<service-id>", "ServiceUrl": "1234567890.us-east-2.awsapprunner.com", "CreatedAt": "2023-10-16T12:30:51.724000-04:00", "UpdatedAt": "2023-10-16T12:30:51.724000-04:00", "Status": "OPERATION_IN_PROGRESS", "SourceConfiguration": { "ImageRepository": { "ImageIdentifier": "public.ecr.aws/aws-containers/hello-app-runner:latest", "ImageConfiguration": { "Port": "8000" }, "ImageRepositoryType": "ECR_PUBLIC" }, "AutoDeploymentsEnabled": false }, "InstanceConfiguration": { "Cpu": "1024", "Memory": "2048" }, "HealthCheckConfiguration": { "Protocol": "TCP", "Path": "/", "Interval": 5, "Timeout": 2, "HealthyThreshold": 1, "UnhealthyThreshold": 5 }, "AutoScalingConfigurationSummary": { "AutoScalingConfigurationArn": "arn:aws:apprunner:us-east-2:123456789012:autoscalingconfiguration/DefaultConfiguration/1/00000000000000000000000000000001", "AutoScalingConfigurationName": "DefaultConfiguration", "AutoScalingConfigurationRevision": 1 }, "NetworkConfiguration": { "IpAddressType": "DUAL_STACK", "EgressConfiguration": { "EgressType": "DEFAULT" }, "IngressConfiguration": { "IsPubliclyAccessible": true } } }, "OperationId": "24bd100b1e111ae1a1f0e1115c4f11de" }
Note

Currently, App Runner supports IPv6 only for public endpoints. IPv6 endpoints are not supported for App Runner services hosted in an Amazon Virtual Private Cloud (Amazon VPC). If you udpate a service that's using dual-stack public endpoint to a private endpoint, your App Runner service will default to support traffic from only IPv4 endpoints and fail to receive traffic from IPv6 endpoints.

For more information on the API parameter, see NetworkConfiguration.