Add IPv6 support to your VPC - Amazon Virtual Private Cloud


If you have an existing VPC that supports IPv4 only, and resources in your subnet that are configured to use IPv4 only, you can add IPv6 support for your VPC and resources. Your VPC can operate in dual-stack mode — your resources can communicate over IPv4, or IPv6, or both. IPv4 and IPv6 communication are independent of each other.

You cannot disable IPv4 support for your VPC and subnets; this is the default IP addressing system for Amazon VPC and Amazon EC2.

Considerations
  • There is no migration path from IPv4-only subnets to IPv6-only subnets.

  • This example assumes that you have an existing VPC with public and private subnets. For information about creating a new VPC for use with IPv6, see Create a VPC.

  • Before you begin using IPv6, ensure that you have read the features of IPv6 addressing for Amazon VPC: Compare IPv4 and IPv6.

Process

The following table provides an overview of the process to enable IPv6 for your VPC.

Step 1: Associate an IPv6 CIDR block with your VPC and subnets
    Associate an Amazon-provided or BYOIP IPv6 CIDR block with your VPC and with your subnets.

Step 2: Update your route tables
    Update your route tables to route your IPv6 traffic. For a public subnet, create a route that routes all IPv6 traffic from the subnet to the internet gateway. For a private subnet, create a route that routes all internet-bound IPv6 traffic from the subnet to an egress-only internet gateway.

Step 3: Update your security group rules
    Update your security group rules to include rules for IPv6 addresses. This enables IPv6 traffic to flow to and from your instances. If you've created custom network ACL rules to control the flow of traffic to and from your subnet, you must include rules for IPv6 traffic.

Step 4: Assign IPv6 addresses to your instances
    Assign IPv6 addresses to your instances from the IPv6 address range of your subnet.

Example: Enable IPv6 in a VPC with a public and private subnet

In this example, your VPC has a public and a private subnet. You have a database instance in your private subnet that has outbound communication with the internet through a NAT gateway in your VPC. You have a public-facing web server in your public subnet that has internet access through the internet gateway. The following diagram represents the architecture of your VPC.

[Diagram: A VPC with a public subnet, a private subnet, a NAT gateway, and an internet gateway]

The security group for your web server (for example with the security group ID sg-11aa22bb11aa22bb1) has the following inbound rules:

Type         Protocol  Port range  Source                Comment
All traffic  All       All         sg-33cc44dd33cc44dd3  Allows inbound access for all traffic from instances associated with sg-33cc44dd33cc44dd3 (the database instance).
HTTP         TCP       80          0.0.0.0/0             Allows inbound traffic from the internet over HTTP.
HTTPS        TCP       443         0.0.0.0/0             Allows inbound traffic from the internet over HTTPS.
SSH          TCP       22          203.0.113.123/32      Allows inbound SSH access from your local computer; for example, when you need to connect to your instance to perform administration tasks.

The security group for your database instance (for example with the security group ID sg-33cc44dd33cc44dd3) has the following inbound rule:

Type   Protocol  Port range  Source                Comment
MySQL  TCP       3306        sg-11aa22bb11aa22bb1  Allows inbound access for MySQL traffic from instances associated with sg-11aa22bb11aa22bb1 (the web server instance).

Both security groups have the default outbound rule that allows all outbound IPv4 traffic, and no other outbound rules.

Your web server is a t2.medium instance. Your database server is an m3.large instance.

You want your VPC and resources to be enabled for IPv6, and you want them to operate in dual-stack mode; in other words, you want to use both IPv6 and IPv4 addressing between resources in your VPC and resources over the internet.

Step 1: Associate an IPv6 CIDR block with your VPC and subnets

You can associate an IPv6 CIDR block with your VPC, and then associate a /64 CIDR block from that range with each subnet.

To associate an IPv6 CIDR block with a VPC
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Your VPCs.

  3. Select your VPC.

  4. Choose Actions, Edit CIDRs and then choose Add new IPv6 CIDR.

  5. Select one of the following options, and then choose Select CIDR:

    • Amazon-provided IPv6 CIDR block – Use an IPv6 CIDR block from Amazon's pool of IPv6 addresses. For Network Border Group, choose the group from which AWS advertises IP addresses.

    • IPAM-allocated IPv6 CIDR block – Use an IPv6 CIDR block from an IPAM pool. Choose the IPAM pool and the IPv6 CIDR block.

    • IPv6 CIDR owned by me – Use an IPv6 CIDR block from your IPv6 address pool (BYOIP). Choose the IPv6 address pool and the IPv6 CIDR block.

  6. Choose Close.

To associate an IPv6 CIDR block with a subnet
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Subnets.

  3. Select a subnet.

  4. Choose Actions, Edit IPv6 CIDRs and then choose Add IPv6 CIDR.

  5. Edit the CIDR block as needed (for example, replace the 00).

  6. Choose Save.

  7. Repeat this procedure for any other subnets in your VPC.

For more information, see IPv6 VPC CIDR blocks.
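The "replace the 00" step above is really a choice of one /64 out of the VPC's IPv6 block. The following added example (not code from the page or from AWS) carves those /64s with Python's standard ipaddress module and checks that a subnet CIDR actually lies inside the VPC CIDR; the VPC CIDR is a constructed documentation-prefix value, sized as a /56 like an Amazon-provided block.

```python
import ipaddress

# Constructed example value, not from the page: an Amazon-provided VPC IPv6
# CIDR block is a /56 (the 2001:db8::/32 documentation prefix is used here).
VPC_IPV6_CIDR = "2001:db8:1234:1a00::/56"


def subnet_ipv6_cidrs(vpc_cidr: str) -> list:
    """All /64 blocks the VPC's IPv6 CIDR can hand out to subnets
    (256 of them for a /56)."""
    net = ipaddress.IPv6Network(vpc_cidr)
    if net.prefixlen > 64:
        raise ValueError(f"/{net.prefixlen} is too small to carve /64 subnets from")
    return [str(s) for s in net.subnets(new_prefix=64)]


def subnet_cidr_for_index(vpc_cidr: str, index: int) -> str:
    """The console pre-fills the subnet CIDR with '00' in the last hextet of the
    network part; replacing it selects one of the /64s. This picks /64 number
    `index` without hand-editing the string."""
    candidates = subnet_ipv6_cidrs(vpc_cidr)
    if not 0 <= index < len(candidates):
        raise ValueError(f"index must be 0..{len(candidates) - 1}")
    return candidates[index]


def subnet_fits_vpc(vpc_cidr: str, subnet_cidr: str) -> bool:
    """True when subnet_cidr is a /64 that lies inside the VPC's IPv6 CIDR."""
    sub = ipaddress.IPv6Network(subnet_cidr)
    return sub.prefixlen == 64 and sub.subnet_of(ipaddress.IPv6Network(vpc_cidr))


if __name__ == "__main__":
    print("public subnet :", subnet_cidr_for_index(VPC_IPV6_CIDR, 0))
    print("private subnet:", subnet_cidr_for_index(VPC_IPV6_CIDR, 1))
```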

Step 2: Update your route tables

When you associate an IPv6 CIDR block with your VPC, we automatically add a local route to each route table for the VPC to allow IPv6 traffic within the VPC.

You must update the route tables for your public subnets to enable instances (such as web servers) to use the internet gateway for IPv6 traffic. You must also update the route tables for your private subnets to enable instances (such as database instances) to use an egress-only internet gateway for IPv6 traffic, because NAT gateways do not support IPv6.

To update the route table for a public subnet
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Subnets. Select the public subnet. On the Route table tab, choose the route table ID to open the details page for the route table.

  3. Select the route table. On the Routes tab, choose Edit routes.

  4. Choose Add route. Choose ::/0 for Destination. Choose the ID of the internet gateway for Target.

  5. Choose Save changes.

To update the route table for a private subnet
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Egress-only internet gateways. Choose Create egress only internet gateway. Choose your VPC from VPC, and then choose Create egress only internet gateway.

    For more information, see Enable outbound IPv6 traffic using an egress-only internet gateway.

  3. In the navigation pane, choose Subnets. Select the private subnet. On the Route table tab, choose the route table ID to open the details page for the route table.

  4. Select the route table. On the Routes tab, choose Edit routes.

  5. Choose Add route. Choose ::/0 for Destination. Choose the ID of the egress-only internet gateway for Target.

  6. Choose Save changes.

For more information, see Example routing options.
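A check for the two route-table requirements of Step 2, as an added example that is not code from the page or from AWS: a public subnet needs ::/0 pointing at an internet gateway, a private subnet needs ::/0 pointing at an egress-only internet gateway, and a private subnet must not get an internet gateway route (that would expose its IPv6 addresses to unsolicited inbound traffic). The route entries and gateway IDs are constructed placeholders.

```python
# Constructed route tables for the example VPC (gateway IDs are placeholders).
PUBLIC_ROUTES = [
    {"destination": "10.0.0.0/16", "target": "local"},
    {"destination": "2001:db8:1234:1a00::/56", "target": "local"},  # auto-added with the IPv6 CIDR
    {"destination": "0.0.0.0/0", "target": "igw-0example0000000"},
    {"destination": "::/0", "target": "igw-0example0000000"},
]
PRIVATE_ROUTES = [
    {"destination": "10.0.0.0/16", "target": "local"},
    {"destination": "2001:db8:1234:1a00::/56", "target": "local"},
    {"destination": "0.0.0.0/0", "target": "nat-0example0000000"},
    # No ::/0 route yet: the NAT gateway cannot carry IPv6, so no IPv6 egress exists.
]

EXPECTED_V6_TARGET = {"public": "igw-", "private": "eigw-"}


def ipv6_default_route_findings(routes, subnet_kind):
    """Return findings (empty when the table is correct) for the ::/0 route.
    subnet_kind is 'public' (needs an internet gateway) or 'private'
    (needs an egress-only internet gateway)."""
    expected = EXPECTED_V6_TARGET[subnet_kind]
    findings = []
    if not any(r["target"] == "local" and ":" in r["destination"] for r in routes):
        findings.append("no local IPv6 route: associate an IPv6 CIDR with the VPC first")
    v6_default = [r for r in routes if r["destination"] == "::/0"]
    if not v6_default:
        findings.append(f"no ::/0 route: {subnet_kind} subnet has no IPv6 path to the internet")
    for r in v6_default:
        target = r["target"]
        if target.startswith(expected):
            continue
        if subnet_kind == "private" and target.startswith("igw-"):
            findings.append(f"::/0 -> {target}: an internet gateway allows unsolicited inbound "
                            "IPv6 to the private subnet; use an egress-only internet gateway")
        else:
            findings.append(f"::/0 -> {target}: expected an {expected}* target "
                            "(NAT gateways do not support IPv6)")
    return findings
```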

Step 3: Update your security group rules

To enable your instances to send and receive traffic over IPv6, you must update your security group rules to include rules for IPv6 addresses. In the example above, you can update the web server security group (sg-11aa22bb11aa22bb1) to add rules that allow inbound HTTP, HTTPS, and SSH access from IPv6 addresses. You don't need to make any changes to the inbound rules for your database security group; the rule that allows all communication from sg-11aa22bb11aa22bb1 includes IPv6 communication.

To update your inbound security group rules
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Security groups and select your web server security group.

  3. In the Inbound rules tab, choose Edit inbound rules.

  4. For each rule that allows IPv4 traffic, choose Add rule and configure the rule to allow the corresponding IPv6 traffic. For example, to add a rule that allows all HTTP traffic over IPv6, choose HTTP for Type and ::/0 for Source.

  5. When you are finished adding rules, choose Save rules.

Update your outbound security group rules

When you associate an IPv6 CIDR block with your VPC, we automatically add an outbound rule to the security groups for the VPC that allows all IPv6 traffic. However, if you modified the original outbound rules for your security group, this rule is not automatically added, and you must add equivalent outbound rules for IPv6 traffic.

Update your network ACL rules

When you associate an IPv6 CIDR block with a VPC, we automatically add rules to the default network ACL to allow IPv6 traffic. However, if you modified your default network ACL or if you've created a custom network ACL, you must manually add rules for IPv6 traffic. For more information, see Work with network ACLs.
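The inbound and outbound parts of Step 3 can be checked mechanically. The following added example (not code from the page or from AWS) mirrors the web server security group's IPv4 CIDR rules as IPv6 rules, leaves the security-group-sourced rule alone because it already covers IPv6, refuses to widen the /32 SSH rule to ::/0 unless an admin IPv6 prefix is supplied, and checks for the allow-all IPv6 egress rule that is only auto-added when the default outbound rule was never modified. The rule dictionaries and the admin IPv6 prefix are constructed placeholders.

```python
import ipaddress

# Constructed representation of the page's web server security group
# (sg-11aa22bb11aa22bb1) before any IPv6 rules exist. 'peer' is the source
# for inbound rules and the destination for outbound rules.
WEB_INBOUND = [
    {"protocol": "-1", "from": None, "to": None, "peer": "sg-33cc44dd33cc44dd3"},
    {"protocol": "tcp", "from": 80, "to": 80, "peer": "0.0.0.0/0"},
    {"protocol": "tcp", "from": 443, "to": 443, "peer": "0.0.0.0/0"},
    {"protocol": "tcp", "from": 22, "to": 22, "peer": "203.0.113.123/32"},
]
WEB_OUTBOUND = [{"protocol": "-1", "from": None, "to": None, "peer": "0.0.0.0/0"}]
# Assumed placeholder: the admin workstation's IPv6 prefix. There is no
# mechanical mapping from 203.0.113.123/32 to IPv6, so it must be supplied.
ADMIN_IPV6_PREFIX = "2001:db8:ffff:1::/64"

def _family(peer):
    """4 or 6 for a CIDR peer; None for an sg-/pl- id (address-family neutral)."""
    try:
        return ipaddress.ip_network(peer, strict=False).version
    except ValueError:
        return None

def ipv6_rules_to_add(rules, narrow_peer_map):
    """Mirror each IPv4-CIDR rule as an IPv6 rule: 0.0.0.0/0 -> ::/0; a
    narrower IPv4 peer is taken from narrow_peer_map or, if absent, reported
    in needs_input instead of being silently widened to ::/0."""
    present = {(r["protocol"], r["from"], r["to"], r["peer"]) for r in rules}
    added, needs_input = [], []
    for r in rules:
        if _family(r["peer"]) != 4:
            continue  # sg-/pl- peers already cover IPv6; v6 rules need no mirror
        if r["peer"] == "0.0.0.0/0":
            v6_peer = "::/0"
        elif r["peer"] in narrow_peer_map:
            v6_peer = narrow_peer_map[r["peer"]]
        else:
            needs_input.append(r)
            continue
        key = (r["protocol"], r["from"], r["to"], v6_peer)
        if key not in present:
            present.add(key)
            added.append(dict(r, peer=v6_peer))
    return added, needs_input

def outbound_ipv6_ok(outbound):
    """The allow-all IPv6 egress rule is only auto-added when the default
    egress rule was never modified, so check for it explicitly."""
    return any(r["protocol"] == "-1" and r["peer"] == "::/0" for r in outbound)
```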

Step 4: Assign IPv6 addresses to your instances

All current generation instance types support IPv6. If your instance type does not support IPv6, you must resize the instance to a supported instance type before you can assign an IPv6 address. The process that you'll use depends on whether the new instance type that you choose is compatible with the current instance type. For more information, see Change the instance type in the Amazon EC2 User Guide for Linux Instances. If you must launch an instance from a new AMI to support IPv6, you can assign an IPv6 address to your instance during launch.

After you've verified that your instance type supports IPv6, you can assign an IPv6 address to your instance using the Amazon EC2 console. The IPv6 address is assigned to the primary network interface (eth0) for the instance. For more information, see Assign an IPv6 address to an instance in the Amazon EC2 User Guide for Linux Instances.

You can connect to an instance using its IPv6 address. For more information, see Connect to your Linux instance using an SSH client in the Amazon EC2 User Guide for Linux Instances or Connect to a Windows instance using its IPv6 address in the Amazon EC2 User Guide for Windows Instances.

If you launched your instance using an AMI for a current version of your operating system, your instance is configured for IPv6. If you can't ping an IPv6 address from your instance, refer to the documentation for your operating system to configure IPv6.