Migrating to IPv6
If you have an existing VPC that supports IPv4 only, and resources in your subnet that are configured to use IPv4 only, you can enable IPv6 support for your VPC and resources. Your VPC can operate in dual-stack mode — your resources can communicate over IPv4, or IPv6, or both. IPv4 and IPv6 communication are independent of each other.
You cannot disable IPv4 support for your VPC and subnets; this is the default IP addressing system for Amazon VPC and Amazon EC2.
This information assumes that you have an existing VPC with public and private subnets. For information about setting up a new VPC for use with IPv6, see Overview for IPv6.
The following table provides an overview of the steps to enable your VPC and subnets to use IPv6.
Step | Notes |
---|---|
Step 1: Associate an IPv6 CIDR block with your VPC and subnets | Associate an Amazon-provided IPv6 CIDR block with your VPC and with your subnets. |
Step 2: Update your route tables | Update your route tables to route your IPv6 traffic. For a public subnet, create a route that routes all IPv6 traffic from the subnet to the internet gateway. For a private subnet, create a route that routes all internet-bound IPv6 traffic from the subnet to an egress-only internet gateway. |
Step 3: Update your security group rules | Update your security group rules to include rules for IPv6 addresses. This enables IPv6 traffic to flow to and from your instances. If you've created custom network ACL rules to control the flow of traffic to and from your subnet, you must include rules for IPv6 traffic. |
Step 4: Change your instance type | If your instance type does not support IPv6, change the instance type. |
Step 5: Assign IPv6 addresses to your instances | Assign IPv6 addresses to your instances from the IPv6 address range of your subnet. |
Step 6: (Optional) Configure IPv6 on your instances | If your instance was launched from an AMI that is not configured to use DHCPv6, you must manually configure your instance to recognize an IPv6 address assigned to the instance. |
Before you migrate to using IPv6, ensure that you have read the features of IPv6 addressing for Amazon VPC: IPv4 and IPv6 characteristics and restrictions.
Contents
- Example: Enabling IPv6 in a VPC with a public and private subnet
- Step 1: Associate an IPv6 CIDR block with your VPC and subnets
- Step 2: Update your route tables
- Step 3: Update your security group rules
- Step 4: Change your instance type
- Step 5: Assign IPv6 addresses to your instances
- Step 6: (Optional) Configure IPv6 on your instances
Example: Enabling IPv6 in a VPC with a public and private subnet
In this example, your VPC has a public and a private subnet. You have a database instance in your private subnet that has outbound communication with the internet through a NAT gateway in your VPC. You have a public-facing web server in your public subnet that has internet access through the internet gateway. The following diagram represents the architecture of your VPC.

The security group for your web server (sg-11aa22bb11aa22bb1
) has the
following inbound rules:
Type | Protocol | Port range | Source | Comment |
---|---|---|---|---|
All traffic | All | All | sg-33cc44dd33cc44dd3 | Allows inbound access for all traffic from instances associated with sg-33cc44dd33cc44dd3 (the database instance). |
HTTP | TCP | 80 | 0.0.0.0/0 | Allows inbound traffic from the internet over HTTP. |
HTTPS | TCP | 443 | 0.0.0.0/0 | Allows inbound traffic from the internet over HTTPS. |
SSH | TCP | 22 | 203.0.113.123/32 | Allows inbound SSH access from your local computer; for example, when you need to connect to your instance to perform administration tasks. |
The security group for your database instance (sg-33cc44dd33cc44dd3
) has
the following inbound rule:
Type | Protocol | Port range | Source | Comment |
---|---|---|---|---|
MySQL | TCP | 3306 | sg-11aa22bb11aa22bb1 | Allows inbound access for MySQL traffic from instances associated with sg-11aa22bb11aa22bb1 (the web server instance). |
Both security groups have the default outbound rule that allows all outbound IPv4 traffic, and no other outbound rules.
Your web server is t2.medium
instance type. Your database server is an
m3.large
.
You want your VPC and resources to be enabled for IPv6, and you want them to operate in dual-stack mode; in other words, you want to use both IPv6 and IPv4 addressing between resources in your VPC and resources over the internet.
After you've completed the steps, your VPC will have the following configuration.

Step 1: Associate an IPv6 CIDR block with your VPC and subnets
You can associate an IPv6 CIDR block with your VPC, and then associate a
/64
CIDR block from that range with each subnet.
To associate an IPv6 CIDR block with a VPC
-
Open the Amazon VPC console at https://console.aws.amazon.com/vpc/
. -
In the navigation pane, choose Your VPCs.
-
Select your VPC, choose Actions, Edit CIDRs.
-
Choose Add IPv6 CIDR, choose one of the following options, and then choose Select CIDR:
-
Amazon-provided IPv6 CIDR block: Requests an IPv6 CIDR block from Amazon's pool of IPv6 addresses. For Network Border Group, select the group from which AWS advertises IP addresses.
-
IPv6 CIDR owned by me: (BYOIP) Allocates an IPv6 CIDR block from your IPv6 address pool. For Pool, choose the IPv6 address pool from which to allocate the IPv6 CIDR block.
-
To associate an IPv6 CIDR block with a subnet
-
Open the Amazon VPC console at https://console.aws.amazon.com/vpc/
. -
In the navigation pane, choose Subnets.
-
Select your subnet, choose Subnet Actions, Edit IPv6 CIDRs.
-
Choose Add IPv6 CIDR. Specify the hexadecimal pair for the subnet (for example,
00
) and confirm the entry by choosing the tick icon. -
Choose Close. Repeat the steps for the other subnets in your VPC.
For more information, see VPC and subnet sizing for IPv6.
Step 2: Update your route tables
For a public subnet, you must update the route table to enable instances (such as web servers) to use the internet gateway for IPv6 traffic.
For a private subnet, you must update the route table to enable instances (such as database instances) to use an egress-only internet gateway for IPv6 traffic.
To update your route table for a public subnet
-
Open the Amazon VPC console at https://console.aws.amazon.com/vpc/
. -
In the navigation pane, choose Route Tables and select the route table that's associated with the public subnet.
-
On the Routes tab, choose Edit.
-
Choose Add another route. Specify
::/0
for Destination, select the ID of the internet gateway for Target, and then choose Save.
To update your route table for a private subnet
-
Open the Amazon VPC console at https://console.aws.amazon.com/vpc/
. -
If you're using a NAT device in your private subnet, it does not support IPv6 traffic. Instead, create an egress-only internet gateway for your private subnet to enable outbound communication to the internet over IPv6 and prevent inbound communication. An egress-only internet gateway supports IPv6 traffic only. For more information, see Egress-only internet gateways.
-
In the navigation pane, choose Route Tables and select the route table that's associated with the private subnet.
-
On the Routes tab, choose Edit.
-
Choose Add another route. For Destination, specify
::/0
. For Target, select the ID of the egress-only internet gateway, and then choose Save.
For more information, see Example routing options.
Step 3: Update your security group rules
To enable your instances to send and receive traffic over IPv6, you must update your security group rules to include rules for IPv6 addresses.
For example, in the example above, you can update the web server security group
(sg-11aa22bb11aa22bb1
) to add rules that allow inbound HTTP, HTTPS, and
SSH access from IPv6 addresses. You do not need to make any changes to the inbound
rules
for your database security group; the rule that allows all communication from
sg-11aa22bb11aa22bb1
includes IPv6 communication by default.
To update your security group rules
-
Open the Amazon VPC console at https://console.aws.amazon.com/vpc/
. -
In the navigation pane, choose Security Groups and select your web server security group.
-
In the Inbound Rules tab, choose Edit.
-
For each rule, choose Add another rule, and choose Save when you're done. For example, to add a rule that allows all HTTP traffic over IPv6, for Type, select HTTP and for Source, enter
::/0
.
By default, an outbound rule that allows all IPv6 traffic is automatically added your security groups when you associate an IPv6 CIDR block with your VPC. However, if you modified the original outbound rules for your security group, this rule is not automatically added, and you must add equivalent outbound rules for IPv6 traffic. For more information, see Security groups for your VPC.
Update your network ACL rules
If you associate an IPv6 CIDR block with your VPC, we automatically add rules to the default network ACL to allow IPv6 traffic, provided you haven't modified its default rules. If you've modified your default network ACL or if you've created a custom network ACL with rules to control the flow of traffic to and from your subnet, you must manually add rules for IPv6 traffic. For more information, see Network ACLs.
Step 4: Change your instance type
All current generation instance types support IPv6. For more information, see Instance types.
If your instance type does not support IPv6, you must resize the instance to a
supported instance type. In the example above, the database instance is an
m3.large
instance type, which does not support IPv6. You must resize
the instance to a supported instance type, for example, m4.large
.
To resize your instance, be aware of the compatibility limitations. For more
information, see Compatibility for resizing instances in the
Amazon EC2 User Guide for Linux Instances. In this scenario, if your database instance
was launched from an AMI that uses HVM virtualization, you can resize it to an
m4.large
instance type by using the following procedure.
To resize your instance, you must stop it. Stopping and starting an instance changes the public IPv4 address for the instance, if it has one. If you have any data stored on instance store volumes, the data is erased.
To resize your instance
-
Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/
. -
In the navigation pane, choose Instances, and select the database instance.
-
Choose Actions, Instance State, Stop.
-
In the confirmation dialog box, choose Yes, Stop.
-
With the instance still selected, choose Actions, Instance Settings, Change Instance Type.
-
For Instance Type, choose the new instance type, and then choose Apply.
-
To restart the stopped instance, select the instance and choose Actions, Instance State, Start. In the confirmation dialog box, choose Yes, Start.
If your instance is an instance store-backed AMI, you can't resize your instance using the earlier procedure. Instead, you can create an instance store-backed AMI from your instance, and launch a new instance from your AMI using a new instance type. For more information, see Creating an instance store-backed Linux AMI in the Amazon EC2 User Guide for Linux Instances, and Creating an instance store-backed Windows AMI in the Amazon EC2 User Guide for Windows Instances.
You may not be able to migrate to a new instance type if there are compatibility limitations. For example, if your instance was launched from an AMI that uses PV virtualization, the only instance type that supports both PV virtualization and IPv6 is C3. This instance type may not be suitable for your needs. In this case, you may have to reinstall your software on a base HVM AMI, and launch a new instance.
If you launch an instance from a new AMI, you can assign an IPv6 address to your instance during launch.
Step 5: Assign IPv6 addresses to your instances
After you've verified that your instance type supports IPv6, you can assign an IPv6 address to your instance using the Amazon EC2 console. The IPv6 address is assigned to the primary network interface (eth0) for the instance.
To assign an IPv6 address to your instance
-
Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/
. -
In the navigation pane, choose Instances.
-
Select your instance, and choose Actions, Networking, Manage IP Addresses.
-
Under IPv6 Addresses, choose Assign new IP. You can enter a specific IPv6 address from the range of your subnet, or you can leave the default
Auto-Assign
value to let Amazon choose one for you. -
Choose Yes, Update.
Alternatively, if you launch a new instance (for example, if you were unable to change the instance type and you created a new AMI instead), you can assign an IPv6 address during launch.
To assign an IPv6 address to an instance during launch
-
Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/
. -
Select your AMI and an IPv6-compatible instance type, and choose Next: Configure Instance Details.
-
On the Configure Instance Details page, select a VPC for Network and a subnet for Subnet. For Auto-assign IPv6 IP, select Enable.
-
Follow the remaining steps in the wizard to launch your instance.
You can connect to an instance using its IPv6 address. If you're connecting from a local computer, ensure that your local computer has an IPv6 address and is configured to use IPv6. For more information, see Connect to Your Linux Instance in the Amazon EC2 User Guide for Linux Instances and Connecting to Your Windows Instance in the Amazon EC2 User Guide for Windows Instances.
Step 6: (Optional) Configure IPv6 on your instances
If you launched your instance using Amazon Linux 2016.09.0 or later, Windows Server 2008 R2 or later, or Ubuntu Server 2018 or later, your instance is configured for IPv6 and no additional steps are required.
If you launched your instance from a different AMI, it might not be configured for IPv6 and DHCPv6, which means that any IPv6 address that you assign to the instance is not automatically recognized on the primary network interface.
To verify DHCPv6 on Linux
Use the ping6 command as follows.
$
ping6 ipv6.google.com
To verify DHCPv6 on Windows
Use the ping command as follows.
C:\>
ping -6 ipv6.google.com
If your instance is not configured already, you can configure it manually, as shown in the following procedures.
Manual configuration, by operating system
Amazon Linux
To configure your Amazon Linux instance
-
Connect to your instance using the instance's public IPv4 address.
-
Get the latest software packages for your instance:
sudo yum update -y
-
Using a text editor of your choice, open
/etc/sysconfig/network-scripts/ifcfg-eth0
and locate the following line:IPV6INIT=no
Replace that line with the following:
IPV6INIT=yes
Add the following two lines, and save your changes:
DHCPV6C=yes DHCPV6C_OPTIONS=-nw
-
Open
/etc/sysconfig/network
, remove the following lines, and save your changes:NETWORKING_IPV6=no IPV6INIT=no IPV6_ROUTER=no IPV6_AUTOCONF=no IPV6FORWARDING=no IPV6TO4INIT=no IPV6_CONTROL_RADVD=no
-
Open
/etc/hosts
, replace the contents with the following, and save your changes:127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost6 localhost6.localdomain6
-
Reboot your instance. Reconnect to your instance and use the
ifconfig
command to verify that the IPv6 address is recognized on the primary network interface.
Ubuntu
You can configure your Ubuntu instance to dynamically recognize any IPv6 address assigned to the network interface. If your instance does not have an IPv6 address, this configuration may cause the boot time of your instance to be extended by up to 5 minutes.
Ubuntu Server 16
These steps must be performed as the root user.
To configure an Ubuntu Server 16 instance
-
Connect to your instance using the instance's public IPv4 address.
-
View the contents of the
/etc/network/interfaces.d/50-cloud-init.cfg
file:cat /etc/network/interfaces.d/50-cloud-init.cfg
# This file is generated from information provided by # the datasource. Changes to it will not persist across an instance. # To disable cloud-init's network configuration capabilities, write a file # /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following: # network: {config: disabled} auto lo iface lo inet loopback auto eth0 iface eth0 inet dhcp
Verify that the loopback network device (
lo
) is configured, and take note of the name of the network interface. In this example, the network interface name iseth0
; the name may be different depending on the instance type. -
Create the file
/etc/network/interfaces.d/60-default-with-ipv6.cfg
and add the following line. If required, replaceeth0
with the name of the network interface that you retrieved in the step above.iface
eth0
inet6 dhcp -
Reboot your instance, or restart the network interface by running the following command. If required, replace
eth0
with the name of your network interface.sudo ifdown
eth0
; sudo ifupeth0
-
Reconnect to your instance and use the
ifconfig
command to verify that the IPv6 address is configured on the network interface.
To configure IPv6 using user data
-
You can launch a new Ubuntu instance and ensure that any IPv6 address assigned to the instance is automatically configured on the network interface by specifying the following user data during launch:
#!/bin/bash echo "iface
eth0
inet6 dhcp" >> /etc/network/interfaces.d/60-default-with-ipv6.cfg dhclient -6In this case, you do not have to connect to the instance to configure the IPv6 address.
For more information, see Running Commands on Your Linux Instance at Launch in the Amazon EC2 User Guide for Linux Instances.
Ubuntu Server 14
If you're using Ubuntu Server 14, you must include a workaround for a known issue
These steps must be performed as the root user.
To configure an Ubuntu Server 14 instance
-
Connect to your instance using the instance's public IPv4 address.
-
Edit the
/etc/network/interfaces.d/eth0.cfg
file so that it contains the following:auto lo iface lo inet loopback auto eth0 iface eth0 inet dhcp up dhclient -6 $IFACE
-
Reboot your instance:
sudo reboot
-
Reconnect to your instance and use the
ifconfig
command to verify that the IPv6 address is configured on the network interface.
Starting the DHCPv6 client
Alternatively, to bring up the IPv6 address for the network interface immediately without performing any additional configuration, you can start the DHCPv6 client for the instance. However, the IPv6 address does not persist on the network interface after reboot.
To start the DHCPv6 client on Ubuntu
-
Connect to your instance using the instance's public IPv4 address.
-
Start the DHCPv6 client:
sudo dhclient -6
-
Use the
ifconfig
command to verify that the IPv6 address is recognized on the primary network interface.
RHEL/CentOS
RHEL 7.4 and CentOS 7 and later use cloud-init/etc/sysconfig/network-scripts/ifcfg-eth0
file. You can create
a custom cloud-init
configuration file to enable DHCPv6, which
generates an ifcfg-eth0
file with settings that enable DHCPv6 after
each reboot.
Due to a known issue, if you're using RHEL/CentOS 7.4 with the latest
version of cloud-init-0.7.9, these steps might result in you losing
connectivity to your instance after reboot. As a workaround, you can
manually edit the /etc/sysconfig/network-scripts/ifcfg-eth0
file.
To configure a RHEL/CentOS instance using cloud-init
-
Connect to your instance using the instance's public IPv4 address.
-
Using a text editor of your choice, create a custom file, for example:
/etc/cloud/cloud.cfg.d/99-custom-networking.cfg
-
Add the following lines to your file, and save your changes:
network: version: 1 config: - type: physical name: eth0 subnets: - type: dhcp - type: dhcp6
-
Using a text editor of your choice, add the following line to the interface-specific file under
/etc/sysctl.d
. If you disabled Consistent Network Device Naming, the network-interface-name isethX
, or the secondary interface.net.ipv6.conf.
network-interface-name
.accept_ra=1In the following example, the network interface is
en5
.net.ipv6.conf.en5.accept_ra=1
-
Reboot your instance.
-
Reconnect to your instance and use the ifconfig command to verify that the IPv6 address is configured on the network interface.
Alternatively, you can use the following procedure to modify the
/etc/sysconfig/network-scripts/ifcfg-eth0
file directly.
You must use this method with earlier version of RHEL and CentOS that don't support
cloud-init.
To configure a RHEL/CentOS instance
-
Connect to your instance using the instance's public IPv4 address.
-
Using a text editor of your choice, open
/etc/sysconfig/network-scripts/ifcfg-eth0
and locate the following line:IPV6INIT="no"
Replace that line with the following:
IPV6INIT="yes"
Add the following two lines, and save your changes:
DHCPV6C=yes NM_CONTROLLED=no
-
Open
/etc/sysconfig/network
, add or amend the following line as follows, and save your changes:NETWORKING_IPV6=yes
-
Restart networking on your instance by running the following command:
sudo service network restart
You can use the ifconfig command to verify that the IPv6 address is recognized on the primary network interface.
To troubleshoot RHEL 6 or CentOS 6
If you restart networking and you get an error that an IPv6 address cannot
be obtained, open /etc/sysconfig/network-scripts/ifup-eth
and locate the following line (by default, it's line 327):
if /sbin/dhclient "$DHCLIENTARGS"; then
Remove the quotes that surround $DHCLIENTARGS
and save
your changes. Restart networking on your instance:
sudo service network restart
Windows
Use the following procedures to configure IPv6 on Windows Server 2003 and Windows Server 2008 SP2.
To ensure that IPv6 is preferred over IPv4, download the fix named Prefer IPv6 over IPv4 in prefix policies from the
following Microsoft support page: https://support.microsoft.com/en-us/help/929852/how-to-disable-ipv6-or-its-components-in-windows
To enable and configure IPv6 on Windows Server 2003
-
Get the IPv6 address of your instance by using the describe-instances AWS CLI command, or by checking the IPv6 IPs field for the instance in the Amazon EC2 console.
-
Connect to your instance using the instance's public IPv4 address.
-
From within your instance, choose Start, Control Panel, Network Connections, Local Area Connection.
-
Choose Properties, and then choose Install.
-
Choose Protocol, and choose Add. In the Network Protocol list, choose Microsoft TCP/IP version 6, and then choose OK.
-
Open the command prompt and open the network shell.
netsh
-
Switch to the interface IPv6 context.
interface ipv6
-
Add the IPv6 address to the local area connection using the following command. Replace the value for the IPv6 address with the IPv6 address for your instance.
add address "Local Area Connection" "
ipv6-address
"For example:
add address "Local Area Connection" "
2001:db8:1234:1a00:1a01:2b:12:d08b
" -
Exit the network shell.
exit
-
Use the
ipconfig
command to verify that the IPv6 address is recognized for the Local Area Connection.
To enable and configure IPv6 on Windows Server 2008 SP2
-
Get the IPv6 address of your instance by using the describe-instances AWS CLI command, or by checking the IPv6 IPs field for the instance in the Amazon EC2 console.
-
Connect to your Windows instance using the instance's public IPv4 address.
-
Choose Start, Control Panel.
-
Open the Network and Sharing Center, then open Network Connections.
-
Right-click Local Area Network (for the network interface) and choose Properties.
-
Choose the Internet Protocol Version 6 (TCP/IPv6) check box, and choose OK.
-
Open the properties dialog box for Local Area Network again. Choose Internet Protocol Version 6 (TCP/IPv6) and choose Properties.
-
Choose Use the following IPv6 address and do the following:
-
For IPv6 Address, enter the IPv6 address you obtained in step 1.
-
For Subnet prefix length, enter
64
.
-
-
Choose OK and close the properties dialog box.
-
Open the command prompt. Use the
ipconfig
command to verify that the IPv6 address is recognized for the Local Area Connection.