Sign In to the Console
Amazon Virtual Private Cloud
User Guide

AWS Documentation » Amazon VPC » User Guide » IP Addressing in Your VPC » Migrating to IPv6

Migrating to IPv6

If you have an existing VPC that supports IPv4 only, and resources in your subnet that are configured to use IPv4 only, you can enable IPv6 support for your VPC and resources. Your VPC can operate in dual-stack mode — your resources can communicate over IPv4, or IPv6, or both. IPv4 and IPv6 communication are independent of each other.

You cannot disable IPv4 support for your VPC and subnets; this is the default IP addressing system for Amazon VPC and Amazon EC2.

Note

This information assumes that you have an existing VPC with public and private subnets. For information about setting up a new VPC for use with IPv6, see Getting Started with IPv6 for Amazon VPC.

The following table provides an overview of the steps to enable your VPC and subnets to use IPv6.

Step Notes
Step 1: Associate an IPv6 CIDR Block with Your VPC and Subnets Associate an Amazon-provided IPv6 CIDR block with your VPC and with your subnets.
Step 2: Update Your Route Tables Update your route tables to route your IPv6 traffic. For a public subnet, create a route that routes all IPv6 traffic from the subnet to the internet gateway. For a private subnet, create a route that routes all internet-bound IPv6 traffic from the subnet to an egress-only internet gateway.
Step 3: Update Your Security Group Rules Update your security group rules to include rules for IPv6 addresses. This enables IPv6 traffic to flow to and from your instances. If you've created custom network ACL rules to control the flow of traffic to and from your subnet, you must include rules for IPv6 traffic.
Step 4: Change Your Instance Type If your instance type does not support IPv6, change the instance type.
Step 5: Assign IPv6 Addresses to Your Instances Assign IPv6 addresses to your instances from the IPv6 address range of your subnet.
Step 6: (Optional) Configure IPv6 on Your Instances If your instance was launched from an AMI that is not configured to use DHCPv6, you must manually configure your instance to recognize an IPv6 address assigned to the instance.

Before you migrate to using IPv6, ensure that you have read the features of IPv6 addressing for Amazon VPC: IPv4 and IPv6 Characteristics and Restrictions.

Example: Enabling IPv6 in a VPC With a Public and Private Subnet

In this example, your VPC has a public and a private subnet. You have a database instance in your private subnet that has outbound communication with the internet through a NAT gateway in your VPC. You have a public-facing web server in your public subnet that has internet access through the internet gateway. The following diagram represents the architecture of your VPC.

VPC with public and private subnets

The security group for your web server (sg-11aa22bb) has the following inbound rules:

Type Protocol Port range Source Comment
All traffic All All sg-33cc44dd Allows inbound access for all traffic from instances associated with sg-33cc44dd (the database instance).
HTTP TCP 80 0.0.0.0/0 Allows inbound traffic from the internet over HTTP.
HTTPS TCP 443 0.0.0.0/0 Allows inbound traffic from the internet over HTTPS.
SSH TCP 22 203.0.113.123/32 Allows inbound SSH access from your local computer; for example, when you need to connect to your instance to perform administration tasks.

The security group for your database instance (sg-33cc44dd) has the following inbound rule:

Type Protocol Port range Source Comment
MySQL TCP 3306 sg-11aa22bb Allows inbound access for MySQL traffic from instances associated with sg-11aa22bb (the web server instance).

Both security groups have the default outbound rule that allows all outbound IPv4 traffic, and no other outbound rules.

Your web server is t2.medium instance type. Your database server is an m3.large.

You want your VPC and resources to be enabled for IPv6, and you want them to operate in dual-stack mode; in other words, you want to use both IPv6 and IPv4 addressing between resources in your VPC and resources over the internet.

After you've completed the steps, your VPC will have the following configuration.

VPC with public and private subnets

Step 1: Associate an IPv6 CIDR Block with Your VPC and Subnets

You can associate an IPv6 CIDR block with your VPC, and then associate a /64 CIDR block from that range with each subnet.

To associate an IPv6 CIDR block with a VPC

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Your VPCs.

  3. Select your VPC, choose Actions, Edit CIDRs.

  4. Choose Add IPv6 CIDR. After the IPv6 CIDR block has been added, choose Close.

To associate an IPv6 CIDR block with a subnet

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Subnets.

  3. Select your subnet, choose Subnet Actions, Edit IPv6 CIDRs.

  4. Choose Add IPv6 CIDR. Specify the hexadecimal pair for the subnet (for example, 00) and confirm the entry by choosing the tick icon.

  5. Choose Close. Repeat the steps for the other subnets in your VPC.

For more information, see VPC and Subnet Sizing for IPv6.

Step 2: Update Your Route Tables

For a public subnet, you must update the route table to enable instances (such as web servers) to use the internet gateway for IPv6 traffic.

For a private subnet, you must update the route table to enable instances (such as database instances) to use an egress-only internet gateway for IPv6 traffic.

To update your route table for a public subnet

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Route Tables and select the route table that's associated with the public subnet.

  3. On the Routes tab, choose Edit.

  4. Choose Add another route. Specify ::/0 for Destination, select the ID of the internet gateway for Target, and then choose Save.

To update your route table for a private subnet

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. If you're using a NAT device in your private subnet, it does not support IPv6 traffic. Instead, create an egress-only internet gateway for your private subnet to enable outbound communication to the internet over IPv6 and prevent inbound communication. An egress-only internet gateway supports IPv6 traffic only. For more information, see Egress-Only Internet Gateways.

  3. In the navigation pane, choose Route Tables and select the route table that's associated with the private subnet.

  4. On the Routes tab, choose Edit.

  5. Choose Add another route. For Destination, specify ::/0. For Target, select the ID of the egress-only internet gateway, and then choose Save.

For more information, see Routing Options.

Step 3: Update Your Security Group Rules

To enable your instances to send and receive traffic over IPv6, you must update your security group rules to include rules for IPv6 addresses.

For example, in the example above, you can update the web server security group (sg-11aa22bb) to add rules that allow inbound HTTP, HTTPS, and SSH access from IPv6 addresses. You do not need to make any changes to the inbound rules for your database security group; the rule that allows all communication from sg-11aa22bb includes IPv6 communication by default.

To update your security group rules

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Security Groups and select your web server security group.

  3. In the Inbound Rules tab, choose Edit.

  4. For each rule, choose Add another rule, and choose Save when you're done. For example, to add a rule that allows all HTTP traffic over IPv6, for Type, select HTTP and for Source, enter ::/0.

By default, an outbound rule that allows all IPv6 traffic is automatically added your security groups when you associate an IPv6 CIDR block with your VPC. However, if you modified the original outbound rules for your security group, this rule is not automatically added, and you must add equivalent outbound rules for IPv6 traffic. For more information, see Security Groups for Your VPC.

Update Your Network ACL Rules

If you associate an IPv6 CIDR block with your VPC, we automatically add rules to the default network ACL to allow IPv6 traffic, provided you haven't modified its default rules. If you've modified your default network ACL or if you've created a custom network ACL with rules to control the flow of traffic to and from your subnet, you must manually add rules for IPv6 traffic. For more information, see Recommended Network ACL Rules for Your VPC.

Step 4: Change Your Instance Type

All current generation instance types support IPv6. For more information, see Instance Types.

If your instance type does not support IPv6, you must resize the instance to a supported instance type. In the example above, the database instance is an m3.large instance type, which does not support IPv6. You must resize the instance to a supported instance type, for example, m4.large.

To resize your instance, be aware of the compatibility limitations. For more information, see Compatibility for Resizing Instances in the Amazon EC2 User Guide for Linux Instances. In this scenario, if your database instance was launched from an AMI that uses HVM virtualization, you can resize it to an m4.large instance type by using the following procedure.

Important

To resize your instance, you must stop it. Stopping and starting an instance changes the public IPv4 address for the instance, if it has one. If you have any data stored on instance store volumes, the data is erased.

To resize your instance

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Instances, and select the database instance.

  3. Choose Actions, Instance State, Stop.

  4. In the confirmation dialog box, choose Yes, Stop.

  5. With the instance still selected, choose Actions, Instance Settings, Change Instance Type.

  6. For Instance Type, choose the new instance type, and then choose Apply.

  7. To restart the stopped instance, select the instance and choose Actions, Instance State, Start. In the confirmation dialog box, choose Yes, Start.

If your instance is an instance store-backed AMI, you can't resize your instance using the earlier procedure. Instead, you can create an instance store-backed AMI from your instance, and launch a new instance from your AMI using a new instance type. For more information, see Creating an Instance Store-Backed Linux AMI in the Amazon EC2 User Guide for Linux Instances, and Creating an Instance Store-Backed Windows AMI in the Amazon EC2 User Guide for Windows Instances.

You may not be able to migrate to a new instance type if there are compatibility limitations. For example, if your instance was launched from an AMI that uses PV virtualization, the only instance type that supports both PV virtualization and IPv6 is C3. This instance type may not be suitable for your needs. In this case, you may have to reinstall your software on a base HVM AMI, and launch a new instance.

If you launch an instance from a new AMI, you can assign an IPv6 address to your instance during launch.

Step 5: Assign IPv6 Addresses to Your Instances

After you've verified that your instance type supports IPv6, you can assign an IPv6 address to your instance using the Amazon EC2 console. The IPv6 address is assigned to the primary network interface (eth0) for the instance.

To assign an IPv6 address to your instance

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Instances.

  3. Select your instance, and choose Actions, Networking, Manage IP Addresses.

  4. Under IPv6 Addresses, choose Assign new IP. You can enter a specific IPv6 address from the range of your subnet, or you can leave the default Auto-Assign value to let Amazon choose one for you.

  5. Choose Yes, Update.

Alternatively, if you launch a new instance (for example, if you were unable to resize your instance and you created a new AMI instead), you can assign an IPv6 address during launch.

To assign an IPv6 address to an instance during launch

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. Select your AMI and an IPv6-compatible instance type, and choose Next: Configure Instance Details.

  3. On the Configure Instance Details page, select a VPC for Network and a subnet for Subnet. For Auto-assign IPv6 IP, select Enable.

  4. Follow the remaining steps in the wizard to launch your instance.

Step 6: (Optional) Configure IPv6 on Your Instances

If you launched your instance using Amazon Linux 2016.09.0 or later, or Windows Server 2008 R2 or later, your instance is configured for IPv6 and no additional steps are required.

If you launched your instance from a different AMI, it may not be configured for DHCPv6, which means that any IPv6 address that you assign to the instance is not automatically recognized on the primary network interface. To verify if the IPv6 address is configured on your network interface, use the ifconfig command on Linux, or the ipconfig command on Windows.

You can configure your instance using the following steps. You'll need to connect to your instance using its public IPv4 address. For more information, see Connect to Your Linux Instance in the Amazon EC2 User Guide for Linux Instances and Connecting to Your Windows Instance in the Amazon EC2 User Guide for Windows Instances.

Amazon Linux

To configure DHCPv6 on Amazon Linux

  1. Connect to your instance using the instance's public IPv4 address.

  2. Get the latest software packages for your instance:

    sudo yum update -y

  3. Using a text editor of your choice, open /etc/sysconfig/network-scripts/ifcfg-eth0 and locate the following line: 

    IPV6INIT=no

    Replace that line with the following:

    IPV6INIT=yes

    Add the following two lines, and save your changes:

    DHCPV6C=yes
DHCPV6C_OPTIONS=-nw

  4. Open /etc/sysconfig/network, remove the following lines, and save your changes: 

    NETWORKING_IPV6=no
IPV6INIT=no
IPV6_ROUTER=no
IPV6_AUTOCONF=no
IPV6FORWARDING=no
IPV6TO4INIT=no
IPV6_CONTROL_RADVD=no

  5. Open /etc/hosts, replace the contents with the following, and save your changes: 

    127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost6 localhost6.localdomain6

  6. Reboot your instance. Reconnect to your instance and use the ifconfig command to verify that the IPv6 address is recognized on the primary network interface.

Ubuntu

You can configure your Ubuntu instance to dynamically recognize any IPv6 address assigned to the network interface. If your instance does not have an IPv6 address, this configuration may cause the boot time of your instance to be extended by up to 5 minutes.

These steps must be performed as the root user.

Ubuntu Server 16

To configure IPv6 on a running Ubuntu Server 16 instance

  1. Connect to your instance using the instance's public IPv4 address.

  2. View the contents of the /etc/network/interfaces.d/50-cloud-init.cfg file: 

    cat /etc/network/interfaces.d/50-cloud-init.cfg
    # This file is generated from information provided by
# the datasource.  Changes to it will not persist across an instance.
# To disable cloud-init's network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

    Verify that the loopback network device (lo) is configured, and take note of the name of the network interface. In this example, the network interface name is eth0; the name may be different depending on the instance type.

  3. Create the file /etc/network/interfaces.d/60-default-with-ipv6.cfg and add the following line. If required, replace eth0 with the name of the network interface that you retrieved in the step above. 

    iface eth0 inet6 dhcp

  4. Reboot your instance, or restart the network interface by running the following command. If required, replace eth0 with the name of your network interface. 

    sudo ifdown eth0 ; sudo ifup eth0

  5. Reconnect to your instance and use the ifconfig command to verify that the IPv6 address is configured on the network interface.

To configure IPv6 using user data

  • You can launch a new Ubuntu instance and ensure that any IPv6 address assigned to the instance is automatically configured on the network interface by specifying the following user data during launch: 

    #!/bin/bash
echo "iface eth0 inet6 dhcp" >> /etc/network/interfaces.d/60-default-with-ipv6.cfg
dhclient -6

    In this case, you do not have to connect to the instance to configure the IPv6 address.

    For more information, see Running Commands on Your Linux Instance at Launch in the Amazon EC2 User Guide for Linux Instances.

Ubuntu Server 14

If you're using Ubuntu Server 14, you must include a workaround for a known issue that occurs when restarting a dual-stack network interface (the restart results in an extended timeout during which your instance is unreachable).

These steps must be performed as the root user.

To configure IPv6 on a running Ubuntu Server 14 instance

  1. Connect to your instance using the instance's public IPv4 address.

  2. Edit the /etc/network/interfaces.d/eth0.cfg file so that it contains the following: 

    auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
    up dhclient -6 $IFACE

  3. Reboot your instance: 

    sudo reboot

  4. Reconnect to your instance and use the ifconfig command to verify that the IPv6 address is configured on the network interface.

Starting the DHCPv6 Client

Alternatively, to bring up the IPv6 address for the network interface immediately without performing any additional configuration, you can start the DHCPv6 client for the instance. However, the IPv6 address does not persist on the network interface after reboot.

To start the DHCPv6 client on Ubuntu

  1. Connect to your instance using the instance's public IPv4 address.

  2. Start the DHCPv6 client:

    sudo dhclient -6

  3. Use the ifconfig command to verify that the IPv6 address is recognized on the primary network interface.

RHEL/CentOS

RHEL 7.4 and CentOS 7 and later use cloud-init to configure your network interface and generate the /etc/sysconfig/network-scripts/ifcfg-eth0 file. You can create a custom cloud-init configuration file to enable DHCPv6, which generates an ifcfg-eth0 file with settings that enable DHCPv6 after each reboot.

Note

Due to a known issue, if you're using RHEL/CentOS 7.4 with the latest version of cloud-init-0.7.9, these steps might result in you losing connectivity to your instance after reboot. As a workaround, you can manually edit the /etc/sysconfig/network-scripts/ifcfg-eth0 file.

To configure DHCPv6 on RHEL 7.4 or CentOS 7

  1. Connect to your instance using the instance's public IPv4 address.

  2. Using a text editor of your choice, create a custom file, for example: 

    /etc/cloud/cloud.cfg.d/99-custom-networking.cfg

  3. Add the following lines to your file, and save your changes:

    network:
  version: 1
  config:
  - type: physical
    name: eth0
    subnets:
      - type: dhcp
      - type: dhcp6

  4. Reboot your instance.

  5. Reconnect to your instance and use the ifconfig command to verify that the IPv6 address is configured on the network interface.

For RHEL versions 7.3 and earlier, you can use the following procedure to modify the /etc/sysconfig/network-scripts/ifcfg-eth0 file directly.

To configure DHCPv6 on RHEL 7.3 and earlier

  1. Connect to your instance using the instance's public IPv4 address.

  2. Using a text editor of your choice, open /etc/sysconfig/network-scripts/ifcfg-eth0 and locate the following line: 

    IPV6INIT="no"

    Replace that line with the following:

    IPV6INIT="yes"

    Add the following two lines, and save your changes:

    DHCPV6C=yes
NM_CONTROLLED=no

  3. Open /etc/sysconfig/network, add or amend the following line as follows, and save your changes: 

    NETWORKING_IPV6=yes

  4. Restart networking on your instance by running the following command: 

    sudo service network restart

    You can use the ifconfig command to verify that the IPv6 address is recognized on the primary network interface.

To configure DHCPv6 on RHEL 6 or CentOS 6

  1. Connect to your instance using the instance's public IPv4 address.

  2. Follow steps 2 - 4 in the procedure above for configuring RHEL 7/CentOS 7.

  3. If you restart networking and you get an error that an IPv6 address cannot be obtained, open /etc/sysconfig/network-scripts/ifup-eth and locate the following line (by default, it's line 327): 

    if /sbin/dhclient "$DHCLIENTARGS"; then

    Remove the quotes that surround $DHCLIENTARGS and save your changes. Restart networking on your instance: 

    sudo service network restart

Windows

Use the following procedures to configure IPv6 on Windows Server 2003 and Windows Server 2008 SP2.

To ensure that IPv6 is preferred over IPv4, download the fix named Prefer IPv6 over IPv4 in prefix policies from the following Microsoft support page: https://support.microsoft.com/en-us/help/929852/how-to-disable-ipv6-or-its-components-in-windows.

To enable and configure IPv6 on Windows Server 2003

  1. Get the IPv6 address of your instance by using the describe-instances AWS CLI command, or by checking the IPv6 IPs field for the instance in the Amazon EC2 console.

  2. Connect to your instance using the instance's public IPv4 address.

  3. From within your instance, choose Start, Control Panel, Network Connections, Local Area Connection.

  4. Choose Properties, and then choose Install.

  5. Choose Protocol, and choose Add. In the Network Protocol list, choose Microsoft TCP/IP version 6, and then choose OK.

  6. Open the command prompt and open the network shell.

    netsh

  7. Switch to the interface IPv6 context.

    interface ipv6

  8. Add the IPv6 address to the local area connection using the following command. Replace the value for the IPv6 address with the IPv6 address for your instance. 

    add address "Local Area Connection" "ipv6-address"

    For example:

    add address "Local Area Connection" "2001:db8:1234:1a00:1a01:2b:12:d08b"

  9. Exit the network shell.

    exit

  10. Use the ipconfig command to verify that the IPv6 address is recognized for the Local Area Connection.

To enable and configure IPv6 on Windows Server 2008 SP2

  1. Get the IPv6 address of your instance by using the describe-instances AWS CLI command, or by checking the IPv6 IPs field for the instance in the Amazon EC2 console.

  2. Connect to your Windows instance using the instance's public IPv4 address.

  3. Choose Start, Control Panel.

  4. Open the Network and Sharing Center, then open Network Connections.

  5. Right-click Local Area Network (for the network interface) and choose Properties.

  6. Choose the Internet Protocol Version 6 (TCP/IPv6) check box, and choose OK.

  7. Open the properties dialog box for Local Area Network again. Choose Internet Protocol Version 6 (TCP/IPv6) and choose Properties.

  8. Choose Use the following IPv6 address and do the following:

    • For IPv6 Address, enter the IPv6 address you obtained in step 1.

    • For Subnet prefix length, enter 64.

  9. Choose OK and close the properties dialog box.

  10. Open the command prompt. Use the ipconfig command to verify that the IPv6 address is recognized for the Local Area Connection.