AWS claims 'monumental step forward' with optional IPv6-only networks
10 quintillion IP addresses per subnet but expect some pain
AWS customers can now create IPv6-only virtual private cloud (VPC) networks, with the company claiming it is a "monumental step forward" towards the enablement of IPv6 on its cloud.
Systems running dual network stacks (supporting both IPv4 and IPv6 addresses) are commonplace, but IPv6-only is less common. The new feature allows admins to create an IPv6-only subnet within a dual-stack VPC.
A limitation is that EC2 (Elastic Compute Cloud) instances launched into IPv6-only subnets must be built on Nitro, a custom hypervisor and network card which has both performance and security advantages.
Each subnet has a /64 CIDR (Classless Inter-Domain Routing) range, offering "approximately 10 quintillion IP addresses for applications," according to AWS.
In a separate post, solutions architect Rohit Aswani and senior product manager Aditya Santhanam said that the capability is "ideal if you have workloads, such as serverless and container applications, that consume a large number of IP addresses."
AWS has enabled its local Instance Metadata Service (IMDS), Time Sync, and VPC DNS server to be accessed with IPv6 addresses. Currently some operations can only be done with the AWS API or CLI (command-line interface) and not from the web-based console. The IMDS is used to retrieve data about, and to configure, EC2 VMs, so it is a critical part of the AWS infrastructure.
To make them a little easier to remember, the local addresses for the instance services all use the ULA (Unique Local IPv6 Unicast Address) prefix fd00:ec2. For example, the Time Sync service is at fd00:ec2::123.
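As an added example (not code from the article or from AWS), the following script queries the IMDS over its IPv6 address using the IMDSv2 token flow; the fd00:ec2::254 and 169.254.169.254 endpoint literals are taken from AWS documentation rather than this article, and the IPv6 endpoint is assumed to have been enabled in the instance's metadata options.

```python
"""Query the EC2 Instance Metadata Service over IPv6 using IMDSv2.

IMDSv2 requires a session token obtained with a PUT before any GET, which
closes the classic SSRF-to-credential-theft path; the PUT response hop
limit defaults to 1, so the request has to originate on the instance.
"""
import ipaddress
import urllib.request

# AWS-documented IMDS endpoints; the IPv6 one sits in the fd00:ec2:: ULA
# range the article describes. Neither literal appears in the article.
IMDS_IPV6 = "fd00:ec2::254"
IMDS_IPV4 = "169.254.169.254"
TOKEN_TTL = 21600  # seconds; IMDSv2 allows at most six hours


def imds_base_url(endpoint: str) -> str:
    """Build the base URL; an IPv6 literal must be bracketed in a URL."""
    addr = ipaddress.ip_address(endpoint)
    host = f"[{addr}]" if addr.version == 6 else str(addr)
    return f"http://{host}"


def _urllib_http(method: str, url: str, headers: dict) -> str:
    """Minimal HTTP client; swapped out for a fake in offline tests."""
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def imds_get(path: str, endpoint: str = IMDS_IPV6, http=_urllib_http) -> str:
    """IMDSv2 flow: PUT for a session token, then GET with the token header."""
    base = imds_base_url(endpoint)
    token = http("PUT", f"{base}/latest/api/token",
                 {"X-aws-ec2-metadata-token-ttl-seconds": str(TOKEN_TTL)})
    return http("GET", f"{base}/latest/{path.lstrip('/')}",
                {"X-aws-ec2-metadata-token": token})


if __name__ == "__main__":
    # Only meaningful on a Nitro instance with the IPv6 IMDS endpoint enabled.
    print(imds_get("meta-data/instance-id"))
```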
IPv6-only interfaces can be exposed to the public internet, subject to security group rules in the normal way. An issue though is what happens if clients are on IPv4-only networks.
Aswani and Santhanam explained that "if the end user is located in a corporate network that doesn’t support IPv6 address space, you need to launch a dual-stack instance in a dual-stack subnet which the user can SSH into via public IPv4 address first. Then, from that dual-stack instance, the user can SSH into the IPv6-only instance."
The same logic would apply to other applications that need to be accessible via IPv4, but to call services in an IPv6-only subnet. The general approach would be IPv6 for the core, and IPv4 for public accessibility. A full walkthrough of setting up an IPv6-only subnet in an AWS VPC is here.
AWS is ahead of rivals Microsoft and Google in its IPv6-only enablement. Both Azure and GCP support dual-stack virtual networks but do not match what AWS now offers.
It may seem that an IPv6-only subnet is all pain and no gain for administrators. There are some potential benefits, though, one being a strategic one, in that it gives developers and hardware vendors an incentive to ensure applications work correctly in IPv6 and may therefore accelerate its adoption.
Another benefit is eliminating the risk of IP address conflicts, for example when a VPN connects two local networks both of which use the same local IPv4 address range. When will IPv4 become legacy and IPv6 the norm? That moment always seems to be five to 10 years away.®