Amazon ECS announces IPv6-only support

Amazon Elastic Container Service (Amazon ECS) now supports IPv6-only workloads, so users can run containerized applications in IPv6-only environments without IPv4 dependencies while maintaining compatibility with existing applications and Amazon Web Services (AWS) services. Amazon ECS has previously supported IPv4 and dual-stack subnets; this new capability expands the networking options to address emerging user needs.

Organizations worldwide are not only rapidly scaling their containerized applications but also facing IPv4 address exhaustion challenges, leading to service disruptions and deployment delays. In IPv4 networks, containers in private subnets need NAT gateways for internet access, adding operational complexity through multi-AZ deployments, ongoing configuration, and increased costs from NAT gateway hours and public IPv4 address charges. Furthermore, many organizations, particularly federal agencies, now face regulatory requirements mandating IPv6 adoption.

IPv6-only support means that Amazon ECS tasks can:

This native IPv6 support helps organizations streamline network architecture, improve security posture through streamlined access control, and meet compliance requirements for IPv6 adoption.

Configuring IPv6-only networking in Amazon ECS

Setting up IPv6-only networking in Amazon ECS builds on existing AWS networking constructs with minimal configuration changes:

  1. Prepare your VPC and subnets: Add an IPv6 CIDR block to your VPC, then create new subnets with only IPv6 CIDR blocks for your IPv6-only workloads. In these subnets, enable automatic assignment of IPv6 addresses to ENIs and set the IPv6-only attribute to true.
  2. Configure security groups: Set up security groups to allow necessary IPv6 traffic, using ::/0 or specific IPv6 CIDRs as needed. Network ACLs must allow IPv6 traffic patterns, including ICMPv6 for functions such as Neighbor Discovery. Route tables should direct IPv6 traffic through internet gateways for public subnets or Egress-Only internet gateways for private subnets.
  3. Create IPv6 target groups: For Application Load Balancers (ALBs) and Network Load Balancers (NLBs), create IPv6 target groups with IP as the target type. Configure health checks to match your application endpoints.
  4. Deploy your ECS service: Launch your Amazon ECS service in IPv6-enabled subnets using awsvpc network mode. If you are using load balancing, then specify your IPv6 target groups. Amazon ECS automatically handles task placement, network interface configuration, target group registration, and service discovery.
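The four steps above, expressed as one Terraform configuration. This is an added example, not code from the AWS post or from the Amazon ECS team, and it assumes an existing ECS cluster, task definition and dual-stack ALB (passed in as variables) plus a NAT gateway in a separate dual-stack public subnet that provides the NAT64 translation; the resource names, ports and health check path are illustrative.

```hcl
# Added example (not from the post). Assumed inputs: cluster, task definition,
# the ALB's security group, and a NAT gateway (in a dual-stack public subnet)
# that performs NAT64 for IPv4-only destinations.
variable "cluster_arn"           { type = string }
variable "task_definition_arn"   { type = string }
variable "alb_security_group_id" { type = string }
variable "nat64_gateway_id"      { type = string }

# Step 1: VPC with an Amazon-provided IPv6 block and an IPv6-only subnet.
resource "aws_vpc" "main" {
  cidr_block                       = "10.0.0.0/16" # a VPC still needs an IPv4 CIDR
  assign_generated_ipv6_cidr_block = true
  enable_dns_support               = true
  enable_dns_hostnames             = true
}

resource "aws_subnet" "v6only" {
  vpc_id                          = aws_vpc.main.id
  ipv6_cidr_block                 = cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, 1)
  ipv6_native                     = true # IPv6-only: no IPv4 CIDR on this subnet
  assign_ipv6_address_on_creation = true # ENIs automatically get an IPv6 address
  enable_dns64                    = true # synthesize AAAA records for IPv4-only hosts
}

# Step 2: private outbound IPv6 via an egress-only IGW, NAT64 route for the
# well-known 64:ff9b::/96 prefix, and a security group that admits only the ALB.
resource "aws_egress_only_internet_gateway" "eigw" {
  vpc_id = aws_vpc.main.id
}

resource "aws_route_table" "v6only" {
  vpc_id = aws_vpc.main.id

  route {
    ipv6_cidr_block        = "::/0"
    egress_only_gateway_id = aws_egress_only_internet_gateway.eigw.id
  }

  route {
    ipv6_cidr_block = "64:ff9b::/96" # DNS64-synthesized addresses go to NAT64
    nat_gateway_id  = var.nat64_gateway_id
  }
}

resource "aws_route_table_association" "v6only" {
  subnet_id      = aws_subnet.v6only.id
  route_table_id = aws_route_table.v6only.id
}

resource "aws_security_group" "tasks" {
  name   = "ecs-v6only-tasks"
  vpc_id = aws_vpc.main.id

  ingress {
    description     = "application port, from the load balancer only"
    from_port       = 8080
    to_port         = 8080
    protocol        = "tcp"
    security_groups = [var.alb_security_group_id] # no ::/0 ingress needed
  }

  egress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    ipv6_cidr_blocks = ["::/0"] # no IPv4 egress rule: the subnet has no IPv4
  }
}

# Step 3: IPv6 target group with IP targets (awsvpc tasks register by address).
resource "aws_lb_target_group" "v6" {
  name            = "ecs-v6-tg"
  port            = 8080
  protocol        = "HTTP"
  target_type     = "ip"
  ip_address_type = "ipv6"
  vpc_id          = aws_vpc.main.id

  health_check {
    path    = "/healthz" # assumed application health endpoint
    matcher = "200"
  }
}

# Step 4: the ECS service in the IPv6-only subnet using awsvpc networking.
resource "aws_ecs_service" "app" {
  name            = "app-v6only"
  cluster         = var.cluster_arn
  task_definition = var.task_definition_arn
  desired_count   = 2
  launch_type     = "FARGATE"

  network_configuration {
    subnets          = [aws_subnet.v6only.id]
    security_groups  = [aws_security_group.tasks.id]
    assign_public_ip = false # egress-only IGW handles outbound, nothing inbound
  }

  load_balancer {
    target_group_arn = aws_lb_target_group.v6.arn
    container_name   = "app"
    container_port   = 8080
  }
}
```

Two design points: the task security group admits the application port only from the ALB's security group rather than from `::/0`, so a globally routable IPv6 task address is not directly reachable from the internet; and outbound traffic leaves through the egress-only internet gateway (IPv6) or the NAT64 route (IPv4-only destinations), neither of which accepts unsolicited inbound connections. The subnet's network ACL is left at the default here; if you tighten it, keep ICMPv6 (protocol 58) allowed so Neighbor Discovery keeps working.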

Amazon ECS doesn’t require any additional IPv6-specific configuration parameters. The service automatically adapts to your subnet configuration: in IPv6-only subnets the tasks receive IPv6 addresses, and in dual-stack subnets the tasks can receive both IPv4 and IPv6 addresses.

Supporting services

This section outlines the following supporting services: Amazon ECR, service discovery and Amazon ECS Service Connect, storage and database integration, and internet services.

Amazon ECR

When running containerized workloads in IPv6-only subnets, container images stored in Amazon ECR and Amazon ECR Public must be downloaded through the dual-stack Amazon ECR public endpoints. When running containerized workloads in IPv4 or dual-stack subnets, Amazon ECR VPC endpoints and/or Amazon S3 VPC endpoints can be used to download container images. Container image operations first authenticate through the Amazon ECR endpoint, then the actual binary data flows directly through the Amazon S3 VPC endpoint.

Service discovery and Amazon ECS Service Connect

AWS Cloud Map supports AAAA records for service discovery in ECS clusters. Amazon ECS Service Connect also handles IPv6 traffic automatically, enabling secure service-to-service communication across same-VPC and cross-VPC scenarios. For users exposing Amazon ECS workloads through VPC Lattice with IPv6-only services, tasks automatically register with IPv6 endpoints.

Storage and database integration

Amazon ECS tasks in IPv6-only subnets can connect seamlessly over IPv6 to other AWS resources such as an S3 bucket, an Amazon Elastic File System (Amazon EFS) file system, or an Amazon Relational Database Service (Amazon RDS) or Amazon Aurora database instance. Check the AWS services that support IPv6 documentation for the most up-to-date information.

Internet services

For integration with internet services that only support IPv4, use DNS64/NAT64 in your VPC for protocol translation. DNS64 synthesizes IPv6 addresses from IPv4-only DNS responses, and NAT64 translates the resulting traffic, allowing your IPv6-only ECS tasks to connect to IPv4 services seamlessly.

Migration strategies

Several strategies are available for migrating existing IPv4 or dual-stack ECS services to IPv6.

If an existing Amazon ECS service is not a web or API workload attached to an ALB or NLB, then this service can be migrated in place. You can use the Amazon ECS updateService API to replace the existing IPv4 subnets and security groups in the service with equivalent IPv6 resources.

If an existing Amazon ECS service is attached to an ALB or NLB—although it is possible to migrate this service in place—then we would not recommend this approach due to the complexities in routing incoming traffic. For these services, we recommend creating a new IPv6 Amazon ECS service and running it in parallel alongside the existing IPv4 service. Then, depending on how you are exposing traffic into these services, there are multiple ways to gradually shift traffic from the IPv4 ECS services to the new IPv6 ones. For example:

  • If your existing ALB is dual-stack, you can configure a new IPv6-based target group for an IPv6-only Amazon ECS service. At the beginning of the migration the IPv6 target groups would not be receiving any traffic, with all traffic flowing to the original IPv4 target group and Amazon ECS service. You can use weighted target groups on your ALB to slowly shift traffic from your old target groups to the new IPv6-based target group.
  • You could migrate traffic through a DNS layer by provisioning a new dual-stack ALB with an IPv6 target group, and attaching the new IPv6 ECS services to this load balancer. The original IPv4 ECS services are still running alongside this deployment, behind the original IPv4 load balancer. You can use Amazon Route 53 weighted routing policies or Amazon CloudFront to gradually shift traffic from the original IPv4 load balancer to the new dual-stack load balancer.
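The two traffic-shifting options above as Terraform, added here as an example that is not part of the AWS post: a weighted forward action on an existing dual-stack ALB listener (first bullet) and a pair of Route 53 weighted alias records pointing at the old and new load balancers (second bullet). The listener, target group, load balancer and hosted zone identifiers are assumed inputs; the 90/10 split is an illustrative starting point that you would move toward 0/100 in steps.

```hcl
# Added example (not from the post). Assumed inputs from the existing estate.
variable "listener_arn"        { type = string } # listener on the dual-stack ALB
variable "ipv4_target_group"   { type = string } # ARN of the original IPv4 target group
variable "ipv6_target_group"   { type = string } # ARN of the new IPv6 target group
variable "hosted_zone_id"      { type = string }
variable "old_alb_dns_name"    { type = string }
variable "old_alb_zone_id"     { type = string }
variable "new_alb_dns_name"    { type = string } # dual-stack ALB for the IPv6 service
variable "new_alb_zone_id"     { type = string }

# Option 1: weighted target groups on one ALB listener. Start with all weight
# on the IPv4 group, then raise the IPv6 weight (and lower IPv4) per deployment.
resource "aws_lb_listener_rule" "weighted" {
  listener_arn = var.listener_arn
  priority     = 10

  action {
    type = "forward"
    forward {
      target_group {
        arn    = var.ipv4_target_group
        weight = 90
      }
      target_group {
        arn    = var.ipv6_target_group
        weight = 10
      }
      stickiness {
        enabled = false # disable so weight changes take effect immediately
      }
    }
  }

  condition {
    path_pattern {
      values = ["/*"]
    }
  }
}

# Option 2: DNS-level shift with Route 53 weighted alias records. Both records
# share a name; the weights decide the share of resolver answers each receives.
resource "aws_route53_record" "api_old" {
  zone_id        = var.hosted_zone_id
  name           = "api.example.com" # constructed hostname
  type           = "A"
  set_identifier = "ipv4-alb"

  weighted_routing_policy {
    weight = 90
  }

  alias {
    name                   = var.old_alb_dns_name
    zone_id                = var.old_alb_zone_id
    evaluate_target_health = true # unhealthy side is removed from answers
  }
}

resource "aws_route53_record" "api_new" {
  zone_id        = var.hosted_zone_id
  name           = "api.example.com"
  type           = "A"
  set_identifier = "dualstack-alb"

  weighted_routing_policy {
    weight = 10
  }

  alias {
    name                   = var.new_alb_dns_name
    zone_id                = var.new_alb_zone_id
    evaluate_target_health = true
  }
}
```

In the DNS option, add matching `AAAA` weighted alias records for the dual-stack load balancer so IPv6 clients also reach it; the `A` records shown carry IPv4 clients. Keep `evaluate_target_health` enabled on both sides so a failing IPv6 deployment falls out of DNS answers instead of taking its share of traffic down with it.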

Regardless of whether you are doing an in-place or a blue/green migration from IPv4 to IPv6, the Amazon ECS deployments can be monitored through the Amazon ECS console and API. Moreover, you should monitor the migration through CloudWatch Container Insights, application logs, and VPC Flow Logs to make sure that the migration has been successful before decommissioning the IPv4-based Amazon ECS service.

For highly secure environments, implement egress-only internet gateways for IPv6 traffic and use PrivateLink where possible to keep traffic within the AWS network. When using NAT64/DNS64 services, enable VPC Flow Logs to effectively monitor and trace IPv6 traffic destined for IPv4 destinations, enhancing your security visibility.

Conclusion

IPv6-only support for Amazon ECS streamlines container networking by eliminating IPv4 dependencies while maintaining seamless integration with AWS services. To get started with IPv6-only workloads in Amazon ECS, visit the Amazon ECS console, explore the Amazon ECS documentation, or contact your AWS account team to learn how this capability can help your organization address IPv4 exhaustion challenges and meet IPv6 compliance requirements.


About the authors

Dumlu Timuralp is a Senior Solutions Architect with AWS based in the United Kingdom. In this role he provides architecture guidance on cloud migration, application modernization and cloud native patterns. He loves working with users and meeting their business needs with technology.

Olly Pomeroy is a Senior Container Specialist Solution Architect at AWS.