Networking & Content Delivery
Expedite your IPv6 adoption with PrivateLink services and endpoints
AWS now supports IPv6 for AWS PrivateLink services and endpoints. PrivateLink support for IPv6 expedites IPv6 adoption by decoupling the service consumer and service provider IP protocol version. Even if a service provider has not started to support IPv6 for all their back-end services, service consumers can use IPv6 within their VPCs to access the service endpoints. Service providers can focus on the core functionality of their applications, and service consumers can connect to service endpoints in their VPC over IPv6 from on-premises or other private connections.
A growing number of customers are telling us they want to adopt IPv6. IPv4’s 32-bit addressing scheme results in a shortage of available addresses, and limits the pace at which our customers can grow. Customers with large Internet footprints feel the strain of public IP address exhaustion, and enterprises feel this strain with a finite IPv4 private address pool, so they want the ability to expand usage of IPv6. There are also other advantages to IPv6 adoption, such as built-in support for IPSec, and network management simplicity. AWS is also committed to enabling the US federal government’s move to IPv6.
As more adoption of IPv6 occurs, IPv4 resources cannot automatically communicate with IPv6 resources. Communication can only be achieved through either dualstack, IPv4 to IPv6 translation, or refactoring every resource to use only IPv6. This can be a heavy lift to implement.
IPv6 support for PrivateLink services and endpoints allows service providers to implement dualstack at the network border, and service consumers and service providers alike can adopt IPv6 at their own pace. Existing consumers and services can continue to use IPv4, and new consumers can begin to use IPv6.
Figure 1 shows an example architecture of consumers using a service provider’s PrivateLink service. A service provider’s back-end services can remain IPv4 while some consumers use IPv4 endpoints, and others adopt IPv6 compatible endpoints.
This post explains how to 1/ adopt IPv6 for PrivateLink services, and then 2/ adopt it for PrivateLink endpoints. If you are a service provider, this post provides the changes required to enable a VPC Endpoint Service to be consumed with IPv6, even if your back-end services are still running IPv4. If you are a service consumer, this post provides the steps for using IPv6 compatible Interface endpoints.
Overview
- Retains existing functionality: VPC Endpoints with IPv6 have all existing functionality, such as support for private DNS names, endpoint policies, and security groups. There are no changes to bandwidth, quotas, source IP preservation, or proxy protocol version 2 (PPv2) capabilities. For more information, refer to AWS PrivateLink Concepts.
- Internet access disabled by default: VPC Endpoint Elastic Network Interfaces (ENIs) with IPv6 addresses are private and not addressable from the Internet. The ENIs cannot receive any traffic over your VPC’s Internet Gateway (IGW), due to the DenyAllIGWTraffic attribute enabled on them. This cannot be disabled upon creation nor once deployed.
- IP address type depends on VPC subnets: When you call the create-vpc-endpoint and modify-vpc-endpoint APIs, the IpAddressType value indicates whether your VPC Endpoint ENIs are assigned an IPv4 address, an IPv6 address, or both. A VPC Endpoint can only be created in subnets with a compatible IP version. For more information, refer to IP address types in Share your services through AWS PrivateLink.
- DNS record type depends on IP address type: When you call the create-vpc-endpoint and modify-vpc-endpoint APIs, under DnsOptions, the DnsRecordIpType value specifies whether your VPC Endpoint’s Private, Regional, and Zonal DNS have an A record, an AAAA record, or both. The allowed values for DnsRecordIpType are ipv4, ipv6, dualstack, or service-defined, but they are contingent on the IpAddressType. For more information, refer to Make your endpoint service available to service consumers in Create an AWS PrivateLink-powered service.
- AWS service private DNS: When an AWS service launches a *.aws domain publicly, it will be supported by PrivateLink as an additional private DNS name.
Enable IPv6 for PrivateLink
VPC Endpoint Services
If you are a service provider, you must follow steps 1-4 to enable consumers to create IPv6 VPC Interface endpoints against their VPC Endpoint Service. Service providers are AWS customers or partners, such as ISVs, affiliated organizations such as regulators, or simply applications you are exposing to other VPCs within your organization without requiring network connectivity such as VPC peering or VPC sharing.
Step 1: Configure VPC and subnets to be dualstack
Your VPC must be associated with an IPv6 CIDR, and your subnets must be dualstack. To migrate your existing IPv4-only VPC and subnets to dualstack, refer to Migrate existing VPCs from IPv4 to IPv6, or to create a new VPC with an IPv6 CIDR block and subnets, refer to Create a dual-stack VPC and subnets using the AWS CLI in the Amazon Virtual Private Cloud User Guide.
Step 2: Configure Network Load Balancer to use dualstack IP address type
You need to configure your Network Load Balancer (NLB) to have the IP address type of dualstack to allow IPv6 traffic.
To update an existing NLB’s IP address type from IPv4-only to dualstack, run the following command.
aws elbv2 set-ip-address-type \
--load-balancer-arn <nlb-arn> \
--ip-address-type dualstack
To create a dualstack NLB, refer to Create your dual stack load balancer in the Network Load Balancing User Guide. For more information, refer to IP address types for your Network Load Balancer. Once your new NLB is created, you can associate its target groups, listener configuration, and your desired monitoring. Targets do not need to support IPv6 traffic. During Step 4: Enable VPC Endpoint Service for IPv6 Interface endpoints, you will need to add the new NLB to your VPC Endpoint Service.
Step 3: If your application processes IP addresses from the PPv2 header, your application must also process IPv6
If you are not using PPv2 on your NLB target groups, you can skip this step.
Enabling PPv2 on your target group ensures each request has a prepended header which contains IP address information as well as the source consumer VPC Endpoint ID. If PPv2 is enabled, and your target application is processing the source IPv4 address, such as for filtering traffic, your target application must also allow processing of IPv6 addresses.
For more information on PPv2, refer to Proxy Protocol in Target groups for your Network Load Balancer.
Step 4: Enable VPC Endpoint Service for IPv6 Interface endpoints
Add IPv6 as a supported IP address type on your VPC Endpoint Service by running the following command. This enables your VPC Endpoint Service to run in dualstack mode, accepting both IPv4 and IPv6 requests.
aws ec2 modify-vpc-endpoint-service-configuration \
--service-id vpce-svc-12345678 \
--add-supported-ip-address-types ipv6
Note: The command errors if any NLBs associated to the VPC Endpoint Service are not configured for dualstack (refer to Step 2: Configure Network Load Balancer to use dualstack IP address type). You can add or remove NLBs from the VPC Endpoint Service by using the --add-network-load-balancer-arns and --remove-network-load-balancer-arns options, respectively.
The following command creates a new IPv6-enabled VPC Endpoint Service. The --network-load-balancer-arns option must specify only dualstack NLBs, and the --supported-ip-address-types option must be ipv4,ipv6. The command errors if any NLBs associated to the VPC Endpoint Service are not configured for dualstack.
aws ec2 create-vpc-endpoint-service-configuration \
--network-load-balancer-arns <nlb-arns> \
--supported-ip-address-types ipv4,ipv6
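Step 3 above requires a target application that reads the source address from the PPv2 header to handle IPv6 as well as IPv4. The following parser is an added example, not code from the AWS post: it decodes a PROXY protocol v2 header for both TCP/IPv4 and TCP/IPv6 and extracts the VPC endpoint ID TLV (type 0xEA, subtype 0x01) that NLB prepends. The sample header is constructed inline using documentation-prefix addresses and the post's placeholder endpoint ID.

```python
import ipaddress
import struct

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_TYPE_AWS = 0xEA             # AWS custom TLV type
PP2_SUBTYPE_AWS_VPCE_ID = 0x01  # subtype carrying the consumer's VPC endpoint ID

def parse_proxy_v2(data: bytes):
    """Parse a PROXY v2 header; return (fields, offset where the app payload starts)."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("not a PROXY protocol v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version")
    body = data[16:16 + length]
    if len(body) < length:
        raise ValueError("truncated PROXY protocol header")
    # High nibble of fam_proto: 1 = AF_INET (12-byte address block), 2 = AF_INET6 (36 bytes).
    fmt, pos = {1: ("!4s4sHH", 12), 2: ("!16s16sHH", 36)}.get(fam_proto >> 4, (None, 0))
    if fmt is None or length < pos:
        raise ValueError("unsupported address family or short address block")
    src, dst, sport, dport = struct.unpack(fmt, body[:pos])
    fields = {"src": str(ipaddress.ip_address(src)), "dst": str(ipaddress.ip_address(dst)),
              "src_port": sport, "dst_port": dport, "vpce_id": None}
    # TLVs follow the addresses; pick out the AWS VPC endpoint ID TLV if present.
    while pos + 3 <= length:
        t, l = struct.unpack("!BH", body[pos:pos + 3])
        value = body[pos + 3:pos + 3 + l]
        if t == PP2_TYPE_AWS and value[:1] == bytes([PP2_SUBTYPE_AWS_VPCE_ID]):
            fields["vpce_id"] = value[1:].decode("ascii")
        pos += 3 + l
    return fields, 16 + length

def build_sample_ipv6_header(vpce_id="vpce-12345678") -> bytes:
    """Constructed test input: a TCP/IPv6 PROXY v2 header carrying the VPCE-ID TLV."""
    src = ipaddress.ip_address("2001:db8::10").packed    # documentation-prefix addresses
    dst = ipaddress.ip_address("2001:db8:1::20").packed
    addrs = struct.pack("!16s16sHH", src, dst, 51000, 443)
    tlv_value = bytes([PP2_SUBTYPE_AWS_VPCE_ID]) + vpce_id.encode("ascii")
    tlv = struct.pack("!BH", PP2_TYPE_AWS, len(tlv_value)) + tlv_value
    body = addrs + tlv
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, 0x21, len(body)) + body
```

Any source-address filtering built on this output must accept IPv6 strings once consumers create IPv6 or dualstack endpoints; the endpoint ID, not the address, is the stable identifier for a consumer.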
VPC Endpoints
Once a VPC Endpoint Service supports IPv6, its consumers can enable IPv6 or dualstack for the associated VPC Endpoints. If you are consuming a PrivateLink service, you must follow steps 1-4 to create IPv6 or dualstack VPC Interface endpoints.
Step 1: Confirm the VPC Endpoint Service allows IPv6 endpoints
To enable IPv6 on your VPC Endpoint, the service must have IPv6 as a SupportedIpAddressType. You can call the describe-vpc-endpoint-services API to find out whether a service supports IPv6.
aws ec2 describe-vpc-endpoint-services \
--filters "Name=supported-ip-address-types,Values=ipv4,ipv6"
In the response, the SupportedIpAddressTypes provides the IP address type(s) enabled on the PrivateLink service. A dualstack VPC Endpoint Service response includes both IPv4 and IPv6.
{
  "ServiceNames": [
    "com.amazonaws.vpce.region.vpce-svc-12345678"
  ],
  "ServiceDetails": [
    {
      "ServiceName": "com.amazonaws.vpce.region.vpce-svc-12345678",
      "ServiceId": "vpce-svc-12345678",
      ...
      "Owner": "098765432109",
      "BaseEndpointDnsNames": [
        "vpce-svc-12345678.region.vpce.amazonaws.com"
      ],
      ...
      "SupportedIpAddressTypes": [
        "ipv4",
        "ipv6"
      ]
    }
  ]
}
Step 2: IpAddressType value must be compatible with IP version of your subnets
You must select which IP version your VPC Endpoint will use as the IpAddressType value, which you will need for Step 4: Enable IPv6 on your Interface endpoints. VPC Endpoints must be created in subnets with compatible IP versions. For more information, refer to Requirements to enable IPv6 for an interface endpoint in Share your services through AWS PrivateLink. The specified IP address type must be supported by the VPC Endpoint Service.
To migrate your existing IPv4-only VPC and subnets to dualstack or IPv6-only, refer to Migrate existing VPCs from IPv4 to IPv6 in the Amazon Virtual Private Cloud user guide.
Step 3: DNS record IP address type must be based on IP version
Your DnsRecordIpType must be based on your IpAddressType value. You will need this for Step 4: Enable IPv6 on your Interface endpoints. For more information about the record sets created based on the DnsRecordIpType value, refer to DNS record IP address type for an interface endpoint in Share your services through AWS PrivateLink.
Step 4: Enable IPv6 on your Interface endpoints
You can create or modify your IPv6-enabled endpoint. Using the service which you verified supports IPv6, and using the values you determined in Step 2 and Step 3, you can call either the create-vpc-endpoint API or modify-vpc-endpoint API.
The following example uses the create-vpc-endpoint API to create a new dualstack Interface endpoint.
aws ec2 create-vpc-endpoint \
--vpc-id vpc-12345678 \
--vpc-endpoint-type Interface \
--service-name com.amazonaws.vpce.region.vpce-svc-12345678 \
--subnet-id subnet-12345678 \
--security-group-id sg-12345678 \
--ip-address-type dualstack \
--dns-options "DnsRecordIpType=dualstack"
Depending on the PrivateLink service configuration, newly created endpoint connections may need to be accepted by the VPC Endpoint Service provider before they can be used. For more information, refer to Accept and reject endpoint connection requests in the AWS PrivateLink and VPC Endpoints user guide.
The following example uses the modify-vpc-endpoint API to enable an existing IPv4-only VPC Endpoint for use with IPv6 by changing the endpoint to dualstack.
aws ec2 modify-vpc-endpoint \
--vpc-endpoint-id vpce-12345678 \
--add-subnet-ids subnet-12345678 \
--remove-subnet-ids subnet-12345678 \
--ip-address-type dualstack \
--dns-options "DnsRecordIpType=dualstack"
You can call the describe-vpc-endpoints API to ensure IPv6 is enabled on the endpoint. The following example describes the VPC Endpoint you just created or modified, by its ID.
aws ec2 describe-vpc-endpoints \
--vpc-endpoint-ids vpce-12345678
In the response, the IpAddressType and DnsOptions should return with the values you specified when creating or modifying the endpoint. Below is our example which shows both values as dualstack.
{
  "VpcEndpoints": [
    {
      "VpcEndpointId": "vpce-12345678",
      ...
      "IpAddressType": "dualstack",
      "DnsOptions": {
        "DnsRecordIpType": "dualstack"
      },
      ...
    }
  ]
}
You can also use the filters option to list all endpoints matching criteria you specify. The following example returns all VPC Endpoints with an IpAddressType value of dualstack.
aws ec2 describe-vpc-endpoints \
--filters Name=ip-address-type,Values=dualstack
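Consumer Steps 1 through 3 are consistency checks on three inputs: what the service supports, what the subnets can address, and what the DNS record type may advertise. The following pre-flight is an added example, not code from the AWS post, that runs those checks over dicts shaped like a ServiceDetails entry from describe-vpc-endpoint-services and Subnets entries from describe-subnets; the rules it encodes are assumptions derived from the post's steps rather than an AWS API specification, and the sample input is constructed inline.

```python
# Added example (not from the AWS post): consumer-side pre-flight for Steps 1-3,
# run before create-vpc-endpoint / modify-vpc-endpoint. Inputs are dicts shaped
# like a ServiceDetails entry from describe-vpc-endpoint-services and Subnets
# entries from describe-subnets. The compatibility rules are assumptions derived
# from the post's steps, not an AWS API specification.

NEEDS = {"ipv4": {"ipv4"}, "ipv6": {"ipv6"}, "dualstack": {"ipv4", "ipv6"}}

def subnet_versions(subnet: dict) -> set:
    """IP versions a subnet can address (assumes describe-subnets field names)."""
    versions = set()
    if subnet.get("CidrBlock"):
        versions.add("ipv4")
    if any(a.get("Ipv6CidrBlockState", {}).get("State") == "associated"
           for a in subnet.get("Ipv6CidrBlockAssociationSet", [])):
        versions.add("ipv6")
    return versions

def endpoint_preflight(service, subnets, ip_address_type, dns_record_ip_type):
    """Return a list of problems; an empty list means the request is consistent."""
    problems = []
    wanted = NEEDS[ip_address_type]
    # Step 1: the service must support every IP version the endpoint will use.
    supported = set(service.get("SupportedIpAddressTypes", []))
    if not wanted <= supported:
        problems.append("service %s supports %s, endpoint needs %s"
                        % (service.get("ServiceId"), sorted(supported), sorted(wanted)))
    # Step 2: every subnet must carry each IP version the endpoint ENIs will use.
    for s in subnets:
        missing = wanted - subnet_versions(s)
        if missing:
            problems.append("subnet %s lacks %s" % (s.get("SubnetId"), sorted(missing)))
    # Step 3: DNS records cannot advertise an address family the ENIs do not have.
    if dns_record_ip_type != "service-defined" and not NEEDS[dns_record_ip_type] <= wanted:
        problems.append("DnsRecordIpType %s incompatible with IpAddressType %s"
                        % (dns_record_ip_type, ip_address_type))
    return problems

# Constructed sample input reusing the post's placeholder IDs.
SAMPLE_SERVICE = {"ServiceId": "vpce-svc-12345678",
                  "SupportedIpAddressTypes": ["ipv4", "ipv6"]}
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-12345678", "CidrBlock": "10.0.0.0/24",
     "Ipv6CidrBlockAssociationSet": [{"Ipv6CidrBlock": "2001:db8::/64",
                                      "Ipv6CidrBlockState": {"State": "associated"}}]},
    {"SubnetId": "subnet-v4only", "CidrBlock": "10.0.1.0/24"},   # IPv4-only placeholder
]
```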
Conclusion
PrivateLink endpoint IPv6 compatibility allows customers to adopt IPv6 faster by decoupling service provider and service consumer IP version. If you’re a service provider running your stack on IPv4, you can make your service endpoint available to consumers over IPv6. If you’re a consumer needing to adopt IPv6, you now have the option to interface with your PrivateLink endpoints over IPv6. This post explains the PrivateLink IPv6 feature and provides steps you can follow to adopt the feature for your services and endpoints, with minimal engineering work required. For more information about PrivateLink, refer to the AWS PrivateLink and VPC Endpoints User Guide. To get started with PrivateLink, refer to Endpoint Services or Endpoints in the AWS management console for VPC.