Posted On: Oct 6, 2016
Internet Protocol Version 6 (IPv6) is a new version of the Internet Protocol that uses a larger address space than its predecessor IPv4. With IPv6 support, you will be able to meet the requirements for IPv6 adoption set by governments, remove the need for IPv6 to IPv4 translation software or systems, and benefit from IPv6 extensibility, simplicity in network management, and additional built-in support for security
We are pleased to announce that starting today you can use Amazon CloudFront to deliver your content both via IPv6 and IPv4 using HTTP/HTTPS with the same security, availability, performance and scalability you have come to expect from Amazon CloudFront. IPv6 will be enabled by default for all newly created Amazon CloudFront web distributions starting today. For existing web distributions, you can enable IPv6 through the Amazon CloudFront console or API. Viewers and networks that connect to Amazon CloudFront edge locations over IPv6 will automatically be served content over IPv6. Those that connect over IPv4 will continue to work. Connections to your origin servers will remain on IPv4.
Starting today, AWS WAF also supports IPv6. If you use AWS WAF in conjunction with Amazon CloudFront, you can now update your web access control lists (WebACLs) and IP rulesets to blacklist/whitelist IPv6 address. If you use Amazon Route 53 for your DNS needs, you can create Amazon Route 53 alias records pointing to your Amazon CloudFront distribution to support both IPv4 and IPv6 by using “A” and “AAAA” record type respectively.
All existing features of Amazon CloudFront will continue to work on IPv6, though there are two changes you may need for internal IPv6 address processing before you turn on IPv6 for your distributions. First, if you have turned on Amazon CloudFront access logs, you will start seeing your viewer’s IPv6 address in the “c-ip” field and may need to verify that your log processing systems continue to work for IPv6. Second, when you enable IPv6 for your Amazon CloudFront distribution, you will get IPv6 addresses in the ‘X-Forwarded-For’ header that is sent to your origins. If your origin systems are only able to process IPv4 addresses, you may need to verify that your origin systems continue to work for IPv6. Additionally, if you use IP whitelists for Trusted Signers, you should use an IPv4-only distribution for your Trusted Signer URLs with IP whitelists and an IPv4 / IPv6 distribution for all other content. This model sidesteps an issue that would arise if the signing request arrived over an IPv4 address and was signed as such, only to have the request for the content arrive via a different IPv6 address that is not on the whitelist.
We are enabling IPv6 across every Autonomous System (AS) in a phased rollout starting today and expect to complete rollout across all networks over the next few weeks. To learn more about IPv6 support in Amazon CloudFront, see “IPv6 support on Amazon CloudFront” in the Amazon CloudFront Developer Guide and FAQs.
We would also like to invite you to join the upcoming webinar on “Delivering secure content with Amazon CloudFront”, in which we will cover how Amazon CloudFront automatically meets the new iOS App Transport Secure (ATS) requirements and enables easy, economical SSL/TLS management with the AWS Certificate Manager. This webinar will occur on Tuesday, October 18, 2016, 10:00AM PDT and you can register here. You are also invited to join our monthly office hours on Tuesday, October 25, 2016, 10:00AM PDT and register here.
With AWS WAF, you can now inspect and act on HTTP/HTTPS requests coming from both IPv4 and IPv6 addresses. You can also setup new IPv6 match condition(s) for new and existing Web Access Control Lists (ACLs). You will be able to use all the existing features for traffic both over IPv6 and IPv4 without any changes to either performance, scalability or availability of the service. To learn more about IPv6 support in AWS WAF, see here in the AWS WAF Developer Guide.
We would also like to invite you to join the upcoming AWS WAF webinar on “Setup Preconfigured Protections on AWS WAF” on Tuesday, November 8, 2016 10:30 AM PST. This session will introduce AWS WAF, how it integrates with other AWS services and how to use it to help protect your web applications. We will also demo how to deploy preconfigured rules and security automation on AWS WAF. Register here.
Amazon S3 Transfer Acceleration
Your applications can now connect to Amazon S3 Transfer Acceleration endpoints for object storage over IPv6. This release follows Amazon S3’s recently added support for IPv6 announcement. You can get started using this new feature by enabling Transfer Acceleration on a bucket and then pointing your application to Amazon S3 Transfer Acceleration’s new “dual-stack” endpoint (e.g., http://<bucketname>.s3-accelerate.dualstack.amazonaws.com), which supports access over both IPv4 and IPv6. In most cases, no further configuration is required for access over IPv6, because most network clients prefer IPv6 addresses by default. However, you must evaluate your bucket and Identity and Access Management (IAM) policies to ensure that you have the appropriate access configured for your new IPv6 addresses. To learn more about using IPv6 with Amazon S3 Transfer Acceleration, see Getting Started with Transfer Acceleration.
With these services and features, IPv6 will be available at no additional charge.