AWS News Blog

Elastic Load Balancing – IPv6, Zone Apex Support, Additional Security

Update (September, 2017) – The IPv6 information in this blog post has grown outdated over time. For current information, take a look at Internet-Facing Classic Load Balancers.


We’ve added three new features to EC2’s Elastic Load Balancing feature:

  • IPv6 Support – All Elastic Load Balancers in the US East (Northern Virginia) and EU (Ireland) regions now have publicly routable IPv6 addresses in addition to their existing IPv4 addresses.
  • Zone Apex Support – You can now point the root or apex of your Route 53 hosted zone to your Elastic Load Balancer.
  • EC2 Security Group Support – You can now configure an EC2 Security Group for your application instances such that they accept traffic only from an Elastic Load Balancer.

Here’s the scoop:

IPv6 Support
You’ve probably read some panic-inducing articles about the fact that the Internet is running out of IP addresses! In order to support the continued growth in the number of devices connected to the Internet, it will soon become necessary to use a new version of the IP protocol, commonly known as IPv6. This version of the protocol raises the theoretical limit on the number of devices to an incredible 2128, and also lays the groundwork for other capabilities in the future.

The migration from IPv4 to IPv6 is now underway across the globe. This migration creates many technical and challenges for all concerned. We’re providing this new support in order to allow you to test your systems on World IPv6 day (June 8, 2011).

IPv6 support is available in the US East (Northern Virginia) and EU (Ireland) regions to start.

If you currently use a CNAME to map your domain name to your Elastic Load Balancer, you can use one of two new domain names for your Elastic Load Balancer. The ipv6 DNS name will resolve to an AAAA record and can be used to test an IPv6 client. The dualstack name will return both A and AAAA records and can be used when some clients speak IPv4 and others speak IPv6.

If you use Route 53 to handle your DNS needs, you can create the appropriate alias records from your DNS name to the Elastic Load Balancer to support IPv4, IPv6, or both.

Your application can check the X-Forwarded-For header to see if it has been accessed by way of an IPv6 address.

Zone Apex Support
As described in my post on new Route 53 features, you can now map the root or apex of your hosted zone to your Elastic Load Balancer. You can now host a web site using an Elastic Load Balancer at http://example.com just as easily as you can have one at http://www.example.com .

EC2 Security Group Support
You can now configure EC2 instances sitting behind an Elastic Load Balancer to receive traffic only from the Load Balancer by using a special Security Group associated with the Elastic Load Balancer. To do this, you call the DescribeLoadBalancers API to get the name of the Security Group, and then include that group in the group list when you subsequently launch some EC2 instances. The name of the Security Group can also be obtained from the load balancer details pane in the AWS Management Console.

These features were motivated, in part, by requests from our customers. We love to get feedback. Please feel free to post yours to the appropriate AWS forum or as a comment to this post.

— Jeff;