Networking & Content Delivery
Understanding IPv6 addressing on AWS and designing a scalable addressing plan
An increasing number of organizations are adopting IPv6 in their environments, driven by government mandates, public IPv4 space exhaustion, and private IPv4 scarcity. To accommodate workload growth, integrate new business needs (for example, mergers and acquisitions), expand into other regions, and increase developer productivity, you need to design and implement a scalable, extensible, and future-proof IPv6 addressing plan. In this post we explain the IPv6 address types available on Amazon Web Services (AWS), and review the use cases and best practices for using each of them to design scalable IPv6 addressing plans on AWS.
Prerequisites
We assume that you are familiar with the Amazon Virtual Private Cloud (VPC) constructs, IPv4 and IPv6 functionality, and configuration options for the common VPC services, as well as Amazon VPC IP Address Manager (VPC IPAM). You should also be aware of the IPv6 protocol definition, types of addresses, and configuration mechanisms. We do not dive deep into the IPv6 protocol anatomy, but we review addressing best practices as they apply to the IPv6 address types on AWS.
The main types of IPv6 addresses are unicast, multicast, and anycast. A unicast IPv6 address identifies a single interface on a network. In IPv6, there are three categories of unicast addresses: link-local, unique-local, and global. Link-local addresses are local to a layer 2 network, and they do not route beyond a router interface. Unique local addresses are reserved for local use in networks not connected to the internet. Global unicast addresses facilitate internet communication, and they have globally unique addressing. In this post, we do not focus on multicast or anycast IPv6 addresses. We recommend diving deeper into IPv6 addressing for a better understanding of the protocol.
Understanding IPv6 addressing on AWS
On AWS, you can now configure Global Unicast IPv6 addresses (GUA) and Unique Local IPv6 Addresses (ULA) on your Amazon VPC. The Amazon VPC is your isolated logical network on AWS where you can launch your resources, and its private, isolated security posture doesn’t change with IPv6 addressing.
AWS defines public IP addresses as those advertised on the internet from AWS, while private IP addresses are not and cannot be advertised on the internet from AWS. You can choose to use multiple IPv6 prefixes associated with your VPCs, both private and public. For example, you can associate with your VPC only private, only public, or both private and public IPv6 addresses.
Private IPv6 addresses on AWS can include ULA, which are intended for local communication, and private GUA, which could be globally routable according to protocol definition. ULA and private GUA are not and cannot be advertised on the internet from AWS. This behavior is similar to how AWS operates IPv4 private subnets. For example, you can configure a public IPv4 prefix as a VPC CIDR, thus making it a private CIDR, which can never be advertised on the internet. Similarly, you can configure a GUA IPv6 in a VPC as a private prefix that is not and can never be advertised on the internet. You can find more details on the AWS IP address types in the Amazon VPC documentation. The following IPv6 address types are available on AWS:
Amazon-provided IPv6 prefixes
Amazon-provided IPv6 prefixes are public, globally unique, and are assigned from the Amazon pool of GUA IPv6, assigned by Internet Registries. Amazon-provided IPv6 addresses are always advertised on the internet from AWS, and you cannot control or change their advertisement status. You can directly configure a randomly assigned IPv6 GUA prefix on your new or existing VPCs, or you can receive a contiguous block of IPv6 GUA addresses provided by AWS. If you have multiple VPCs in an AWS Region, then we recommend using contiguous Amazon-assigned IPv6 GUA addresses to facilitate summarization, as well as to optimize entries in Security Groups, Network Access Control Lists (NACLs), firewall rules, and route tables.
BYOIPv6 prefixes
Bring Your Own IPv6 (BYOIPv6) allows you to import your IPv6 address space into AWS. With BYOIPv6, you can control the advertisement status of your prefixes. You can configure a BYOIPv6 pool as publicly advertisable or non-publicly advertisable. Based on the pool configuration settings:
- BYOIPv6 prefixes provisioned in publicly advertisable pools must be /48 or larger, and must undergo the RDAP (Registration Data Access Protocol) and ROA (Route Origin Authorization) process, even if you do not intend to advertise them at configuration time. AWS considers these BYOIPv6 prefixes public, regardless of their current advertisement status (advertised or withdrawn).
- BYOIPv6 prefixes configured in non-publicly advertisable pools must be /60 or larger, and they do not need an ROA, but they do need the RDAP process. AWS considers these BYOIPv6 prefixes private, so they cannot be advertised on the internet after configuration.
Private IPv6 GUA
On AWS, you can use IPv6 GUAs as private IPv6 addresses that are not and can never be advertised on the internet. You can configure private IPv6 GUA without the need to undergo the RDAP and ROA processes. You must use only IPv6 GUA addresses allocated to you by a Regional Internet Registry (RIR) as private GUA to avoid overlapping your IPv6 addressing with other endpoints on the internet, as well as other AWS users. When using private GUA, consider that private IPv6 GUA prefixes cannot be made public at a later time. If direct internet connectivity on AWS becomes a requirement, then you must re-create the VPC(s) with public IPv6 addresses or use an address translation mechanism.
IPv6 ULA
IPv6 ULA addresses are defined in RFC 4193. The RFC defines fd00::/8 as the locally-assigned ULA address space, which cannot be advertised on the internet, and is thus private. Amazon-provided ULA prefixes are by default /48. If you need a specific ULA prefix, then you can directly provision it into your Amazon VPC IPAM pool. When using ULAs, we recommend you consider the protocol selection priority in dual stack environments. Currently, the preference is given to IPv4 addresses over ULAs per RFC 6724. To avoid potential address overlaps, we recommend you design a scalable global addressing plan across your organization.
Identify and manage IPv6 addresses on AWS
To help you identify the advertisement status of IPv6 addresses associated with your VPCs, AWS introduced a new attribute for VPC IPv6 CIDRs. In the following table we review the output of the relevant describe call for Amazon VPCs and subnets, depending on the type of IPv6 address you use on AWS:
AWS IPv6 address type | Internet advertisement status | AWS Public/Private | “describe-vpcs” and “describe-subnets” output
---|---|---|---
Amazon-provided IPv6 addresses | Always advertised on the internet | Public | Ipv6AddressAttribute = ‘Public’
BYOIPv6 GUA prefix in non-advertisable pools | Not advertised, can never be advertised on the internet | Private | Ipv6AddressAttribute = ‘Private’
BYOIPv6 GUA prefix in advertisable pools | You control advertisement status | Public | For advertised prefix: Ipv6AddressAttribute = ‘Public’; for withdrawn prefix: Ipv6AddressAttribute = ‘Public’
Private IPv6 GUA prefix | Not advertised, can never be advertised on the internet | Private | Ipv6AddressAttribute = ‘Private’
IPv6 ULA prefix | Not advertised, can never be advertised on the internet | Private | Ipv6AddressAttribute = ‘Private’
Table 1: “describe-vpcs” output for AWS IPv6 address types
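The attribute in Table 1 is what an inventory script keys on. The following Python is an added example, not code from the post: it classifies each VPC's IPv6 blocks from a describe-vpcs response by Ipv6AddressAttribute, tells ULA from private GUA by prefix, and relates the result to attached internet gateways. The responses and prefixes are constructed samples, and the posture labels are this example's own naming.

```python
"""Inventory VPC IPv6 blocks by Ipv6AddressAttribute and relate them to IGWs.

Added example, not the post's code. SAMPLE_VPCS and SAMPLE_IGWS are constructed
responses shaped like `aws ec2 describe-vpcs` and `describe-internet-gateways`;
GUA samples use the RFC 3849 range 2001:db8::/32 and ULA samples fd00::/8.
"""
import ipaddress

ULA = ipaddress.ip_network("fd00::/8")  # locally assigned ULA space, RFC 4193
SAMPLE_VPCS = {"Vpcs": [
    {"VpcId": "vpc-web", "Ipv6CidrBlockAssociationSet": [
        {"Ipv6CidrBlock": "2001:db8:0:100::/56", "Ipv6AddressAttribute": "public",
         "Ipv6CidrBlockState": {"State": "associated"}},
        {"Ipv6CidrBlock": "2001:db8:0:900::/56", "Ipv6AddressAttribute": "public",
         "Ipv6CidrBlockState": {"State": "disassociated"}}]},
    {"VpcId": "vpc-internal", "Ipv6CidrBlockAssociationSet": [
        {"Ipv6CidrBlock": "fd12:3456:789a:100::/56", "Ipv6AddressAttribute": "private",
         "Ipv6CidrBlockState": {"State": "associated"}},
        {"Ipv6CidrBlock": "2001:db8:0:200::/56", "Ipv6AddressAttribute": "private",
         "Ipv6CidrBlockState": {"State": "associated"}}]},
    {"VpcId": "vpc-v4only", "Ipv6CidrBlockAssociationSet": []},
]}
SAMPLE_IGWS = {"InternetGateways": [
    {"InternetGatewayId": "igw-a", "Attachments": [{"VpcId": "vpc-web"}]},
    {"InternetGatewayId": "igw-b", "Attachments": [{"VpcId": "vpc-internal"}]},
]}

def classify_vpcs(vpcs_response):
    """Return {vpc_id: {"public": [cidr], "private": [(cidr, "ula" | "gua")]}} for
    associated blocks; the attribute gives public vs private, the prefix tells ULA from GUA."""
    inventory = {}
    for vpc in vpcs_response["Vpcs"]:
        buckets = {"public": [], "private": []}
        for assoc in vpc.get("Ipv6CidrBlockAssociationSet", []):
            if assoc.get("Ipv6CidrBlockState", {}).get("State") != "associated":
                continue  # skip blocks still attaching or already detached
            net = ipaddress.ip_network(assoc["Ipv6CidrBlock"])
            if assoc.get("Ipv6AddressAttribute", "").lower() == "public":
                buckets["public"].append(str(net))
            else:
                buckets["private"].append((str(net), "ula" if net.subnet_of(ULA) else "gua"))
        inventory[vpc["VpcId"]] = buckets
    return inventory

def ipv6_exposure(vpcs_response, igws_response):
    """Map each VPC to "internet-facing", "igw-unusable-for-ipv6", "isolated" or "no-ipv6".
    Only a public block plus an IGW gives IPv6 hosts an internet path; an IGW on a
    VPC with private-only blocks does nothing for IPv6 without address translation."""
    inventory = classify_vpcs(vpcs_response)
    with_igw = {att["VpcId"] for igw in igws_response["InternetGateways"]
                for att in igw["Attachments"]}
    posture = {}
    for vpc_id, buckets in inventory.items():
        if not buckets["public"] and not buckets["private"]:
            posture[vpc_id] = "no-ipv6"
        elif buckets["public"] and vpc_id in with_igw:
            posture[vpc_id] = "internet-facing"
        elif vpc_id in with_igw:
            posture[vpc_id] = "igw-unusable-for-ipv6"
        else:
            posture[vpc_id] = "isolated"
    return posture
```

Against a real account, feed the script the JSON from the two describe calls; VPCs reported as "internet-facing" are the ones whose security groups, NACLs and route tables deserve the closest review.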
Manage IPv6 addresses on AWS
All IPv6 address types can be managed using Amazon VPC IPAM or Amazon Elastic Compute Cloud (EC2). You can bring an IPv6 prefix to AWS in a single account and AWS Region only. If you choose Amazon VPC IPAM, then the scope in which it manages IPv6 addresses and ensures non-overlapping assignments depends on the IPAM tier: a single AWS Region and account for the free tier, or multiple accounts and Regions for the advanced tier. For more details on the Amazon VPC IPAM tiers, review the Amazon VPC IPAM pricing documentation. Private IPv6 addresses on AWS (private GUA and ULA) are managed in Amazon VPC IPAM private scopes, while public IPv6 addresses are part of the Amazon VPC IPAM public scope. For more details on private IPv6 address management using Amazon VPC IPAM, review the documentation. BYOIPv6 addresses are always part of the public scope in Amazon VPC IPAM, regardless of the pool configuration or prefix advertisement status. For more details on the Amazon VPC IPAM BYOIP process, review the Amazon VPC IPAM BYOIP tutorial and the step-by-step post.
IPv6 address planning best practices and considerations
In the following section we detail some of the key considerations when building an addressing plan on AWS:
- Creating a scalable and efficient IPv6 addressing plan is one of the most important initial tasks for organizations adopting IPv6. The IPv6 address space contains a total of 2^128 or 340 undecillion IPv6 addresses. Therefore, scalability and summarization are important.
- Our guidance focuses on IPv6 addressing best practices and on how you can use the scale and simplicity of the latest version of the internet protocol, rather than just copying IPv4 addressing plans. Simply duplicating the IPv4 addressing scheme in IPv6 might initially seem the most direct way to allocate IPv6 addresses. However, the virtually limitless scale of the IPv6 address space allows for an addressing plan that is no longer constrained by the scarcity of IPv4 addresses.
- Amazon VPCs do not need an internet gateway (IGW) or egress-only internet gateway (EIGW) to use IPv6 addresses. An Amazon VPC is by default a bounded, secure network that allows you to deploy your workloads in an isolated environment, and adding IPv6 addresses does not change the private security posture of the VPC.
- You can choose whether you associate an IGW or EIGW with your VPC. However, only the resources addressed using advertised IPv6 addresses in your VPCs can use associated IGW or EIGW without needing address translation. If you choose to use ULA, private GUA, or withdrawn BYOIPv6 addresses, then you cannot directly use the IGW or EIGW associated with the VPC.
When choosing your IPv6 address type on AWS, consider the definitions of each address type, together with requirements for internet connectivity, security, operations, and monitoring. The following is a checklist you can use when building an addressing plan on AWS:
IPv6 address assignment: Amazon-provided IPv6 GUA addresses are assigned by Internet Registries to AWS, and you can use them in your VPCs. BYOIPv6 addresses are assigned to you by an Internet Registry, and you can choose how and where to use them. Depending on your enterprise requirements, regulations, or types of workloads, you may need to use IPv6 addresses assigned to you for internet-facing workloads. This also allows you to manage your enterprise global IPv6 allocations using provider independent addressing.
Control of the internet advertisement status: With BYOIPv6 you can control the advertisement status of your IPv6 prefixes, marking each as advertised or withdrawn, depending on your needs. Amazon-provided IPv6 GUA prefixes are always advertised on the internet, and you do not have control over advertisement status. Private IPv6 addresses represented by IPv6 ULA and private GUA can never be advertised on the internet.
Using private IPv6 addresses: Private IPv6 address on AWS include IPv6 ULA and private GUA, and they cannot be advertised on the internet. You can use private IPv6 addresses on AWS for resources that do not need internet connectivity, today or in the future. You can also achieve the same functionality by using withdrawn BYOIPv6 GUA. This gives you the flexibility to advertise the IPv6 prefixes at any time in the future if your network connectivity design or requirements change. To prevent misconfigurations, or inadvertently advertising a withdrawn prefix, we recommend configuring guardrails and authorization mechanisms on the principals and roles in your organization that can modify the advertisement status of a BYOIPv6 prefix.
Host IP address selection: Most Operating Systems follow RFC 6724 for IP address selection. You can use a combination of different IPv6 address types in your Amazon VPCs. For example, you can configure a VPC with both IPv6 ULA and GUA prefixes, or advertised IPv6 GUA and withdrawn IPv6 GUA prefixes. Depending on your workload configuration, you can have multiple IPv6 address types configured on an instance. When using multiple IPv6 address scopes, we recommend careful consideration for which address is selected for communication.
Hierarchical summarization: In IPv6, summarization helps you reduce the size of IPv6 routing tables for VPCs, AWS Transit Gateway, AWS Cloud WAN, and AWS Direct Connect. This keeps them manageable and within AWS quotas. Summarization also simplifies the configuration of security groups, NACLs, and firewall rules. Maintaining global summarization boundaries is a consideration when using BYOIPv6 addresses. If you have multiple IPv6 prefixes assigned by different internet registries (such as ARIN, APNIC, RIPE, AFRINIC), then you can continue to maintain regional allocations by configuring BYOIPv6 across multiple pools. For example, you can configure a top-level Amazon VPC IPAM pool for each geographic area, provision the appropriate IPv6 blocks in each, and address VPCs using regional IPv6 prefixes, maintaining the internet hierarchy. Conversely, if you have a single prefix assigned by an internet registry, you can use it globally on AWS and address VPCs in any AWS Region.
Regional, account and VPC IPv6 prefix boundaries: The minimum size of internet-advertised IPv6 prefixes is /48. Prefixes more specific than /48 cannot be advertised on the internet. For example, if you use BYOIPv6 and want to advertise prefixes from AWS, at configuration time or any time after, you need to maintain per-AWS Region a prefix size of at least /48. IPv6 prefixes configured on Amazon VPCs are by default /56, and can range between /44 and /60, while subnet prefixes are by default /64, and can range between /60 and /64.
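The Region /48, VPC /56 and subnet /64 boundaries above can be turned into a checked hierarchical plan. The following Python is an added example, not the post's code: it carves an allocation into per-Region blocks no more specific than /48, VPC and subnet prefixes within the stated size limits, verifies the nesting, and shows what summarization buys. It uses the RFC 3849 documentation prefix 2001:db8::/32 as a stand-in for an allocation, and the function names are this example's own.

```python
"""Carve a hierarchical IPv6 plan: allocation -> Region /48 -> VPC /56 -> subnet /64.

Added example, not the post's code. It uses the RFC 3849 documentation prefix
2001:db8::/32 as a stand-in for an Amazon-provided or BYOIPv6 allocation;
the size limits are the ones the post states.
"""
import ipaddress
import itertools

MIN_ADVERTISABLE = 48        # prefixes more specific than /48 are not advertised
VPC_LEN_RANGE = (44, 60)     # VPC IPv6 CIDR lengths allowed on AWS
SUBNET_LEN_RANGE = (60, 64)  # subnet IPv6 CIDR lengths allowed on AWS

def is_advertisable(prefix):
    """True if the prefix is /48 or shorter, so it could be announced on the internet."""
    return ipaddress.ip_network(prefix).prefixlen <= MIN_ADVERTISABLE

def regional_blocks(allocation, count, region_len=48):
    """Split an allocation into per-Region blocks, each /48 or shorter so a Region
    keeps the option of being advertised on its own later."""
    alloc = ipaddress.ip_network(allocation)
    if region_len > MIN_ADVERTISABLE:
        raise ValueError(f"/{region_len} per Region could never be advertised")
    blocks = list(itertools.islice(alloc.subnets(new_prefix=region_len), count))
    if len(blocks) < count:
        raise ValueError(f"{alloc} holds only {len(blocks)} /{region_len} blocks")
    return blocks

def plan_region(region_block, vpc_count, subnets_per_vpc, vpc_len=56, subnet_len=64):
    """Return {vpc_prefix: [subnet_prefix, ...]} carved from one regional block."""
    region = ipaddress.ip_network(region_block)
    if not VPC_LEN_RANGE[0] <= vpc_len <= VPC_LEN_RANGE[1]:
        raise ValueError(f"VPC CIDR must be /{VPC_LEN_RANGE[0]} to /{VPC_LEN_RANGE[1]}")
    if not SUBNET_LEN_RANGE[0] <= subnet_len <= SUBNET_LEN_RANGE[1]:
        raise ValueError(f"subnet CIDR must be /{SUBNET_LEN_RANGE[0]} to /{SUBNET_LEN_RANGE[1]}")
    plan = {}
    for vpc in itertools.islice(region.subnets(new_prefix=vpc_len), vpc_count):
        plan[vpc] = list(itertools.islice(vpc.subnets(new_prefix=subnet_len), subnets_per_vpc))
    if len(plan) < vpc_count:
        raise ValueError(f"{region} holds only {len(plan)} /{vpc_len} VPC prefixes")
    return plan

def verify_hierarchy(region_block, plan):
    """True if every subnet sits inside its VPC, every VPC inside the Region,
    and no two VPC prefixes overlap."""
    region = ipaddress.ip_network(region_block)
    vpcs = list(plan)
    nested = all(v.subnet_of(region) and all(s.subnet_of(v) for s in plan[v]) for v in vpcs)
    return nested and not any(a.overlaps(b) for a, b in itertools.combinations(vpcs, 2))

def summarize(prefixes):
    """Collapse prefixes to the fewest covering routes: the entries a contiguous
    plan needs in Transit Gateway, Cloud WAN and security group rules."""
    return [str(n) for n in ipaddress.collapse_addresses(list(prefixes))]

if __name__ == "__main__":
    regions = regional_blocks("2001:db8::/32", count=3)
    plan = plan_region(regions[1], vpc_count=4, subnets_per_vpc=3)
    print({str(v): [str(s) for s in subs] for v, subs in plan.items()})
    print("summary route(s):", summarize(plan))  # ['2001:db8:1::/54']
```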
IPv6 adoption strategy: Your IPv6 adoption strategy can play an important role in choosing between the different types of IPv6 addresses, because it also drives internet connectivity patterns. Outside-in IPv6 adoption involves creating internet-facing IPv6 endpoints for applications deployed on AWS. You can use Amazon-assigned IPv6 GUA or advertised BYOIPv6 GUA to address your internet-facing resources. These addresses are advertised to the internet from AWS and are thus considered public. Your resources can use the AWS IGW and EIGW for internet connectivity. If you intend to provide internet connectivity for your VPCs through on-premises, you can use withdrawn BYOIPv6 GUA or private GUA, and advertise the prefixes through your on-premises internet connection. Using withdrawn BYOIPv6 GUA instead of private GUA gives you the flexibility to advertise your prefixes from AWS in the future, if your network requirements change. Inside-out IPv6 adoption involves using IPv6 internally to scale beyond the capabilities offered by the IPv4 space. You can use withdrawn BYOIPv6 GUA or private IPv6 for internal workloads, and if your connectivity requirements change, then you can advertise the BYOIPv6 GUA prefixes in the future. For resources using private IPv6 addresses, you can either re-create them using public GUA or use an address translation mechanism for internet connectivity.
Traffic inspection patterns: Depending on your current deployment strategy, and future plans, you can use a distributed internet access and traffic inspection pattern, where VPCs have IGW and EIGW associated and traffic is routed through local firewall endpoints. You can also use a centralized pattern, a combination of the two, or even an on-premises internet access pattern. You can also combine public IPv6 prefixes (Amazon-provided, advertised BYOIPv6) and private IPv6 prefixes (ULA, private IPv6 GUA) in a VPC. Considering internet inbound and outbound connectivity and inspection patterns separately helps you define the IPv6 addressing requirements for each. Security inspection patterns and architectures usually match your internet connectivity patterns, and you can use centralized and distributed inspection patterns, which help you meet security requirements, using all types of IPv6 addresses.
Security requirements: ULA and private GUA IPv6 prefixes are not present in the internet IPv6 routing table, so hosts using these addresses cannot communicate directly with public endpoints. For resources using public IPv6 addresses, you can implement a broad set of security controls to ensure privacy and restrict internet connectivity. Adding IPv6 addresses to your VPCs does not require you to associate an IGW/EIGW with a VPC, and controlling which VPCs can have these gateways associated allows you to restrict internet connectivity. Additionally, IPv6 routing configuration in the VPC can be restricted by implementing governance mechanisms around who can modify route tables and when. Security group and NACL configuration apply to both IPv4 and IPv6, and you can use them to consistently restrict traffic to and from resources and subnets. Finally, services such as AWS WAF, AWS Shield Advanced, Amazon GuardDuty, and Network Access Analyzer support threat detection, traffic filtering, and continuous compliance for both IPv4 and IPv6 resources.
Future proofing: IPv6 adoption is increasing on the internet and in internal networks, so connectivity patterns evolve and change together with new needs and use cases. Making your IPv6 addressing future-proof, and avoiding one-way-door decisions, is important for retaining future flexibility.
Summary
- AWS considers public IP addresses those advertised on the internet from AWS, while private IP addresses are not and cannot be advertised on the internet from AWS.
- To achieve a scalable, future-proof IPv6 addressing plan on AWS, you can use Amazon-provided contiguous IPv6 addresses.
- You can use a combination of IPv6 address types in your VPCs to distinguish between resources that can and cannot have internet access on AWS. For example, you can associate the following with your VPC:
  - a public IPv6 prefix from an advertised BYOIPv6 block for internet-facing workloads, and a public IPv6 prefix from a withdrawn BYOIPv6 block for resources that do not currently need internet access on AWS, or
  - a public IPv6 prefix from an Amazon-assigned contiguous block for internet-facing workloads, and a private IPv6 prefix (ULA or private GUA) for resources that do not need internet access.
- If you want to use your own IPv6 addresses (BYOIPv6), then we recommend using /48 or larger prefixes per AWS Region. This gives you the flexibility to advertise them if your requirements or architecture change.
- You can dual-home EC2 instances using IPv6 addresses from different IPv6 prefixes in your VPC. However, this configuration needs additional consideration for routing management at the host level.
- You can use the IGW and EIGW only with public IPv6 addresses on AWS.
Conclusion
In this post we explained the types of IPv6 addresses on AWS and reviewed the use cases and best practices for using each of them to design scalable IPv6 addressing plans on AWS. We also showed the key considerations for choosing which address types to use when addressing your workloads on AWS. If you have questions about this post, then start a new thread on AWS re:Post, or contact AWS Support.