14

Recently Apple has imposed IPv6 support as mandatory for all its vendors who use its mobile API, and AWS VPC doesn't provide IPv6 support. How can I achieve this? I have checked https://aws.amazon.com/blogs/aws/elastic-load-balancing-ipv6-zone-apex-support-additional-security/ however I am not sure what to do.

I would need expert advice here.

Shailesh Sutar
  • Do you use AWS ELB in front of your AWS instances? If so, you should already have IPv6 forwarding through the ELB. `dig -t aaaa your-elb-assigned-name.amazonaws.com` – user4556274 Aug 09 '16 at 14:52
  • 2
    @user4556274 v6 is only available on non-VPC ELBs. The OP is using a VPC, so this is not available. – EEAA Aug 09 '16 at 15:15
  • Yes, I use AWS ELB in front of AWS instances; however, I am using a non-default AWS VPC. Instances are hosted in the VPC and I want to route traffic there, which is not possible using ELBs inside a VPC – Shailesh Sutar Aug 09 '16 at 15:20
  • IPv6 **is** possible for public-facing ELBs. See my answer. – Craig Watson Aug 09 '16 at 18:55
  • 3
    I thought Apple imposed NAT64/DNS64 support as mandatory, and you can still access IPv4 servers on a NAT64/DNS64 network (albeit suboptimally)? – user253751 Aug 10 '16 at 05:47
  • 1
    Please see my edit below. Yes, ELBs *do* have a v6 address, but it's not usable for traffic. – EEAA Aug 10 '16 at 16:24
  • I am not sure about this, but is it possible to have an EC2-Classic ELB ==> EC2-Classic instance, and configure HAProxy or nginx as a load balancer on the EC2-Classic instance to route traffic to the VPC ELB or instances? – Shailesh Sutar Aug 11 '16 at 09:55
  • Akamai will also front your app with IPv6, for a fee. – user84215 Oct 14 '16 at 17:32
  • @immibis That is also my understanding of the requirement. And yes, NAT64 is suboptimal, but the same is the case for NAT44. NAT64 has the advantage that it is possible to migrate users between different NAT64 gateways by simply updating your DNS64 without breaking existing connections or needing to migrate state. NAT64 has the disadvantage that it will not work with severely broken sites which publish a correct A record but an incorrect AAAA record. – kasperd Dec 14 '16 at 22:23
  • All fixed: https://aws.amazon.com/blogs/aws/aws-ipv6-update-global-support-spanning-15-regions-multiple-aws-services/ – dsadinoff Jan 26 '17 at 12:17

5 Answers

16

Unfortunately AWS has been severely neglecting meaningful IPv6 support. Their "solution", if you can call it that, is to throw a non-VPC ELB in front of your application. For many reasons that is a non-tenable solution for many use cases.

As a stopgap fix, the tactic I've seen used by several organizations is to stand up an IPv6-capable VPS with another provider, point the AAAA record there, and then use haproxy or another similar software package to proxy requests to your IPv4 infrastructure. Yes, this is a really awkward and admittedly broken way of doing things, but until AWS releases meaningful IPv6 support, there aren't all that many other options.

Edit:

Regarding Craig's assertion that all ELBs (VPC or otherwise) have IPv6 addresses. Yes, that is correct, but in my testing, and in discussions with other AWS experts, the ELBs don't actually listen on those IPs for traffic. My guess is that enabling IPv6 on the ELBs as they've done is a first step towards offering full IPv6 support at some point. My suspicion is that they will make an announcement about this during or right before their re:Invent conference the first week of December 2016.

EEAA
  • VPC ELBs are dual-stack. See my answer. – Craig Watson Aug 09 '16 at 18:54
  • @CraigWatson They don't appear to listen to the AAAA address. – ceejayoz Aug 10 '16 at 16:27
  • 1
    @EEAA I understand that it's not possible to use the IPv6 addresses assigned to that ELB endpoint, which we get when we dig it, and hence can't route traffic through IPv6 addresses. Hence we are back to the solution you proposed: using a third-party VPS which supports IPv6. Correct me if I am wrong. – Shailesh Sutar Aug 10 '16 at 16:55
  • @ShaileshSutar Yep, back to my original suggestion unfortunately. – EEAA Aug 10 '16 at 17:00
  • I am not sure about this, but is it possible to have an EC2-Classic ELB ==> EC2-Classic instance, and configure HAProxy or nginx as a load balancer on the EC2-Classic instance to route traffic to the VPC ELB or instances? – Shailesh Sutar Aug 11 '16 at 09:56
  • 1
    EC2 support for IPv6 available: https://aws.amazon.com/blogs/aws/aws-ipv6-update-global-support-spanning-15-regions-multiple-aws-services/ – dsadinoff Jan 26 '17 at 12:18
7

You can create IPv6 records for your ELB by prepending `ipv6.` to your ELB's public hostname.

Hostnames and IPs redacted due to it being a customer environment - this is in the eu-west-1 region in a non-default VPC.

```
craig@zeus:~$ dig AAAA ipv6.blah-0000000000.eu-west-1.elb.amazonaws.com +short
2a01:xxx:3::xxx:3314
2a01:xxx:3::xxx:ff14
2a01:xxx:3::xxx:7f20

craig@zeus:~$ dig A blah-0000000000.eu-west-1.elb.amazonaws.com +short
54.xxx.xxx.xxx
52.xxx.xxx.xxx
54.xxx.xxx.xxx
```

Note that you can also use the `dualstack` prefix to return both A and AAAA records for your ELB.

Craig Watson
  • Interesting. Is that new behavior? Regardless, ELBs are not a tenable solution for many use cases. – EEAA Aug 09 '16 at 19:00
  • 2
    The `dualstack` prefix has been around for a good year plus, but I'm not sure if Amazon have even bothered to update their docs - the KB still says that IPv6 is for EC2-Classic only, which has been deprecated for years and actively disabled on all accounts created after 4th December 2013. – Craig Watson Aug 09 '16 at 19:04
  • 1
    That said, I do agree that AWS are still behind in not offering IPv6 EIPs - hopefully they will soon, but until then the only option is to use an ELB. – Craig Watson Aug 09 '16 at 19:06
  • 2
    So, I actually looked into this, and even though the ELBs have a v6 address, it is not actually listening on that address, at least not in my case. – EEAA Aug 10 '16 at 02:32
  • I am not sure about this, but is it possible to have an EC2-Classic ELB ==> EC2-Classic instance, and configure HAProxy or nginx as a load balancer on the EC2-Classic instance to route traffic to the VPC ELB or instances? – Shailesh Sutar Aug 11 '16 at 09:55
  • As EEAA already said: Yeah, AWS is delivering an AAAA record and IPv6 addresses for the ELBs, BUT a VPC-ELB still doesn't accept IPv6 traffic on these addresses (and AWS support confirmed that to me). So please don't mark this as an answer as it is really misleading! – Osterjour Aug 12 '16 at 14:45
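
The gap argued over in this answer's comments and in EEAA's edit above (an AAAA record is published, but nothing accepts traffic on those addresses) can be tested directly rather than inferred from `dig`. This is an added example, not code from any poster; the function names, the `elb.example` hostname and the `2001:db8::` addresses are constructed for illustration.

```python
import socket
import sys

def resolve_aaaa(host, port):
    """Return the IPv6 addresses DNS publishes for host ([] if none)."""
    try:
        infos = socket.getaddrinfo(host, port, socket.AF_INET6, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    # For AF_INET6, sockaddr is (address, port, flowinfo, scope_id).
    return sorted({info[4][0] for info in infos})

def tcp_connects(addr, port, timeout=3.0):
    """True only if a TCP handshake to [addr]:port completes over IPv6."""
    try:
        with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((addr, port))
        return True
    except OSError:  # timeout, refused, no route, or no local IPv6 at all
        return False

def check_ipv6_service(host, port=443, resolve=resolve_aaaa, connect=tcp_connects):
    """Separate 'has an AAAA record' from 'accepts connections on it'."""
    results = {addr: connect(addr, port) for addr in resolve(host, port)}
    if not results:
        verdict = "no-aaaa"
    elif all(results.values()):
        verdict = "reachable"
    elif any(results.values()):
        verdict = "partial"
    else:
        verdict = "published-but-unreachable"
    return {"host": host, "port": port, "addresses": results, "verdict": verdict}

if __name__ == "__main__":
    if sys.argv[1:]:
        for name in sys.argv[1:]:
            print(check_ipv6_service(name))
    else:
        # Constructed demo (documentation prefix 2001:db8::/32, no network used):
        # DNS returns two AAAA records but nothing answers on them.
        demo = check_ipv6_service(
            "elb.example", 443,
            resolve=lambda h, p: ["2001:db8::1", "2001:db8::2"],
            connect=lambda a, p: False,
        )
        print(demo)
```

Run it from a host that itself has working IPv6 connectivity; without that, every address reports as unreachable regardless of what the load balancer does.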
3

In us-east I use an IPv6 tunnel broker to provide an IPv6 tunnel which allows the instance to be addressed directly using an IPv6 address. Since the tunnel broker's point of presence is cross-connected to Amazon locally, this adds only about 1ms of latency.

The down side is that, to get IPv6 to other instances in the subnet, you have to route it yourself (e.g. with radvd).

Michael Hampton
  • or be your own tunnel-broker with a v6 capable VPS. i use two of them for added redundancy. – Skaperen Aug 11 '16 at 04:44
  • @Skaperen You can do it yourself, up to a point. I have yet to find the VPS provider who will give me a /48. – Michael Hampton Aug 11 '16 at 04:49
  • I am not sure about this, but is it possible to have an EC2-Classic ELB ==> EC2-Classic instance, and configure HAProxy or nginx as a load balancer on the EC2-Classic instance to route traffic to the VPC ELB or instances? – Shailesh Sutar Aug 11 '16 at 09:56
3

Came across an interesting article (published 1 December 2016).

https://aws.amazon.com/about-aws/whats-new/2016/12/announcing-internet-protocol-version-6-support-for-ec2-instances-in-amazon-virtual-private-cloud/

You can enable IPv6 on VPCs in the "Ohio" region.

Chris
2

Put CloudFlare in front of your application. They will accept requests on IP6 but route traffic to your IP4 ELB.

Tim