How to whitelist an IPv6 address in VPC security groups on AWS?

8

1

I cannot enter an IPv6 address in the inbound rules in AWS VPC security group settings. It says

The source must be a valid CIDR (e.g. 0.0.0.0/0) or the ID of another security group

and it won't let me save it. How do I authorize my machine without using the 0.0.0.0 wildcard for all?

FlavorScape

Posted 2015-08-21T19:57:07.637

Reputation: 199

AWS now supports IPv6 in VPC security groups - see: https://aws.amazon.com/blogs/aws/new-ipv6-support-for-ec2-instances-in-virtual-private-clouds/

– IanB – 2017-03-05T21:11:22.037

Answers

3

Had this same problem. According to this post: IPv4 and IPv6 from different browsers on same computer, many ISPs provide both IPv4 and IPv6. If you go to a site like http://ip-lookup.net/ (or Google for what is my IPv4? ), it'll show you your IPv4 address if it is available. You can then use that to add to the EC2 whitelist. Hope this helps.

Adrian Carr

Posted 2015-08-21T19:57:07.637

Reputation: 131

1

So, weird solution was to not go through the VPC security settings. Leaving my own answer in case anyone else is baffled. Also, this is specific to enabling inbound traffic for a DB. If I go via my RDB instance's "details" tab and click on the security group, a new dropdown is available for custom or "my ip" which worked. No idea why this modal dialog is not available in the VPC security settings. Seems like an oversight or defect in the AWS console.

FlavorScape

Posted 2015-08-21T19:57:07.637

Reputation: 199

Your method is the old way of doing it. It's only available when the EC2-Classic Platform is supported. That platform is unavailable in many regions. – David – 2015-12-23T22:11:45.873

Hm. Odd, maybe this is legacy or leftover functionality, but this DB instance was created within the last six months... – FlavorScape – 2016-01-06T00:55:09.460

0

Following this Stack Overflow answer, you can find your LAN IPv4 address with Python:

>>> import socket
>>> socket.gethostbyname(socket.gethostname())
'xxx.xxxx.x.xxx'

In order to specify that every digit of the octet is significant (i.e. put the address in CIDR notation) you can enter

xxx.xxxx.x.xxx/32

into your VPC security group rule. That should provide a cleaner solution to your workaround, but I’m not sure it would be a security best practice to whitelist a protocol from an IP address across your VPC.

I’m not sure what precedence constraints there are for allowed actions, i.e. does security at the VPC override constraints you place on individual resources within?

user191503

Posted 2015-08-21T19:57:07.637

Reputation: 9
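An added example, not code from any of the posts above: it turns a single host address into the CIDR form the security-group source field demands (the /32 the last answer writes by hand for IPv4, and /128 for IPv6 now that AWS accepts it, per IanB's comment), refusing the 0.0.0.0/0 wildcard the question wanted to avoid. The `overly_broad_sources` review helper, its 256-address threshold and the sample addresses (RFC 5737 / RFC 3849 documentation ranges) are constructed for illustration.

```python
import ipaddress
from typing import List

# Sources that admit the whole Internet; a rule using one of these is not a whitelist.
OPEN_TO_WORLD = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}


def host_cidr(address: str) -> str:
    """Return the single-host CIDR a security-group source field accepts.

    A bare IPv4 address becomes a /32, a bare IPv6 address a /128. An input
    that already carries a prefix is accepted only if it still names one host;
    anything wider (a /24, or the 0.0.0.0/0 wildcard) is rejected.
    """
    net = ipaddress.ip_network(address.strip(), strict=True)
    if net.num_addresses != 1:
        raise ValueError(f"{address!r} covers {net.num_addresses} addresses, not one host")
    return str(net)


def overly_broad_sources(sources: List[str], max_hosts: int = 256) -> List[str]:
    """Return the inbound-rule sources that are open to the world or admit more
    than max_hosts addresses.

    Constructed review helper; the threshold is an assumption, not an AWS limit.
    """
    flagged = []
    for src in sources:
        net = ipaddress.ip_network(src, strict=False)
        if net in OPEN_TO_WORLD or net.num_addresses > max_hosts:
            flagged.append(src)
    return flagged


if __name__ == "__main__":
    # Constructed sample inputs from documentation address ranges.
    for addr in ("203.0.113.7", "2001:db8::1", "203.0.113.7/32"):
        print(addr, "->", host_cidr(addr))
    rules = ["203.0.113.7/32", "0.0.0.0/0", "198.51.100.0/24", "::/0", "2001:db8::/64"]
    print("too broad:", overly_broad_sources(rules))
```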