Monday, November 17, 2025

AWS IPv6 in AWS VPC | Overview.

AWS IPv6 in AWS VPC - Overview.

Scope:

Intro,
Addressing Model,
VPC & Subnet Architecture,
Routing & Internet Access,
Egress-Only Internet Gateway,
DHCP, DNS, and SLAAC,
EC2 Behavior,
Load Balancers + IPv6,
PrivateLink, Transit Gateway, IGW, Local Zones, Wavelength,
Hybrid & Direct Connect IPv6,
Security Model (SG, NACL, Firewalling),
Design Patterns + Best Practices.
Insights.

Intro:

AWS provides first-class IPv6 support inside VPCs, enabling:
large-scale,
internet-routable addressing with modern networking semantics.
Unlike IPv4 in AWS (where NAT, exhaustion, and RFC1918 scoping create design complexity), IPv6 is globally unique, NAT-free, and per-interface routable.

1. IPv6 Addressing Model in AWS

1.1 VPC-level IPv6 CIDR

AWS assigns each VPC a /56 IPv6 CIDR block (globally unique).
Customers cannot bring their own IPv6 CIDR (BYOIP IPv6 is available only for public ranges, not VPC internal use).
Sample VPC IPv6 block:
2600:1f18:abcd:7800::/56

1.2 Subnet-level IPv6 CIDRs

Each subnet receives a /64 from the VPC’s /56.
/64 is fixed due to SLAAC (required by RFC).
Example subnet:

2600:1f18:abcd:7801::/64

NB:

twtech cannot assign a larger or smaller IPv6 subnet size than /64 in a VPC.

2. VPC & Subnet Architecture

2.1 Dual-Stack vs IPv6-only

twtech can configure subnets as:

A. Dual-stack subnets (IPv4 + IPv6)

Instances get:

1 private IPv4
Optional public IPv4
1+ IPv6 addresses

Applications can choose which stack to use.

B. IPv6-only subnets

No IPv4 at all.
Uses NAT64 + DNS64 (via Amazon-provided DNS) for IPv6→IPv4 egress.

Great for:

Container workloads (EKS/ECS)
Modern services
Highly scalable architectures needing many IPs

3. Routing & Internet Access

3.1 IPv6 routing differences

IPv6 has no NAT in AWS (by design).
Every IPv6 address is globally reachable, but not necessarily routable unless allowed.

3.2 Internet Gateway (IGW)

Supports both IPv4 and IPv6.
For inbound IPv6:

Instance must have a public IPv6 address
Security Groups and NACLs must permit traffic
Route table must send:
::/0 → IGW

3.3 Egress-Only Internet Gateway (EOIGW)

Key security primitive for IPv6.
Prevents inbound connections even though the address is globally unique.
Route example:
::/0 → EgressOnlyInternetGateway

Use EOIGW when instances should reach the internet but should not be reachable inbound.

4. IPv6 Address Assignment Mechanisms

AWS supports:

A. SLAAC (Stateless Address Auto Configuration)

Instances derive their own IPv6 address from the subnet prefix.
No DHCPv6 required.

B. Manual (static) IPv6 assignment

twtech assigns the IPv6 address in the EC2 console or API.

C. DHCPv6

AWS does not support DHCPv6 for address assignment.
DHCPv6 is supported only for Option 23 (DNS servers) in some cases, but AWS-provided DNS negates the need.

5. DNS Behavior in IPv6 VPCs

AmazonProvidedDNS:

Supports AAAA record lookup
Supports DNS64 when in IPv6-only subnets
Maps IPv4-only destinations into IPv6 space using 64:ff9b::/96

Sample:

IPv4 target 203.0.113.10

DNS64 returns IPv6: 64:ff9b::203.0.113.10

6. EC2 IPv6 Behavior

6.1 Interface-level addressing

Each ENI can have:

1 primary IPv6 address (required)
Additional IPv6 secondary addresses (up to quotas)

6.2 OS considerations

Linux:

SLAAC works out of the box.
RA (router advertisements) manages default routes.

Windows:

Also supports SLAAC.
Some OS versions require RA tweaks.

7. Load Balancers & IPv6

Application Load Balancer (ALB)

Supports dual-stack (IPv4+IPv6)
Can front IPv4-only or IPv6-enabled targets

Network Load Balancer (NLB)

Supports dual-stack
NLB in dual-stack assigns both:

IPv4 public IP
IPv6 public IP

Gateway Load Balancer (GWLB)

Control plane uses IPv4
VPC traffic carries IPv6 as payload
Middlebox tools (Suricata, Firewalls) can inspect IPv6 mirrored traffic.

8. PrivateLink + IPv6

AWS PrivateLink now supports IPv6 for:

Interface Endpoints
Service Endpoints
Cross-account services

twtech can expose its service over IPv6-only or dual-stack.

9. Transit Gateway (TGW) IPv6

Capabilities:

IPv6 routing supported
Attachments may be dual-stack or IPv6-only
TGW route tables can have:
::/0 → attachment

Limitations:

Some legacy regions didn’t support IPv6 TGW early on—now widely supported.

10. Hybrid Connectivity (Direct Connect & VPN)

Direct Connect

Supports IPv6 on virtual interfaces (private and public)
BGP exchanges IPv6 prefixes
twtech can form an IPv6-only hybrid architecture

Site-to-Site VPN

IPv6 supported both over AWS-managed and customer-initiated tunnels

11. Security Model (SG, NACL, Firewalls)

Security Groups

Support IPv6 ranges (/128 allowed)

Sample:

Allow TCP port 443 from 2600:1f18:abcd:7802::/64

NACLs

Must explicitly allow IPv6 traffic
Stateless rules: remember return traffic

Firewall Appliances (Suricata, Palo Alto, etc.)

Fully IPv6-capable
GWLB + VPC Traffic Mirroring works for IPv6

12. Best Practices for IPv6 in AWS

1. Use IPv6-only subnets for container platforms

Massive scalability
No NAT bottlenecks

2. Use Egress-Only Internet Gateway for outbound-only workloads

Prevents inbound access while preserving IPv6 routing

3. Prefer dual-stack load balancers

Seamless transition strategy
Applications gradually adopt IPv6

4. Use DNS64/NAT64 for legacy IPv4 dependencies

Enables IPv6-only workloads to reach IPv4-only services

5. Avoid mixing IPv4 security assumptions

IPv6 has:

No NAT
Public addresses by default→ Strengthen Security Group hygiene.

6. For hybrid networking, test MTU and PMTUD

IPv6 often negotiates larger MTUs
Validate across VPN and DX

Architecture of Diagram of IPv6 in AWS VPC

Insights:

The difference between NAT and NAT64

NAT translates between different private and public IPv4 addresses,
NAT64 specifically translates between IPv6 and IPv4 addresses

Network Address Translation (NAT)

Standard NAT was primarily designed as a method to conserve the diminishing supply of IPv4 addresses.
It allows multiple devices within a private network (each with a private IPv4 address) to share a single public IPv4 address when communicating with the internet.

Key characteristics of Network Address Translation (NAT):

Protocol: Translates IPv4 private addresses to IPv4 public addresses.
Purpose: Primarily address conservation and hiding internal network structure.
Mechanism: Typically involves mapping multiple private addresses to one or a few public addresses, usually via Port Address Translation (PAT).
Communication: Both source and destination endpoints must be running IPv4.

NAT64

NAT64 is a mechanism developed as a transition technology to facilitate communication between devices running the newer IPv6 protocol and devices or servers still using the older IPv4 protocol.
As the internet moves towards global IPv6 adoption, NAT64 bridges the gap, allowing an IPv6-only network to access IPv4-only content.

Key characteristics of NAT64:

Protocol: Translates IPv6 addresses to IPv4 addresses (and vice versa).
Purpose: To enable connectivity between the two different IP versions during the global transition period.
Mechanism: It requires a special DNS server, typically DNS64, to synthesize IPv6 addresses that correspond to the IPv4 addresses of the destination servers. The NAT64 device then uses this information to perform the actual protocol translation.
Communication: The client uses IPv6, while the server it communicates with uses IPv4.

Summary Table

Feature	NAT	NAT64
Primary Use	Translate between private IPv4 and public IPv4 addresses.	Translate between IPv6 and IPv4 addresses
Goal	IPv4 address conservation and security.	IPv6/IPv4 interoperability (transition technology)
Protocol Translation	None (both sides are IPv4).	Yes (translates the entire packet header from one version to the other)
Requirement	Both endpoints must use IPv4.	One endpoint uses IPv6, the other uses IPv4