Building an IPv6 enabled VPC in AWS

Over the past year, Amazon Web Services (AWS) has made IPv6 available for provisioning in all their regions, beginning with the launch of the Ohio region.  In this post, I'll walk through configuring a VPC and its associated resources so that they are IPv6 as well as IPv4 enabled.

For this exercise, we'll allocate the IPv4 space from RFC 6598 space (100.64.0.0/10) so as not to cause overlaps or conflicts with networks you may already have.  IPv6 space, to simplify things, will come from AWS's allocations.

To start, go to the VPC console and create a new VPC.



Fill in the respective information in the dialog box, including the required IPv4 block.  Here, we'll use 100.64.0.0/20 which will give us 16 /24 subnets from 100.64.0.0/24 to 100.64.15.0/24.  We'll provision those in a bit.  The key takeaway here is to provision for IPv6 by selecting "Amazon provided IPv6 CIDR block."



Click on "Yes, Create" and after a bit of behind the scenes work, your VPC is ready to go.  We should have something like the following.  Note your IPv6 CIDR block will vary as it's allocated from AWS's global IPv6 address pool.



Now that the overall environment is created, we need to allocate a minimum of one subnet in order to launch instances.  To do that, select "Subnets" from the left hand column.  Then we'll create a subnet.

Several items to note:

  • You'll need to specify an IPv4 subnet that fits within the allocation for the VPC (here, I've selected a /24)
  • Change the "IPv6 CIDR block" to "Specify a custom IPv6 CIDR block".  Note the prefix for it will be derived from the block allocated to the VPC in the prior step.  You have the option of specifying the 10th and 11th octets (I set them equal to the 3rd octet of the IPv4 block).


Select "Yes, Create" and after a bit you'll have a provisioned subnet that will look similar to this (note the IPv6 subnet is now a /64 as it is provisioned out of the /56 allocated to the VPC):



We now have an environment (VPC) and subnet allocated, but we have no path in or out yet.  For this exercise, we'll make the subnet public for both IPv4 and IPv6 by allocating an "Internet Gateway" (IGW) and adding that to the route table.  This allows bi-directional communication for IPv6, and for IPv4 if an Elastic IP is associated with an instance.  If you don't want global hosts to be able to reach an instance, you can provision it on a private subnet, which is one whose path to the Internet is via a NAT gateway (IPv4)/Egress Only Internet Gateway (IPv6) combination.

To provision an IGW, select "Internet Gateways" from the left column, then "Create Internet Gateway."  Fill in the IGW name.



After creation, the IGW will exist, but it will not yet be attached to a VPC.



Select "Attach to VPC" and select your VPC; the IGW will attach and be available as a Route Table target.

Now we need to associate the default routes in a route table to the IGW.  Go back to "Subnets" in the left column, select the appropriate subnet, and then select the Route Table tab in the bottom window.  Click on the link for the Route Table (red arrow in screen shot) to edit it.



Add two routes to the route table:

  • 0.0.0.0/0
  • ::/0

Each needs to point toward the IGW created in the prior step.  When complete the table should look similar to the following:
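The public/private distinction described above can be checked from the route table itself. The following is an added example, not part of the original post: it classifies the default routes of a route table shaped like `aws ec2 describe-route-tables` output. The sample tables and every ID in them are constructed placeholders, and only the 0.0.0.0/0 and ::/0 routes are inspected.

```python
import ipaddress

# Constructed samples shaped like entries of `aws ec2 describe-route-tables`
# output; all IDs and the IPv6 prefix are made-up placeholders.
SAMPLE_PUBLIC = {
    "RouteTableId": "rtb-EXAMPLE1",
    "Routes": [
        {"DestinationCidrBlock": "100.64.0.0/20", "GatewayId": "local", "State": "active"},
        {"DestinationIpv6CidrBlock": "2001:db8:1234:1a00::/56", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE", "State": "active"},
        {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-EXAMPLE", "State": "active"},
    ],
}
SAMPLE_PRIVATE = {
    "RouteTableId": "rtb-EXAMPLE2",
    "Routes": [
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-EXAMPLE", "State": "active"},
        {"DestinationIpv6CidrBlock": "::/0", "EgressOnlyInternetGatewayId": "eigw-EXAMPLE", "State": "active"},
    ],
}

def target_kind(route):
    """Classify where a route sends traffic."""
    if route.get("GatewayId", "").startswith("igw-"):
        return "public"        # Internet Gateway: inbound and outbound
    if route.get("NatGatewayId") or route.get("EgressOnlyInternetGatewayId"):
        return "egress-only"   # NAT gateway / Egress Only IGW: outbound only
    return "other"             # local, peering, transit gateway, ...

def exposure(route_table):
    """Return {'ipv4': kind, 'ipv6': kind} for the table's default routes."""
    result = {"ipv4": "no-default-route", "ipv6": "no-default-route"}
    families = (("DestinationCidrBlock", "ipv4"), ("DestinationIpv6CidrBlock", "ipv6"))
    for route in route_table.get("Routes", []):
        if route.get("State") != "active":
            continue  # blackhole routes carry no traffic
        for key, family in families:
            dest = route.get(key)
            # Only the default routes (0.0.0.0/0 and ::/0) are inspected here.
            if dest and ipaddress.ip_network(dest).prefixlen == 0:
                result[family] = target_kind(route)
    return result

if __name__ == "__main__":
    for table in (SAMPLE_PUBLIC, SAMPLE_PRIVATE):
        print(table["RouteTableId"], exposure(table))
```

A "public" result for IPv6 means every instance address in the subnet is globally routable, so security groups and network ACLs are the only remaining inbound filter.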


At this point, you have a functional IPv4/6 enabled VPC.  The next topic up is launching a CentOS instance in the VPC and enabling IPv6 functionality for it.

Leave me your thoughts, questions or comments.
