As you probably know AWS is now charging for the use of every public IPv4 IP address used in your environment. The current rate is $.005/hr and while that doesnβt sound like much it amounts to approximately $45/year per IP. In part 2 of this blog we showed you how to determine how many IPs were being used in your account, you may be surprised. If you are running a three tier environment with NAT Gateway, Load Balancer and ASG, some EIPs along with RDS database well there could be at least 10+. Just another line item adding to your monthly bill. There is a way to stop this charge and if you follow along here weβll show you how.
β
Considerations
- You cannot disable IPv4 support for your VPC and subnets; this is the default IP addressing system for Amazon VPC and Amazon EC2.
- There is no migration path from IPv4-only subnets to IPv6-only subnets. For information about creating IPv6-only subnets, see Create a subnet.
- This example assumes that you have an existing VPC with public and private subnets. For information about creating a new VPC for use with IPv6, see Create a VPC.
- Here are AWS services that support IPv6 - AWS services that support IPv6 This table is important to review since many of the services only support dual stack.
β
Step 1: Associate an IPv6 CIDR block with your VPC and subnets
You can associate an IPv6 CIDR block with your VPC, and then associate a /64 CIDR block from that range with each subnet. See Part 1 of this blog to learn how to read IPv6 addresses.
1A. To associate an IPv6 CIDR block with a VPC - This allows your VPC to route both IPv4 and IPv6 traffic.
- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
- In the navigation pane, choose Your VPCs then Select your VPC that you want to add IPv6 to.
- Choose Actions, Edit CIDRs and then choose Add new IPv6 CIDR.
- Select one of the following options, and then choose Select CIDR: β¦ Amazon-provided IPv6 CIDR block β Use an IPv6 CIDR block from Amazon's pool of IPv6 addresses. For Network Border Group, choose the group from which AWS advertises IP addresses. β¦ IPAM-allocated IPv6 CIDR block β Use an IPv6 CIDR block from an IPAM pool. Choose the IPAM pool and the IPv6 CIDR block. β¦ IPv6 CIDR owned by me β Use an IPv6 CIDR block from your IPv6 address pool (BYOIP). In case you want to Bring Your Own. Choose the IPv6 address pool and the IPv6 CIDR block.
- Then Close.
1B. To associate an IPv6 CIDR block with a subnet - Associate IPv6 CIDR blocks to your subnets. Each subnet needs to be configured to handle both IPv4 and IPv6 traffic. Note: Repeat this procedure for all subnets in your selected VPC
- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
- In the navigation pane, choose Subnets thenn Select a subnet.
- Choose Actions, Edit IPv6 CIDRs and then choose Add IPv6 CIDR.
- Edit the CIDR block as needed (for example, replace the 00).
- Then Save..
For more information, see IPv6 VPC CIDR blocks.
β
Step 2: Update your route tables
When you associate an IPv6 CIDR block with your VPC, AWS automatically adds a local route to each route table for the VPC to allow IPv6 traffic within the VPC.
You must update the route tables for your public subnets to enable instances (such as web servers) to use the internet gateway for IPv6 traffic. You must also update the route tables for your private subnets to enable instances (such as database instances) to use an egress-only internet gateway for IPv6 traffic, because NAT gateways do not support IPv6.
2A. To update the route table for a public subnet
- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
- In the navigation pane, choose Subnets. Select the public subnet. On the Route table tab, choose the route table ID to open the details page for the route table.
- Select the route table. On the Routes tab, choose Edit routes.
- Choose Add route. Choose ::/0 for Destination. Choose the ID of the internet gateway for Target.
- Save changes.
2B. To update the route table for a private subnet
- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
- In the navigation pane, choose Egress-only internet gateways. Choose Create egress only internet gateway. Choose your VPC from VPC, and then choose Create egress only internet gateway. For more information, see Enable outbound IPv6 traffic using an egress-only internet gateway.
- In the navigation pane, choose Subnets. Select the private subnet. On the Route table tab, choose the route table ID to open the details page for the route table.
- Select the route table. On the Routes tab, choose Edit routes.
- Choose Add route. Choose ::/0 for Destination. Choose the ID of the egress-only internet gateway for Target.
- Save changes.
For more information, see Example routing options.
β
Step 3: Update your Security Group rules
To enable your instances to send and receive traffic over IPv6, you must update your security group rules to include rules for IPv6 addresses. For example you can update your web server security group to add rules that allow inbound HTTP, HTTPS, and SSH access from IPv6 addresses.
3A. To update your inbound Security Group rules
- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
- In the navigation pane, choose Security Groups and select your web server security group.
- In the Inbound rules tab, choose Edit inbound rules.
- For each rule that allows IPv4 traffic, choose Add rule and configure the rule to allow the corresponding IPv6 traffic. For example, to add a rule that allows all HTTP traffic over IPv6, choose HTTP for Type and ::/0 for Source.
- When you are finished adding rules, Save rules.
3B. Update your outbound security group rules
- When you associate an IPv6 CIDR block with your VPC, AWS automatically adds an outbound rule to the security groups for the VPC that allows all IPv6 traffic. However, if you modified the original outbound rules for your security group, this rule is not automatically added, and you must add equivalent outbound rules for IPv6 traffic.
3C. Update your Network ACL(NACL) rules
- When you associate an IPv6 CIDR block with a VPC, we automatically add rules to the default Network ACL to allow IPv6 traffic. However, if you modified your default NACL or if you've created a custom NACL, you must manually add rules for IPv6 traffic. For more information, see Work with network ACLs.
3D. Update DNS records, load balancers, application load balancers, etc. to recognize IPv6 addresses. Note: services like S3, Route 53, CloudFront natively support IPv6.
β
Step 4: Assign IPv6 addresses to your EC2 instances
- All current generation instance types support IPv6. If you are using an older instance type that does not support IPv6, then you must resize the instance to a type that supports IPv6 before you can assign an IPv6 address. The process that you'll use depends on whether the new instance type that you choose is compatible with the current instance type. For more information, see Change the instance type in the Amazon EC2 User Guide for Linux Instances. If you must launch an instance from a new AMI to support IPv6, you can assign an IPv6 address to your instance during launch.
- After you've verified that your instance type supports IPv6, you can assign an IPv6 address to your instance using the EC2 console. The IPv6 address is assigned to the primary network interface (eth0) for the instance. For more information, see Assign an IPv6 address to an instance in the Amazon EC2 User Guide for Linux Instances.
- You can connect to an instance using its IPv6 address. For more information, see Connect to your Linux instance using an SSH client in the Amazon EC2 User Guide for Linux Instances or Connect to a Windows instance using its IPv6 address in the Amazon EC2 User Guide for Windows Instances.
- If you launched your instance using an AMI for a current version of your operating system, your instance is configured for IPv6. If you can't ping an IPv6 address from your instance, refer to the documentation for your operating system to configure IPv6.