AWS has fully supported IPv6 since 2016, with all regions now offering dual-stack capabilities. The key components for IPv6 implementation include:
- VPC IPv6 CIDR blocks (automatically assigned /56)
- IPv6-enabled subnets (extensions to existing IPv4 subnets)
- Route tables with IPv6 routes
- Security groups with IPv6 rules
- Elastic Load Balancers with IPv6 support
First, enable IPv6 on your VPC using the AWS CLI:
```bash
aws ec2 associate-vpc-cidr-block \
  --vpc-id vpc-1a2b3c4d \
  --amazon-provided-ipv6-cidr-block
```
For an EC2 instance, modify the launch configuration:
```json
{
  "NetworkInterfaces": [
    {
      "AssociatePublicIpAddress": true,
      "DeviceIndex": 0,
      "Ipv6AddressCount": 1,
      "SubnetId": "subnet-123456"
    }
  ]
}
```
Add AAAA records for your domain:
```json
{
  "Changes": [
    {
      "Action": "CREATE",
      "ResourceRecordSet": {
        "Name": "example.com",
        "Type": "AAAA",
        "TTL": 300,
        "ResourceRecords": [
          {"Value": "2600:1f18:1234:ab00::1"}
        ]
      }
    }
  ]
}
```
Update security groups to handle IPv6 traffic:
```bash
aws ec2 authorize-security-group-ingress \
  --group-id sg-903004f8 \
  --ip-permissions \
  'IpProtocol=tcp,FromPort=80,ToPort=80,Ipv6Ranges=[{CidrIpv6=::/0}]'
```
Use these commands to verify your setup:
```bash
# Check DNS resolution
dig AAAA example.com
# Test direct connection
curl -6 http://example.com
# Verify network interface
ip -6 addr show
```
1. No IPv6 connectivity: Ensure your subnet is associated with an IPv6 CIDR block
2. DNS resolution failures: Verify AAAA records exist and have propagated
3. Connection timeouts: Check security group and NACL rules for IPv6
For ALB setup with IPv6:
```bash
aws elbv2 create-load-balancer \
  --name my-dualstack-alb \
  --subnets subnet-123456 subnet-789012 \
  --ip-address-type dualstack \
  --security-groups sg-903004f8
```
When configuring IPv6 for your AWS infrastructure, you'll need to work with both VPC and EC2 components. First, ensure your AWS region supports IPv6 - most modern regions do. The implementation requires modifications at three levels: VPC configuration, subnet allocation, and EC2 instance settings.
Start by enabling IPv6 on your VPC through the AWS Management Console:
1. Navigate to VPC Dashboard
2. Select "Your VPCs"
3. Choose the target VPC
4. Click "Actions" → "Edit CIDRs"
5. Click "Add IPv6 CIDR"
6. Select "Amazon-provided IPv6 CIDR block"
7. Save changes
Alternatively, use the AWS CLI:
```bash
aws ec2 associate-vpc-cidr-block \
  --vpc-id vpc-1a2b3c4d \
  --amazon-provided-ipv6-cidr-block
```
Each subnet that needs IPv6 support must be configured separately:
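```bash
# The /64 must fall inside the /56 assigned to your VPC.
# 2001:db8::/32 is a documentation prefix, used here as a placeholder.
aws ec2 associate-subnet-cidr-block \
  --subnet-id subnet-123456 \
  --ipv6-cidr-block 2001:db8:1234:1a00::/64
```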
For Terraform users:
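```hcl
resource "aws_subnet" "web" {
  vpc_id     = aws_vpc.main.id
  cidr_block = "10.0.1.0/24"
  # A subnet needs a /64, but the VPC block is a /56: carve out one /64
  # (8 extra prefix bits, subnet index 1) instead of reusing the whole block.
  ipv6_cidr_block                 = cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, 1)
  assign_ipv6_address_on_creation = true
}
```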
For existing instances, you'll need to:
- Stop the instance (note: this causes downtime)
- Modify the subnet association
- Assign an IPv6 address
CloudFormation example for new instances:
```yaml
WebServer:
  Type: AWS::EC2::Instance
  Properties:
    NetworkInterfaces:
      - AssociatePublicIpAddress: true
        DeviceIndex: 0
        Ipv6AddressCount: 1
        SubnetId: !Ref PublicSubnet
```
If using ALB/ELB, enable dual-stack support:
```bash
aws elbv2 create-load-balancer \
  --name my-ipv6-lb \
  --subnets subnet-123 subnet-456 \
  --scheme internet-facing \
  --ip-address-type dualstack
```
Update security groups to include IPv6 rules:
```bash
aws ec2 authorize-security-group-ingress \
  --group-id sg-903004f8 \
  --ip-permissions '[{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]'
```
Route table modification example:
```bash
aws ec2 create-route \
  --route-table-id rtb-1a2b3c4d \
  --destination-ipv6-cidr-block ::/0 \
  --gateway-id igw-1122aabb
```
After implementation, verify connectivity:
```
# Linux/macOS:
curl -6 http://your-ipv6-endpoint
# Windows:
Test-NetConnection -ComputerName your-ipv6-endpoint -Port 80
```
For DNS configuration, create AAAA records in Route 53:
```bash
aws route53 change-resource-record-sets \
  --hosted-zone-id Z1PA6795UKMFR9 \
  --change-batch '{"Changes":[{"Action":"CREATE","ResourceRecordSet":{"Name":"www.example.com","Type":"AAAA","TTL":300,"ResourceRecords":[{"Value":"2001:0db8:85a3:0000:0000:8a2e:0370:7334"}]}}]}'
```
If connectivity fails:
- Verify the instance OS has IPv6 enabled (check /etc/sysctl.conf on Linux)
- Ensure security groups allow IPv6 traffic
- Confirm route tables have IPv6 routes
- Check NACLs for IPv6 rule restrictions
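The security-group checks in both troubleshooting lists can be scripted. The following is an added example, not part of the original page: it reads data shaped like `aws ec2 describe-security-groups` output and reports rules open to `0.0.0.0/0` with no `::/0` counterpart (the connection-timeout case) and rules open to `::/0` on ports outside a public set. The sample data, group IDs, finding labels and the `PUBLIC_PORTS` policy are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample shaped like `aws ec2 describe-security-groups` output.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-web-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-admin-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}],
         "Ipv6Ranges": [{"CidrIpv6": "0:0:0:0:0:0:0:0/0"}]},
    ]},
]}

PUBLIC_PORTS = {80, 443}  # assumption: only these may be world-reachable


def is_any(cidr):
    """True for 0.0.0.0/0 or ::/0, however the address is written."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_ipv6_rules(doc, public_ports=PUBLIC_PORTS):
    findings = []
    for group in doc["SecurityGroups"]:
        # Merge per (protocol, from, to): rules may be split across entries.
        v4_any, v6_any = defaultdict(bool), defaultdict(bool)
        for perm in group.get("IpPermissions", []):
            key = (perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort"))
            v4_any[key] |= any(is_any(r["CidrIp"]) for r in perm.get("IpRanges", []))
            v6_any[key] |= any(is_any(r["CidrIpv6"]) for r in perm.get("Ipv6Ranges", []))
        for key in sorted(set(v4_any) | set(v6_any), key=str):
            proto, lo, hi = key
            if v4_any[key] and not v6_any[key]:
                # IPv6 clients will time out on a port IPv4 clients can reach.
                findings.append((group["GroupId"], "ipv4-only-public", key))
            if v6_any[key] and proto in ("tcp", "udp", "-1"):
                ports = set(range(lo, hi + 1)) if proto != "-1" else None
                if ports is None or not ports <= public_ports:
                    findings.append((group["GroupId"], "ipv6-open-nonpublic", key))
    return findings

if __name__ == "__main__":
    for finding in audit_ipv6_rules(SAMPLE):
        print(finding)
```

To run it against a real account, load the JSON printed by `aws ec2 describe-security-groups` and pass it to `audit_ipv6_rules` in place of `SAMPLE`.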
Network interface verification command:
```bash
aws ec2 describe-network-interfaces \
  --filters Name=ipv6-addresses.ipv6-address,Values='2001:db8::*' \
  --query 'NetworkInterfaces[*].{ID:NetworkInterfaceId,IPv6:Ipv6Addresses}'
```