An Essential Guide to Migrating A VPC from IPv4 to IPv6

In the vast realm of cloud computing, where communication is imperative, IP addresses are the lifeblood of connectivity. As the digital landscape burgeons, the demand for IP addresses escalates. Computers and smart devices use IP addresses to communicate with each other over the internet and other networks. While IPv4 has been the go-to standard, the evolution to IPv6 offers an expansive address space to satiate the growing appetite for the internet.

Why Do We Need IPv6?

The surge in AWS adoption underscores the criticality of IPv6. IPv4-centric VPCs often grapple with the relentless expansion, necessitating the addition of more CIDR blocks. IPv6, however, eliminates these constraints, offering a harmonious blend of BYOIPv6 and AWS-assigned CIDRs. It enables meticulous control over routed IPv6 addresses, fostering a clear demarcation between internal and external applications within VPCs.

Is it Possible to Enable IPv6 on Existing IPv4-Only VPCs?

The flexibility of IPv6 integration shines through as customers can seamlessly enable IPv6 support for VPCs entrenched in IPv4. Dual-stack functionality empowers resources to communicate independently over IPv4, IPv6, or both. However, it’s crucial to note that there’s no direct migration path from IPv4-only to IPv6-only subnets.

Considerations

• There is no migration path from IPv4-only subnets to IPv6-only subnets.
• This example assumes that you have an existing VPC with public and private subnets

Enable IPv6 in A VPC with A Public and Private Subnet

In this example, your VPC has a public and a private subnet. A private subnet has a database instance that has outbound internet connectivity through a NAT gateway in your VPC. An internet-facing web server in a public subnet that has internet access through the internet gateway.

You want your VPC and resources to be enabled for IPv6, and you want them to operate in dual-stack mode; in other words, you want to use both IPv6 and IPv4 addressing between resources in your VPC and resources over the internet.

High-Level Steps Involved

• Associate an IPv6 CIDR block with your VPC and subnets.
• Update your route tables.
• Update your security group rules.
• Change your instance type.
• Assign IPv6 addresses to your instances

With the current architectural overview in mind, let’s delve into each step of the migration process, starting with associating an IPv6 CIDR block with your VPC and subnets.

Associate an IPv6 CIDR block with your VPC and Subnets

• Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
• In the navigation pane, choose Your VPCs.
• Select your VPC, choose Actions, and Edit CIDRs.
• Choose Add IPv6 CIDR, choose one of the following options, and then choose Select CIDR:
  1. Amazon-provided IPv6 CIDR block: Requests an IPv6 CIDR block from Amazon’s pool of IPv6 addresses. For Network Border Group, select the group from which AWS advertises IP addresses.
  2. IPv6 CIDR owned by me: (BYOIP) Allocates an IPv6 CIDR block from your IPv6 address pool. For Pool, choose the IPv6 address pool from which to allocate the IPv6 CIDR block.

To Associate an IPv6 CIDR Block With A Subnet

• Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
• In the navigation pane, choose Subnets.
• Select your subnet, choose Subnet Actions, and Edit IPv6 CIDRs.
• Choose Add IPv6 CIDR. Specify the hexadecimal pair for the subnet (for example, 00) and confirm the entry by choosing the tick icon.
• Choose Close. Repeat the steps for the other subnets in your VPC.
• For more information, see IPv6 VPC CIDR blocks.

Update your route tables

For a public subnet, you must update the route table to enable instances (such as web servers) to use the internet gateway for IPv6 traffic.

For a private subnet, you must update the route table to enable instances (such as database instances) to use an egress-only internet gateway for IPv6 traffic.

To Update your Route Table for a Public Subnet

• Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
• In the navigation pane, choose Route Tables and select the route table that’s associated with the public subnet.
• On the Routes tab, choose Edit Routes.
• Choose Add route. Specify::/0 for Destination, select the ID of the internet gateway for Target and then choose Save changes.

To Update your Route Table for a Private Subnet

• Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
• If you’re using a NAT device in your private subnet, it does not support IPv6 traffic. Instead, create an egress-only internet gateway for your private subnet to enable outbound communication to the internet over IPv6 and prevent inbound communication. An egress-only internet gateway supports IPv6 traffic only. For more information, see Enable outbound IPv6 traffic using an egress-only internet gateway.
• In the navigation pane, choose Route Tables and select the route table that’s associated with the private subnet.
• On the Routes tab, choose Edit Routes.
• Choose Add route. For Destination, specify::/0. For Target, select the ID of the egress-only internet gateway, and then choose Save changes.

Update Your Security Group Rules

To enable your instances to send and receive traffic over IPv6, you must update your security group rules to include rules for IPv6 addresses. For example, you can update the web server security group (sg-11aa22bb11aa22bb1) to add rules that allow inbound HTTP, HTTPS, and SSH access from IPv6 addresses.

To update your security group rules

• Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
• In the navigation pane, choose Security Groups and select your web server security group.
• In the Inbound Rules tab, choose Edit.
• For each rule, choose Add another rule, and choose Save when you’re done. For example, to add a rule that allows all HTTP traffic over IPv6, for Type, select HTTP, and for Source, enter::/0.

By default, an outbound rule that allows all IPv6 traffic is automatically added to your security groups when you associate an IPv6 CIDR block with your VPC. However, if you modified the original outbound rules for your security group, this rule is not automatically added, and you must add equivalent outbound rules for IPv6 traffic.

Change your Instance Type

All current generation instance types support IPv6. For more information, see Instance types. If your instance type does not support IPv6, you must resize the instance to a supported instance type.

Assign IPv6 Addresses to your Instances

After you’ve verified that your instance type supports IPv6, you can assign an IPv6 address to your instance using the Amazon EC2 console. The IPv6 address is assigned to the primary network interface (eth0) for the instance.

To Assign an IPv6 Address to your Instance

• Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
• In the navigation pane, choose Instances.
• Select your instance, and choose Actions, Networking, and Manage IP Addresses.
• Under IPv6 Addresses, choose Assign new IP. You can enter a specific IPv6 address from the range of your subnet, or you can leave the default Auto-Assign value to let Amazon choose one for you.
• Choose Yes, Update.

Alternatively, if you launch a new instance (for example, if you were unable to change the instance type and you created a new AMI instead), you can assign an IPv6 address during launch. You can connect to an instance using its IPv6 address. If you’re connecting from a local computer, ensure that your local computer has an IPv6 address and is configured to use IPv6.

Conclusion

This post helps you get started with IPv6 CIDRs on an Amazon VPC and enable IPv6 CIDR on existing VPCs and Subnets. Reference: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-migrate-ipv6.html