In AWS, when you create a VPC, it's a private space. All AWS resources are not automatically given a public IPV4 address. The resources in the private subnets cannot communicate with the public internet directly, so we use a process called NAT- Network Address Translation. To understand NAT better look into (NAT Gateway).
With IPV6 the poverty of IP addresses have come to an end. There is no realistic challenge of running out of IPV6, so there is no concept of Public and Private IP addresses. No need of NAT. The number of IPV6 addresses are so huge that even if you pin one IPV6 address to every single thing in the world it wont be exhausted. So its no surprise that all IPV6 addresses within AWS are publicly routable.
How do we enable IPV6 in a VPC in AWS?
Step1: We have to enable IPV6 on a VPC. We can either bring our own IPV6 or use the range from AWS( more common approach). AWS allocates a unique /56 range of IPV6. What makes it unique in the range is the hex pair which is used at the end of the IP. The hex pair can range from 00 to ff accounting for 256 separate /64 networks in a VPC.
Step 2: We enable the IPV6 range for the subnets as well.
Step 3: Add proper route entries in the route tables.
Routing of IPV6 is handled separately than IPV4, so we have the same Route tables and same internet gateway but different routes-IPV4 routes and IPV6 routes. So now the IGW( internet gateway of the vpc) can route the traffic both incoming and outgoing.
We had the gift of a NAT gateway while using our IPV4 addresses which would protect our instances from traffic generated outside the VPC. But now we know that IPV6 does not support NAT. But there is an equivalent to the NAT here- Egress only Internet Gateway. This allows the traffic out but not in. You need to make minor changes in the route tables for this.
And yes a single VPC can have both IGW and Egress Only IGW.
Another important point about the Egress only IGW is it is stateful and you cannot associate a security group with it.
Step 4: Configure the IPV6 on the services wherever you want. Also remember not all AWS services support IPV6.
Happy Learning Guys !!!!
Sabiha Ali, Solutions Architect, ScaleCapacity
Top comments (0)