In June 2021, we announced our continued commitment and innovation towards the enablement of IPv6 on AWS. Today, we take a monumental step forward with the ability to create an IPv6-only architecture on AWS. With this launch, Amazon Virtual Private Cloud (VPC) now allows you to create IPv6-only subnets in your dual-stack VPCs and launch EC2 instances built on the Nitro System in these subnets. This capability is ideal if you have workloads, such as serverless and container applications, that consume a large number of IP addresses. Workloads that are constrained by the limited size of the IPv4 address space can now migrate to an IPv6-only environment on AWS to scale up. Additionally, with this launch, you will be able to meet the requirements for adoption of IPv6-only network environments set by US federal government agencies and minimize the need for translation software or systems, thereby creating a simplified IPv6-only architecture.
Within a VPC, the size of the IPv6 CIDR block for IPv6-only subnets has a fixed prefix length of /64. This provides 2^64 (approximately 18 quintillion) IPv6 addresses and allows you to scale your deployments on AWS without requiring any IPv4 addressing in the subnet. The EC2 instances launched in the IPv6-only subnet and the Elastic Network Interfaces (ENI) attached to them are assigned an IPv6 address through Dynamic Host Configuration Protocol version 6 (DHCPv6) options set from the IPv6 CIDR block of your subnet. These instances do not require private IPv4 addresses to be assigned. The instances can access the local instance services such as Amazon EC2 Instance Metadata Service, Amazon Time Sync Service, and Amazon VPC DNS server (also known as Amazon Route 53 Resolver) over IPv6 Unique Local Addresses (ULA). Additionally, we are also introducing a new naming scheme called Resource-based naming (RBN) that allows you to configure the EC2 instance guest OS hostname. This also includes the functionality to allow privately resolving the instance to IPv6 addresses.
In this blog post, you will learn how to create an IPv6-only subnets within a dual-stack VPC and launch an EC2 instance into this subnet. You will also learn about Resource-based naming and how to access local instance services over the IPv6 endpoint.
Now let’s get started by creating an IPv6-only subnet and launch an EC2 instance within this subnet.
Pre-requisites
Before we get into any of the setup, you need to make sure that the following prerequisite is fulfilled:
- You have created a new VPC in any region and associated a secondary IPv6 CIDR block with your VPC. Optionally, you can also choose an existing VPC that has an associated secondary IPv6 CIDR block. We will refer to this VPC as dual-stack VPC for the rest of the blog.
Create an IPv6-only subnet within a dual-stack VPC
You can create a IPv6-only subnet using the AWS Management Console or Command Line Interface (CLI). In this blog post, we’ll do it by using the console.
- Open the Amazon VPC console and navigate to Subnets and then click on Create subnet as shown in Figure 1 below.
- Choose the VPC for which you’re creating the subnet, specify the subnet name, select an Availability Zone, select the checkbox to enable “IPv6-only” and then specify the hexadecimal pair for one of the 256 possible /64 subnets out of the /56 VPC CIDR (for example, select 20) and confirm the entry by choosing the tick icon. This is shown in Figure 1 below.
- Once you have specified the subnet details as necessary, you can choose Create.
You need the subnet ID later so note it now. Please note that the IPv6 CIDR 2001:db8:1234:1a00::/56 used in Figure 1 above belongs to the documentation-only prefix 2001:db8::/32 reserved by IANA, which is used for documentation purposes only. In your case, you can use either AWS provided IPv6 addresses or Bring your own IPv6 addresses (BYOIPv6) for your VPC, so the CIDRs will differ. You can now verify that the subnet is IPv6-only by navigating to Subnets and selecting your specific subnet. Under the Details (refer to figure 2 below), look for these fields:
a. IPv4 CIDR should NOT be defined since this is a IPv6-only subnet
b. Available IPv4 addresses should be 0
c. IPv6 CIDR should be populated with the appropriate CIDR. In reality, the IPv6 CIDR for your subnet will be a subset of AWS-assigned IPv6 address space from Amazon’s pool of IPv6 addresses.
d. IPv6-only should be set to ‘Yes’ since this is a IPv6-only subnet
e. Resource name DNS A record should be ‘Disabled’
f. Resource name DNS AAAA record should be ‘Enabled’
Resource-based naming (RBN)
Resource-based naming (RBN) is a new private DNS name for instances in place of IP based naming (IPBN). When you launch an instance, the EC2 instance ID is included in the hostname of the instance. The resource-based name exists for the life of the EC2 instance. When you use RBN as the Private DNS hostname for an IPv6-only instance, it returns the IPv6 Global Unicast Address (AAAA record).
When you launch an EC2 instance with a Resource-based hostname type, the guest OS hostname is configured to use the EC2 instance ID. A resource based name (RBN) looks like the following:
Format for an instance in us-east-1: ec2-instance-id.ec2.internal
Example: i-0123456789abcdef.ec2.internal
Format for an instance in any other AWS Region: ec2-instance-id.region.compute.internal
Example: i-0123456789abcdef.us-west-2.compute.internal
As mentioned above, let’s understand these new fields:
Hostname type – This field determines the options for the guest OS hostname of the EC2 instance. It can be either Resource name (RBN) or IP name (IPBN). An instance hostname is based on the IPv4 address or ID of the instance. The default values are inherited from the subnet.
The DNS Hostname field shows two attributes Enable resource-based IPv4 (A record) DNS requests and Enable resource-based IPv6 (AAAA record) DNS requests.
- Enable resource-based IPv4 (A record) DNS requests – Indicates whether to respond to DNS queries for a hostname that is based on a resource ID with DNS A records.
- Enable resource-based IPv6 (AAAA record) DNS requests – Indicates whether to respond to DNS queries for a hostname that is based on a resource ID with DNS AAAA records.
When you launch an EC2 instance into an IPv6-only subnet, Resource-based naming is used automatically and “Resource-based IPv6 (AAAA record) DNS requests” is enabled as we will see in the below section.
Launch an IPv6-only EC2 instance into the IPv6-only subnet
After you’ve created your subnet, you can launch an IPv6-only EC2 instance into your IPv6-only subnet using the Amazon EC2 console.
- Open the Amazon EC2 console and choose Launch Instance.
- Follow the directions in the wizard. Select an AMI and a Nitro instance type (for example, t3.micro) and choose Next: Configure Instance Details.
- On the Configure Instance Details page, ensure that you have selected the required dual-stack VPC in the Network list, then select the IPv6-only subnet in to which to launch the instance as shown in figure 3 below. Here, you can notice the following fields:
a. Auto-assign Public IP is disabled since this is for IPv6-only subnet.
b. Auto-assign IPv6 IP can be modified but it is set to default subnet settings
c. Hostname type is automatically set to Resource name so that it uses Resource-based naming for the instance DNS name. It cannot be modified.
d. DNS Hostname options are displayed but Enable resource-based IPv6 (AAAA record) DNS requests is checked automatically to ensure that requests to your resource-name will resolve to the IPv6 address of this EC2 instance.Keep the other default settings on this page and choose Next: Add Storage.
- On the Configure Security Group page, choose from any existing security group that you own, or follow the wizard directions to create a new security group to allow SSH from a specific IPv6 address or range of IPv6 addresses to access your instance. Choose Review and Launch when you’re done.
To connect to your IPv6-only instance using Secure Shell (SSH), you need to add inbound rules in your security group to allow access from a specific IPv6 address or range of IPv6 addresses on the Internet to access your EC2 instance. For more information, please refer to the documentation on adding rules in your security groups. You will also need to modify the route table associated with the IPv6-only subnet and add a route to allow access from a specific IPv6 address or range of IPv6 addresses on the Internet to access your EC2 instance. Once you have configured your route table, you can then SSH into the IPv6-only instance using the following command. For more information, please refer to the documentation on Connect to your Linux instance using SSH.
ssh -i /path/my-key-pair.pem my-instance-user-name@my-instance-IPv6-address
If the end user is located in a corporate network that doesn’t support IPv6 address space, you need to launch a dual-stack instance in a dual-stack subnet which the user can SSH into via public IPv4 address first. Then, from that dual-stack instance, the user can SSH into the IPv6-only instance.
Accessing local instance services over IPv6 Endpoints
Once you have SSH’d into the IPv6-only EC2 instance, you can now access Amazon EC2 Instance Metadata Service, Amazon Time Sync Service, and Amazon VPC DNS server over IPv6 endpoints using instances built on the Nitro System.
- The Amazon EC2 Instance Metadata Service is available at fd00:ec2::254 IPv6 address. To access the IMDS IPv6 endpoint from within the IPv6-only EC2 instance, you need to enable it. The IPv6 address of the instance metadata service is compatible with IMDSv2 commands. Today, you can modify the instance metadata options on existing instances using AWS SDK or AWS CLI only. You can’t use the Amazon EC2 console for modifying instance metadata options. If you have already launched an IPv6-only EC2 instance, you can use the modify-instance-metadata-options API call to enable access for IMDS IPv6 Endpoint as mentioned here.
aws ec2 modify-instance-metadata-options --instance-id <your-instance-id> --http-protocol-ipv6 enabled
Additionally, if you are launching EC2 instance using API or CLI, you can use the run-instances API call to enable access to the IMDS IPv6 endpoint.
aws --region <region> ec2 run-instances --instance-type <instance-type> --image-id <ami-id> --subnet-id <your-ipv6-only-subnet-id> --key-name <your-keyname> --ipv6-address-count 1 --security-group-ids <your-security-group-id> --metadata-options "HttpEndpoint=enabled,HttpProtocolIpv6=enabled"
Once you have enabled access to the IMDS IPv6 Endpoint, you can then access it from within the IPv6-only EC2 instance using the following curl command:
curl -w "\n" --connect-timeout 10 'http://[fd00:ec2::254]/latest/meta-data/hostname'
Check if the output includes the following:
For instance in us-east-1 region: ec2-instance-id.compute.internal
For instance in all other AWS regions: ec2-instance-id.region.compute.internal
- The Amazon Time Sync Service is available through NTP at the fd00:ec2::123 IPv6 address. To configure your IPv6-only EC2 instance to use the Amazon Time Sync Service over IPv6 address, please refer to the documentation on
Configure the time for EC2 instances with IPv6 addresses on your Linux instances. For Windows based EC2 instances, please refer to Set the time for a Windows instance.
To test the Amazon Time Sync Service through NTP, you can run the following command (make sure to install ntpdate on your distribution):
- The Amazon VPC DNS server is available at fd00:ec2::253 IPv6 address. To perform a DNS name lookup using Amazon VPC DNS server over IPv6 endpoint, you can run the following command:
dig @fd00:ec2::253 -6 AAAA <domain-name>
Verify if you get IPv6 address(es) in the Answer section of your dig output.
Things to keep in mind
- You can launch Amazon EC2 instances based on the Nitro system only in the IPv6-only subnets.
- Resource-based naming is only supported for Private DNS hostnames. Public DNS hostnames are not supported.
- You can access the local instance services over both IPv4 and IPv6 endpoints from an EC2 instance launched within the IPv6-only subnet.
Now Available
IPv6-only subnets, IPv6-only EC2 instances and Resource-based naming are available in all public AWS Regions, AWS GovCloud (US-West), AWS GovCloud (US-East), Amazon Web Services China (Beijing) Region operated by Sinnet, and Amazon Web Services China (Ningxia) Region operated by NWCD, at no additional cost. You can start using them today. Please send feedback to the AWS forum for Amazon EC2 or through your usual AWS support contacts. To get started with these new features, visit the following documentation links:
Creating an IPv6-only subnet – VPCs and subnets
Understanding Resource-based naming – Amazon EC2 instance hostname types
Launching an EC2 instance within IPv6-only subnet – Launch your EC2 instance
Rohit Aswani
Rohit is a Senior Specialist Solutions Architect focused on Networking at AWS, where he helps customers build and design scalable, highly-available, secure, resilient and cost effective networks. He holds a MS in Telecommunication Systems Management from Northeastern University, specializing in Computer Networking.
Aditya Santhanam
Aditya Santhanam is a Senior Product Manager at AWS in the VPC product team. He is passionate about improving AWS cloud networking experience and accelerate IPv6 adoption across various customer verticals. Before joining AWS, he has spent over decade working in the areas of Telco Cloud, Content Delivery Networks and Cybersecurity. In his spare time, he likes to spend time with his family and enjoys outdoor activities.
from Hacker News https://ift.tt/3CNbwoW
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.