IPv6 in your VPC

Nothing to do with the course or the exam, but just for fun I configured IPv6 in my VPC.

As a starting point I used a completed lab of Architecting on AWS. The final lab is as follows:

So its the classic 2 public, 2 private subnets across 2 AZs, with an ALB handling incoming traffic to the Web App. To test the incoming traffic, we browse to the DNS name of the ALB. To test the Nat Gateways, the Web App is querying an internet site freegeoip for its coordinates. The public IP we see is the EIP of one of the Nat Gateways.

Copying the coordinates (removing the “/”) into Google Maps shows that the IP is located in the middle of a canal in Dublin.

Which just happens to be about 200m from Amazon Ireland.

Lets change to using ipv6 for this outgoing traffic.

VPC>Actions>Edit CIDRs>Add ipv6 CIDR

We get a CIDR range for the VPC.


Its always a /56, which means we have 8 bits to assign a unique prefix to each subnet, which means in theory we can have 256 subnets, at least according to the IPv6 rules.

The addresses are from a public range, as is usual with IPv6.

For each Subnet:

Actions>Edit IPv6 CIDRs>Add IPv6 CIDR. You will be presented with something like this:


and you are prompted to enter the last 2 digits of the prefix, that is the bit before the double colon. This uniquely identifies each subnet, and you could use the range 00-03 for the 4 subnets.

For each EC2 instance:

Actions>Networking>Manage IP Addresses>Assign IPv6 Address

You get something like this:


The last 64 bits is the auto-generated interface ID.

According to the rules of IPv6 we could have 2 to the 64 addresses in the subnet.

For the Load Balancer:

Actions>Edit IP address type>dualstack

Now the LB has an IPv4 and an IPv6 stack.

For the route tables associated with the private subnets, add a route ::/0 and choose the internet gateway as the target.

The security groups need to allow outbound traffic. In this case mine was already wide open, it had a rule ALL Traffic ::/0.

Refresh the web page. it worked!

The IPv6 address we see is now the IPv6 address of the EC2 instance.

We no longer need the Nat gateways, so we can save about 8 pence an hour!

Now the private subnets are no longer private as far as IPv6 is concerned. To increase security we could use an “Egress Only Internet Gateway” or tighten up the security groups.