IPv4 vs. IPv6 speed
For days, I noticed my connection to 4sysops was kind of slow at certain times of the day. Since there was no real load on the EC2 instance, I suspected that it could be a networking issue. When I accessed the site via a local IPv4 VPN server, speed was back to normal. At first, I thought the VPN connection took a faster route through the internet; then it occurred to me that my local provider works with IPv6, and this problem might be related.
Indeed, when I assigned an IPv6 address to an EC2 instance, the bandwidth with IPv6 to IPv6 was sometimes 100 times faster than with IPv6 to IPv4. It is hard to tell if my provider (Deutsche Telekom) caused the problem, if the IPv6 packets traveled through a faster route than the IPv4 packets, or if the problem might also be located in Amazon's clouds.
It is interesting to note that I noticed the same issue when I connected to an Amazon host (Washington) with speedtest.net. Using IPv4 on the client was always significantly faster than IPv6. However, when I chose another speedtest.net host in the same region, I measured no bandwidth difference between IPv4 and IPv6. This is what I would expect. Theoretically, there should be no significant speed difference between the two protocols.
Anyway, it seems IPv6 has been picking up the pace in recent years, and I guess it makes sense now to work with a dual stack (IPv4 and IPv6) on public servers.
AWS networking primer
If you think you only have to enable IPv6 for your EC2 instance, you will be surprised at how complicated it still is to assign an IPv6 address in AWS more than 20 years after the first IPv6 packets were wired through the internet. (I can't believe that I wrote an IPv6 tutorial almost 10 years ago and that I only just started to work with IPv6 recently.)
If you are a Windows admin, you are used to either just enabling DHCP in the network settings for your server or manually entering an IP address, and you are done. In AWS, things are a bit more complicated. This is the list of objects that have to be dealt with:
Virtual Private Cloud (VPC)—Think of a VPC as a virtual network that corresponds to a physical network (cables, switches, routers, etc.). The main components of a VPC are the subnet, the route table, and the internet gateway.
Subnet—A subnet is a logical division of an IP network. It essentially defines which IP addresses count as local and are therefore switched instead of being routed. You can house several subnets in your VPC.
Route Table—IP packets that need to be delivered to different subnets than the originating subnet (the internet, for instance) need to be routed. The route table is assigned to the VPC and determines the next destination for these packets.
Internet Gateway—This is the virtual router that will accept those packets with an external destination. The internet gateway is attached to the VPC.
Network Interface—Everything in the cloud is virtual, including network interfaces. Every EC2 instance has at least one network interface.
Security Group—This is Amazon's term for a network firewall. Here, you define which external TCP (and ICMP) packets are allowed to access your EC2 instance.
That's quite a list for such a simple task, isn't it?
Assigning the IPv6 address
I will assume here that you already have an EC2 instance with properly configured IPv4 settings. Notice that you have to follow the guide in the exact order as described below; otherwise, you will fail at some point.
If you want to launch a new instance with IPv6, you should be good to go after you read the guide below. You essentially have to create all the resources that I mentioned in the last paragraph in the VPC section of the AWS console.
- Launch the EC2 service in the AWS console and locate the EC2 instance where you want to add the IPv6 address. Click the VPC ID.
- Click the link under the VPC ID again and then click Edit CIDRs on the VPC page. Classless inter-domain routing (CIDR) is used to allocate our IPv6 network.
- On the next screen, click Add new IPv6 CIDR.
- Select Amazon-provided IPv6 CIDR block and choose the AWS zone where your EC2 instance resides.
- Navigate to your VPC and click the route table.
- Click the Routes tab and then Edit routes.
- You should already see a local IPv6 network here. We now have to add a route that ensures that external IPv6 traffic is routed to the internet gateway. Click Add route and then enter “::/0” under Destination. This stands for the default route in CIDR notation, and it means the route applies for all IPv6 traffic. For the target, choose Internet gateway. It is the same as for your IPv4 traffic.
- Navigate to your VPC and click the subnet ID. On the Subnets page, click the ID again. Then click the Actions menu and select Edit IPv6 CIDRs.
- On the next page, click Add IPv6 CIDR and enter 00 in the field next to the IPv6 address. Don't forget to click Save.
- Navigate to your EC2 instance, click the Networking tab, and then click the network interface ID. On the Network interfaces page, click the ID again. In the Actions menu, you'll find the Manage IP addresses link.
- On the Manage IP addresses page, click the arrow next to the ID, and then in the IPv6 section, click Assign new IP address. Click Save.
- If you reload the webpage in your browser, you should be able to see the IPv6 address that has been assigned to the network interface. Copy the IP address to your clipboard because we will need it later.
- Navigate to your EC2 instance and click the Security tab and the ID of the attached security group.
- Click Edit inbound rules on the Security Group.
- Now add the firewall rules that you want to use for your instance. In the source field, you can enter ::/0 or just select Anywhere. In the latter case, the corresponding IPv4 rule will be added together with the IPv6 rule. In the example here, I allowed IPv4 for SSH, ICMP traffic for IPv6, and HTTP/HTTPS for IPv4 and IPv6.
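The same fifteen console steps as one AWS CLI script, added here as an example and not part of the original post. It assumes the IDs of the existing VPC, its route table, the subnet, the instance's network interface and its security group are passed as arguments, that an internet gateway is already attached to the VPC (as it is for IPv4), and that the Amazon-provided /56 block ends in 00:: as the console shows it.

```shell
#!/bin/sh
# Added example: the console steps from the post as AWS CLI calls.
# Assumed inputs: IDs of an existing VPC, its route table, one subnet,
# the instance's network interface and its security group; an internet
# gateway is already attached to the VPC (as for the IPv4 setup).

# Derive the /64 subnet CIDR from the Amazon-provided /56. The console
# shows "2600:1f18:1234:56__::/64" and asks for the two hex digits;
# this does the same with "$2" as those digits (the post uses 00).
subnet_cidr_from_vpc() {
  vpc_prefix=${1%%/*}                      # drop "/56"
  case $vpc_prefix in *00::) ;; *) echo "unexpected VPC block: $1" >&2; return 1 ;; esac
  case $2 in [0-9a-f][0-9a-f]) ;; *) echo "need two hex digits, got: $2" >&2; return 1 ;; esac
  printf '%s%s::/64\n' "${vpc_prefix%00::}" "$2"
}

assign_ipv6() {
  vpc_id=$1 rtb_id=$2 subnet_id=$3 eni_id=$4 sg_id=$5
  # Steps 1-4: request an Amazon-provided IPv6 block for the VPC and wait until it is associated
  aws ec2 associate-vpc-cidr-block --vpc-id "$vpc_id" --amazon-provided-ipv6-cidr-block >/dev/null
  q='Vpcs[0].Ipv6CidrBlockAssociationSet[0]'
  until [ "$(aws ec2 describe-vpcs --vpc-ids "$vpc_id" --query "$q.Ipv6CidrBlockState.State" --output text)" = associated ]; do
    sleep 2
  done
  vpc_cidr=$(aws ec2 describe-vpcs --vpc-ids "$vpc_id" --query "$q.Ipv6CidrBlock" --output text)
  # Steps 5-7: default route ::/0 for IPv6 via the internet gateway attached to the VPC
  igw_id=$(aws ec2 describe-internet-gateways --filters "Name=attachment.vpc-id,Values=$vpc_id" \
             --query 'InternetGateways[0].InternetGatewayId' --output text)
  aws ec2 create-route --route-table-id "$rtb_id" --destination-ipv6-cidr-block ::/0 --gateway-id "$igw_id" >/dev/null
  # Steps 8-9: give the subnet the /64 ending in 00
  aws ec2 associate-subnet-cidr-block --subnet-id "$subnet_id" \
      --ipv6-cidr-block "$(subnet_cidr_from_vpc "$vpc_cidr" 00)" >/dev/null
  # Steps 10-12: assign one IPv6 address to the network interface and print it (for the AAAA record)
  aws ec2 assign-ipv6-addresses --network-interface-id "$eni_id" --ipv6-address-count 1 \
      --query 'AssignedIpv6Addresses[0]' --output text
  # Steps 13-15: inbound rules from ::/0 only for ICMPv6 and HTTP/HTTPS, as in the post.
  # SSH stays IPv4-only here; keep its source restricted to your own address range.
  aws ec2 authorize-security-group-ingress --group-id "$sg_id" --ip-permissions \
      'IpProtocol=icmpv6,FromPort=-1,ToPort=-1,Ipv6Ranges=[{CidrIpv6=::/0}]' \
      'IpProtocol=tcp,FromPort=80,ToPort=80,Ipv6Ranges=[{CidrIpv6=::/0}]' \
      'IpProtocol=tcp,FromPort=443,ToPort=443,Ipv6Ranges=[{CidrIpv6=::/0}]' >/dev/null
}

# Usage: ./assign-ipv6.sh vpc-xxx rtb-xxx subnet-xxx eni-xxx sg-xxx  (placeholder IDs)
if [ $# -eq 5 ]; then assign_ipv6 "$@"; fi
```

The script prints the assigned address on stdout so it can be pasted straight into the AAAA record; it needs credentials with EC2 write permissions on the VPC, as the console steps do.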
Wait a couple of seconds, open a terminal, and ping the IPv6 address using the ping6 command (the ping command won't do, at least not on a Mac). Of course, this only works if your provider supports IPv6. You can check here if you have an IPv6 address.
IPv6 DNS record
If your server responds, you can add the IPv6 address to your DNS server. IPv6 addresses require AAAA records, whereas IPv4 addresses need A records. Likewise, if you query a DNS server with nslookup, you need to change the query type: set q=AAAA.
Elastic IP Address for IPv6?
You've probably noticed that assigning a public IPv6 address works differently in AWS than with IPv4 addresses. There are no elastic IPv6 addresses, which means that you can't reserve an IPv6 address in AWS. The reason is probably that Amazon can't charge for an IPv6 address because no shortage exists as for IPv4 addresses. That is, Amazon doesn't have to worry that their AWS customers start hoarding IPv6 addresses, which would be a problem with IPv4.
The downside is that once you terminate the EC2 instance, the IPv6 address is lost for you. This can be a problem if you want to move your application to a completely new instance and you don't want to go through the hassle of changing DNS records, which always causes outages.
However, if you keep the virtual machine and just reboot or stop the EC2 instance, the IPv6 address of your instance won't change.
By the way, another difference between elastic IPv4 addresses and public IPv6 addresses is that you can see the IP address in the guest OS. This allows you to verify that the IPv6 address has been assigned properly in case you have connection issues.
Now you understand why DevOps is so popular in the cloud. That's lots of click-click for such a simple task. On the other hand, I guess it wouldn't be a big deal for Amazon to simply add an "Enable IPv6" option to the VPC settings, so that instead of 15 steps, just one click would do the trick. Of course, you don't have to repeat all the steps for every instance, assuming all your instances are in the same VPC.