Is the Public Cloud Ready for IPv6?

When connecting machines over the public Internet (or over private networks), we use IPv4 addresses.

For many years we heard about IPv4 address exhaustion or the fact that sometime in the future we will not able to request new IPv4 addresses to connect over the public Internet.

We all heard that IPv6 address space will resolve our problem, but is it?
In this blog post, I will try to compare common use cases for using cloud services and see if they are ready for IPv6.

Before we begin, when working with IPv6, we need to clarify what “Dual Stack” means - A device with dual-stack implementation in the operating system has an IPv4 and IPv6 address, and can communicate with other nodes in the LAN or the Internet using either IPv4 or IPv6.

Source: https://en.wikipedia.org/wiki/IPv6

Step 1 – Cloud Network Infrastructure

The first step in building our cloud environment begins with the network services.

The goal is to be able to create a network environment with subnets, an access control list, be able to create peering between cloud accounts (for the same cloud provider), and get ingress access to our cloud environment (either from the public Internet or from our on-premise data center).

Vendor documentation:

• AWS VPC that supports IPv6 addressing https://docs.aws.amazon.com/vpc/latest/userguide/get-started-ipv6.html
• What is IPv6 for Azure Virtual Network? https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/ipv6-overview
• Google VPC networks https://cloud.google.com/vpc/docs/vpc

Step 2 – Private Network Connectivity – Managed VPN Services

Now that we have a network environment in the cloud, how do we connect to it from our on-premise data center using Site-to-Site VPN?

Let us compare the cloud providers' alternatives:

Vendor documentation:

• Hybrid connectivity design - Amazon-managed VPN https://docs.aws.amazon.com/whitepapers/latest/ipv6-on-aws/hybrid-connectivity-design.html#amazon-managed-vpn
• Google Cloud VPN overview - IPv6 support https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview#ipv6_support

Step 3 - Private Network Connectivity – Dedicated Network Connections

Assuming we managed to create a VPN tunnel between our on-premise data center and the cloud environment, what happens if we wish to set up a dedicated network connection (and have low latency and promised bandwidth)?

Let us compare the cloud providers' alternatives:

Vendor documentation:

• Hybrid connectivity design - AWS Direct Connect https://docs.aws.amazon.com/whitepapers/latest/ipv6-on-aws/hybrid-connectivity-design.html#aws-direct-connect
• Add IPv6 support for private peering using the Azure portal https://learn.microsoft.com/en-us/azure/expressroute/expressroute-howto-add-ipv6-portal
• Create and manage ExpressRoute public peering https://learn.microsoft.com/en-us/azure/expressroute/about-public-peering
• Can I reach my instances using IPv6 over Cloud Interconnect? https://cloud.google.com/network-connectivity/docs/interconnect/support/faq#ipv6

Step 4 – Private Network Connectivity – Resources on the subnet level

We have managed to provision the network environment in the cloud using IPv6.

What happens if we wish to connect to managed services using private network connectivity (inside the cloud provider's backbone and not over the public Internet)?

Let us compare the cloud providers' alternatives:

Vendor documentation:

• Expedite your IPv6 adoption with PrivateLink services and endpoints https://aws.amazon.com/blogs/networking-and-content-delivery/expedite-your-ipv6-adoption-with-privatelink-services-and-endpoints
• Create a Private Link service by using the Azure portal https://learn.microsoft.com/en-us/azure/private-link/create-private-link-service-portal?tabs=dynamic-ip

Step 5 – Name Resolution – Managed DNS Service

In the previous step we configured network infrastructure, now, before provisioning resources, let us make sure we can access resources, meaning having a managed DNS service.

By name resolution, I mean both external customers over the public Internet and name resolution from our on-premise data centers.

Let us compare the cloud providers' alternatives:

Vendor documentation:

• Designing DNS for IPv6 https://docs.aws.amazon.com/whitepapers/latest/ipv6-on-aws/designing-dns-for-ipv6.html
• Azure DNS FAQ https://learn.microsoft.com/en-us/azure/dns/dns-faq
• General Google Cloud DNS overview https://cloud.google.com/dns/docs/dns-overview

Step 6 – Resource Provisioning – Compute (Virtual Machines)

In the previous steps we have set up the network infrastructure and name resolution, and now it is time to provision resources.

The most common resource we can find in IaaS is compute or virtual machines.

Let us compare the cloud providers' alternatives:

Vendor documentation:

• Amazon EC2 IPv6 addresses https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#ipv6-addressing
• Create an Azure Virtual Machine with a dual-stack network using the Azure portal https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/create-vm-dual-stack-ipv6-portal
• Configuring IPv6 for instances and instance templates https://cloud.google.com/compute/docs/ip-addresses/configure-ipv6-address

Step 7 – Resource Provisioning – Compute (Managed Kubernetes)

Another common use case is to provision containers based on a managed Kubernetes service.

Let us compare the cloud providers' alternatives:

Vendor documentation:

• Running IPv6 EKS Clusters https://aws.github.io/aws-eks-best-practices/networking/ipv6/
• Use dual-stack kubenet networking in Azure Kubernetes Service (AKS) (Preview) https://learn.microsoft.com/en-us/azure/aks/configure-kubenet-dual-stack?tabs=azure-cli%2Ckubectl
• GKE - IPv4/IPv6 dual-stack networking https://cloud.google.com/kubernetes-engine/docs/concepts/alias-ips#dual_stack_network

Step 8 – Resource Provisioning – Compute (Serverless / Function as a Service)

If we have already managed to provision VMs and containers, what about provisioning serverless or Function as a Service?

Let us compare the cloud providers' alternatives:

Vendor documentation:

• AWS Lambda now supports Internet Protocol Version 6 (IPv6) endpoints for inbound connections https://aws.amazon.com/about-aws/whats-new/2021/12/aws-lambda-ipv6-endpoints-inbound-connections

Step 9 – Resource Provisioning – Managed Load Balancers

If we are planning to expose services either to the public internet or allow connectivity from our on-premise, we will need to use a managed load-balancer service.

Let us compare the cloud providers' alternatives:

Vendor documentation:

• Application Load Balancer and Network Load Balancer end-to-end IPv6 support https://aws.amazon.com/about-aws/whats-new/2021/11/application-load-balancer-network-load-balancer-end-to-end-ipv6-support
• Overview of IPv6 for Azure Load Balancer https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-ipv6-overview
• GCP - IPv6 termination for External HTTP(S), SSL Proxy, and External TCP Proxy Load Balancing https://cloud.google.com/load-balancing/docs/ipv6

Step 10 – Resource Provisioning – Managed Object Storage

The next step after provisioning compute services is to allow us to store data in an object storage service.

Let us compare the cloud providers' alternatives:

Vendor documentation:

• Making requests to Amazon S3 over IPv6 https://docs.aws.amazon.com/AmazonS3/latest/userguide/ipv6-access.html

Step 11 – Resource Provisioning – Managed Database Services

Most of the application we provision requires a backend database to store and retrieve data.

Let us compare the cloud providers' alternatives:

Vendor documentation:

• IPv6 addressing with Amazon RDS https://aws.amazon.com/blogs/database/ipv6-addressing-with-amazon-rds
• Connectivity architecture for Azure SQL Managed Instance - Networking constraints https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/connectivity-architecture-overview?view=azuresql&tabs=current#networking-constraints

Step 12 – Protecting Network Access - Managed Firewall Services

If we are planning to expose services to the public Internet using IPv6 or allow access from on-premise, we need to consider a managed network firewall service.

Let us compare the cloud providers' alternatives:

Vendor documentation:

• AWS Network Firewall announces IPv6 support https://aws.amazon.com/about-aws/whats-new/2023/01/aws-network-firewall-ipv6-support

Step 13 – Protecting Network Access – Managed DDoS Protection Services

On the topic of exposing services to the public Internet, we need to take into consideration protection against DDoS attacks.

Let us compare the cloud providers' alternatives:

Vendor documentation:

• AWS Shield FAQs https://aws.amazon.com/shield/faqs
• About Azure DDoS Protection SKU Comparison https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-protection-sku-comparison
• Google Cloud Armor - Security policy overview https://cloud.google.com/armor/docs/security-policy-overview

Step 14 – Protecting Network Access – Managed Web Application Firewall

We know that protection against network-based attacks is possible using IPv6.

What about protection against application-level attacks?

Let us compare the cloud providers' alternatives:

Vendor documentation:

• IPv6 Support Update – CloudFront, WAF, and S3 Transfer Acceleration https://aws.amazon.com/blogs/aws/ipv6-support-update-cloudfront-waf-and-s3-transfer-acceleration
• What is Azure Front Door? https://learn.microsoft.com/en-us/azure/frontdoor/front-door-overview

Summary

In this blog post we have compared various cloud services, intending to answer the question – Is the public cloud ready for IPv6?

As we have seen, many cloud services do support IPv6 today (mostly in dual-stack mode), and AWS does seem to be more mature than its competitors, however, at the time of writing this post, the public cloud is not ready to handle IPv6-only services.

The day we will be able to develop cloud-native applications while allowing end-to-end IPv6-only addresses, in all layers (from the network, compute, database, storage, event-driven / message queuing, etc.), is the day we know the public cloud is ready to support IPv6.

For the time being, dual stack (IPv4 and IPv6) is partially supported by many services in the cloud, but we cannot rely on end-to-end connectivity.

Additional References

• AWS services that support IPv6 https://docs.aws.amazon.com/general/latest/gr/aws-ipv6-support.html
• An Introduction to IPv6 on Google Cloud https://cloud.google.com/blog/products/networking/getting-started-with-ipv6-on-google-cloud

About the Author

Eyal Estrin is a cloud and information security architect, the owner of the blog Security & Cloud 24/7 and the author of the book Cloud Security Handbook, with more than 20 years in the IT industry.

Eyal is an AWS Community Builder since 2020.

You can connect with him on Twitter and LinkedIn.