IPv6 Fundamentals for EKS workloads
Essential IPv6 for EKS core information
Randy
Amazon Employee
Published Nov 7, 2024
- An EKS cluster can be set to either IPv4 or IPv6 mode
- The VPC and Subnets must be dual-stack
- By setting an EKS cluster to IPv6 address mode, each Pod gets an IPv6 address, each Node gets both an IPv4 and an IPv6 address
- The VPC CNI currently supports only prefix assignment mode for IPv6 clusters and only works with AWS Nitro-based EC2 instances
- The CNI plugin configures a host-specific non-routable IPv4 address for every pod from the 169.254.172.0/22 range
- The node performs NAT to enable connectivity from each Pod to IPv4 resources
- IPv6 on EKS currently supports egress-only IPv4; in the future, NAT64 capabilities will be leveraged
- Both IPv4 and IPv6 clients can connect to NLB or ALB in dual-stack mode
- Application Load Balancers and Network Load Balancers can have either IPv4 or IPv6 targets. They communicate with IPv4 targets using IPv4 and with IPv6 targets using IPv6. A target group cannot mix IPv4 and IPv6 targets.
- Control plane and worker node communications continue to follow the IPv4 model
- Add an IPv6 CIDR to the VPC
- Add IPv6 CIDR ranges to EKS subnets
- Deploy a new cluster, using the IPv6 address option
- Re-deploy the application
- Use the canary deployment method to introduce IPv6 pods
- IPv6 addresses are 128 bits long; the routable addresses assigned to VPCs are Global Unicast Addresses (GUAs)
- IPv6 is already enabled by default on most modern operating systems, especially mobile devices
- IPv4 and IPv6 routing requires separate entries in the route table

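The bullets above describe which addresses a pod and a node carry in an IPv6-mode cluster: a GUA from the VPC's IPv6 block for every pod, a non-routable host-local IPv4 address from 169.254.172.0/22 that the node NATs for IPv4 egress, and the usual link-local and loopback addresses. The following Python script is an added example (not code from the original post or from the VPC CNI) that classifies such addresses with the standard `ipaddress` module and audits a constructed pod inventory against those rules. The VPC CIDRs (`2001:db8:1200::/56`, a documentation prefix, and `10.0.0.0/16`) and the pod list are assumptions made for the example; the 169.254.172.0/22, fe80::/10 and 2000::/3 ranges are the real ones.

```python
"""Classify the addresses found on an IPv6-mode EKS node and audit pod addresses.

Added example, not from the original post or the VPC CNI project. VPC CIDRs and
the pod inventory below are constructed; the fixed ranges are real.
"""
import ipaddress

# Real, fixed ranges referenced by the post
HOST_LOCAL_POD_V4 = ipaddress.ip_network("169.254.172.0/22")  # CNI's non-routable pod IPv4
GUA = ipaddress.ip_network("2000::/3")                        # all global unicast IPv6
LINK_LOCAL_V6 = ipaddress.ip_network("fe80::/10")             # mandatory on every interface

# Constructed VPC ranges (assumptions for this example)
VPC_V6 = ipaddress.ip_network("2001:db8:1200::/56")
VPC_V4 = ipaddress.ip_network("10.0.0.0/16")

# Constructed inventory, as you would collect it from `kubectl get pods -o wide`
PODS = [
    {"name": "web-0", "ipv6": "2001:db8:1200:5::1a", "ipv4": "169.254.172.9"},
    {"name": "api-0", "ipv6": "2001:db8:1200:5::1b", "ipv4": "169.254.172.10"},
    # deliberately wrong entry: IPv6 outside the VPC block, routable IPv4
    {"name": "legacy-0", "ipv6": "2001:db8:9999::7", "ipv4": "10.0.3.77"},
]


def classify(addr: str) -> str:
    """Return the role an address plays on an IPv6-mode cluster node."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.version == 6:
        if ip in LINK_LOCAL_V6:
            return "link-local-v6"      # never routed beyond the link
        if ip in VPC_V6:
            return "vpc-gua-v6"         # pod or node address, routable inside and outside the VPC
        if ip in GUA:
            return "external-gua-v6"
        return "other-v6"
    if ip in HOST_LOCAL_POD_V4:
        return "host-local-pod-v4"      # meaningful only on the node; egress is NATed
    if ip in VPC_V4:
        return "vpc-v4"                 # node address used for IPv4 egress and control-plane traffic
    return "external-v4"


def reachable_from_outside_node(addr: str) -> bool:
    """Only the pod's VPC GUA can be addressed by peers; the host-local IPv4 cannot."""
    return classify(addr) == "vpc-gua-v6"


def egress_path(pod: dict, dst: str) -> str:
    """Describe how a pod's traffic to `dst` leaves the node (egress-only IPv4 model)."""
    d = ipaddress.ip_address(dst)
    if d.version == 6:
        return "direct-ipv6"            # pod GUA talks to the destination directly
    if ipaddress.ip_address(pod["ipv4"]) in HOST_LOCAL_POD_V4:
        return "snat-to-node-ipv4"      # node rewrites 169.254.172.x to its own VPC IPv4
    return "unsupported"


def audit_pods(pods: list) -> list:
    """Flag pods whose addresses do not match what an IPv6 cluster should hand out."""
    findings = []
    for pod in pods:
        if classify(pod["ipv6"]) != "vpc-gua-v6":
            findings.append(f"{pod['name']}: IPv6 {pod['ipv6']} is outside {VPC_V6}")
        if classify(pod["ipv4"]) != "host-local-pod-v4":
            findings.append(f"{pod['name']}: IPv4 {pod['ipv4']} is routable; expected {HOST_LOCAL_POD_V4}")
    return findings


if __name__ == "__main__":
    for f in audit_pods(PODS):
        print("FINDING:", f)
    print(egress_path(PODS[0], "8.8.8.8"), egress_path(PODS[0], "2600:1f18::1"))
```

The practical consequence the audit makes visible: because a pod's only reachable address is its IPv6 GUA, anything that must accept connections to pods (security groups, load balancer target groups, network policies) needs IPv6 entries; the 169.254.172.0/22 address is never a valid target.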
- VPCs require an IPv4 CIDR and the IPv4 CIDR is primary. IPv6-only VPCs are not supported at this time.
- IPv6 CIDR ranges can be allocated to dual-stack and to IPv6-only subnets
- IPv6-only and dual-stack subnets are bound to an Availability Zone, just like IPv4-only subnets
- NAT gateway provides NAT64 enabling IPv6-only workloads in a VPC to communicate with IPv4-only workloads anywhere outside the subnet
- An Amazon provided IPv6 CIDR block can be assigned to a VPC
- Four additional IPv6 CIDR blocks can be added to a VPC
- A subnet can have only one IPv6 CIDR block
- Each /56 IPv6 CIDR block provides enough address space to create 256 /64 IPv6 subnets per VPC. Note: there is a quota on subnets per VPC, which is 200 by default.
- Resources managed by AWS Systems Manager must have IPv4 connectivity to Systems Manager’s endpoints.
- CloudFront supports both IPv4 and IPv6 from viewers to CloudFront edge locations, but CloudFront communicates with origin servers using IPv4 only. IPv6 origins are not yet supported.
- Avoid making the entire network dual-stack. Instead:
  - Update the Load Balancer configuration from IPv4 to dual-stack
  - Existing segments can continue to operate as IPv4
- Use IPAM to plan, allocate, and track IPv6 addresses
- Confirm security groups contain IPv6 entries
- Confirm DNS includes both A and AAAA records
- Unlike IPv4, the IPv6 standard requires a link-local address on every host interface
- Link-local addresses are in FE80::/10 (the IPv6 counterpart of IPv4's 169.254.x.x)
- ::1 is the loopback address (the IPv6 counterpart of 127.0.0.1)
- All Global Unicast Addresses (GUAs) are in the range 2000::/3
- IPv6 default route: ::/0
- [Happy Eyeballs RFC](https://en.wikipedia.org/wiki/Happy_Eyeballs) specifies that modern browsers query DNS for IPv6 and IPv4 nearly simultaneously and use the one that connects first
- The first four IPv6 addresses and the last IPv6 address in each subnet CIDR block are reserved and not available for use.
- You cannot create Transit Gateway attachments using IPv6-only subnets
- Direct Connect: You can provision either 0 or 1 peering per address family onto a given VIF, so it is possible to retrofit IPv6 onto an existing VIF without the need to reprovision or deploy a new one.
- Traffic Mirroring requires that the traffic mirror source can route to the traffic mirror target by IPv4. On dual-stack subnets, IPv4 and IPv6 traffic is mirrored; no special configuration is necessary to mirror the IPv6 traffic. Note that all mirrored traffic is encapsulated in an IPv4 packet.
- AWS WAF IP sets support all IPv4 and IPv6 CIDR ranges except for 0.0.0.0/0 and ::/0.
- All of the AWS Shield detection and mitigations work with IPv4 and IPv6 without any impact to performance, scalability, or availability of the service.
- AWS Network Firewall can filter IPv4 and IPv6 traffic flows to and from the public internet, on-premises network, or any endpoint in your Amazon VPC.
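Two of the recommendations above ("confirm security groups contain IPv6 entries" and "confirm DNS includes both A and AAAA records") can be checked mechanically. The following Python script is an added example, not code from the original post or from AWS: it walks a security-group document in the shape returned by `aws ec2 describe-security-groups` (the real `IpPermissions`, `IpRanges`/`CidrIp` and `Ipv6Ranges`/`CidrIpv6` fields) and a list of DNS records, and reports rules that admit IPv4 sources but no IPv6 sources (which silently blocks IPv6 pods), rules open to the whole IPv4 or IPv6 internet, and names that have an A record but no AAAA record. The group id, CIDRs, ports and DNS records are constructed sample data.

```python
"""Dual-stack readiness checks for security groups and DNS records.

Added example, not from the original post or from AWS. The security-group
document mirrors the `describe-security-groups` JSON shape; the group id,
CIDRs, ports and DNS records below are constructed.
"""
import ipaddress

SECURITY_GROUPS = [  # constructed sample, same field names as the EC2 API
    {
        "GroupId": "sg-0example1",
        "GroupName": "web-pods",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}],
             "Ipv6Ranges": [{"CidrIpv6": "2001:db8:1200::/56"}]},   # dual-stack rule
            {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}],
             "Ipv6Ranges": []},                                     # IPv4-only: IPv6 pods are denied
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},                 # open to the whole IPv6 internet
        ],
    },
]

DNS_RECORDS = [  # constructed sample: (name, type, value)
    ("api.example.test", "A", "203.0.113.10"),
    ("api.example.test", "AAAA", "2001:db8:1200:5::1a"),
    ("legacy.example.test", "A", "203.0.113.11"),          # no AAAA: IPv6-only clients cannot resolve it
]


def _describe_port(perm: dict) -> str:
    """Render an IpPermission as proto/from-to; '-1' rules carry no port fields."""
    return f"{perm.get('IpProtocol')}/{perm.get('FromPort', 'all')}-{perm.get('ToPort', 'all')}"


def audit_security_groups(groups: list) -> list:
    """Return (group id, port, finding) tuples for rules that are not IPv6-ready or are too open."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            v4 = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            port = _describe_port(perm)
            if v4 and not v6:
                # Pods in an IPv6 cluster only have a GUA, so this rule never matches them
                findings.append((group["GroupId"], port, "ipv4-only-rule"))
            for cidr in v6:
                if ipaddress.ip_network(cidr).prefixlen == 0:
                    findings.append((group["GroupId"], port, "open-to-all-ipv6"))
            for cidr in v4:
                if ipaddress.ip_network(cidr).prefixlen == 0:
                    findings.append((group["GroupId"], port, "open-to-all-ipv4"))
    return findings


def audit_dns(records: list) -> list:
    """Return names that publish an A record but no AAAA record."""
    types_by_name = {}
    for name, rtype, _value in records:
        types_by_name.setdefault(name, set()).add(rtype)
    return sorted(n for n, t in types_by_name.items() if "A" in t and "AAAA" not in t)


if __name__ == "__main__":
    for gid, port, finding in audit_security_groups(SECURITY_GROUPS):
        print(f"{gid} {port}: {finding}")
    for name in audit_dns(DNS_RECORDS):
        print(f"{name}: A record without AAAA")
```

Against live data, feed `audit_security_groups` the `SecurityGroups` array from `aws ec2 describe-security-groups --output json`; the function only reads the fields shown, so extra keys in the real response are ignored.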
Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.