
Quick EC2 IPv6 Tutorial

My girlfriend is working on a project for her university studies to create a portknocker and I’m helping her out by hosting a cheap server for her to test and demo on.

As I was setting up the security group rules for her, I figured it would be cool to try out IPv6 too. Here’s a quick how-to on the steps I did on AWS to get the server to also route on IPv6. I originally followed this guide, so this will be mostly the same but hopefully better formatted.

Assuming you already have an EC2 instance that you want to host on IPv6, these are the steps required. Basically, you add an IPv6 range for the VPC to assign addresses from, allow outbound routing over IPv6, and then optionally modify your security groups to allow the IPv6 traffic.

1. Add an IPv6 CIDR to the VPC

  1. Go to your VPC Dashboard.
  2. Select the VPC the EC2 instance is in, under Actions select Edit CIDRs
  3. Press Add IPv6 CIDR

2. Set up the Subnet IPv6 CIDR

Next you need to add a sub-CIDR to each of the subnets you want to be IPv6 accessible. For each subnet, the steps are the same.

  1. Go to the subnets dashboard, filter by the VPC.
  2. Select the subnet you want to add IPv6 to, and again under Actions there should be an Edit IPv6 CIDRs
  3. Again you just need to Add IPv6 CIDR, although this time it will ask you for a single byte in hex for the range. E.g. 00 is fine. Make sure it is unique for this subnet. Here’s a calculator that can help you calculate the exact range. It will be huge.

3. Add IPv6 to the VPC Route Table

Next you need to allow hosts inside the VPC and subnet(s) to connect back to the outside world. By default the route table for your VPC won’t be set up to allow this.

  1. Go to the Route Tables dashboard and select the one for your VPC.
  2. Under Actions, select Edit routes
  3. You’ll probably see a table with a route with target igw-blabla. This simply routes all outgoing traffic to your internet gateway. For IPv6 you just need to add a new ::/0 route with the same igw-blabla target.

4. Assign an IPv6 Address to your EC2 Instance

That should now be everything done for the VPC settings. Next you need to assign a new address to the EC2 instance.

  1. Go to your EC2 dashboard and select your instance.
  2. Under Actions -> Networking, select Manage IP Addresses
  3. In the IPv6 Addresses table, press Assign New IP. Leave it blank to automatically assign one. Press save and your instance should now have an IPv6 address.

Optional: Modify Security Group to allow ports on IPv6

You might find that even though your EC2 instance has an IPv6 address now, it still can’t connect on whatever service you are running. Likely what you’ll need to do is update your Security Group rules for the EC2 instance, because by default it will only be configured for IPv4.

If you’re intending to allow traffic to the instance from anywhere, simply add ::/0 to the source field in your rules or select Anywhere in the dropdown.
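
One way to check the IPv4-only situation described above, as an added example that is not part of the original post: it reads rules in the `IpPermissions` shape that EC2's DescribeSecurityGroups call returns and reports which port ranges are open to everyone on IPv4 only, IPv6 only, or both. The sample rules are constructed and the function names are hypothetical.

```python
# Added example: compare world-open IPv4 and IPv6 ingress in a security group.
# Input uses the IpPermissions shape returned by EC2 DescribeSecurityGroups.

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

# Constructed sample: SSH open to the world on IPv4 only, HTTPS on both
# families, and a port restricted to one documentation-range IPv6 prefix.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "2001:db8:1234::/48"}]},
]


def world_open(permissions):
    """Map (protocol, from_port, to_port) -> set of families open to anyone."""
    exposure = {}
    for perm in permissions:
        # Protocol "-1" (all traffic) carries no port fields, hence .get().
        key = (perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort"))
        families = exposure.setdefault(key, set())
        if any(r.get("CidrIp") == ANY_V4 for r in perm.get("IpRanges", [])):
            families.add("ipv4")
        if any(r.get("CidrIpv6") == ANY_V6 for r in perm.get("Ipv6Ranges", [])):
            families.add("ipv6")
    return exposure


def audit(permissions):
    """Return sorted (rule, status) pairs; rules with no world-open source are skipped."""
    report = []
    for key, families in world_open(permissions).items():
        if not families:
            continue
        status = "both" if len(families) == 2 else f"{families.pop()}-only"
        report.append((key, status))
    # Sort on the string form because port fields may be None.
    return sorted(report, key=lambda item: str(item[0]))


if __name__ == "__main__":
    for (proto, lo, hi), status in audit(SAMPLE_PERMISSIONS):
        print(f"{proto} {lo}-{hi}: open to the world on {status}")
```

A rule reported as `ipv4-only` is the case where the service stays unreachable over IPv6 until a matching IPv6 source is added; `both` lists what anyone on either protocol can reach.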

Done 🍾

Hopefully now you can access your instance via both IPv6 and IPv4.

Published Feb 20, 2019

Security Engineer with a dash of software. Originally from Stockholm, now in Berlin. I like to hack things.