At the moment we’re saying two new capabilities for Amazon Digital Personal Cloud (VPC) NAT gateway and Amazon Route 53, permitting your IPv6-only workloads to transparently talk with IPV4-only companies. Curious? Learn on; I’ve particulars for you.
A few of you might be working very massive workloads involving tens of 1000’s of digital machines, containers, or micro-services. To take action, you configured these workloads to work within the IPv6 deal with house. This avoids the issue of working out of accessible IPv4 addresses (a single VPC has a most theoretical measurement of 65,536 IPv4 addresses, in comparison with /56 ranges for IPv6, permitting for a most theoretical measurement of two^73 -1 IPv6 addresses), and it saves you from extra complications brought on by managing complicated IPv4-based networks (take into consideration non-overlapping subnets in between VPCs belonging to a number of AWS accounts, AWS Areas, or on-premises networks).
However can you actually run an IPv6 workload in isolation from the remainder of the IPv4 world? Most of you instructed us you will need to let such workloads proceed to speak with IPv4 companies, both to make calls to older APIs or simply as a transient design, if you are migrating a number of dependent workloads from IPv6 to IPv4. Not being able to name an IPv4 service from IPv6 hosts makes migrations slower and harder than it must be. It obliged a few of you to construct customized options which might be arduous to keep up.
Because of this we’re launching two new capabilities permitting your IPv6 workloads to transparently talk with IPv4 companies: NAT64 (learn “six to 4”) for the VPC NAT gateway and DNS64 (additionally “six to 4”) for the Amazon Route 53 resolver.
How Does It Work?
As illustrated by the next diagram, let’s think about I’ve an Amazon Elastic Compute Cloud (Amazon EC2) occasion with an IPv6-only deal with that has to make an API name to an IPv4 service working on one other EC2 occasion. Within the diagram, I selected to have the IPv4-only host in a separate VPC in the identical AWS account, however these capabilities work to connect with any IPv4 service, whether or not in the identical VPC or in one other AWS account’s VPC, your on-premises community, and even on the general public web. My IPv6-only host solely is aware of the DNS identify of the service.
Right here is the sequence occurring when the IPv6-only host initiates a connection to the IPv4 service:
1. The IPV6 host makes a DNS name to resolve the service identify to an IP deal with. With out DNS64, Route 53 would have returned an IPv4 deal with. The IPv6-only hosts wouldn’t have been in a position to connect with that IPv4 deal with. However beginning at present, you possibly can activate DNS64 to your subnet. The DNS resolver first checks if the report comprises an IPv6 deal with (
AAAA report). If it does, the IPv6 deal with is returned. The IPv6 host can hook up with the service utilizing simply IPv6. When the report solely comprises an IPv4 deal with, the Route 53 resolver synthesizes an IPv6 deal with by prepending the well-known
64:ff9b::/96 prefix to the IPv4 deal with.
For instance, when the IPv4 service has the deal with
220.127.116.11, Route 53 returns
|IPv6 (hexadecimal) :||64:ff9b::ffff:||22||cf||fa||3e|
|IPv4 (decimal) :||–||34||207||250||62|
64:ff9b::/96is a well known prefix outlined within the RFC 6052 proposed commonplace to the IETF. Studying the textual content of the usual is a good way
to go to sleep quickly to study all the small print about IPv6 to IPv4 translation.
2. The IPv6 host initiates a connection to
64:ff9b::ffff:22cf:fa3e. Chances are you’ll configure subnet routing to ship all packets beginning with
64:ff9b::/96 to the NAT gateway. The NAT gateway acknowledges the IPv6 deal with prefix, extracts the IPv4 deal with from it, and initiates an IPv4 connection to the vacation spot. As regular, the supply IPv4 deal with is the IPv4 deal with of the NAT gateway itself.
three. When the packet response arrives, the NAT gateway repopulates the vacation spot host IPv6 deal with and prepends the well-known prefix
64:ff9b::/96 to the supply IP deal with of the response packet.
Now that you simply perceive the way it works, how are you going to configure your VPC to make the most of these two new capabilities?
Find out how to Get Began
To allow these two capabilities, I’ve to regulate two configurations: first, I flag the subnets that require DNS64 translation, and second, I add a path to the IPv6 subnet routing desk to ship a part of the IPv6 visitors to the NAT gateway.
To allow DNS64, I’ve to make use of the brand new
--enable-dns64 choice to change my current subnets. On this demo, I take advantage of the
modify-subnet-attribute command. This can be a one-time operation. I can do it utilizing the VPC API, the AWS Command Line Interface (CLI), or the AWS Administration Console. Discover it is a subnet-level configuration that have to be turned on explicitly. By default, the prevailing conduct is maintained.
aws ec2 modify-subnet-attribute --subnet-id subnet-123 --enable-dns64
I’ve so as to add a path to the subnet’s routing desk to permit VPC to ahead IPv6 packets prefixed by DNS64 to the NAT gateway. It tells it to route all packets with vacation spot
64:ff9b::/96 to the NAT gateway.
aws ec2 create-route --route-table-id rtb-123 –-destination-ipv6-cidr-block 64:ff9b::/96 –-nat-gateway-id nat-123
The next diagram illustrates these two easy configuration adjustments.
With these two easy adjustments, my IPv6-only workloads within the subnet might now talk with IPv4 companies. The IPv4 service may reside in the identical VPC, in one other VPC, or wherever on the web.
You possibly can proceed to make use of your current NAT gateway, and no change is required on the gateway itself or on the routing desk connected to the NAT gateway subnet.
Pricing and Availability
These two new capabilities to the VPC NAT gateway and Route 53 can be found at present in all AWS Areas at no extra prices. Common NAT gateway expenses might apply.
Go and construct your IPv6-only networks!