Recipes for the Cloud (Amazon Web Services)

IPv6 has finally come to the Cloud – at least on Amazon Web Services. Recently AWS started supporting IPv6, but the documentation is a bit difficult for some people to navigate. Here are detailed recipes anyone can follow to deploy real dual stack operating systems in the AWS Cloud.

Other Cloud Service Providers (MS Azure, Google, etc) do not have real support for IPv6 yet. You can provision a load balancer to map an IPv6 address onto an IPv4-only cloud instance, but this is a far cry from what AWS has done. With the load balancer approach there is no IPv6 address on the actual instance, and you can’t make outgoing connections over IPv6.

Note: It seems that DigitalOcean has recently started supporting IPv6 in their VPCs. I have not tried this personally, but provide a link to their documentation for what it’s worth.

AWS created a curious thing – an “Egress only” IPv6 deployment. This only allows outgoing connections over IPv6. This is similar in nature to the limited access of IPv4 private internets. I’m not sure who might want such a thing, other than someone who cannot think in terms of accepting connections from outside the LAN without NAT (and there is no NAT for IPv6).

IPv6 addresses are assigned to an instance via DHCPv6, as configured in the AWS control panel. These addresses are usually randomly generated. However, you can manually assign any valid global IPv6 address within the VPC /64 block and it will work. So if you want a simple-to-remember address like 2001:470:ed3a:1000::2:1, you can do that. We will include an example of that.

The following recipes assume you already have an AWS account. If you don’t, there is plenty of information online on how to create one.

 

Creating your Dual Stack Virtual Private Cloud (VPC)

As a first step towards deploying dual stack operating systems in AWS, you need to create a dual stack Virtual Private Cloud. AWS will let you allocate a /56 block of public (global) IPv6 addresses for your VPC (e.g. 2600:1f14:611:b600::/56), in addition to a block of IPv4 internal addresses (e.g. 10.0.0.0/8) that will be mapped behind a public IPv4 address with NAT44. You can then create one or more VPC subnets, each of which has one /64 block of IPv6 from your VPC /56 (e.g. 2600:1f14:611:b601::/64), and a block of internal IPv4 addresses from your VPC block (e.g. 10.1.0.0/16). In each subnet you can then deploy one or more OS instances that use addresses in your subnet IP blocks.
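The addressing plan above, together with the manual address assignment mentioned earlier, can be checked before anything is typed into the console. This is an added example, not part of the original recipes: the function names `carve_subnets` and `check_static_address` are hypothetical, and the reserved-address rule is an assumption taken from AWS VPC documentation rather than from this page.

```python
import ipaddress

# Assumption from AWS VPC documentation (not stated on this page): in every
# subnet the first four IPv6 addresses and the last one are reserved.
RESERVED_LOW = 4


def carve_subnets(vpc_cidr, count):
    """Return the first `count` /64 subnets of a VPC /56 block."""
    vpc = ipaddress.IPv6Network(vpc_cidr)  # strict: rejects stray host bits
    if vpc.prefixlen != 56:
        raise ValueError(f"expected a /56 VPC block, got /{vpc.prefixlen}")
    if not 0 < count <= 256:
        raise ValueError("a /56 holds exactly 256 /64 subnets")
    subnets = vpc.subnets(new_prefix=64)
    return [next(subnets) for _ in range(count)]


def check_static_address(addr, subnet):
    """Return (ok, reason) for a manually chosen instance address."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in subnet:
        return False, f"{ip} is outside {subnet}"
    offset = int(ip) - int(subnet.network_address)
    if offset < RESERVED_LOW or ip == subnet[-1]:
        return False, f"{ip} is reserved by AWS in {subnet}"
    return True, f"{ip} is assignable in {subnet}"


if __name__ == "__main__":
    # Prefixes are the page's own examples; the host parts are constructed.
    subnet = carve_subnets("2600:1f14:611:b600::/56", 2)[1]
    for candidate in (
        "2600:1f14:611:b601::2:1",   # memorable address inside the subnet
        "2001:470:ed3a:1000::2:1",   # memorable, but from a different /64
        "2600:1f14:611:b601::3",     # inside the subnet, but reserved
    ):
        print(check_static_address(candidate, subnet)[1])
```

A memorable address such as 2001:470:ed3a:1000::2:1 is only valid when the subnet's /64 is that prefix; against the 2600:1f14:611:b601::/64 subnet used here it is rejected.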

You will also have to learn how to work with the AWS firewall associated with each instance. This controls traffic to and from each instance. It has full support for both IPv4 and IPv6. Basic instance firewall operation is also covered.

Create Dual Stack Virtual Private Cloud (VPC) on AWS

 

Dual Stack FreeBSD 10.3 amd64 on AWS

This recipe is for installing FreeBSD 10.3 amd64 version in your AWS VPC. From this instance you will be able to accept incoming connections directly to your public IPv6 address, as well as making outgoing connections to other public IPv6 nodes. The processor, memory and storage requirements for this easily qualify for the AWS free tier.

You can also deploy a dual stack host-based firewall for FreeBSD using pf. This will be covered in a separate writeup.

Deploy Dual Stack FreeBSD 10.3 Instance on AWS

 

Dual Stack CentOS 7 Linux on AWS

You can deploy CentOS 7 on AWS with full dual stack network support as well. This can be deployed in the Free Tier.

Deploy Dual Stack CentOS 7 (Linux) Instance on AWS

 

Dual Stack Windows Server 2012 R2 on AWS

You can also deploy a copy of Microsoft Windows Server 2012 R2 with full dual stack network support in AWS. You can provide dual stack DNS for nodes in your VPC with this, but DHCP (v4 and v6) is provided by AWS, so you should not try to deploy the Microsoft DHCP here.

Deploy Dual Stack Windows Server 2012R2 in AWS