EFS support in IPv6-only VPC subnets

0

I'm experimenting with IPv6-only VPC subnets and EC2 instances but failed to connect them to EFS. Is this supported? If not, when is it expected to?

I tried to add an EFS Mount Target on the IPv6-only subnet to be certain and it failed with an error (sorry, didn't capture which one). Then I tried adding the mount target to a regular subnet that had automatic IPv6 assignment enabled; while that succeeded, no IPv6 address was assigned to the network interface. If I try to assign one manually by editing the network interface, I get the answer that I don't have permission to do that.

In general, it looks like most AWS services cannot be used from IPv6-only subnets. Does AWS have in general a dashboard we can consult on the enabling of IPv6 support for its services and command-line tools?

1 Answer
2

As of this writing, you cannot create IPv6 mount targets for EFS file systems in an AWS VPC.

As a workaround, you can create a mount target in an IPv4 (or dual-stack) subnet in the same VPC, and use NAT64+DNS64 to perform IPv6-to-IPv4 translation in your subnet so that the instance can access the mount target. To do this, perform the following steps:

  1. Ensure DNS64 support is enabled for your IPv6-only subnet.
  2. If you don't have one already, create an IPv4 subnet in the same VPC. This subnet can be private.
  3. Create a NAT Gateway in your VPC, either in the subnet you created above, or in a different IPv4 subnet in the VPC. (You cannot put it in an IPv6-only subnet.) Many customers place their NAT Gateways in public subnets; the choice is yours.
  4. In the routing table associated with your IPv6-only subnet, add a route to the destination 64:ff9b::/96, using your NAT Gateway as the target. (The IPv6 prefix 64:ff9b is used for mapping IPv4 names to IPv6 addresses that can be accessed by your IPv6-only instance via the NAT Gateway.)
  5. Create a Security Group in your VPC. For the ingress rule, allow inbound traffic over the NFS port from the IPv4 subnet in which your NAT Gateway resides (e.g., 10.0.0.0/24).
  6. Add a mount target to your EFS filesystem. Specify one of the IPv4 subnets as the subnet. It cannot be an IPv6-only subnet. Specify the Security Group you created in the previous step.

Once those steps have been completed, you should be able to mount the filesystem from your IPv6-only EC2 instance. For example:

$ ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
    link/ether 02:62:78:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet 169.254.29.180/32 scope global dynamic eth0
       valid_lft 2356sec preferred_lft 2356sec
    inet6 2600:1f14:31b:xxxx:xxxx:xxxx:xxxx:xxxx/128 scope global dynamic 
       valid_lft 413sec preferred_lft 103sec
    inet6 fe80::62:78ff:xxxx:xxxx/64 scope link 
       valid_lft forever preferred_lft forever
$ sudo mount -t nfs -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport fs-xxxxxxxxxxx.efs.us-west-2.amazonaws.com:/ /mnt
$ ls /mnt
...
$ mount | grep /mnt
fs-xxxxxxxxxxxxxxxxxxxx.efs.us-west-2.amazonaws.com:/ on /mnt type nfs4 (rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,noresvport,proto=tcp6,timeo=600,retrans=2,sec=sys,clientaddr=2600:1f14:31b:2b80:xxxx:xxxx:xxxx:xxxx,local_lock=none,addr=64:ff9b::a00:1d5)
AWS
EXPERT
answered 2 years ago
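
To confirm which IPv4 mount target a client is really talking to through NAT64, the `addr=` option in the `mount` output above can be decoded. This is an added example, not part of the original answer: the function names are hypothetical, and the mount target subnet `10.0.1.0/24` is an assumed value (the page only gives `10.0.0.0/24` as an example NAT gateway subnet).

```python
import ipaddress
import re

# RFC 6052 well-known prefix: the destination routed to the NAT gateway in step 4.
NAT64_PREFIX = ipaddress.ip_network("64:ff9b::/96")

# Sample input: the `mount` line from the answer, masked values kept as-is.
SAMPLE = (
    "fs-xxxxxxxxxxxxxxxxxxxx.efs.us-west-2.amazonaws.com:/ on /mnt type nfs4 "
    "(rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,"
    "noresvport,proto=tcp6,timeo=600,retrans=2,sec=sys,"
    "clientaddr=2600:1f14:31b:2b80:xxxx:xxxx:xxxx:xxxx,local_lock=none,"
    "addr=64:ff9b::a00:1d5)"
)


def synthesize(ipv4):
    """Return the AAAA address DNS64 synthesizes for an IPv4-only A record."""
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(NAT64_PREFIX.network_address) | int(v4))


def embedded_ipv4(ipv6):
    """Return the IPv4 address embedded in a NAT64 address, or None."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in NAT64_PREFIX:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)  # low 32 bits


def audit_mount(line, expected_cidr):
    """Parse one `mount` output line and report where the NFS traffic goes."""
    m = re.match(r"(\S+):(\S*) on (\S+) type (\S+) \((.*)\)$", line.strip())
    if not m:
        raise ValueError("not a mount output line")
    # Options are comma-separated; flags such as "rw" map to an empty string.
    opts = dict(o.partition("=")[::2] for o in m.group(5).split(","))
    addr = opts.get("addr", "")
    target = embedded_ipv4(addr) if ":" in addr else None
    return {
        "server": m.group(1),
        "proto": opts.get("proto"),
        "via_nat64": target is not None,
        "mount_target_ipv4": str(target) if target else None,
        "in_expected_subnet": target is not None
        and target in ipaddress.ip_network(expected_cidr),
    }
```

Calling `audit_mount(SAMPLE, "10.0.1.0/24")` decodes the mount target as `10.0.1.213`. A `False` for `in_expected_subnet` means the name resolved to an IPv4 address outside the subnet where the mount target was created.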
