Is there a plan for SSM public endpoints to support IPv6?

5

Given the incoming charges for public IPv4 addresses: https://aws.amazon.com/blogs/aws/new-aws-public-ipv4-address-charge-public-ip-insights/

And given that SSM currently only supports IPv4:

AWS Systems Manager must have IPv4 connectivity to Systems Manager’s endpoints. https://docs.aws.amazon.com/whitepapers/latest/ipv6-on-aws/ipv6-security-and-monitoring-considerations.html

https://stackoverflow.com/a/61340016/924597

Does anyone know if AWS has given any indication if there is a plan for SSM public endpoints to support IPv6?

Is it planned to be implemented before the new charges start being applied?

2 Answers
4

As of March 7, 2024, none of the SSM endpoints provides an IPv6 response, so we're still waiting.

answered a year ago
  • November 2024 still waiting for IPv6-only / IPv6-native support for AWS Systems Manager ....

-4

SSM can now be used on IPv6 only subnets. You simply need to enable the DNS64 option in the VPC, Subnet configuration. Here are steps to turn on DNS64:

  1. Navigate to the VPC console.
  2. Click on Virtual private cloud > Subnets in the left navigation panel
  3. In the Subnets view, select the desired IPv6 only subnet
  4. From the Actions menu on the top right, select Edit subnet settings.
  5. In the DNS64 settings:
    • Select Enable DNS64.
  6. Click Save.

The screenshot below shows an example of the desired settings: Edit subnet settings for DNS64

You will also need to ensure that outbound routing is also configured correctly. Complete these steps to enable these IPv6-only services to connect with IPv4-only services on the internet:

  1. Add the following routes to the route table of the subnet containing the IPv6-only workloads:
    • 64:ff9b::/96 route pointing to the NAT gateway. This will allow traffic from your IPv6-only workloads destined for IPv4-only services to be routed through the NAT gateway.
    • IPv6 ::/0 route pointing to the egress-only internet gateway (or the internet gateway).

Note that pointing ::/0 to the internet gateway will allow external IPv6 hosts (outside the VPC) to initiate connection over IPv6.

Note that you may need to redeploy any EC2 workloads that were previously launched in order for them to pick up the new network settings and for communications with SSM to be initiated.

For more information, see the following document:

AWS
answered 2 years ago
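
An added example, not part of the answer above and not AWS code: a Python check that audits an IPv6-only subnet for the settings the answer lists (DNS64 enabled, a 64:ff9b::/96 route to a NAT gateway, and where ::/0 points). It assumes input shaped like the output of EC2 DescribeSubnets and DescribeRouteTables; the resource IDs are constructed placeholders.

```python
import ipaddress

NAT64_PREFIX = ipaddress.ip_network("64:ff9b::/96")  # prefix named in the answer
DEFAULT_V6 = ipaddress.ip_network("::/0")

def audit_ipv6_only_subnet(subnet, route_table):
    """Return findings for an IPv6-only subnet that must reach IPv4-only endpoints."""
    findings = []
    if not subnet.get("EnableDns64"):
        findings.append("DNS64 disabled: no synthesized AAAA records for IPv4-only names")
    # Only active routes count; a blackholed route does not carry traffic.
    by_dest = {}
    for route in route_table.get("Routes", []):
        cidr = route.get("DestinationIpv6CidrBlock")
        if cidr and route.get("State") == "active":
            by_dest[ipaddress.ip_network(cidr)] = route
    nat64 = by_dest.get(NAT64_PREFIX)
    if nat64 is None or not nat64.get("NatGatewayId"):
        findings.append("no active 64:ff9b::/96 route to a NAT gateway")
    default = by_dest.get(DEFAULT_V6)
    if default is None:
        findings.append("no active ::/0 route")
    elif (default.get("GatewayId") or "").startswith("igw-"):
        # The caveat from the answer: an internet gateway also admits inbound IPv6.
        findings.append("::/0 targets an internet gateway: inbound IPv6 is possible")
    elif not default.get("EgressOnlyInternetGatewayId"):
        findings.append("::/0 does not target an egress-only internet gateway")
    return findings

def synthesize_nat64(ipv4):
    """IPv6 address DNS64 hands out for an IPv4-only host (IPv4 bits in the low 32)."""
    base = int(NAT64_PREFIX.network_address)
    return ipaddress.IPv6Address(base | int(ipaddress.IPv4Address(ipv4)))

# Constructed sample data (placeholder IDs, not real resources).
SAMPLE_SUBNET = {"SubnetId": "subnet-EXAMPLE", "Ipv6Native": True, "EnableDns64": True}
SAMPLE_ROUTES_IGW = {"Routes": [
    {"DestinationIpv6CidrBlock": "64:ff9b::/96", "NatGatewayId": "nat-EXAMPLE", "State": "active"},
    {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-EXAMPLE", "State": "active"},
]}
SAMPLE_ROUTES_EIGW = {"Routes": [
    {"DestinationIpv6CidrBlock": "64:ff9b::/96", "NatGatewayId": "nat-EXAMPLE", "State": "active"},
    {"DestinationIpv6CidrBlock": "::/0", "EgressOnlyInternetGatewayId": "eigw-EXAMPLE", "State": "active"},
]}

if __name__ == "__main__":
    for name, table in (("igw", SAMPLE_ROUTES_IGW), ("eigw", SAMPLE_ROUTES_EIGW)):
        print(name, audit_ipv6_only_subnet(SAMPLE_SUBNET, table))
    print(synthesize_nat64("192.0.2.10"))
```
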
