CloudFront connect to IPv6 Only EC2 Instance

1
  1. I manage an EC2 Instance with an IPv6-only configuration and need to connect CloudFront to it.
  2. The instance lacks a public IPv6 DNS, and I'm exploring options to avoid adding an IPv4 address, which could increase costs.
  3. Seeking insights and solutions from the community:
     a. Does anyone have experience with connecting CloudFront to an IPv6-only EC2 Instance?
     b. Are there any workarounds available?
     c. Is AWS working on a solution that might simplify this process?
parth
asked 6 months ago · 803 views
2 Answers
1

This is answered on this other Re:Post question. The short answer is that, no, CloudFront will not (at this time) use IPv6 to connect to an IPv6-only origin. So you can allow direct connections to the EC2 instance, and regulate that through Security Groups, NACLs, and host-based firewall rules (e.g., ipfilter or ipfw). The other answer points to the definitive page where you can look up IPv6 support by service. So while this is true at the time of writing, you can expect IPv6 support to improve over time, and those pages are the way to figure out whether IPv6 is possible.

AWS
answered 2 months ago
-3

To connect CloudFront to an IPv6-only EC2 instance, you need to ensure that the instance is reachable over IPv6 from the internet because CloudFront will communicate with your origin server over the internet. Here's how you can set this up:

  1. Associate an IPv6 Address: Make sure your EC2 instance has an IPv6 address associated with it. If it’s in a VPC, the VPC and subnet need to be enabled for IPv6 as well.

  2. DNS Configuration: While EC2 instances do not get a public DNS hostname for IPv6 by default, you can create an AAAA record in your hosted zone that points to the IPv6 address of your EC2 instance. Use AWS Route 53 or another DNS service to manage your domain's DNS records.

  3. Security Groups and Network ACLs: Update the Security Groups and Network ACLs attached to your EC2 instance to allow traffic from CloudFront's IP ranges. You can find the latest IP ranges used by CloudFront in the AWS ip-ranges.json file. Make sure to allow both IPv4 and IPv6 CIDR blocks since CloudFront could be communicating over either protocol.

  4. CloudFront Origin Settings: When you set up your CloudFront distribution, specify the IPv6 address of your EC2 instance as the origin. Since you don’t have a public DNS name for the IPv6 address, you will need to use an alternate domain name and ensure that the DNS record exists as an AAAA record.

Here’s a summary of the steps for the CloudFront distribution setup:

  • Create a new CloudFront distribution.
  • In the "Origin Domain Name," you can't directly enter the IPv6 address; you need to use a domain name. This is where your AAAA DNS record comes into play.
  • In the "Origin Protocol Policy," choose "HTTPS Only" or "Match Viewer" based on your requirements.
  • In the "Viewer Protocol Policy," you can choose to redirect HTTP to HTTPS or use HTTPS only, according to your security preferences.

  5. SSL/TLS Certificate: Make sure you have a valid SSL/TLS certificate to serve traffic over HTTPS. You can use AWS Certificate Manager to create and manage certificates and then associate them with your CloudFront distribution.

  6. Testing: After setting up, test accessing your content via the CloudFront domain name over IPv6 to ensure that the connection to your EC2 instance is working correctly.

If you follow these steps, you should be able to connect CloudFront to your IPv6-only EC2 instance without adding an IPv4 address. However, keep in mind that the source of the traffic to your EC2 instance (i.e., CloudFront) will still be over IPv4, given that CloudFront edge locations communicate with origins over IPv4. Your EC2 instance will need to be accessible over IPv4 from the internet unless AWS makes changes to support IPv6 from CloudFront to origins.

For the most current information and step-by-step instructions, you should consult the AWS CloudFront Documentation and AWS EC2 Documentation.

AWS
Obijan
answered 6 months ago
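
The Security Group step in the answer above (allowing CloudFront's ranges from ip-ranges.json), sketched as an added example that is not part of either answer and not AWS code: it filters the file for one service, merges adjacent prefixes, and builds a rule in the `IpPermissions` shape that EC2's AuthorizeSecurityGroupIngress accepts. The function names are hypothetical and the sample data is constructed from documentation prefixes, not real CloudFront ranges.

```python
import ipaddress
import json

def _entry(key, cidr, service):
    # One record in the layout used by AWS's published ip-ranges.json.
    return {key: cidr, "region": "GLOBAL", "service": service,
            "network_border_group": "GLOBAL"}

# Constructed sample (documentation prefixes). For real use, load the
# downloaded file instead: DOC = json.load(open("ip-ranges.json"))
DOC = {
    "syncToken": "0", "createDate": "1970-01-01-00-00-00",
    "prefixes": [
        _entry("ip_prefix", "198.51.100.0/25", "CLOUDFRONT"),
        _entry("ip_prefix", "198.51.100.128/25", "CLOUDFRONT"),
        _entry("ip_prefix", "203.0.113.0/24", "EC2"),
    ],
    "ipv6_prefixes": [
        _entry("ipv6_prefix", "2001:db8:1::/48", "CLOUDFRONT"),
        _entry("ipv6_prefix", "2001:db8:2::/48", "AMAZON"),
    ],
}

def service_networks(doc, service="CLOUDFRONT"):
    """Return (ipv4, ipv6) networks for one service, adjacent prefixes merged."""
    v4 = [ipaddress.ip_network(p["ip_prefix"])
          for p in doc.get("prefixes", []) if p.get("service") == service]
    v6 = [ipaddress.ip_network(p["ipv6_prefix"])
          for p in doc.get("ipv6_prefixes", []) if p.get("service") == service]
    return (list(ipaddress.collapse_addresses(v4)),
            list(ipaddress.collapse_addresses(v6)))

def ingress_permission(doc, port=443, service="CLOUDFRONT"):
    """Build one IpPermissions entry covering both address families."""
    v4, v6 = service_networks(doc, service)
    note = f"{service} from ip-ranges.json"
    return {
        "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
        "IpRanges": [{"CidrIp": str(n), "Description": note} for n in v4],
        "Ipv6Ranges": [{"CidrIpv6": str(n), "Description": note} for n in v6],
    }

def is_from_service(addr, doc, service="CLOUDFRONT"):
    """True if addr (IPv4 or IPv6 string) falls inside the service's ranges."""
    ip = ipaddress.ip_address(addr)
    v4, v6 = service_networks(doc, service)
    return any(ip in net for net in (v4 if ip.version == 4 else v6))

if __name__ == "__main__":
    print(json.dumps(ingress_permission(DOC), indent=2))
```

`is_from_service` can also be run over origin access logs to confirm that requests reaching the instance really arrive from the published ranges.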
