The answer stating outbound IPv6 access wouldn't be supported is wrong. There is a limitation with Lambda's IPv6 support, but that is that functions can only be attached to IPv6-enabled subnets if they are dual-stack, meaning also having IPv4 addresses. Functions can't be attached to IPv6-only subnets. However, the IPv4 addresses have no requirement to have outbound internet connectivity, if your functional need is still IPv6-only.
Just create an egress-only internet gateway (EIGW) in your VPC and set the route table(s) of the subnet(s) of your Lambda function to route ::/0 towards the EIGW. Ensure that the security group attached to the Lambda function also allows outbound access to ::/0 or a narrower IPv6 range, depending on where you need to connect. It'll work just fine.
More detailed steps on setting up your VPC to allow Lambda functions inside it to connect to the outside, including over IPv6, are explained on this documentation page: https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc-internet.html
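The three conditions named in the answer above (dual-stack subnets, a `::/0` route to an EIGW, and an IPv6 egress rule in the security group) can be checked offline against EC2 Describe* output. The following is an added example, not part of the original answer or of AWS documentation; the function name, the sample IDs and CIDRs are constructed, and it only models explicit route table associations and ignores ports and protocols.

```python
import ipaddress

def ipv6_egress_findings(subnets, route_tables, security_groups, dest="::/0"):
    """Return problems that would block a VPC Lambda's outbound IPv6; [] means OK.
    Inputs are the "Subnets", "RouteTables" and "SecurityGroups" lists in the
    shape returned by the EC2 Describe* APIs."""
    findings = []
    for s in subnets:
        sid = s["SubnetId"]
        v6 = [a for a in s.get("Ipv6CidrBlockAssociationSet", [])
              if a.get("Ipv6CidrBlockState", {}).get("State") == "associated"]
        if not (s.get("CidrBlock") and v6):
            findings.append(f"{sid}: not dual-stack (needs IPv4 and IPv6 CIDRs)")
        # Assumption: only explicit subnet associations are checked; fallback
        # to the VPC's main route table is not modelled here.
        routes = [r for rt in route_tables
                  if any(a.get("SubnetId") == sid for a in rt.get("Associations", []))
                  for r in rt.get("Routes", [])]
        if not any(r.get("DestinationIpv6CidrBlock") == "::/0"
                   and r.get("EgressOnlyInternetGatewayId", "").startswith("eigw-")
                   and r.get("State") == "active" for r in routes):
            findings.append(f"{sid}: no active ::/0 route to an egress-only internet gateway")
    # Rules of all attached groups are additive. Ports/protocols are ignored here.
    allowed = [ipaddress.ip_network(r["CidrIpv6"])
               for sg in security_groups
               for p in sg.get("IpPermissionsEgress", [])
               for r in p.get("Ipv6Ranges", [])]
    if not any(ipaddress.ip_network(dest).subnet_of(n) for n in allowed):
        findings.append(f"security groups: no IPv6 egress rule covering {dest}")
    return findings

# Constructed sample data (IDs and CIDRs are made up for illustration).
SUBNETS = [{"SubnetId": "subnet-aaa", "CidrBlock": "10.0.1.0/24",
            "Ipv6CidrBlockAssociationSet": [
                {"Ipv6CidrBlock": "2001:db8:0:1::/64",
                 "Ipv6CidrBlockState": {"State": "associated"}}]}]
ROUTE_TABLES = [{"Associations": [{"SubnetId": "subnet-aaa"}],
                 "Routes": [{"DestinationIpv6CidrBlock": "::/0",
                             "EgressOnlyInternetGatewayId": "eigw-0example",
                             "State": "active"}]}]
SG_V6 = [{"GroupId": "sg-ok", "IpPermissionsEgress": [
    {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}]
SG_V4_ONLY = [{"GroupId": "sg-v4", "IpPermissionsEgress": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}]

if __name__ == "__main__":
    print(ipv6_egress_findings(SUBNETS, ROUTE_TABLES, SG_V6))
    print(ipv6_egress_findings(SUBNETS, ROUTE_TABLES, SG_V4_ONLY))
```

Passing a narrower `dest` (the IPv6 range of the service you connect to) lets the same check confirm that a tightly scoped egress rule still covers it.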
AWS Lambda supports IPv6 for outbound connections in VPC environments. To enable outbound IPv6 traffic for Lambda functions, you need to select "Allow IPv6 traffic for dual-stack subnets" when configuring your VPC settings. All selected subnets must have both an IPv4 CIDR block and an IPv6 CIDR block to support this functionality.
For proper configuration, ensure your VPC and subnet routing tables are correctly set up, as misconfiguration can lead to connectivity issues. Lambda supports dual-stack endpoints that can handle both IPv4 and IPv6 traffic, allowing the function to resolve to either protocol depending on your network configuration.
When implementing IPv6 connectivity, make sure to:
- Configure your VPC with appropriate routing for IPv6 traffic
- Select private subnets that can access the internet through NAT gateway
- Choose security groups that allow outbound traffic
Reference - https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc-internet.html
Ah, think I just found the docs I was looking for https://aws.amazon.com/about-aws/whats-new/2023/10/aws-lambda-ipv6-outbound-connections-vpc/?nc1=h_ls
Thanks for the clarification Manvitha.
I subsequently came across the following update from 2023 so it looks like Lambda may indeed support my requirement
https://aws.amazon.com/about-aws/whats-new/2023/10/aws-lambda-ipv6-outbound-connections-vpc
Ok I have an update to this.
My Lambda function runs inside a VPC and can successfully look up an IPv6 address.
I have everything mentioned above in @Makendran G's post.
But if you put Lambda in a VPC, it loses access to Supabase (your database).
It's like this:
- Option A: Lambda can talk to Supabase ✅, but can't reach IPv6 websites ❌
- Option B: Lambda can reach IPv6 websites ✅, but can't talk to Supabase ❌
Is there an issue especially with connecting to Supabase and writing to it from a Lambda IPv6 based function?
@Peter a quick internet search suggests Supabase also supports IPv6 (https://supabase.com/docs/guides/troubleshooting/supabase--your-network-ipv4-and-ipv6-compatibility-cHe3BP), so when you enable IPv6 addresses and connectivity for your Lambda function, it most likely connects to Supabase also over IPv6. I'm assuming you've set the security group of your function to allow all IPv6 traffic outbound.
Supabase allows configuring IP address restrictions for accessing the database: https://supabase.com/docs/guides/platform/network-restrictions. I suggest you check if your database has IP restrictions configured. Even if connections are allowed from 0.0.0.0/0, that will only allow IPv4 traffic. You should set Supabase to allow connections additionally from the IPv6 CIDR of your VPC where the Lambda function resides.
As of now, AWS Lambda does not support native outbound IPv6 traffic, even if the function is placed inside a dual-stack VPC subnet. IPv6 egress from Lambda is a known limitation, and unfortunately, there's no publicly announced timeline from AWS for supporting this natively.
Possible Workaround steps: You can try the following workaround using NAT64 + DNS64 pattern:
Set up an EC2 NAT instance or NAT Gateway in a dual-stack subnet.
Use DNS64 (like Amazon Route 53 Resolver with a custom DNS64 server) to synthesize AAAA records from A records.
Connect your Lambda function to the VPC and route IPv6 traffic to the NAT64 translator via IPv4.
This enables your Lambda to connect to IPv6-only endpoints via NAT64 translation, but it’s a bit of a heavy lift for small workloads.
Alternative ways: Move SSL monitoring to EC2 or container-based workloads (e.g., Fargate, ECS, or EKS), which do support outbound IPv6 in VPC.