Feature Request: Enable IPv6 Outbound Access for Lambda Functions

0

Hello AWS team,

I’m currently using AWS Lambda functions to perform SSL certificate lookups for IPv6-only IP addresses. While my code works correctly and handles IPv6 properly, I’ve discovered that AWS Lambda does not currently support outbound IPv6 connectivity.

This limitation prevents my Lambda functions from connecting to IPv6 hosts and retrieving SSL certificate information.

This is impacting my ability to monitor SSL certificates on modern IPv6 infrastructure.

I’d like to ask if there is any plan or timeline to add native IPv6 outbound support for Lambda functions.

Also, if there are recommended best practices or workarounds for performing IPv6 network calls from Lambda in the meantime, I would appreciate any guidance.

Thanks

asked 16 days ago, 104 views
7 Answers
2

The answer stating outbound IPv6 access wouldn't be supported is wrong. There is a limitation with Lambda's IPv6 support, but that is that functions can only be attached to IPv6-enabled subnets if they are dual-stack, meaning also having IPv4 addresses. Functions can't be attached to IPv6-only subnets. However, the IPv4 addresses have no requirement to have outbound internet connectivity, if your functional need is still IPv6-only.

Just create an egress-only internet gateway (EIGW) in your VPC and set the route table(s) of the subnet(s) of your Lambda function to route ::/0 towards the EIGW. Ensure that the security group attached to the Lambda function also allows outbound access to ::/0 or a narrower IPv6 range, depending on where you need to connect. It'll work just fine.

More detailed steps on setting up your VPC to allow Lambda functions inside it to connect to the outside, including over IPv6, are explained on this documentation page: https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc-internet.html

EXPERT
answered 15 days ago
0
Accepted Answer

AWS Lambda supports IPv6 for outbound connections in VPC environments. To enable outbound IPv6 traffic for Lambda functions, you need to select "Allow IPv6 traffic for dual-stack subnets" when configuring your VPC settings. All selected subnets must have both an IPv4 CIDR block and an IPv6 CIDR block to support this functionality.

For proper configuration, ensure your VPC and subnet routing tables are correctly set up, as misconfiguration can lead to connectivity issues. Lambda supports dual-stack endpoints that can handle both IPv4 and IPv6 traffic, allowing the function to resolve to either protocol depending on your network configuration.

When implementing IPv6 connectivity, make sure to:

  1. Configure your VPC with appropriate routing for IPv6 traffic
  2. Select private subnets that can access the internet through NAT gateway
  3. Choose security groups that allow outbound traffic

Reference - https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc-internet.html

AWS
EXPERT
answered 14 days ago
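An added example, not part of either answer above and not AWS code: a Python check that walks the pieces both answers name (dual-stack subnets, the function's IPv6 setting, a `::/0` route to an egress-only internet gateway, and an IPv6 egress rule) and reports which one is missing. It assumes dictionaries shaped like the EC2 Describe* and Lambda GetFunctionConfiguration responses; the function names, resource IDs and `2001:db8::/32` addresses are constructed for illustration.

```python
import ipaddress

def sg_allows(groups, dest, port):
    """True if any attached group has an egress rule covering dest:port over IPv6."""
    addr = ipaddress.ip_address(dest)
    for perm in (p for g in groups for p in g.get("IpPermissionsEgress", [])):
        proto = perm.get("IpProtocol")
        if proto != "-1" and not (proto == "tcp" and perm["FromPort"] <= port <= perm["ToPort"]):
            continue
        if any(addr in ipaddress.ip_network(r["CidrIpv6"]) for r in perm.get("Ipv6Ranges", [])):
            return True
    return False

def audit_ipv6_egress(vpc_config, subnets, route_tables, security_groups, dest, port=443):
    """Return findings; an empty list means every piece of the egress path is present."""
    findings = []
    if not vpc_config.get("Ipv6AllowedForDualStack"):
        findings.append("function: Ipv6AllowedForDualStack is off")
    for sn in subnets:
        v6 = [a for a in sn.get("Ipv6CidrBlockAssociationSet", [])
              if a.get("Ipv6CidrBlockState", {}).get("State") == "associated"]
        if not (sn.get("CidrBlock") and v6):
            findings.append(f"{sn['SubnetId']}: not dual-stack")
    for rt in route_tables:
        if not any(r.get("DestinationIpv6CidrBlock") == "::/0"
                   and r.get("EgressOnlyInternetGatewayId")
                   and r.get("State") == "active" for r in rt.get("Routes", [])):
            findings.append(f"{rt['RouteTableId']}: no active ::/0 route to an EIGW")
    if not sg_allows(security_groups, dest, port):
        findings.append(f"security groups: no IPv6 egress rule covers [{dest}]:{port}")
    return findings

# Constructed sample input (placeholder IDs, 2001:db8::/32 documentation prefix).
GOOD = {
    "vpc_config": {"Ipv6AllowedForDualStack": True},
    "subnets": [{"SubnetId": "subnet-example", "CidrBlock": "10.0.1.0/24",
                 "Ipv6CidrBlockAssociationSet": [{"Ipv6CidrBlock": "2001:db8:1:100::/64",
                                                  "Ipv6CidrBlockState": {"State": "associated"}}]}],
    "route_tables": [{"RouteTableId": "rtb-example", "Routes": [{
        "DestinationIpv6CidrBlock": "::/0", "State": "active",
        "EgressOnlyInternetGatewayId": "eigw-example"}]}],
    "security_groups": [{"GroupId": "sg-example", "IpPermissionsEgress": [{
        "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}],
}
# IPv4-only egress rule: the gap that blocks IPv6 even when routing is correct.
V4_ONLY_SG = [{"GroupId": "sg-example", "IpPermissionsEgress": [{
    "IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}]
print(audit_ipv6_egress(**{**GOOD, "security_groups": V4_ONLY_SG}, dest="2001:db8:ffff::10"))
```

The route tables passed in are assumed to be the ones associated with the function's subnets; rules of all attached security groups are evaluated together because their allow rules are additive.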
0
answered 16 days ago
0

Thanks for the clarification Manvitha.

I subsequently came across the following update from 2023, so it looks like Lambda may indeed support my requirement:

https://aws.amazon.com/about-aws/whats-new/2023/10/aws-lambda-ipv6-outbound-connections-vpc

answered 15 days ago
0

Ok I have an update to this.

My Lambda function runs inside a VPC and can successfully look up an IPv6 address.

I have everything mentioned above in @Makendran G's post.

But if you put Lambda in a VPC, it loses access to Supabase (your database).

It's like this:

Option A: Lambda can talk to Supabase ✅, but can't reach IPv6 websites ❌

Option B: Lambda can reach IPv6 websites ✅, but can't talk to Supabase ❌

Is there an issue especially with connecting to Supabase and writing to it from a Lambda IPv6 based function?

answered 8 days ago
0

@Peter a quick internet search suggests Supabase also supports IPv6 (https://supabase.com/docs/guides/troubleshooting/supabase--your-network-ipv4-and-ipv6-compatibility-cHe3BP), so when you enable IPv6 addresses and connectivity for your Lambda function, it most likely connects to Supabase also over IPv6. I'm assuming you've set the security group of your function to allow all IPv6 traffic outbound.

Supabase allows configuring IP address restrictions for accessing the database: https://supabase.com/docs/guides/platform/network-restrictions. I suggest you check if your database has IP restrictions configured. Even if connections are allowed from 0.0.0.0/0, that will only allow IPv4 traffic. You should set Supabase to allow connections additionally from the IPv6 CIDR of your VPC where the Lambda function resides.

EXPERT
answered 7 days ago
-1

As of now, AWS Lambda does not support native outbound IPv6 traffic, even if the function is placed inside a dual-stack VPC subnet. IPv6 egress from Lambda is a known limitation, and unfortunately, there's no publicly announced timeline from AWS for supporting this natively.

Possible Workaround steps: You can try the following workaround using NAT64 + DNS64 pattern:

Set up an EC2 NAT instance or NAT Gateway in a dual-stack subnet.

Use DNS64 (like Amazon Route 53 Resolver with a custom DNS64 server) to synthesize AAAA records from A records.

Connect your Lambda function to the VPC and route IPv6 traffic to the NAT64 translator via IPv4.

This enables your Lambda to connect to IPv6-only endpoints via NAT64 translation, but it’s a bit of a heavy lift for small workloads.

Alternative ways: Move SSL monitoring to EC2 or container-based workloads (e.g., Fargate, ECS, or EKS), which do support outbound IPv6 in VPC.

answered 16 days ago
AWS
EXPERT
reviewed 15 days ago
