The answer stating outbound IPv6 access wouldn't be supported is wrong. There is a limitation with Lambda's IPv6 support, but that is that functions can only be attached to IPv6-enabled subnets if they are dual-stack, meaning also having IPv4 addresses. Functions can't be attached to IPv6-only subnets. However, the IPv4 addresses have no requirement to have outbound internet connectivity, if your functional need is still IPv6-only.
Just create an egress-only internet gateway (EIGW) in your VPC and set the route table(s) of the subnet(s) of your Lambda function to route ::/0 towards the EIGW. Ensure that the security group attached to the Lambda function also allows outbound access to ::/0 or a narrower IPv6 range, depending on where you need to connect. It'll work just fine.
More detailed steps on setting up your VPC to allow Lambda functions inside it to connect to the outside, including over IPv6, are explained on this documentation page: https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc-internet.html
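A pre-deployment check for the three conditions the answer above lists (dual-stack subnets, a `::/0` route to an EIGW, IPv6 egress in the security group), as an added example that is not part of the original answer. It assumes the inputs are dicts shaped like the EC2 `DescribeSubnets`, `DescribeRouteTables` and `DescribeSecurityGroups` responses and the Lambda `VpcConfig`; the function names, resource IDs and sample data are constructed for illustration.

```python
import ipaddress

def _v6_egress_allowed(sg, target, port):
    """True if one egress rule covers the IPv6 target network and TCP port."""
    for rule in sg.get("IpPermissionsEgress", []):
        proto = rule.get("IpProtocol")
        port_ok = proto == "-1" or (
            proto == "tcp" and rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535))
        if port_ok and any(target.subnet_of(ipaddress.ip_network(r["CidrIpv6"]))
                           for r in rule.get("Ipv6Ranges", [])):
            return True
    return False

def audit_ipv6_egress(vpc_config, subnets, route_tables, security_groups, dest="::/0", port=443):
    """Return findings; an empty list means the IPv6 egress path is complete."""
    findings, target = [], ipaddress.ip_network(dest)
    if not vpc_config.get("Ipv6AllowedForDualStack"):
        findings.append("lambda: Ipv6AllowedForDualStack is off")
    main_rt = next((t for t in route_tables
                    if any(a.get("Main") for a in t.get("Associations", []))), {})
    for sid in vpc_config["SubnetIds"]:
        subnet = next(s for s in subnets if s["SubnetId"] == sid)
        has_v6 = any(a.get("Ipv6CidrBlockState", {}).get("State") == "associated"
                     for a in subnet.get("Ipv6CidrBlockAssociationSet", []))
        if not (subnet.get("CidrBlock") and has_v6):
            findings.append(f"{sid}: not dual-stack")
        # An explicit association wins; otherwise the VPC main route table applies.
        rt = next((t for t in route_tables if any(
            a.get("SubnetId") == sid for a in t.get("Associations", []))), main_rt)
        if not any(r.get("DestinationIpv6CidrBlock") == "::/0"
                   and r.get("EgressOnlyInternetGatewayId", "").startswith("eigw-")
                   and r.get("State") == "active" for r in rt.get("Routes", [])):
            findings.append(f"{sid}: no active ::/0 route to an EIGW")
    attached = [g for g in security_groups if g["GroupId"] in vpc_config["SecurityGroupIds"]]
    # Security group rules are additive, so one matching rule in any group is enough.
    if not any(_v6_egress_allowed(g, target, port) for g in attached):
        findings.append(f"security groups: no egress rule covers {dest} tcp/{port}")
    return findings
# Constructed sample data: placeholder IDs, documentation prefix 2001:db8::/32.
V6 = [{"Ipv6CidrBlock": "2001:db8:0:1::/64", "Ipv6CidrBlockState": {"State": "associated"}}]
SUBNETS = [{"SubnetId": "subnet-a", "CidrBlock": "10.0.1.0/24", "Ipv6CidrBlockAssociationSet": V6},
           {"SubnetId": "subnet-b", "CidrBlock": "10.0.2.0/24"}]
ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-a"}], "Routes": [{"DestinationIpv6CidrBlock": "::/0",
     "EgressOnlyInternetGatewayId": "eigw-EXAMPLE", "State": "active"}]},
    {"Associations": [{"Main": True}], "Routes": []}]
SGS = [{"GroupId": "sg-a", "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}]
LAMBDA_VPC = {"SubnetIds": ["subnet-a", "subnet-b"], "SecurityGroupIds": ["sg-a"], "Ipv6AllowedForDualStack": True}
```

Network ACLs are not evaluated here, and passing a narrower `dest` checks whether a tighter security group rule still covers the destination you actually need.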
Ah, think I just found the docs I was looking for https://aws.amazon.com/about-aws/whats-new/2023/10/aws-lambda-ipv6-outbound-connections-vpc/?nc1=h_ls
Thanks for the clarification Manvitha.
I subsequently came across the following update from 2023 so it looks like Lambda may indeed support my requirement
https://aws.amazon.com/about-aws/whats-new/2023/10/aws-lambda-ipv6-outbound-connections-vpc
AWS Lambda supports IPv6 for outbound connections in VPC environments. To enable outbound IPv6 traffic for Lambda functions, you need to select "Allow IPv6 traffic for dual-stack subnets" when configuring your VPC settings. All selected subnets must have both an IPv4 CIDR block and an IPv6 CIDR block to support this functionality.
For proper configuration, ensure your VPC and subnet routing tables are correctly set up, as misconfiguration can lead to connectivity issues. Lambda supports dual-stack endpoints that can handle both IPv4 and IPv6 traffic, allowing the function to resolve to either protocol depending on your network configuration.
When implementing IPv6 connectivity, make sure to:
- Configure your VPC with appropriate routing for IPv6 traffic
- Select private subnets that can access the internet through NAT gateway
- Choose security groups that allow outbound traffic
Reference - https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc-internet.html
As of now, AWS Lambda does not support native outbound IPv6 traffic, even if the function is placed inside a dual-stack VPC subnet. IPv6 egress from Lambda is a known limitation, and unfortunately, there's no publicly announced timeline from AWS for supporting this natively.
Possible workaround steps: You can try the following workaround using the NAT64 + DNS64 pattern:
- Set up an EC2 NAT instance or NAT Gateway in a dual-stack subnet.
- Use DNS64 (like Amazon Route 53 Resolver with a custom DNS64 server) to synthesize AAAA records from A records.
- Connect your Lambda function to the VPC and route IPv6 traffic to the NAT64 translator via IPv4.
This enables your Lambda to connect to IPv6-only endpoints via NAT64 translation, but it’s a bit of a heavy lift for small workloads.
Alternative ways: Move SSL monitoring to EC2 or container-based workloads (e.g., Fargate, ECS, or EKS), which do support outbound IPv6 in VPC.