Why does AWS not allow assigning private IPv6 addresses to EC2 instances in a VPC?

0

This is not allowed in any way, not even through IPAM, and obviously not through an Amazon-provided CIDR block.

I can't think of a technical hurdle to this. AWS could allow users to declare their own private IPv6 pool in IPAM. AWS could also randomly generate a private IPv6 address prefix to offer a private CIDR block.

AmanG
asked 4 months ago · 264 views
3 Answers
1

Hi AmanG

I guess with the availability of routable IPv6 AWS decided against the use of "private" IPs.
I put private in quotes because I believe you are referring to RFC 4193 private network addresses (fd00::/8) the same as RFC 1918 private networks (10.x/8, 172.16.x/12, and 192.168.x/16).

The question is why you would want to use RFC 4193 when, as mentioned, you can use AWS publicly routable addresses and make them private/non-routable by use of an egress-only gateway.
In AWS any address can become non-routable, and thus private, so the need to use private network address space disappears.

I would be interested if there was another scenario you had in mind for the need to use private networks as opposed to AWS routable addresses in a private subnet.

answered 4 months ago
  • Robin, you are exactly right in your understanding of my question. I guess the use of private IPv6 addresses would provide another layer of protection from an EC2 instance accidentally becoming addressable from the internet, when that was not the intention. I know that it is possible to keep EC2 instances with public IPv6 addresses completely inaccessible from the internet.

0

In my experience, assigning IPv6 addresses under the prefix defined for the VPC subnet works, although some forms are quite confusing to use. Now, technically those are public IPv6 addresses, not private, and not from a customer-delegated IPv6 block. However, the so-called "security policy" AWS feature allows setting up firewall rules to stop public access to the IPv6 addresses of network interfaces and virtual machines (so-called "instances").

answered 4 months ago
0

Hello,

AWS utilizes public IPv6 space for IPv6 adoption, which aims to eliminate the need for NAT. That is why there is a dedicated Egress-Only Internet Gateway (EIGW), to maintain the same concept as IPv4 private subnets.

  • Options for IPv6 Distribution:
    • Choose between AWS-provided IPv6 space or Bring Your Own IPv6 Addresses (BYOIP).
  • Assigning CIDR to VPC:
    • AWS-provided IPv6 space (VPC distribution basis):
      • CIDR assigned per VPC, with a randomly selected public IPv6 /56 from AWS-owned IP ranges.
      • Further division into /64 CIDR blocks for subnets.
    • AWS-provided IPv6 space (IPAM):
      • CIDR assigned using IPAM, ensuring contiguous ranges and enhancing route summarization.
      • Range is provided from AWS-owned IP ranges.
    • BYOIP IPv6:
      • Allows bringing your own public IPv6 /48 range, managed and assigned by IPAM to your VPC.
  • IPAM for Contiguous Range:
    • IPAM tools facilitate systematic management and distribution of IPv6 addresses within AWS.
    • Enables the maintenance of contiguous IPv6 ranges, optimizing route summarization.

https://aws.amazon.com/about-aws/whats-new/2023/01/amazon-provided-contiguous-ipv6-cidr-blocks/
https://docs.aws.amazon.com/whitepapers/latest/ipv6-on-aws/planning-ipv6-adoption-in-the-aws-cloud-network.html

AWS
Shmosa
answered 4 months ago
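The two points made above, that the /56 a VPC receives is carved into /64 subnets and that a public IPv6 address is only internet-reachable when the subnet's default route points at a bidirectional internet gateway rather than an egress-only gateway, as an added worked example (not code from any of the answers or from AWS). The VPC prefix uses the RFC 3849 documentation range and the gateway ids are placeholders; the route model is a constructed simplification, not AWS API output.

```python
import ipaddress
from itertools import islice

# RFC 4193 unique local addresses: the "private" IPv6 space the question asks about.
ULA = ipaddress.ip_network("fc00::/7")

def is_ula(addr: str) -> bool:
    """True when addr is a unique local address (fc00::/7, in practice fd00::/8)."""
    return ipaddress.ip_address(addr) in ULA

def carve_subnets(vpc_cidr: str, count: int) -> list[str]:
    """Split the /56 AWS assigns to a VPC into the /64 blocks subnets must use."""
    vpc = ipaddress.ip_network(vpc_cidr)
    if vpc.prefixlen != 56:
        raise ValueError("AWS assigns one /56 per VPC")
    return [str(s) for s in islice(vpc.subnets(new_prefix=64), count)]

def inbound_reachable(routes: list[dict]) -> bool:
    """Public (GUA) addresses are internet-reachable only if the subnet's default
    IPv6 route (::/0) targets a bidirectional internet gateway (igw-*). A route to
    an egress-only gateway (eigw-*) allows outbound flows only, which is how AWS
    reproduces IPv4 private subnets without NAT or ULA space."""
    for r in routes:
        if r["destination"] == "::/0":
            return r["target"].startswith("igw-")
    return False  # no default route at all: isolated subnet

def audit(vpc_cidr: str, subnets: dict[str, dict]) -> list[str]:
    """Return names of subnets whose instances could be reached from the internet."""
    vpc = ipaddress.ip_network(vpc_cidr)
    exposed = []
    for name, sn in subnets.items():
        cidr = ipaddress.ip_network(sn["cidr"])
        if cidr.prefixlen != 64 or not cidr.subnet_of(vpc):
            raise ValueError(f"{name}: {cidr} is not a /64 inside {vpc}")
        if inbound_reachable(sn["routes"]):
            exposed.append(name)
    return exposed

# Constructed sample VPC: documentation prefix and placeholder gateway ids, not real AWS values.
VPC_CIDR = "2001:db8:abcd::/56"
S = carve_subnets(VPC_CIDR, 3)
SUBNETS = {
    "public":   {"cidr": S[0], "routes": [{"destination": "::/0", "target": "igw-PLACEHOLDER"}]},
    "private":  {"cidr": S[1], "routes": [{"destination": "::/0", "target": "eigw-PLACEHOLDER"}]},
    "isolated": {"cidr": S[2], "routes": []},
}

if __name__ == "__main__":
    print("ULA?", is_ula("fd00::1"), is_ula("2001:db8:abcd::1"))
    print("internet-reachable subnets:", audit(VPC_CIDR, SUBNETS))
```

Security groups and network ACLs add further layers on top of the routing check shown here; a real audit would read route tables from the EC2 API instead of the constructed dictionary.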
