EC2 Instances and IPv6
Start course

In this course, we will review some of the internet protocol version 4 features of Amazon VPCs. Then you will be presented with internet protocol version 6, its notation and how to enable it for use with Amazon Virtual Private Clouds and EC2 Instances.

Learning Objectives

Discuss IPv4, IPv6 and how to configure it to be supported by Amazon VPCs and EC2 Instances.

Intended Audience

This course is intended for architects and system operators looking to benefit by using IPv6 addressing with AWS resources. This course also covers some of the objectives for both the solutions architect professional and the AWS Networking Specialty certifications. 


To get the most out of this course you will need to meet the requirements for any of the AWS associate level certifications or the equivalent experience.  

This course expects that you are familiar with the fundamentals of networking using AWS including Amazon Virtual Private Clouds, Public Subnets, Private Subnets, and IPv4 as used in EC2 Instances.  


EC2 Instances and IPv6. Now that the VPC and subnets are set up for IPv6, let's go over how to configure EC2 instances for the same. IPv6 is supported on all current generation EC2 instance types and the C3, R3, and I2  previous generation instance types. When you create an EC2 instance, if you select a subnet that is enabled for IPv6, you will also get an option on the EC2 instance creation where you can have the subnet auto-assign an IPv6 address.

When this is done, the address is associated with the primary network interface (eth0) of the instance. If you choose, you can disassociate the IPv6 address from the primary network interface. In terms of life cycle, an IPv6 address stays the same when you stop and start the instance. The IPv6 address is released when the instance is terminated. In this example, we launched two t3.micro instances and specified the IPv4 VPC enabled option in the configuration. We also specified for an IPv6 address to be auto assigned to each instance. Notice how we assigned the EC2SSM role to each instance in order for us to be able to use Systems Manager session manager to connect to the instances in a secure way without having to provision access keys or configure SSH. For details on how to use AWS systems manager, please take a look at our course on AWS systems manager listed on your screen. At this point, we take note of the IP addresses for each of the instances.

The IPv6 Dual Stack EC2 instance IPs are defined as listed below. From the Actions menu after selecting an instance, we select 'Connect', and this will start a session manager window in which we can execute commands in this instance terminal. Once connected to an instance, we can use ping6 followed by the IPv6 address of the corresponding pair to observe the response to the command. This verifies that IPv6 connectivity has been enabled and it's functional for the VPC, the subnet, and the EC2 instances.

If you have an IPv6 system configured at home, the routing table will also permit you to test using ping6 or a similar tool. You can add an IPv6 address to an existing instance  configured with IPv4 by selecting the instance and from the actions menu, you can select the 'Actions', 'Networking', and select 'Manage IP addresses'. This will allow you to configure an IPv6 address on the primary network interface for the instance.

You can launch EC2 instances built using the AWS Nitro system in IPv6-only subnets and have them use IPv6-only addressing. Private IPv4 addresses are not required to be assigned. This is an exception, not the norm, because the AWS Nitro system includes a card, a security chip, and a hypervisor that provides the performance equivalent to bare metal for most applications. This is useful if your application requires access to low level host hardware details that are not fully available in virtualized environments.

Licensing and compliance are common use cases. IPv6-only instances are assigned an IPv6 address using DHCP version 6 from the IPv6 set of the subnet. They can access EC2 Instance Metadata, Amazon Time Sync Service, and Route 53 Resolver over IPv6. The local addresses for the instances services in IPv6  use a prefix of fd00:ec2: followed by the rest of the address.

For example, the Time Sync Service is at address fd00:ec2::123. The EC2 Instance Metadata is divided into categories. For IPv4, we are familiar with the URI as shown. Notice the suffix /latest/meta-data/. The last forward slash is meaning because it is a reminder that the metadata represents a directory structure. The IPv6 equivalent is http://[fd00:ec2::254]/test/meta-data/. In both cases, the IP addresses are link-local addresses and are valid only from the instance.

About the Author
Jorge Negrón
AWS Content Architect
Learning Paths

Experienced in architecture and delivery of cloud-based solutions, the development, and delivery of technical training, defining requirements, use cases, and validating architectures for results. Excellent leadership, communication, and presentation skills with attention to details. Hands-on administration/development experience with the ability to mentor and train current & emerging technologies, (Cloud, ML, IoT, Microservices, Big Data & Analytics).