Configure IPv6 on AWS EC2 Instance - NETSEC

Saturday, January 23, 2021

Configure IPv6 on AWS EC2 Instance

On Dec 1, 2016, AWS announced: "EC2 instances in Amazon Virtual Private Cloud (VPC) now offer native support for the IPv6 protocol. IPv6 can be enabled for existing and new VPCs through the AWS management console, API/SDK and CLI. Customers can use IPv6 on EC2 instances to access Internet resources as well as on-premise applications using Direct Connect."

With this ability, VPCs can now operate in a dual-stack mode with the ability to assign both IPv4 and IPv6 addresses on EC2 instances. With IPv6 enabled in a VPC, applications can be secured in the same easy manner available today through security groups, network ACLs and route tables. Additionally, IPv6 is supported in other key VPC features such as Internet Gateway, VPC Peering and VPC Flow Logs.

By default, every IPv6 address is public and internet-routable. For customers requiring a private subnet on their IPv6-enabled VPCs, AWS offers a new VPC resource called the Egress-only Internet Gateway, which can be set up to allow one-way (outbound-initiated only) access to Internet resources.

Assign IPv6 CIDR block to your VPC

From VPC -> Choose Your VPC -> Actions -> Edit CIDRs

You will get a /56 IPv6 CIDR block allocated by AWS.

Specify a custom IPv6 CIDR sub-block for your subnet

VPC -> Subnets -> Choose a subnet -> Actions -> Edit IPv6 CIDRs

Choose the /64 block for the subnet from within the VPC's /56 range.


Create a Default IPv6 Route in Route Table

From VPC -> Route Tables -> Choose a route table -> Edit Route -> Add a new IPv6 Default route

Destination will be ::/0.

Target will be your Internet Gateway (the default one, if you did not create others).


Create inbound IPv6 Firewall Rule in Security Group

VPC -> Security -> Security Groups -> Choose a security group -> Inbound Rules -> Edit Inbound rules -> add a new one

By default, the outbound rules already allow all IPv6 traffic to go out.


Launch an Instance with Auto-Assign IPv6 for Network Interface

In Step 3 of the Launch Instance wizard, you can enable Auto-assign IPv6 IP for this instance, as long as you have chosen a subnet that has an IPv6 CIDR block assigned.

If you already launched the instance without auto-assign IPv6, you can still open Manage IP Addresses from the Actions menu and assign an IPv6 address to the instance there.
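The console steps above carried out with the AWS CLI, as an added example that is not part of the original post. Resource IDs are placeholders, the VPC /56 used in dry-run mode is a constructed value, and the inbound rule is restricted to an assumed admin prefix instead of ::/0, since every IPv6 address in the VPC is publicly routable.

```shell
#!/bin/sh
# Added example, not from the original post: the console steps above via the AWS CLI.
# All IDs are placeholders; with DRY_RUN=1 (the default) commands are only printed.
set -eu
DRY_RUN=${DRY_RUN:-1}
VPC_ID=${VPC_ID:-vpc-PLACEHOLDER}
SUBNET_ID=${SUBNET_ID:-subnet-PLACEHOLDER}
RTB_ID=${RTB_ID:-rtb-PLACEHOLDER}
IGW_ID=${IGW_ID:-igw-PLACEHOLDER}
SG_ID=${SG_ID:-sg-PLACEHOLDER}
ADMIN_PREFIX=${ADMIN_PREFIX:-2001:db8:1234::/48}  # assumed admin range (documentation prefix)
SUBNET_INDEX=${SUBNET_INDEX:-2}                   # which of the 256 /64s in the /56 (0-255)

run() { if [ "$DRY_RUN" = 1 ]; then printf 'DRY-RUN: %s\n' "$*"; else "$@"; fi; }

# Carve the /64 for subnet number $2 out of the VPC's /56 $1. The index becomes the low
# byte of the 4th hextet: 2a05:d016:e12:2600::/56 + index 2 -> 2a05:d016:e12:2602::/64.
subnet_ipv6_cidr() {
  vpc=$1; idx=$2
  [ "$idx" -ge 0 ] && [ "$idx" -le 255 ] || return 1
  prefix=${vpc%%::/56}
  case $prefix in
    *:*:*:*) head=${prefix%:*}; last=${prefix##*:} ;;   # 4th hextet present
    *)       head=$prefix;      last=0 ;;               # 4th hextet was zero-compressed
  esac
  last=$(printf '%04x' "0x$last")          # pad to 4 hex digits, e.g. 2600
  hi=$(printf '%d' "0x${last%??}")         # upper byte of that hextet, e.g. 0x26 -> 38
  printf '%s:%x::/64\n' "$head" "$(( hi * 256 + idx ))"
}

# 1. Amazon-provided /56 for the VPC (console: VPC -> Actions -> Edit CIDRs).
run aws ec2 associate-vpc-cidr-block --vpc-id "$VPC_ID" --amazon-provided-ipv6-cidr-block
if [ "$DRY_RUN" = 1 ]; then
  VPC6=2a05:d016:e12:2600::/56   # constructed stand-in for the block AWS allocates
else
  VPC6=$(aws ec2 describe-vpcs --vpc-ids "$VPC_ID" \
    --query 'Vpcs[0].Ipv6CidrBlockAssociationSet[0].Ipv6CidrBlock' --output text)
fi
# 2. One /64 of that /56 for the subnet (console: Subnets -> Edit IPv6 CIDRs).
SUBNET6=$(subnet_ipv6_cidr "$VPC6" "$SUBNET_INDEX")
run aws ec2 associate-subnet-cidr-block --subnet-id "$SUBNET_ID" --ipv6-cidr-block "$SUBNET6"
# 3. Default IPv6 route: destination ::/0, target the Internet Gateway.
run aws ec2 create-route --route-table-id "$RTB_ID" --destination-ipv6-cidr-block ::/0 --gateway-id "$IGW_ID"
# 4. Inbound SSH over IPv6 from the admin prefix only: every IPv6 address here is public,
#    so the security group is the control that keeps port 22 off the whole Internet.
run aws ec2 authorize-security-group-ingress --group-id "$SG_ID" \
  --ip-permissions "IpProtocol=tcp,FromPort=22,ToPort=22,Ipv6Ranges=[{CidrIpv6=$ADMIN_PREFIX}]"
# 5. Auto-assign an IPv6 address to every instance launched into the subnet.
run aws ec2 modify-subnet-attribute --subnet-id "$SUBNET_ID" --assign-ipv6-address-on-creation
```

Run with DRY_RUN=0 and real IDs exported in the environment to apply the changes; the instance's own address can then be checked with ifconfig and ping6 as in the Testing section.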



Testing


Ping6

[ec2-user@ip-172-31-23-111 ~]$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 9001
        inet 172.31.23.111  netmask 255.255.240.0  broadcast 172.31.31.255
        inet6 2a05:d016:e12:2602:b45a:c2c7:6a1a:fe12  prefixlen 128  scopeid 0x0<global>
        inet6 fe80::49a:48ff:fe70:9f4c  prefixlen 64  scopeid 0x20<link>
        ether 06:9a:48:70:9f:4c  txqueuelen 1000  (Ethernet)
        RX packets 44451  bytes 53870401 (51.3 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 11147  bytes 1204820 (1.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 8  bytes 648 (648.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8  bytes 648 (648.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


[ec2-user@ip-172-31-23-111 ~]$ ping6  2a02:0180:0006:0001:0000:0000:0000:34d5
PING 2a02:0180:0006:0001:0000:0000:0000:34d5(2a02:180:6:1::34d5) 56 data bytes
64 bytes from 2a02:180:6:1::34d5: icmp_seq=1 ttl=39 time=28.3 ms
64 bytes from 2a02:180:6:1::34d5: icmp_seq=2 ttl=39 time=27.6 ms
64 bytes from 2a02:180:6:1::34d5: icmp_seq=3 ttl=39 time=27.4 ms
^C
--- 2a02:0180:0006:0001:0000:0000:0000:34d5 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 27.413/27.810/28.371/0.429 ms
[ec2-user@ip-172-31-23-111 ~]$


[ec2-user@ip-172-31-23-111 ~]$ traceroute 2a02:0180:0006:0001:0000:0000:0000:34d5
traceroute to 2a02:0180:0006:0001:0000:0000:0000:34d5 (2a02:180:6:1::34d5), 30 hops max, 80 byte packets
 1  2a01:578:0:4500:8000:0:6441:300 (2a01:578:0:4500:8000:0:6441:300)  9.653 ms 2a01:578:0:4500:8000:0:6441:280 (2a01:578:0:4500:8000:0:6441:280)  5.299 ms 2a01:578:0:4500:8000:0:6441:300 (2a01:578:0:4500:8000:0:6441:300)  9.627 ms
 2  2a01:578:0:4500:8000:0:6442:d0 (2a01:578:0:4500:8000:0:6442:d0)  10.814 ms 2a01:578:0:4500:8000:0:6442:c6 (2a01:578:0:4500:8000:0:6442:c6)  10.073 ms 2a01:578:0:4500:8000:0:6442:ee (2a01:578:0:4500:8000:0:6442:ee)  0.853 ms
 3  2620:107:4000:cfff::f3ff:e01 (2620:107:4000:cfff::f3ff:e01)  0.473 ms 2620:107:4000:cfff::f3ff:1 (2620:107:4000:cfff::f3ff:1)  0.480 ms 2620:107:4000:cfff::f3ff:601 (2620:107:4000:cfff::f3ff:601)  0.480 ms
 4  2620:107:4000:a290::f000:c15 (2620:107:4000:a290::f000:c15)  0.494 ms 2620:107:4000:a290::f000:c17 (2620:107:4000:a290::f000:c17)  0.562 ms 2620:107:4000:a290::f000:c10 (2620:107:4000:a290::f000:c10)  0.477 ms
 5  2620:107:4000:cfff::f200:7561 (2620:107:4000:cfff::f200:7561)  3.724 ms 2620:107:4000:cfff::f200:75f9 (2620:107:4000:cfff::f200:75f9)  0.807 ms 2620:107:4000:cfff::f200:7479 (2620:107:4000:cfff::f200:7479)  0.807 ms
 6  2a01:578:0:15::14 (2a01:578:0:15::14)  5.802 ms 2a01:578:0:15::11 (2a01:578:0:15::11)  4.067 ms 2a01:578:0:15::14 (2a01:578:0:15::14)  5.352 ms
 7  2a01:578:0:15::37 (2a01:578:0:15::37)  4.116 ms 2a01:578:0:15::32 (2a01:578:0:15::32)  4.378 ms 2a01:578:0:15::36 (2a01:578:0:15::36)  4.364 ms
 8  2a01:578:0:15::2 (2a01:578:0:15::2)  4.117 ms  3.889 ms 2a01:578:0:15::3 (2a01:578:0:15::3)  4.042 ms
 9  2a01:578:0:9000::27 (2a01:578:0:9000::27)  29.965 ms 2a01:578:0:9000::31 (2a01:578:0:9000::31)  20.415 ms 2a01:578:0:9000::27 (2a01:578:0:9000::27)  26.286 ms
10  2a01:578:0:9014::1b (2a01:578:0:9014::1b)  20.737 ms  20.730 ms 2a01:578:0:9014::1d (2a01:578:0:9014::1d)  21.740 ms
11  2a01:578:0:9014::1e (2a01:578:0:9014::1e)  20.568 ms  20.560 ms 2a01:578:0:9014::1b (2a01:578:0:9014::1b)  20.329 ms
12  2a01:578:0:9014::1f (2a01:578:0:9014::1f)  21.124 ms 2a01:578:0:9014::23 (2a01:578:0:9014::23)  20.271 ms 2a01:578:0:9014::2b (2a01:578:0:9014::2b)  21.360 ms
13  2a01:578:0:9014::b (2a01:578:0:9014::b)  35.136 ms 2a01:578:0:9014::9 (2a01:578:0:9014::9)  21.702 ms 2a01:578:0:9014::a (2a01:578:0:9014::a)  21.003 ms
14  2a01:578:0:9014::6 (2a01:578:0:9014::6)  21.104 ms 2a01:578:0:9014::1 (2a01:578:0:9014::1)  25.852 ms 2a01:578:0:9014::6 (2a01:578:0:9014::6)  21.076 ms
15  2a01:578:0:ff::4a (2a01:578:0:ff::4a)  24.330 ms 2a01:578:0:9014::2 (2a01:578:0:9014::2)  20.725 ms 2a01:578:0:9014::5 (2a01:578:0:9014::5)  20.319 ms
16  2a01:578:0:ff::47 (2a01:578:0:ff::47)  20.208 ms 2a01:578:0:ff::48 (2a01:578:0:ff::48)  21.164 ms 2a01:578:0:ff::4a (2a01:578:0:ff::4a)  24.265 ms
17  2a01:578:0:ff::d7 (2a01:578:0:ff::d7)  20.697 ms  20.691 ms  20.684 ms
18  2620:107:4008:6d7::2 (2620:107:4008:6d7::2)  21.025 ms 2a01:578:0:ff::d7 (2a01:578:0:ff::d7)  20.347 ms 2620:107:4008:6d7::2 (2620:107:4008:6d7::2)  21.017 ms
19  2620:107:4008:6d7::2 (2620:107:4008:6d7::2)  20.488 ms 2a02:238:1:f075::2 (2a02:238:1:f075::2)  28.089 ms  28.070 ms
20  2a02:238:1:f075::2 (2a02:238:1:f075::2)  28.051 ms 2a02:238:1:f075::1 (2a02:238:1:f075::1)  28.215 ms  28.248 ms
21  po162.ipv6.dsw-c6ka.as35366.net (2a02:180:6:9::9)  29.228 ms  29.219 ms  29.392 ms
22  po162.ipv6.dsw-c6ka.as35366.net (2a02:180:6:9::9)  28.574 ms  28.830 ms  28.819 ms
23  srv15601.blue.kundencontroller.de (2a02:180:6:5::62)  27.373 ms srv18598.blue.kundencontroller.de (2a02:180:6:1::34d5)  28.458 ms  28.439 ms
[ec2-user@ip-172-31-23-111 ~]$

[ec2-user@ip-172-31-23-111 ~]$ ssh root@2a02:0180:0006:0001:0000:0000:0000:34d5
************************************************************
* CentOS7.6-64bit-minimal
************************************************************
* If you have questions about your server, you can use our *
* 24-hour Trouble-Ticket-System                            *
*                                                          *
* Do NOT shutdown your server with "halt", use "reboot"    *
* instead                                                  *
*                                                          *
* Have fun with your server                                *
* Customer-Support                                         *
************************************************************

************************************************************
* CentOS7.6-64bit-minimal
************************************************************
* Wenn Sie Fragen und/oder Probleme mit Ihrem Server haben,*
* steht Ihnen unser eMail-Support rund um die Uhr zur      *
* Verfuegung.                                              *
*                                                          *
* Fahren Sie Ihren Server NICHT per "halt" herunter,       *
* sondern nutzen Sie "reboot".                             *
*                                                          *
* Viel Spass wuenscht Ihnen                                *
* Ihr Kundensupport                                        *
************************************************************
[root@srv18598 ~]#

You can also ping the instance's IPv6 address from the Internet with this page: https://tools.keycdn.com/ipv6-ping
