Getting started with IPv6 in Amazon EC2

1 February 2017

IPv6 has been around for many years, but until recently, support was lacking from a lot of providers, including the major public cloud players. Amazon launched it in one of their US regions at the back end of 2016, and have now rolled it out across all their regions.

I assume they may have enabled it by default in new accounts, but if you already have infrastructure, you'll need to turn it on in a few places:

  1. On your VPC itself, use Edit CIDRs to allocate a /56 IPv6 subnet to the VPC as a whole.
  2. On each of your subnets, Edit IPv6 CIDRs to allocate a /64 to the subnet.
  3. On your route table, add a global route (::/0) via your internet gateway. If you currently use the default route table, you'll need to create a new one and associate your subnets with it.
  4. For each of your security groups, define the behaviour you want for IPv6 connections. For IPv4 access control entries previously specified as 0.0.0.0/0, you'll want to append , ::/0 to allow equivalent connections over IPv6.
  5. You may want to change the subnets to automatically assign an IPv6 address to newly-created interfaces. This is under Modify auto-assign IP settings.

You can assign an IPv6 address to an existing instance by using Networking -> Manage IP Addresses.

I found that when creating a new Ubuntu 16.04 LTS instance from the current template (as of 2017-02-01), the network interface doesn't acquire an IPv6 address even if the EC2 console shows it having one. I fixed this by creating /etc/network/interfaces.d/60-ip6.cfg with a single line, iface eth0 inet6 dhcp, to enable DHCPv6. The current Amazon Linux AMI works straight out of the box.

With that, you should be able to start using IPv6.

It's worth noting (thanks @jen20 for the reminder) that anything with an IPv6 address is publicly addressable - you can no longer hide behind NAT as a security feature. If you want an instance to be internally-routable only, then check out Egress-only internet gateways.
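Because security groups are now the only thing between an IPv6-addressed instance and the internet, it is worth checking them after step 4. The following is an added example, not code from the original post: it audits rules in the IpPermissions shape returned by EC2 DescribeSecurityGroups, reporting 0.0.0.0/0 rules that still lack a ::/0 equivalent and rules that are open to the world over IPv6. The group IDs and sample rules are constructed for illustration.

```python
# Added example: audit security-group ingress rules for IPv4/IPv6 parity.
# Input uses the IpPermissions shape returned by EC2 DescribeSecurityGroups.

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

def _key(perm):
    """Identify a rule by protocol and port range (ports are None for 'all traffic')."""
    return (perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort"))

def world_open(perms, family):
    """Return the set of (proto, from, to) rules open to any address in one family."""
    field, cidr_key, any_cidr = {
        4: ("IpRanges", "CidrIp", ANY_V4),
        6: ("Ipv6Ranges", "CidrIpv6", ANY_V6),
    }[family]
    return {
        _key(p) for p in perms
        if any(r.get(cidr_key) == any_cidr for r in p.get(field, []))
    }

def audit(group):
    """Compare world-open ingress rules across address families for one group."""
    perms = group.get("IpPermissions", [])
    v4, v6 = world_open(perms, 4), world_open(perms, 6)
    return {
        "group": group["GroupId"],
        "missing_v6": sorted(v4 - v6, key=str),  # 0.0.0.0/0 rule with no ::/0 twin
        "v6_only": sorted(v6 - v4, key=str),     # world-open over IPv6 but not IPv4
        "v6_exposed": sorted(v6, key=str),       # reachable directly, no NAT in front
    }

# Constructed sample data with hypothetical group IDs, not from a real account.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-db-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}],
         "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]},
    ]},
]

if __name__ == "__main__":
    for g in SAMPLE_GROUPS:
        print(audit(g))
```

A non-empty v6_only list is the case to look at first: the rule is restricted over IPv4 but open to every IPv6 address.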
