IP addresses allow machines to address each other across a network. IPv4 is still the most widely used version of the protocol, but the IPv4 address space is being consumed rapidly. IPv6 is the most recent version of the protocol, designed to solve the address space problem.

You can selectively enable IPv6 on new or existing instances. Once enabled, an IPv6 will be automatically configured on the first interface of your instance, along with its public IPv4 address.

Note

All IPv6 addresses for your organization are taken from the same /64 subnet (the beginning of the IPv6 address will always be the same). Currently, only one IPv6 address can be assigned for each instance. In the future, we will allow you to assign more IPv6 addresses.

Adding IPv6 to a new instance

During instance creation, you can enable IPv6 by checking the option “Enable IPv6”:

Enabling IPv6 during instance creation

In addition to an IPv4 address, the new instance will receive an IPv6 address.

With the API, you can pass ip6=true as an additional parameter to the deployVirtualMachine call.

Adding IPv6 to an existing instance

In the details of the instance, below the IPv4 address, you will find a button to enable IPv6:

Enabling IPv6 for an existing instance

There is no need to reboot your instance: an IPv6 address is configured to the public interface of your instance within a few seconds.

Alternatively, you can use the activateIp6 API call.

Security groups

Like for IPv4, by default, ingress traffic is filtered and egress traffic is open. To authorize ingress traffic, you need to add IPv6-specific rules. For example, if you want to authorize SSH access from anywhere, use ::/0 as the source. ::/0 means any IPv6 host, while 0.0.0.0/0 means any IPv4 host.

Ingress SSH security rule

If you already have IPv4 egress rules, outgoing IPv6 traffic is filtered and you need to specify additional rules to allow IPv6 outbound flows. The reverse is also true: if you add IPv6 egress rules without any IPv4 egress rule, IPv4 traffic is filtered.

Testing the connection

Linux

On Linux, log into your instance and execute the following command:

$ ping6 2001:4860:4860::8888
PING 2001:4860:4860::8888(2001:4860:4860::8888) 56 data bytes
64 bytes from 2001:4860:4860::8888: icmp_seq=1 ttl=51 time=4.60 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=2 ttl=51 time=4.08 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=3 ttl=51 time=4.13 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=4 ttl=51 time=4.12 ms
^C
--- 2001:4860:4860::8888 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 4.085/4.237/4.607/0.214 ms

If you get an error, check if the IPv6 address is correctly assigned on the first interface:

$ ip -6 a l dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a04:c43:c00:12f:491:58ff:fe00:79/64 scope global mngtmpaddr dynamic
       valid_lft 86360sec preferred_lft 14360sec
    inet6 fe80::480:58ff:fe00:79/64 scope link
       valid_lft forever preferred_lft forever

In addition to the fe80::… address, you should get an address starting by 2a04::…. If you don’t have the fe80::… address, IPv6 is disabled on your system. You can enable it with sysctl -w net.ipv6.conf.all.disable_ipv6=0. If you don’t have the 2a04::… address, the autoconfiguration mechanism failed. This may be because of a locally configured firewall or because IPv6 autoconfiguration has been disabled. You can enable IPv6 autoconfiguration with sysctl net.ipv6.conf.eth0.autoconf=1.

If the addresses are present, check the following points:

  • you do not have a local firewall (check ip6tables-save),
  • you are not using egress rules in your security groups, and
  • you do not use privacy extensions (check sysctl net.ipv6.conf.eth0.use_tempaddr, it should be 0).

Windows

On Windows, you need to disable privacy extensions. You can do that by issuing the following commands in an administrative PowerShell session:

PS> Set-NetIPv6Protocol -RandomizeIdentifiers Disabled
PS> Set-NetIPv6Protocol -UseTemporaryAddresses Disabled

Then, you can test with ping6:

PS> ping6 2001:4860:4860::8888

Pinging 2001:4860:4860::8888 with 32 bytes of data:
Reply from 2001:4860:4860::8888: time<1ms
Reply from 2001:4860:4860::8888: time<1ms
Reply from 2001:4860:4860::8888: time=1ms
Reply from 2001:4860:4860::8888: time=1ms

Ping statistics for 2001:4860:4860::8888:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms

If this doesn’t work, use ipconfig /all to check if you got an IPv6 address:

PS> ipconfig /all
[…]
Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Red Hat VirtIO Ethernet Adapter
   Physical Address. . . . . . . . . : 06-6B-EA-00-00-36
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2a04:c46:c00:12f:46b:eaff:fe00:36(Preferred)
   Link-local IPv6 Address . . . . . : fe80::46b:eaff:fe00:36%5(Preferred)
   IPv4 Address. . . . . . . . . . . : 89.145.160.49(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.252.0
   Lease Obtained. . . . . . . . . . : mardi, 17 avril 2018 14:10:14
   Lease Expires . . . . . . . . . . : vendredi, 24 mai 2154 20:45:03
   Default Gateway . . . . . . . . . : fe80::fc6b:eaff:fe00:36%5
                                       89.145.160.1
   DHCP Server . . . . . . . . . . . : 89.145.160.1
   DHCPv6 IAID . . . . . . . . . . . : 55727104
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-22-67-9C-42-06-6B-EA-00-00-36
   DNS Servers . . . . . . . . . . . : 89.145.160.136
                                       89.145.161.109
                                       185.150.8.225
   NetBIOS over Tcpip. . . . . . . . : Enabled

Also check if you got a default route:

PS> route print ::/0
[…]
IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  5    271 ::/0                     fe80::fc6b:eaff:fe00:36
===========================================================================
Persistent Routes:
  None

OpenBSD

On OpenBSD, you need to disable Semantically Opaque Interface Identifiers and privacy extensions. Add the following lines in /etc/hostname.vio0:

-soii
-autoconfprivacy

Then, use sh /etc/netstart vio0 to reload the configuration. You can test if it works correctly with ping6:

# ping6 2001:4860:4860::8888
PING 2001:4860:4860::8888 (2001:4860:4860::8888): 56 data bytes
64 bytes from 2001:4860:4860::8888: icmp_seq=0 hlim=61 time=1.296 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=1 hlim=61 time=1.294 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=2 hlim=61 time=1.218 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=3 hlim=61 time=1.171 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=4 hlim=61 time=1.345 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=5 hlim=61 time=1.117 ms
^C
--- 2001:4860:4860::8888 ping statistics ---
6 packets transmitted, 6 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.117/1.240/1.345/0.079 ms

If this doesn’t work, check you got an IPv6 with ifconfig:

# ifconfig vio0
vio0: flags=648843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,INET6_NOPRIVACY,AUTOCONF6,INET6_NOSOII> mtu 1500
        lladdr 06:6b:ea:00:00:36
        index 1 priority 0 llprio 3
        groups: egress
        media: Ethernet autoselect
        status: active
        inet 89.145.160.49 netmask 0xfffffc00 broadcast 89.145.163.255
        inet6 fe80::46b:eaff:fe00:36%vio0 prefixlen 64 scopeid 0x1
        inet6 2a04:c46:c00:12f:46b:eaff:fe00:36 prefixlen 64 autoconf pltime 14350 vltime 86350

Also, check if you got the default gateway:

# route -n show | grep default | tail -1
default   fe80::fc6b:eaff:fe00:36%vio0   UGS        0        3     -    56 vio0