An IPv6 gateway routes IPv6 traffic to and from a VPC. By default, an IPv6 address is used only for communication within VPCs. You can enable IPv6 Internet bandwidth for an IPv6 address of an IPv6 gateway in the VPC console. The IPv6 address can then be used for communication over the Internet. In addition, you can configure egress-only rules so that the IPv6 address can access the Internet but cannot be accessed from the Internet.
Overview
Term | Description |
IPv6 address | IPv6 addresses are manually assigned or assigned by the system. The following is an example of an IPv6 address: 2001:db8:1:1:1:1:1:1. The system can also assign IPv6 prefixes, which are IPv6 CIDR blocks. The following is an example of an IPv6 prefix: fd02:XXXX:7:f900:6ce2::/80. |
IPv6 gateway | IPv6 gateways serve as key components that connect Elastic Compute Service (ECS) instances in VPCs to the Internet by using IPv6 addresses. You can use IPv6 gateways to manage IPv6 Internet bandwidth and configure egress-only rules. |
IPv6 Internet bandwidth | Whether IPv6 Internet bandwidth is enabled for an IPv6 address determines whether the address has Internet access. You must enable IPv6 Internet bandwidth for an IPv6 address before the address can be used for communication over the Internet. |
egress-only rule | An IPv6 gateway uses an egress-only rule to implement egress control for IPv6 traffic. After you configure an egress-only rule for an IPv6 address, the IPv6 gateway allows only outbound traffic to the Internet over the IPv6 address. |
IPv6 CIDR block of a VPC | An IPv6 CIDR block whose subnet mask is /56 is automatically allocated to a VPC by the system after IPv6 is enabled for the VPC. |
IPv6 CIDR block of a vSwitch | By default, the subnet mask of an IPv6 CIDR block allocated to a vSwitch is /64. When you enable IPv6 for a vSwitch, you can specify a custom value to define the last eight bits of the IPv6 CIDR block of the vSwitch. |
Features
An IPv6 gateway supports the following features:
Communication within VPCs
By default, the Internet bandwidth of an IPv6 address that you apply for in a VPC is 0 Mbit/s. IPv6 addresses are used only for communication within VPCs. If you create an ECS instance that is assigned an IPv6 address in a VPC, the ECS instance can access another ECS instance that is assigned an IPv6 address in the same VPC. The ECS instance cannot use the IPv6 address to access the Internet or provide services for IPv6 clients over the Internet.
Communication over the Internet
You can purchase IPv6 Internet bandwidth for an IPv6 address of an ECS instance in a VPC. This way, the ECS instance can use the IPv6 address to access the Internet and provide services for IPv6 clients over the Internet.
You can set the IPv6 Internet bandwidth to 0 Mbit/s for an IPv6 address based on your business requirements. This way, the IPv6 address is used only for communication within VPCs.
You can configure egress-only rules for an IPv6 address of an ECS instance in a VPC. This way, the ECS instance can access the Internet, and access from IPv6 clients on the Internet is denied.
You can delete an egress-only rule based on your business requirements. After the rule is deleted, the IPv6 address for which you enable IPv6 Internet bandwidth can be used for access to the Internet, and the ECS instance assigned the IPv6 address can be accessed by IPv6 clients over the Internet.
The communication capabilities of an IPv6 address are determined by the network type, Internet bandwidth, and egress-only rules of the IPv6 address. The following table describes the communication capabilities of an IPv6 address.
Network type | Whether IPv6 Internet bandwidth is enabled | Whether an egress-only rule is configured | Communication capability |
VPC | No | No | Communication within VPCs |
Internet | Yes | No | Communication within VPCs; communication over the Internet |
Internet | Yes | Yes | Communication within VPCs; Internet access only |
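The following Python sketch is an added example, not part of the original documentation or Alibaba Cloud code. It applies the table above to an inventory of IPv6 addresses and lists the ones that IPv6 clients on the Internet can reach, grouped by the vSwitch /64 derived from the VPC /56. The VPC prefix, the inventory records, and the field names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: the VPC prefix and inventory records are made up,
# and the field names are hypothetical, not Alibaba Cloud API fields.
VPC_CIDR = ipaddress.ip_network("2001:db8:1:100::/56")
INVENTORY = [
    {"addr": "2001:db8:1:101::10", "bandwidth_mbps": 0, "egress_only": False},
    {"addr": "2001:db8:1:101::20", "bandwidth_mbps": 10, "egress_only": False},
    {"addr": "2001:db8:1:1a0::30", "bandwidth_mbps": 5, "egress_only": True},
    {"addr": "2001:db8:1:1ff::40", "bandwidth_mbps": 20, "egress_only": False},
    {"addr": "2001:db8:2:100::50", "bandwidth_mbps": 10, "egress_only": False},
]

def vswitch_cidr(vpc, index):
    """Return the /64 whose last eight prefix bits equal index (0-255)."""
    if vpc.version != 6 or vpc.prefixlen != 56:
        raise ValueError("expected an IPv6 /56 VPC CIDR block")
    if not 0 <= index <= 255:
        raise ValueError("vSwitch index must fit in eight bits")
    base = int(vpc.network_address) | (index << 64)
    return ipaddress.IPv6Network((base, 64))

def capability(record):
    """Apply the table: bandwidth and the egress-only rule decide reachability."""
    if record["bandwidth_mbps"] <= 0:
        return "vpc-only"
    return "egress-only" if record["egress_only"] else "internet-inbound-and-outbound"

def audit(vpc, inventory):
    """Group inbound-reachable addresses by vSwitch /64; list out-of-VPC records."""
    exposed, foreign = defaultdict(list), []
    for rec in inventory:
        addr = ipaddress.ip_address(rec["addr"])
        if addr not in vpc:
            foreign.append(rec["addr"])  # stale or mislabelled inventory entry
            continue
        index = (int(addr) >> 64) & 0xFF  # bits 57-64 select the vSwitch
        if capability(rec) == "internet-inbound-and-outbound":
            exposed[str(vswitch_cidr(vpc, index))].append(rec["addr"])
    return dict(exposed), foreign

if __name__ == "__main__":
    exposed, foreign = audit(VPC_CIDR, INVENTORY)
    for cidr, addrs in sorted(exposed.items()):
        print(f"{cidr}: reachable from the Internet -> {', '.join(addrs)}")
    print("not in VPC CIDR block:", foreign)
```

Addresses reported as reachable are the ones whose security group rules deserve review first, because the IPv6 gateway does not filter inbound traffic for them.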
Scenarios
Scenario 1: Enable IPv6 for a virtual private cloud (VPC) and build an isolated IPv6 environment
If you enable IPv6 for an existing VPC, the VPC supports both IPv4 and IPv6. Assign IPv6 addresses to ECS instances on which services reside. All the ECS instances are assigned both IPv4 addresses and IPv6 addresses. By default, the IPv6 addresses of the ECS instances can be used only for communication within the VPC.
ECS instances for which IPv4 and IPv6 are enabled can use IPv4 addresses or IPv6 addresses to communicate with other resources in the VPC. Communication over IPv4 and communication over IPv6 are independent of each other.
The ECS instances cannot use IPv6 addresses to access the Internet or provide services to IPv6 clients over the Internet.
Scenario 2: Enable ECS instances in a VPC to communicate with the Internet by using IPv6 addresses
After you enable IPv6 Internet bandwidth for the IPv6 addresses of the ECS instances in a VPC, the IPv6 addresses can be used for communication over the Internet. IPv6 traffic between the ECS instances in the VPC and the Internet passes through the IPv6 gateway. The IPv6 gateway processes inbound and outbound IPv6 traffic.
The ECS instances in the VPC can use IPv4 addresses to communicate with the IPv4 clients on the Internet over elastic IP addresses, Server Load Balancer (SLB) instances, and NAT gateways.
Scenario 3: Configure egress-only rules to manage IPv6 traffic
If you want an ECS instance to access IPv6 clients on the Internet while denying access initiated by IPv6 clients, you can configure an egress-only rule for the IPv6 address of the ECS instance.
This way, the ECS instance can access the Internet, but does not receive requests from the IPv6 clients.
Benefits
An IPv6 gateway provides the following benefits:
High availability
IPv6 gateways provide high availability across zones to help you develop stable IPv6 gateway services for communication over the Internet.
High performance
A single IPv6 gateway can provide 10-gigabit throughput to process a large number of requests from or to the Internet by using IPv6 addresses.
Flexible management of communication over the Internet
You can manage the Internet communication capabilities of IPv6 addresses by adjusting the Internet bandwidth and configuring egress-only rules.
Regions that support IPv6 gateways
Area | Region |
China | China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Hangzhou), China (Shanghai), China (Fuzhou - Local Region), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), and China (Hong Kong) |
Asia Pacific | Philippines (Manila), Singapore, Japan (Tokyo), South Korea (Seoul), Indonesia (Jakarta), Malaysia (Kuala Lumpur), and Thailand (Bangkok) |
Europe and Americas | US (Virginia), US (Silicon Valley), Germany (Frankfurt), and UK (London) |
Middle East | SAU (Riyadh - Partner Region). Important: The SAU (Riyadh - Partner Region) region is operated by a partner. |
IPv6 access
You can use your Alibaba Cloud account to manage and access IPv6 gateways by using one of the following methods:
IPv6 Gateway console: an interactive web interface. You can log on to the console and create, use, and delete IPv6 gateways. For more information, see Create and manage IPv6 gateways.
Alibaba Cloud SDKs: SDKs for Java, Go, PHP, Python, and other programming languages.
OpenAPI Explorer: allows you to retrieve and call API operations and dynamically generate SDK sample code.
Terraform: helps you implement version control for cloud and on-premises resources. You can use Terraform configuration files to orchestrate resources on Alibaba Cloud and other cloud service platforms that support Terraform.