
IPv6 Gateway: Network security

Last Updated: Apr 30, 2024

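After you enable Internet bandwidth for an IPv6 address, you can limit its exposure in two ways: set the Internet bandwidth to 0 Mbit/s so that the address is used only for communication within VPCs, or create an egress-only rule so that the address can access the Internet while requests from IPv6 clients are dropped. This ensures that cloud resources can access each other in a safe manner.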

Configure a VPC for IPv6 communication

  • After you enable IPv6 for a virtual private cloud (VPC), an IPv6 address of a cloud service instance in the VPC can be used only for communication over IPv6 in the VPC by default.

  • If you have enabled Internet bandwidth for the IPv6 address, you can set the Internet bandwidth of the IPv6 address to 0 Mbit/s based on your business requirements. This way, the IPv6 address is used only for communication within VPCs.

The VPC can be accessed only by authorized users, which improves data security. For more information, see Enable IPv6 for a VPC and the Modify the maximum bandwidth value section of the Enable and manage IPv6 Internet bandwidth topic.

Create an egress-only rule to control traffic

You can create an egress-only rule for an IPv6 address of an IPv6 gateway in the VPC console. With the rule in place, the IPv6 address can still be used to access the Internet, but requests that IPv6 clients send to the address are dropped by the IPv6 gateway. For more information, see Create and manage an egress-only rule.

Mitigate DDoS attacks

Distributed denial-of-service (DDoS) attacks are cyberattacks against targeted systems that cause services to become unavailable to users. Alibaba Cloud provides Anti-DDoS Origin Basic free of charge for public IPv6 addresses. It can mitigate DDoS attacks of 5 Gbit/s or lower.

By default, Anti-DDoS Origin Basic is enabled for public IPv6 addresses. All traffic from the Internet must pass through Alibaba Cloud Security before the traffic reaches a public IPv6 address. Alibaba Cloud Security scrubs the traffic to mitigate common attacks. For more information, see What is an Anti-DDoS Origin paid edition?

Note

If the amount of Internet traffic to a cluster exceeds the capacity of Anti-DDoS, the traffic is routed to a blackhole to protect the cluster. In this case, all traffic is blocked. For more information about the default thresholds that trigger blackhole filtering in Anti-DDoS Origin Basic in each region, see View the thresholds that trigger blackhole filtering in Anti-DDoS Origin Basic. The thresholds that trigger blackhole filtering for public IPv6 addresses are determined by the region and bandwidth. The data displayed on the Assets page of the Traffic Security console takes precedence.