IPv6 gateways route IPv6 traffic to and from virtual private clouds (VPCs). By default, an IPv6 address is used only for communication within VPCs. To use an IPv6 address for communication over the Internet, enable IPv6 Internet bandwidth for the address on an IPv6 gateway in the VPC console. In addition, you can configure egress-only rules so that the IPv6 address can access the Internet but cannot be accessed from the Internet.
Terms
Term | Description |
IPv6 address | An IPv6 address is allocated to an instance in a VPC by the system. An IPv6 address is made of 128 binary bits that are divided into eight 16-bit groups separated by colons (:). Each group is represented as a 4-digit hexadecimal number. Example: 2001:db8:1:1:1:1:1:1 |
IPv6 gateway | IPv6 gateways serve as key components that connect Elastic Compute Service (ECS) instances in VPCs to the Internet by using IPv6 addresses. You can use IPv6 gateways to manage IPv6 Internet bandwidth and configure egress-only rules. |
IPv6 Internet bandwidth | Whether IPv6 Internet bandwidth is enabled for an IPv6 address determines whether the address can be used for communication over the Internet. You must enable IPv6 Internet bandwidth for an IPv6 address before the address can be used for communication over the Internet. |
egress-only rule | An IPv6 gateway uses an egress-only rule to implement egress control for IPv6 traffic. After you configure an egress-only rule for an IPv6 address, the IPv6 gateway allows only outbound traffic to the Internet over the IPv6 address. |
IPv6 CIDR block of a VPC | An IPv6 CIDR block whose subnet mask is /56 is automatically allocated to a VPC by the system after IPv6 is enabled for the VPC. |
IPv6 CIDR block of a vSwitch | By default, the subnet mask of an IPv6 CIDR block allocated to a vSwitch is /64. When you enable IPv6 for a vSwitch, you can specify a custom value to define the last eight bits of the IPv6 CIDR block of the vSwitch. |
Features
An IPv6 gateway supports the following features:
Communication within VPCs
By default, the Internet bandwidth of an IPv6 address that you apply for in a VPC is 0 Mbit/s, and the IPv6 address is used only for communication within VPCs. If you create an ECS instance that is assigned an IPv6 address in a VPC, the ECS instance can access another ECS instance that is assigned an IPv6 address in the same VPC. The ECS instance cannot use the IPv6 address to access the Internet or provide services for IPv6 clients over the Internet.
Communication over the Internet
You can purchase IPv6 Internet bandwidth for an IPv6 address of an ECS instance in a VPC. This way, the ECS instance can use the IPv6 address to access the Internet and provide services for IPv6 clients over the Internet.
You can set the IPv6 Internet bandwidth to 0 Mbit/s for an IPv6 address based on your business requirements. This way, the IPv6 address is used only for communication within VPCs.
You can configure egress-only rules for an IPv6 address of an ECS instance in a VPC. This way, the ECS instance can access the Internet, and access from IPv6 clients on the Internet is denied.
You can delete an egress-only rule based on your business requirements. After the rule is deleted, the IPv6 address for which you enable IPv6 Internet bandwidth can be used for access to the Internet, and the ECS instance assigned the IPv6 address can be accessed by IPv6 clients over the Internet.
The communication capabilities of an IPv6 address are determined by the network type, Internet bandwidth, and egress-only rules of the IPv6 address. The following table describes the communication capabilities of an IPv6 address.
Network type | Whether IPv6 Internet bandwidth is enabled | Whether an egress-only rule is configured | Communication capability |
VPC | No | No | Communication within VPCs |
Internet | Yes | No | Communication within VPCs; communication over the Internet |
Internet | Yes | Yes | Communication within VPCs; only access to the Internet is allowed |
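The capability table above and the /56 VPC and /64 vSwitch CIDR definitions in the Terms section can be combined into an exposure audit. The following Python sketch is an added example, not part of the original documentation or any vendor SDK. The inventory records, field names, vSwitch names, and capability labels are hypothetical and constructed for illustration.

```python
import ipaddress

# Constructed sample data; field names and capability labels are hypothetical.
VPC_CIDR = "2001:db8:1:100::/56"
VSWITCHES = {"vsw-app": 0x0A, "vsw-batch": 0x0B}  # custom 8-bit values
INVENTORY = [
    {"instance": "web-1", "address": "2001:db8:1:10a::10", "bandwidth_mbps": 100, "egress_only": False},
    {"instance": "batch-1", "address": "2001:db8:1:10b::20", "bandwidth_mbps": 50, "egress_only": True},
    {"instance": "db-1", "address": "2001:db8:1:10b::30", "bandwidth_mbps": 0, "egress_only": False},
    {"instance": "stray-1", "address": "2001:db8:1:1ff::5", "bandwidth_mbps": 10, "egress_only": False},
]


def vswitch_cidr(vpc_cidr, custom_value):
    """Derive a vSwitch /64 from the VPC /56 and the custom 8-bit value."""
    vpc = ipaddress.IPv6Network(vpc_cidr)
    if vpc.prefixlen != 56:
        raise ValueError("VPC IPv6 CIDR block must be a /56")
    if not 0 <= custom_value <= 0xFF:
        raise ValueError("custom value must fit in eight bits")
    # Bits 57-64 pick the vSwitch, so shift the value past the 64 interface bits.
    return ipaddress.IPv6Network((int(vpc.network_address) | (custom_value << 64), 64))


def capability(bandwidth_mbps, egress_only):
    """Apply the capability table: bandwidth first, then the egress-only rule."""
    if bandwidth_mbps == 0:
        return "vpc-only"
    return "egress-only" if egress_only else "internet-bidirectional"


def audit(vpc_cidr, vswitches, inventory):
    """Return (instance, vSwitch or None, capability) for each inventory record."""
    nets = {name: vswitch_cidr(vpc_cidr, value) for name, value in vswitches.items()}
    rows = []
    for rec in inventory:
        addr = ipaddress.IPv6Address(rec["address"])
        owner = next((name for name, net in nets.items() if addr in net), None)
        rows.append((rec["instance"], owner, capability(rec["bandwidth_mbps"], rec["egress_only"])))
    return rows


def inbound_exposed(rows):
    """Instances that IPv6 clients on the Internet can reach."""
    return [inst for inst, _, cap in rows if cap == "internet-bidirectional"]


if __name__ == "__main__":
    for row in audit(VPC_CIDR, VSWITCHES, INVENTORY):
        print(row)
```

An address that maps to no known vSwitch (owner `None`) while still having Internet bandwidth enabled is worth reviewing first, because it is reachable from the Internet but missing from the expected network layout.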
Scenarios
Scenario 1: Enable IPv6 for a VPC and build an isolated IPv6 environment
If you enable IPv6 for an existing VPC, the VPC supports both IPv4 and IPv6. Assign IPv6 addresses to ECS instances on which services reside. All the ECS instances are assigned both IPv4 addresses and IPv6 addresses. By default, the IPv6 addresses of the ECS instances can be used only for communication within the VPC.
ECS instances for which IPv4 and IPv6 are enabled can use IPv4 addresses or IPv6 addresses to communicate with other resources in the VPC. Communication over IPv4 and communication over IPv6 are independent of each other. The ECS instances cannot use IPv6 addresses to access the Internet or provide services to IPv6 clients over the Internet.
Scenario 2: Enable ECS instances in a VPC to communicate with the Internet by using IPv6 addresses
After you enable IPv6 Internet bandwidth for the IPv6 addresses of the ECS instances in a VPC, the IPv6 addresses can be used for communication over the Internet. IPv6 traffic between the ECS instances in the VPC and the Internet passes through the IPv6 gateway. The IPv6 gateway processes inbound and outbound IPv6 traffic.
The ECS instances in the VPC can use IPv4 addresses to communicate with the IPv4 clients on the Internet over elastic IP addresses, Server Load Balancer (SLB) instances, and NAT gateways.
Scenario 3: Configure egress-only rules to manage IPv6 traffic
If you want an ECS instance to access IPv6 clients on the Internet but deny access from those IPv6 clients, you can configure an egress-only rule for the IPv6 address of the ECS instance.
This way, the ECS instance can access the Internet but does not receive requests from IPv6 clients.
Benefits
An IPv6 gateway provides the following benefits:
High availability
IPv6 gateways provide high availability across zones to help you develop stable IPv6 gateway services for communication over the Internet.
High performance
A single IPv6 gateway can provide 10-gigabit throughput to process a large number of requests from or to the Internet by using IPv6 addresses.
Flexible management of communication over the Internet
You can manage the Internet communication capabilities of IPv6 addresses by adjusting the Internet bandwidth and configuring egress-only rules.