Don't think about the difficulty Let's try to connect easy to IPv6 network with AWS

1. AWS AS A WEEKEND HOBBY Don't think about the difficulty Let's try to connect easy to IPv6 network with AWS

2. Kazuo Namba＠JAWS-UG Okayama RHIZOME CO.,LTD Twitter:@kazu_0  Occupation  System Administrator  In charge of cloud and On-Premises Infrastructure  Certification  Chief Telecommunications Engineer Transmissionand Switching and Line Engineer  On-The-Ground I-Category Special Radio Operator  Technical Engineer Network My favorite AWS Service ：Transit Gateway/VPC/DX ：Global Accelerator

3. IPV4/IPV6 DUAL STACK • Since it was released about Decade, have you ever used VPC function that IPv4 and IPv6 dual stack? • Let's consider about use case for IPv6 solution on the AWS environment.

4. IPV4/IPV6 DUAL STACK • Since it was released about Decade, have you ever used VPC function that IPv4 and IPv6 dual stack? Elastic Load Balancing – IPv6, Zone Apex Support, Additional Security | AWS News Blog (amazon.com)

5. IPV4/IPV6 DUAL STACK • World IPv6 Day IPv6が本格的に展開していくことに弾みをつけるための試みとして、Internet Society (ISOC)が2011年6月8日の1日だけ、サービス事業者が一斉にIPv6を有効化してみることを呼びかけたのがWorld IPv6 Dayです As an attempt to give momentum to the full-scale deployment of IPv6, the Internet Society (ISOC) held World IPv6 Day on June 8, 2011, to encourage service providers to enable IPv6 simultaneously for one day. https://www.worldipv6launch.org/ https://blog.nic.ad.jp/2021/6406/

6. IPV4/IPV6 DUAL STACK • Let's consider about use case to IPv6 solution on the AWS environment below 2 cases • Internet-facing Application Load Balancer • Site to Site VPN connectivity with AWS Transit Gateway

9. Elastic Beanstalk container deployment deployment EC2 compute container certificate manager EC2 compute container 5. Route 53 festa-ghost.us-west-2.elasticbeanstalk.com ↓ festa2017.std-adhocracy.net AWS ElasticBeanstalk ELB Health Cheack Type (slideshare.net) 1. VPC 172.22.218.0/24 2600:1f14:260:1d00::/56 2. Subnet 172.22.218.64/26 2600:1f14:260:1d10::/64 2. Subnet 172.22.218.128/26 2600:1f14:260:1d11::/64 1. Configure VPC for dual stack 2. Configure subnet for dual stack 3. Configure internet connectivity by adding the default routes for IPv4 and IPv6 in pubic subnet 4. Configure Application Load Balancer (ALB)for dual stack 5. Configure DNS resolution for application endpoints with route53. 4. Application Load Balancer INTERNET-FACING APPLICATION LOAD BALANCER 3. route table

14. • VPC IPv6 setting is very simple • Action - Edit CIDRｓ • Add new IPｖ６ CIDR • you can get /56 IPv6 prefix 1. CONFIGURE VPC FOR DUAL STACK

15. • VPC IPv6 setting is very simple • Action - Edit CIDRｓ • Add new IPｖ６ CIDR • you can get /56 IPv6 prefix 1. CONFIGURE VPC FOR DUAL STACK

16. • What’s /56 prefix address like? • can create 256 subnets what have 64 power of 2 = 1844,6744,0737,0955,1616 address • 1844京6744兆0737億0955万1616 1. CONFIGURE VPC FOR DUAL STACK

17. • Subnet IPv6 setting is very simple same as VPC • Action - Edit IPv6 CIDRｓ • Add IPｖ６ CIDR 2. CONFIGURE SUBNET FOR DUAL STACK

18. • Subnet ipv6 setting is very simple same as VPC • you can set up /64 IPv6 prefix subnet in to the /56 VPC IPv6 prefix network 2. CONFIGURE SUBNET FOR DUAL STACK

19. • Internet-facing VPC Route Tables Setting • set up the IPｖ６ default Route (::/0) to internet gateway 3. CONFIGURE ROUTE TABLE

20. • VPC Route Tables Setting When you want to permit only outbound traffic, recommendation is using Egress-only internet gateways 3. CONFIGURE ROUTE TABLE

21. • in the case of creating a new ELB • Edit IP address type • please choose dualstack 4. APPLICATION LOAD BALANCER (ALB) FOR DUAL STACK

22. • setting change existing ELB • Action - Edit IP address type • please choose dualstack 4. APPLICATION LOAD BALANCER (ALB) FOR DUAL STACK

23. • setting change existing ELB • Action - Edit IP address type • please choose dualstack 4. APPLICATION LOAD BALANCER (ALB) FOR DUAL STACK

24. > Resolve-DnsName -name Oreg-VPC218-alb-511053037.us-west- 2.elb.amazonaws.com Name Type TTL Section IPAddress ---- ---- --- ------- --------- Oreg-VPC218-alb-511053037.us-west-2.elb.amazon AAAA 60 Answer 2600:1f14:260:1d10:90c0:cae5:77ff:6cb3 aws.com Oreg-VPC218-alb-511053037.us-west-2.elb.amazon A 60 Answer 44.240.137.147 aws.com 4. APPLICATION LOAD BALANCER (ALB) FOR DUAL STACK

25. • ELB Security Group Setting • Plese set up port range what you want to permit e.g. HTTP（８０） ::/0 HTTPS（４４３） ::/0 4. APPLICATION LOAD BALANCER (ALB) FOR DUAL STACK

26. • Record type - AAAA • you can set up alias record to target that routing traffic to ELB 5. DNS RESOLUTION FOR APPLICATION ENDPOINTS WITH ROUTE53

29. VPN CONNECTIVITY WITH AWS TRANSIT GATEWAY AWS Cloud 1.Transit Gateway 2.Customer gateway VPC A Corporate data center VPN connection for ipv6 VPC B 1. Configure Transit gateway attachment for dual stack Site to Site VPN The outer IP addresses of the Site to Site VPN connections are public IPv4 addresses One of the VPN tunnels is configured with inner IPv6 addresses, and routes IPv6 traffic The other VPN tunnel is configured with inner IPv4 addresses, routes IPv4 traffic 2. Set up Customer gateway 3. Set up route table for transit gateway and each VPC attachments Site to Site VPN connections VPN connection for ipv4 3.VPC Route table 2600:1f14:aff:e000::/56 2001:db8:1::1/64 fd86:84f6:c9a2:c471:de4d:507f:a5ec:3c7c/126 3.TGW Route table 3.VPC Route table

30. • Route Table • Transit gateway route table and VPC route table • Transit gateway can has some route table like VRF. • (I won't explain this session.) • Attachments • Connection point to Transit Gateway from VPC/VPN/DX-GW • Associations • Propagations TRANSIT GATEWAY ATTACHMENT AND ROUTE TABLE

33. VPN CONNECTIVITY WITH AWS TRANSIT GATEWAY AWS Cloud 1.Transit Gateway 2.Customer gateway VPC A Corporate data center VPN connection for ipv6 VPC B Site to Site VPN connections VPN connection for ipv4 3.VPC Route table 2600:1f14:aff:e000::/56 2001:db8:1::1/64 fd86:84f6:c9a2:c471:de4d:507f:a5ec:3c7c/126 3.TGW Route table 3.VPC Route table 1. Configure Transit gateway attachment for dual stack Site to Site VPN The outer IP addresses of the Site to Site VPN connections are public IPv4 addresses One of the VPN tunnels is configured with inner IPv6 addresses, and routes IPv6 traffic The other VPN tunnel is configured with inner IPv4 addresses, routes IPv4 traffic 2. Set up Customer gateway 3. Set up route table for transit gateway and each VPC attachments

39. • you can't set up site to site VPN ipv6 support via Transit gateway attachment menu 1.CONFIGURE TRANSIT GATEWAY ATTACHMENT FOR DUAL STACK SITE TO SITE VPN

40. • you can't set up site to site VPN ipv6 support via Transit gateway attachment menu 1.CONFIGURE TRANSIT GATEWAY ATTACHMENT FOR DUAL STACK SITE TO SITE VPN

41. • for that reason please set up from Site-to-Site VPN Connections menu 1.CONFIGURE TRANSIT GATEWAY ATTACHMENT FOR DUAL STACK SITE TO SITE VPN

42. • for that reason please set up from Site-to-Site VPN Connections menu 1.CONFIGURE TRANSIT GATEWAY ATTACHMENT FOR DUAL STACK SITE TO SITE VPN

43. • RTX Static route sample ikev2/nat-t 2.CUSTUMER GATEWAY CONFIG ip route default gateway 10.1.0.254 ipv6 routing on ipv6 route default gateway tunnel 1 ipv6 prefix 1 2001:db8:1::/64 ip lan1 address 10.1.100.61/16 ipv6 lan1 address 2001:db8:1::1/64 • The outer address of the IPSec tunnel is IPv4, so set the default route to IPv4 internet gateway. • IPv6 default route is configured to the virtual tunnel interface.

44. • RTX Static route sample ikev2/nat-t 2.CUSTUMER GATEWAY CONFIG tunnel select 1 ipsec tunnel 201 ipsec sa policy 201 1 esp aes256-cbc sha256-hmac ipsec ike version 1 2 ipsec ike duration ipsec-sa 1 3600 ipsec ike duration isakmp-sa 1 28800 ipsec ike encryption 1 aes256-cbc ipsec ike group 1 modp1536 ipsec ike hash 1 sha256 ipsec ike keepalive log 1 on ipsec ike keepalive use 1 on rfc4306 10 3 ipsec ike local name 1 10.1.100.61 ipv4-addr ipsec ike nat-traversal 1 on type=2 ipsec ike pfs 1 on ipsec ike message-id-control 1 on ipsec ike pre-shared-key 1 text tunnel1-Pre-Shared Key ipsec ike remote address 1 52.33.151.55 ipsec ike remote name 1 52.33.151.55 ipv4-addr ipsec ike negotiation receive 1 off ipsec auto refresh 1 on ipsec tunnel outer df-bit clear tunnel backup tunnel 2 switch-interface=on ip tunnel tcp mss limit auto ipv6 tunnel address fd86:84f6:c9a2:c471:de4d:507f:a5ec:3c7e/126 tunnel enable 1 subnet fd86:84f6:c9a2:c471:de4d:507f:a5ec:3c7c/126 AWS side fd86:84f6:c9a2:c471:de4d:507f:a5ec:3c7d/126 CGW side fd86:84f6:c9a2:c471:de4d:507f:a5ec:3c7e/126

45. • Site-to-Site VPN Connection (Static route) 2.CUSTUMER GATEWAY CONFIG When the Customer Gateway configuration is complete, the connection status will be Up as shown in the figure.

46. • Transit gateway route table 3.SET UP ROUTE TABLE FOR TRANSIT GATEWAY AND EACH VPC ATTACHMENTS Configure the IPv6 route to the on-premises network via Transit Gateway VPN attachment.

47. 5.SET UP ROUTE TABLE FOR TRANSIT GATEWAY AND EACH VPC ATTACHMENTS • VPC route table need to set up static route to On-Pre to VPC route table because ,it does not registered automatic.

48. Transit Gateway Destination Target 2600:1f13:964:c100::/56 TGW 2001:db8:1:0:0:0:0:0/64 TGW 2600:1f14:aff:e000::/56 local VPC-A Route table Attachments A Attachments VPN Destination Target ::/0 TGW 2001:db8:1:0:0:0:0:0/64 local On-prem Route table TGW route table Associations Propagations Up_till_Down-tgw-rt VPC-A, VPC- B,VPN VPC-A, VPC-B,VPN Attachments B TRANSIT GATEWAY ATTACHMENT AND ROUTE TABLE VPC-B Route table Destination Target 2600:1f14:aff:e000::/56 TGW 2001:db8:1:0:0:0:0:0/64 TGW 2600:1f13:964:c100::/56 local

49. AWS AS A WEEKEND HOBBY • Summaｒｙ • Internet-facing Application Load Balancer • Site to Site VPN connectivity with AWS Transit Gateway • Reference • IPv6 Reference Architectures for AWS and Hybrid Networks (awsstatic.com)

50. AWS as a weekend hobby Don't think about the difficulty Let's try to connect easy to IPv6 network with AWS

Don't think about the difficulty Let's try to connect easy to IPv6 network with AWS

More Related Content

What's hot (7)

Similar to Don't think about the difficulty Let's try to connect easy to IPv6 network with AWS (20)

More from Namba Kazuo (7)

Recently uploaded (20)

Don't think about the difficulty Let's try to connect easy to IPv6 network with AWS