NLB dual-stack instances support IP version affinity mode. When enabled, IPv4 requests are forwarded only to IPv4 backend servers, and IPv6 requests are forwarded only to IPv6 backend servers. This enables protocol-aware traffic scheduling and simplifies network architecture.
Solution Architecture
Problem Scenario
During the migration from IPv4 to IPv6, both protocols often coexist. When a server group contains backend servers with both IPv4 and IPv6 addresses, NLB by default does not differentiate between IPv4 and IPv6 client requests. Instead, it forwards traffic based solely on scheduling algorithms, such as polling or least connections.
This can result in cross-protocol forwarding. For example, an IPv6 client request might be forwarded to a backend server that supports only IPv4—or vice versa. Such mismatches cause the following issues:
Backend servers cannot retrieve the originating IP address, affecting region-based analysis and source IP–based permission control.
To retrieve the originating IP address, you must deploy an additional proxy layer—such as Nginx—and enable Proxy Protocol. This increases operational and maintenance costs.
Solutions
NLB server groups support IP version affinity mode. When enabled, they perform 4to4 and 6to6 affinity forwarding.
Backends can directly retrieve the client’s originating IP address for the corresponding protocol without requiring an additional proxy layer. If all backends for a specific protocol fail health checks, requests for that protocol are delivered on a best-effort basis among healthy backends of the same protocol. Cross-protocol forwarding does not occur.
Scope
Register a custom domain name. This topic deploys the NLB instance in the China (Shanghai) region. Therefore, the domain name requires an ICP filing.
Procedure
Before starting, ensure you have created a virtual private cloud (VPC) named VPC1 in the China (Shanghai) region. Also, create vSwitches VSW1 and VSW2 in Zone E and Zone G, respectively. Ensure IPv6 is enabled for the vSwitches.
1. Create ECS Instances and Deploy Services
Create two ECS instances according to the following table.
Instance Name | Region | VPC | vSwitch | IP Version | Runtime Image |
ecs-ipv4 | China (Shanghai) | VPC1 | VSW1 | IPv4 | Alibaba Cloud Linux 3.2104 LTS 64-bit |
ecs-ipv6 | China (Shanghai) | VPC1 | VSW2 | IPv6 | Alibaba Cloud Linux 3.2104 LTS 64-bit |
When purchasing an ECS instance, check Free IPv6 address allocation under the Networking and Security Group
Remotely connect to ecs-ipv4 and ecs-ipv6. Run the following commands to deploy the Nginx service.
ecs-ipv4:
sudo yum install -y nginx
sudo systemctl start nginx
echo "Hello from IPv4 backend" | sudo tee /usr/share/nginx/html/index.html
ecs-ipv6:
sudo yum install -y nginx
sudo systemctl start nginx
echo "Hello from IPv6 backend" | sudo tee /usr/share/nginx/html/index.html
Add inbound rules to the security groups of both ECS instances to allow request traffic. Ensure the rules have sufficiently high priority.
Instance Name | Authorization Policy | Protocol | Source | Access Purpose (This Instance) |
ecs-ipv4 | Allow | Custom TCP | After selecting IPv4, select This VPC CIDR block. | After selecting Port, select HTTP (80). |
ecs-ipv6 | Allow | Custom TCP | After selecting IPv6, select This VPC CIDR block. | After selecting Port, select HTTP (80). |
For related operations, see Purchase a custom instance, ECS remote connection operation guide, and Configure security group rules.
2. Create a Dual-Stack NLB Instance
Log on to the NLB console. Select the China (Shanghai) region. Click Create NLB.
Complete the following configurations. Keep other options at their defaults. Click Create Now:
Instance Network Type: Select Internet.
VPC: Select VPC1.
Zone: Select Zone E and Zone G, and their corresponding vSwitches VSW1 and VSW2. Then, select Automatically assign public IP.
Protocol Version: Select Dual-stack.
After creation, click the instance ID to go to the Instance Details page. In the Basic Information section, locate Network Type. To the right of IPv6: Private Network, click Change Network Type. In the dialog box that appears, click OK, and verify that the change succeeds.
3. Create a Dual-Stack Server Group and Enable Affinity Mode
On the Server Groups console, click Create Server Group.
Complete the following configurations. Click Create:
Server Group Type: Select Server Type.
Server Group Name: Enter sgp-dualstack.
VPC: Select VPC1.
Backend Server Protocol: Select TCP.
IP Protocol Version: Select IPv4/v6 Dual-stack. After selection, you can add both IPv4 and IPv6 backend servers.
IP Version Affinity Mode: Select Affinity Mode. When enabled, IPv4 requests are forwarded only to IPv4 backends, and IPv6 requests are forwarded only to IPv6 backends.
In the "The server group is created" dialog box, click Add Backend Server. In the IP column, select the IPv4 address for ecs-ipv4 and the IPv6 address for ecs-ipv6. Select both instances. Click Next.
When adding IPv6 backends in batches, click the settings icon next to the IP table header. Select Prefer IPv6. The system then prioritizes selecting the server’s IPv6 address.
In the Ports/Weights step, set the Port for both servers to 80. Click OK to complete the addition.
4. Create a Listener
On the NLB console, click the target instance ID to go to the Instance Details page. On the Listener tab, click Create Listener.
In the Configure Listener step, set Listener Protocol to TCP. Enter 80 for Listener Port. Click Next.
In the Select Server Group step, select server group sgp-dualstack. Click Next.
In the Review Configuration step, confirm the configuration. Click Submit.
5. Set Up Domain Name Resolution
Point your custom domain name to the NLB instance’s DNS name using a CNAME record. Clients access the NLB through your custom domain name.
This topic uses Alibaba Cloud DNS as an example. For domain names not registered with Alibaba Cloud, first add the domain name to the Cloud DNS console.
On the NLB console, copy the Domain Name of the target instance.
Log on to the Domain Name Resolution console. In the Actions column for the target domain name, click Settings. On the Settings page, click Add Record.
Add a CNAME record using the following information. Click OK:
Record Type: Select CNAME.
Hostname: Enter a domain name prefix, such as test. If your custom root domain is example.com, the domain name used to access the NLB is test.example.com.
Query Source and TTL: Keep the default values.
Record Value: Enter the DNS name of the NLB instance.
In the Change Resource Record Confirmation dialog box, confirm the resolution information. Click OK.
6. Verify Affinity Forwarding
When clients access a dual-stack NLB instance with IPv6 Internet capability through a custom domain name, the DNS server returns either an A record (IPv4 address) or an AAAA record (IPv6 address), depending on the client’s query type.
Test IPv4 Requests
curl -4 http://test.example.com
Make multiple requests. The returned result should always be Hello from IPv4 backend. This confirms that IPv4 requests are forwarded exclusively to the IPv4 backend ecs-ipv4.
Test IPv6 Requests
curl -6 http://test.example.com
Make multiple requests. The returned result should always be Hello from IPv6 backend. This confirms that IPv6 requests are forwarded exclusively to the IPv6 backend ecs-ipv6.
Verify Affinity Isolation
Stop the Nginx service on ecs-ipv4: sudo systemctl stop nginx.
Test IPv4 requests again. The requests will fail and will not be forwarded to the IPv6 backend ecs-ipv6.
Restart the ecs-ipv4 service: sudo systemctl start nginx. IPv4 requests will resume normal operation.
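The three manual checks in this step can be scripted so they are repeatable after every server group change. The following is an added example, not part of the original page: it assumes curl is installed, uses the page's sample hostname test.example.com, and the function and file names are hypothetical.

```shell
# Added example: scripted form of the manual curl checks in this step.
# URL defaults to the page's sample hostname; set URL to your own domain.
URL="${URL:-http://test.example.com}"

# fetch FAMILY URL: print the response body. FAMILY is 4 or 6 (curl -4 / -6).
fetch() {
    curl -s --max-time 5 "-$1" "$2"
}

# check_affinity FAMILY EXPECTED [COUNT]
# Sends COUNT requests over one IP family and classifies each outcome:
#   ok         reply body equals EXPECTED
#   unexpected some backend replied, but not with EXPECTED
#   failed     no reply at all (refused, reset or timed out)
# Returns 0 only if every reply was EXPECTED.
check_affinity() {
    family=$1 expected=$2 count=${3:-10}
    ok=0 unexpected=0 failed=0 i=0
    while [ "$i" -lt "$count" ]; do
        i=$((i + 1))
        if body=$(fetch "$family" "$URL"); then
            case $body in
                "$expected") ok=$((ok + 1)) ;;
                *) unexpected=$((unexpected + 1)) ;;
            esac
        else
            failed=$((failed + 1))
        fi
    done
    echo "ok=$ok unexpected=$unexpected failed=$failed"
    [ "$ok" -eq "$count" ]
}

# check_isolation FAMILY [COUNT]
# Run while that family's backend is stopped. Affinity holds only if every
# request fails; any reply means a request still reached some backend.
check_isolation() {
    result=$(check_affinity "$1" "__no_reply_expected__" "${2:-10}") || true
    echo "$result"
    case $result in
        "ok=0 unexpected=0 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: sh verify_affinity.sh run   (hypothetical file name)
if [ "${1:-}" = "run" ]; then
    check_affinity 4 "Hello from IPv4 backend" &&
        check_affinity 6 "Hello from IPv6 backend"
fi
```

Run check_isolation 4 after stopping Nginx on ecs-ipv4; a non-zero exit status there means IPv4 requests were still answered and affinity is not in effect.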
More information
Billing details
NLB instance: Network Load Balancer (NLB) supports two billing methods: pay-as-you-go and resource plan (subscription). For more information, see NLB Billing overview.
ECS instance: For details, see ECS Billing overview. If you create an Elastic Compute Service (ECS) instance for testing, create a low-specification, pay-as-you-go instance and release it promptly.
Domain name and DNS resolution fees: In addition to the fees from your domain name provider, you must pay for public authoritative DNS resolution when you configure DNS resolution on Alibaba Cloud.
Internet fees: You must pay fees for both the EIPs attached to the NLB instance and the IPv6 Internet bandwidth of the VPC where the instance resides.
Regions that support dual-stack NLB
Area | Region |
China | China (Hangzhou), China (Beijing), China (Shenzhen), China (Shanghai), China (Qingdao), China (Zhangjiakou), China (Chengdu), China (Guangzhou), China (Hong Kong), China (Heyuan), China (Ulanqab) |
Asia-Pacific | Thailand (Bangkok), Philippines (Manila), Singapore, Japan (Tokyo), South Korea (Seoul), Malaysia (Kuala Lumpur), Indonesia (Jakarta) |
Europe and Americas | Germany (Frankfurt), UK (London), US (Virginia), US (Silicon Valley), Mexico |
Middle East | SAU (Riyadh - Partner Region) |
Going live
High availability deployment: Deploy backend servers across multiple zones. Ensure redundancy for both IPv4 and IPv6 backends to avoid a single point of failure.
Health check configuration: Adjust the health check interval, timeout period, and threshold as needed. This ensures unhealthy servers are promptly removed.
FAQ
After I enable affinity mode, are IPv4 requests forwarded to IPv6 backends?
No. When affinity mode is enabled, IPv4 requests are forwarded only to IPv4 backends, and IPv6 requests are forwarded only to IPv6 backends. Cross-protocol forwarding is not supported.
If a server group contains only IPv4 backends, how are IPv6 requests handled?
If affinity mode is disabled, NLB can transform IPv6 requests into IPv4 requests and forward them to the backends. If affinity mode is enabled, IPv6 requests cannot be forwarded. In this scenario, ensure your NLB instance has both healthy IPv4 and IPv6 backends.
Can I change the IP protocol version of an existing server group?
No. You cannot change the IP protocol version (IPv4 or IPv4/v6 dual-stack) of a server group after it is created. To make a change, delete the server group and create a new one.
Can I change the IP version affinity mode of an existing server group?
Yes. In the Server Group console, locate the dual-stack server group and click Modify Basic Information in the Actions column.
Can I associate a dual-stack server group with an IPv4 NLB instance?
No. A dual-stack server group can be associated only with listeners of a dual-stack NLB instance.