Allow resources in an IPv6 VPC to access external IPv6 addresses - IPv6 Gateway

If you want resources in your Virtual Private Cloud (VPC) with an IPv6 CIDR block to communicate with external IPv6 addresses over the Internet, you can create a resource with an IPv6 address in the VPC and enable IPv6 Internet bandwidth for the IPv6 address on the IPv6 Gateway. This topic describes how to allow an Elastic Compute Service (ECS) instance in a VPC to communicate with external IPv6 addresses over the Internet.

Scenarios

Due to the business growth, Company A needs to allow ECS01 to communicate with external IPv6 addresses over the Internet.

To implement this feature, Company A can create a VPC with an IPv6 CIDR block. After Company A configures an IPv6 CIDR block for the VPC, the system automatically creates an IPv6 Gateway for the VPC. By default, the IPv6 address assigned to ECS01 in the VPC can be used only for communication within private networks. To allow for Internet communication, you can enable IPv6 Internet bandwidth for the IPv6 address on the IPv6 Gateway page. This way, ECS01 in the VPC can communicate with external IPv6 addresses over the Internet.

Note

If you want to use a VPC to deploy your business, you must plan networks.

Billing

You are charged for enabling Internet bandwidth for an IPv6 address.IPv6 Gateway For more information, see Billing rules.
You are not charged for enabling IPv6 for a VPC or a vSwitch.
You are not charged for creating an IPv6 Gateway.

Procedure

Step 1: Create a VPC and a vSwitch with IPv6 CIDR blocks

Create a VPC and a vSwitch with IPv6 CIDR blocks assigned by the system.

Log on to the VPC console.
In the top navigation bar, select the region where you want to create the VPC. In this example, China (Hangzhou) is selected.
On the VPCs page, click Create VPC.

On the Create VPC page, specify the parameters that are described in the following table and click OK. The following section describes the parameters that are related to this topic. For more information, see Enable IPv6 for a VPC.

Note

In this example, Assign BGP (Multi-ISP) is selected for the IPv6 CIDR Block parameter. After you create the VPC, the system automatically assigns an IPv6 CIDR block whose subnet mask is /56 to the VPC and creates an IPv6 gateway. You can use the IPv6 gateway to control IPv6 traffic over the Internet. For more information, see What is an IPv6 gateway?

Parameter	Description
VPC
IPv4 CIDR Block	Enter the primary IPv4 CIDR block of the VPC. In this example, 192.168.0.0/16 is entered.
IPv6 CIDR Block	Specify whether to assign an IPv6 CIDR block to the VPC. In this example, Assign BGP (Multi-ISP) is selected.
vSwitch
Zone	Select a zone for the vSwitch from the drop-down list. In this example, Hangzhou Zone H is selected.
IPv4 CIDR Block	Enter an IPv4 CIDR block for the vSwitch. In this example, 192.168.24.0/24 is entered.
IPv6 CIDR Block	Enter an IPv6 CIDR block for the vSwitch. By default, the subnet mask of the IPv6 CIDR block for the vSwitch is /64. You can enter a decimal number from 0 to 255 to define the last 8 bits of the IPv6 CIDR block.

(Optional): If you need to add more vSwitches for the VPC, click Add below the vSwitch section and set the parameters.
When you create a VPC, you can create up to 10 vSwitches.
Click OK.

Step 2: Create an ECS instance

After you create a VPC and a vSwitch with IPv6 CIDR blocks, you need to create an ECS instance that is assigned an IPv6 address in the VPC. In this topic, a new ECS instance is created. You can also assign an IPv6 address to an existing ECS instance. For more information, see the Step 2: Assign an IPv6 address section of the Configure an IPv6 address for an ECS instance topic.

In the left-side navigation pane, click vSwitch. The region where the instance resides. In this example, China (Hangzhou) is used.
On the vSwitch page, find the vSwitch that you want to manage and choose Add Cloud Service > ECS Instance in the Actions column.
On the Custom Launch tab of the ECS instance buy page, specify the parameters and complete the payment.ECS
The following section describes the parameters that are related to this topic. For more information, see Create an instance on the Custom Launch tab.
- Quantity: Enter 1.
- IPv6: Select Assign IPv6 Address Free of Charge.
Note
For more information about ECS instance types that support IPv6, see Overview of instance families.
Click Create Order and complete the payment. You can view the created ECS instance on the Instance page in the ECS console.
Click the instance ID, change the instance name to ECS01, and view the assigned IPv6 address.

Step 3: Enable IPv6 Internet bandwidth for the IPv6 address assigned to the ECS instance

You cannot enable IPv6 Internet bandwidth for all IP addresses within the IPv6 CIDR block. You can enable IPv6 Internet bandwidth only for the IPv6 address assigned to the ECS instance.

Log on to the IPv6 Gateway console.
Select the region where the IPv6 gateway resides. In this example, China (Hangzhou) is selected.
On the IPv6 Gateway page, click the ID of the desired IPv6 gateway.
On the details page of the IPv6 gateway, click the IPv6 Internet Bandwidth tab, find the IPv6 address for which you want to enable IPv6 Internet bandwidth, and then click Activate Internet Bandwidth in the Actions column.

On the IPv6 Internet Bandwidth (PostPay) page, specify the parameters that are described in the following table, click Buy Now, and then complete the payment.

Parameter	Description
Traffic	Select a billing method for the Internet bandwidth. Valid values: Pay-By-Bandwidth and Pay-By-Data-Transfer. In this example, By traffic is selected.
Bandwidth	Specify a maximum bandwidth value for the Internet bandwidth. In this example, the default value 5 Mbps is used.
Billing Cycle	Select a billing cycle for the Internet bandwidth. In this topic, the billing cycle is displayed as Hourly by default.

On the Confirm Order page, confirm the information about the Internet bandwidth, read and agree to Terms of Service, and then click Activate Now.

Step 4: Configure security group rules

You need to check whether the current security group rules support your IPv6 services. If the current security group rules do not support your IPv6 services, configure IPv6 security group rules for ECS01. For more information about how to configure security group rules and common cases, see Guidelines for using security groups and use cases. We recommend that you configure the following security group rules:

An inbound rule that allows ICMPv6 traffic to support operations such as running the ping6 command on ECS instances.
An inbound rule that allows traffic on SSH port 22 and Remote Desktop Protocol (RDP) port 3389 to access ECS instances, and that allows traffic on HTTP port 80 and HTTPS port 443 to access the web services provided by ECS instances.

Log on to the ECS console.
In the left-side navigation pane, choose Network & Security > Security Groups.
In the top navigation bar, select a region in the upper-left corner. In this example, China (Hangzhou) is selected.
Find the security group that you want to manage and click Manage Rules in the Operation column.
Enable ICMP for all IPv4 addresses and IPv6 addresses.

Step 5: Test network connectivity

After you complete the preceding operations, ECS 01 in the VPC can communicate with external IPv6 addresses over the Internet by using the IPv6 Gateway. You can perform the following operations to test the network connectivity between ECS01 and external IPv6 addresses.VPC

Note

In this example, ECS01 in the VPC runs the Alibaba Cloud Linux 3.2104 64-bit operating system. For more information about how to use the ping6 command in other operating systems, see the manual of the operating system that you use.
Before you access ECS01 in the VPC from an external client over IPv6, make sure that the client supports IPv6. You can enter http://test-ipv6.com/ in the address bar of a browser on your client to check whether the client supports IPv6.

Log on to ECS01 remotely. For more information, see Connection method overview.
Run the following command on ECS01 to check whether the ECS instance can access an IPv6 address over the Internet.
```
ping -6 aliyun.com
```
If ECS01 can receive ICMPv6 echo reply packets, the connection is established. The test result shows that ECS01 can access an IPv6 address over the Internet.

Step 6: (Optional) Delete IPv6 Internet bandwidth

If you no longer need the IPv6 address assigned to the ECS instance to access the Internet, you can delete the corresponding IPv6 Internet bandwidth. The billing stops after IPv6 Internet bandwidth is deleted.

On the IPv6 Gateway page, click the ID of the desired IPv6 gateway.
On the details page of the IPv6 gateway, click the IPv6 Internet Bandwidth tab, find the IPv6 address for which you want to disable IPv6 Internet bandwidth, and then click Delete Internet Bandwidth in the Actions column.
In the Delete IPv6 Internet Bandwidth message, click OK.
Warning
After the Internet bandwidth of the IPv6 address is deleted, the IPv6 gateway cannot be used for communication over the Internet. Exercise caution when you delete the Internet bandwidth.

FAQ

How do I restart an IPv6 gateway?

IPv6 gateways cannot be restarted. You can restart an ECS instance that has an IPv6 address without affecting your business. For more information, see Restart an ECS instance.

References

Operation references:
- After you create an egress-only rule for an IPv6 address, an ECS instance in a VPC for which IPv6 is enabled can use the IPv6 address to access IPv6 clients over the Internet. The ECS instance denies access from IPv6 clients over the Internet. For more information, see Create and manage an egress-only rule.
- If a VPC with IPv6 enabled no longer requires IPv6, you can disable IPv6 for the VPC. For more information, see Create and manage a VPC.
API references:
- CreateIpv6Gateway: creates an IPv6 gateway.
- DeleteIpv6InternetBandwidth: deletes Internet bandwidth from an IPv6 address.
- DeleteIpv6Gateway: deletes an IPv6 gateway.