
IPv6 Gateway: Allow an ECS instance in a VPC to communicate with external IPv6 clients over the Internet

Last Updated: Apr 09, 2024

This topic describes how to allow an Elastic Compute Service (ECS) instance in a virtual private cloud (VPC) to communicate with external IPv6 clients over the Internet. You can create an ECS instance configured with an IPv6 address in a VPC with an IPv6 CIDR block. Then, you can enable IPv6 Internet bandwidth for the IPv6 address on the details page of the IPv6 gateway. This allows the ECS instance in the VPC to communicate with external IPv6 clients over the Internet.

Regions that support IPv6 gateways

Regions by area:

  • China: China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Hangzhou), China (Shanghai), China (Fuzhou - Local Region), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), and China (Hong Kong)

  • Asia Pacific: Philippines (Manila), Singapore, Japan (Tokyo), South Korea (Seoul), Indonesia (Jakarta), Malaysia (Kuala Lumpur), and Thailand (Bangkok)

  • Europe and Americas: US (Virginia), US (Silicon Valley), and Germany (Frankfurt)

  • Middle East: SAU (Riyadh - Partner Region)

Important

The SAU (Riyadh) region is operated by a partner.

Scenarios

The following figure shows the sample scenario in this topic. Due to business growth, Company A needs to allow ECS 01 in the VPC and external IPv6 clients to access each other over the Internet.

To implement this feature, Company A can create a VPC with an IPv6 CIDR block. After Company A configures an IPv6 CIDR block for the VPC, the system automatically creates an IPv6 gateway for the VPC. By default, the IPv6 address assigned to ECS 01 in the VPC can be used only for communications within private networks. To allow for Internet communication, you can enable IPv6 Internet bandwidth for the IPv6 address on the IPv6 Gateway page. This way, ECS 01 in the VPC and external IPv6 clients can access each other over the Internet.

image

Billing

  • You are charged for enabling Internet bandwidth for an IPv6 address. For more information, see Billing rules.

  • You are not charged for enabling IPv6 for a VPC or a vSwitch.

  • You are not charged for creating an IPv6 gateway.

Prerequisites

Before you use cloud resources in a VPC, you must plan your networks. For more information, see Plan networks.

Procedure


The following section describes the general procedure.

  1. Step 1: Create a VPC and a vSwitch with IPv6 CIDR blocks

    Before you assign an IPv6 address to an ECS instance, you must create a VPC and a vSwitch with IPv6 CIDR blocks.

  2. Step 2: Create an ECS instance

    You need to assign an IPv6 address to the ECS instance that you create.

  3. Step 3: Enable IPv6 Internet bandwidth for the IPv6 address assigned to the ECS instance

    By default, the IPv6 address that you assign to the ECS instance only supports communications within VPCs. If you want to allow traffic to be routed to or from the IPv6 address over the Internet, you must enable Internet bandwidth for the IPv6 address.

  4. Step 4: Configure the IPv6 address for the ECS instance

    You must configure the IPv6 address for the network interface controller (NIC) of the ECS instance. This way, the IPv6 address can be identified and takes effect in the system of the instance.

  5. Step 5: Configure security group rules

    You can add security group rules to allow or deny access to or from the ECS instances within the security group over the Internet or private networks. For more information about common use cases, see Security groups for different use cases.

  6. Step 6: Test the network connectivity

    You can log on to the ECS instance to test the network connectivity to ensure that the configured IPv6 address can access the Internet.

  7. (Optional) Step 7: Delete IPv6 Internet bandwidth

    If you no longer need the IPv6 address assigned to the ECS instance to access the Internet, you can delete the corresponding IPv6 Internet bandwidth.

Step 1: Create a VPC with an IPv6 CIDR block and create a vSwitch

  1. Log on to the VPC console.

  2. In the top navigation bar, select the region where you want to create the VPC. In this example, China (Hangzhou) is selected.

  3. On the VPC page, click Create VPC.

  4. On the Create VPC page, set the following parameters and click OK.

    Note

    In this example, Assign (Alibaba Cloud) is selected for the IPv6 CIDR Block parameter. After the VPC is created, the system automatically assigns a /56 IPv6 CIDR block to the VPC and creates an IPv6 gateway. You can use the IPv6 gateway to control IPv6 traffic. For more information, see What is an IPv6 gateway?

    VPC parameters:

    • Region: The region where you want to create the VPC is displayed. In this example, China (Hangzhou) is displayed.

    • Name: Enter a name for the VPC.

    • IPv4 CIDR Block: Enter a primary IPv4 CIDR block for the VPC. In this example, 192.168.0.0/16 is used.

      Note

      After you create the VPC, you cannot change its primary IPv4 CIDR block. However, you can add a secondary IPv4 CIDR block for the VPC. For more information, see the Add a secondary CIDR block section of the Create and manage a VPC topic.

    • IPv6 CIDR Block: Specify whether to assign an IPv6 CIDR block to the VPC. In this example, Assign (Alibaba Cloud) is selected.

      If you select Assign (Alibaba Cloud), the system automatically assigns a /56 IPv6 CIDR block, for example, 2xx1:db8::/56, to the VPC and creates an IPv6 gateway. By default, IPv6 addresses are used only for communication within private networks.

      Note

      After you create the VPC, you cannot change the IPv6 CIDR block.

    • Description: Enter a description for the VPC.

    • Resource Group: Select the resource group to which the VPC belongs.

    • Tag Key: Select or enter a tag key. You can use tags to group VPCs.

    • Tag Value: Select or enter a tag value.

    vSwitch parameters:

    • Name: Enter a name for the vSwitch.

    • Zone: Select a zone for the vSwitch from the drop-down list. In this example, Hangzhou Zone H is selected.

    • IPv4 CIDR Block: Enter an IPv4 CIDR block for the vSwitch. In this example, 192.168.24.0/24 is entered.

      When you specify an IPv4 CIDR block for the vSwitch, take note of the following limits:

      • The CIDR block of a vSwitch must be a subset of the CIDR block of the VPC to which the vSwitch belongs.

        For example, if the CIDR block of a VPC is 192.168.0.0/16, the CIDR block of a vSwitch in the VPC can range from 192.168.0.0/17 to 192.168.0.0/29.

      • The first IP address and the last three IP addresses of a vSwitch CIDR block are reserved.

        For example, if a vSwitch CIDR block is 192.168.1.0/24, the IP addresses 192.168.1.0, 192.168.1.253, 192.168.1.254, and 192.168.1.255 are reserved.

      • If a vSwitch is required to communicate with vSwitches in other VPCs or with data centers, make sure that the CIDR block of the vSwitch does not overlap with the destination CIDR blocks.

      Note

      After you create the vSwitch, you cannot change its CIDR block.

    • IPv6 CIDR Block: Enter an IPv6 CIDR block for the vSwitch.

      By default, the subnet mask of the IPv6 CIDR block for the vSwitch is /64. You can enter a decimal number from 0 to 255 to define the last 8 bits of the IPv6 CIDR block.

  5. (Optional) If you need to add more vSwitches for the VPC, click Add below the vSwitch list and set the parameters.

    You can create at most 10 vSwitches in each VPC.

  6. Click OK.
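
The vSwitch CIDR limits listed in step 4 can be checked before the blocks are entered in the console. The following Python sketch is an added example, not part of the original topic or of any Alibaba Cloud tool; the function names are hypothetical, and 2001:db8::/56 is the documentation prefix used as a constructed stand-in for the assigned /56 block.

```python
import ipaddress


def reserved_ipv4(vswitch_cidr):
    """Return the first address and the last three addresses, which are reserved."""
    net = ipaddress.ip_network(vswitch_cidr)
    return [str(net[0]), str(net[-3]), str(net[-2]), str(net[-1])]


def check_vswitch_ipv4(vpc_cidr, vswitch_cidr, peer_cidrs=()):
    """Return a list of problems; an empty list means the block passes the checks."""
    vpc = ipaddress.ip_network(vpc_cidr)
    vsw = ipaddress.ip_network(vswitch_cidr)
    problems = []
    # Limit 1: the vSwitch block must be a subset of the VPC block.
    if not vsw.subnet_of(vpc):
        problems.append(f"{vsw} is not inside VPC block {vpc}")
    # Limit 3: no overlap with blocks in peer VPCs or data centers.
    for peer in map(ipaddress.ip_network, peer_cidrs):
        if vsw.overlaps(peer):
            problems.append(f"{vsw} overlaps destination {peer}")
    return problems


def vswitch_ipv6(vpc_ipv6_cidr, index):
    """Derive the /64 vSwitch block from the VPC /56 and the 0-255 console value."""
    vpc = ipaddress.ip_network(vpc_ipv6_cidr)
    if vpc.version != 6 or vpc.prefixlen != 56:
        raise ValueError("expected a /56 IPv6 VPC block")
    if not 0 <= index <= 255:
        raise ValueError("index must be in the range 0-255")
    # The index fills bits 56-63 of the prefix, so /64 blocks step by 2**64.
    base = int(vpc.network_address) + (index << 64)
    return ipaddress.IPv6Network((base, 64))


if __name__ == "__main__":
    print(check_vswitch_ipv4("192.168.0.0/16", "192.168.24.0/24"))
    print(reserved_ipv4("192.168.1.0/24"))
    print(vswitch_ipv6("2001:db8::/56", 24))  # constructed sample prefix
```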

Step 2: Create an ECS instance

After you create a VPC and a vSwitch with IPv6 CIDR blocks, you need to create an ECS instance that is assigned an IPv6 address in the VPC. In this topic, a new ECS instance is created. You can also assign an IPv6 address to an existing ECS instance. For more information, see the Step 2: Assign an IPv6 address section of the Configure an IPv6 address for an ECS instance topic.

  1. Log on to the VPC console.

  2. In the left-side navigation pane, click vSwitch.

  3. Select the region where the vSwitch resides. In this example, China (Hangzhou) is selected.

  4. On the vSwitch page, find the vSwitch that you want to manage, and choose Add Cloud Service > ECS Instance in the Actions column.

  5. On the Custom Launch tab of the ECS instance buy page, specify the parameters and complete the payment.

    The following section describes the parameters that are related to this topic. For more information, see Create an instance on the Custom Launch tab.

    • Quantity: Enter 1.

    • IPv6: Select Assign IPv6 Address Free of Charge.

    Note

    For more information about ECS instance types that support IPv6, see Overview of instance families.

  6. Go to the Instance page in the ECS console. Click the instance ID, change the instance name to ECS 01, and view the assigned IPv6 address.

Step 3: Enable IPv6 Internet bandwidth for the IPv6 address assigned to the ECS instance

You cannot enable IPv6 Internet bandwidth for all IP addresses within the IPv6 CIDR block. You can enable IPv6 Internet bandwidth only for the IPv6 address assigned to the ECS instance.

Note

IPv6 Internet bandwidth is not supported in China (Wuhan - Local Region).

  1. Log on to the IPv6 Gateway console.
  2. Select the region where the IPv6 gateway resides. In this example, China (Hangzhou) is selected.

  3. On the IPv6 Gateway page, click the ID of the desired IPv6 gateway.

  4. On the details page of the IPv6 gateway, click the IPv6 Internet Bandwidth tab, find the IPv6 address for which you want to enable IPv6 Internet bandwidth, and then click Activate Internet Bandwidth in the Actions column.

  5. On the IPv6 Internet Bandwidth (PostPay) page, specify the parameters that are described in the following table, click Buy Now, and then complete the payment.

    • Data Transfer: Select a billing method for the Internet bandwidth. Valid values: Pay-By-Bandwidth and Pay-By-Data-Transfer.

      In this example, Pay-By-Data-Transfer is selected.

    • Bandwidth: Specify a maximum bandwidth value for the Internet bandwidth. In this example, the default value 5 Mbps is used.

    • Billing Cycle: Select a billing cycle for the Internet bandwidth. In this example, Hour (By Hour) is used by default.

  6. On the Confirm Order page, confirm the information about the Internet bandwidth, read and agree to Terms of Service, and then click Activate Now.

Step 4: Configure the IPv6 address for the ECS instance

You must configure the IPv6 address for the NIC of ECS 01. This way, ECS 01 can communicate by using the IPv6 address. Then, you must configure a static address for ECS 01 to ensure the stability of the IPv6 network connection.

  1. Configure the IPv6 address for the NIC of ECS 01.

    Note

    In this example, ECS 01 runs the Alibaba Cloud Linux operating system, and the IPv6 address is automatically configured for ECS 01. For more information about how to configure an IPv6 address for a Linux instance or a Windows instance, see Configure an IPv6 address for an ECS instance.

    1. Log on to ECS 01. For more information, see Connection method overview.

    2. Run the following command to download the ecs-utils-ipv6 tool:

      wget https://ecs-image-utils.oss-cn-hangzhou.aliyuncs.com/ipv6/rhel/ecs-utils-ipv6

    3. Run the following commands as an administrator to run the ecs-utils-ipv6 tool:

      chmod +x ./ecs-utils-ipv6
      ./ecs-utils-ipv6

      The following output indicates that the IPv6 address is configured for the ECS instance.

      image.png

  2. Configure a static IPv6 address for ECS 01.

    1. Log on to ECS 01. For more information, see Connection method overview.

    2. Run the following command to edit the /etc/sysconfig/network-scripts/ifcfg-eth0 file:

      sudo vi /etc/sysconfig/network-scripts/ifcfg-eth0

      1. Set BOOTPROTO to static and DHCPV6C to no.

        In this example, the IPV6ADDR and IPV6_DEFAULTGW parameters are automatically configured by the system. You can modify the values based on your business requirements. For more information, see How to set a static IP address for a Linux ECS instance.

        image.png

      2. Press the Esc key on your keyboard, enter :wq, and then press the Enter key to save and close the file.

    3. Run the following command to restart the network service:

      systemctl restart network

Step 5: Configure security group rules

You need to check whether the current security group rules support your IPv6 services. If the current security group rules do not support your IPv6 services, configure IPv6 security group rules for ECS 01. We recommend that you configure the following security group rules:

  • An inbound rule that allows Internet Control Message Protocol (ICMP) version 6 (ICMPv6) traffic to support operations such as running the ping6 command on ECS instances.

  • An inbound rule that allows traffic on SSH port 22 and Remote Desktop Protocol (RDP) port 3389 to access ECS instances, and that allows traffic on HTTP port 80 and HTTPS port 443 to access the web services provided by ECS instances.

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Network & Security > Security Groups.

  3. In the top navigation bar, select a region from the drop-down list.

  4. Find the security group and click Add Rules in the Actions column.

  5. Configure security group rules.

    Enter the IPv6 CIDR block that you want to authorize in the Authorization Object field. For example, enter ::/0 to authorize all IPv6 addresses.

    For more information about the configurations and common use cases of security group rules, see Add a security group rule and Security groups for different use cases.
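
Before you authorize ::/0, check which ports the rule set would expose to every IPv6 address. The following Python audit is an added example, not part of the original topic or of an Alibaba Cloud API; the rule field names and the sample rules are constructed, and the port range notation (22/22, and -1/-1 for all ports) is an assumption.

```python
import ipaddress

# Management ports named in the recommended inbound rules.
MGMT_PORTS = {22: "SSH", 3389: "RDP"}


def parse_port_range(port_range):
    """'22/22' -> (22, 22); '-1/-1' (all ports) -> (1, 65535)."""
    low, high = (int(part) for part in port_range.split("/"))
    return (1, 65535) if low == -1 else (low, high)


def audit_ipv6_ingress(rules):
    """Flag inbound allow rules that open a management port to all IPv6 addresses."""
    findings = []
    for rule in rules:
        if rule["direction"] != "ingress" or rule["policy"] != "accept":
            continue
        source = ipaddress.ip_network(rule["ipv6_source_cidr"])
        if source.prefixlen != 0:          # only ::/0 covers every address
            continue
        if rule["protocol"] not in ("tcp", "all"):
            continue                       # for example, ICMPv6 for ping6
        low, high = parse_port_range(rule["port_range"])
        for port, name in MGMT_PORTS.items():
            if low <= port <= high:
                findings.append(f"{name} ({port}/tcp) open to {source}")
    return findings


# Constructed sample: ICMPv6 and web ports open to ::/0, SSH limited to an
# administrative prefix, and RDP left open to ::/0.
SAMPLE_RULES = [
    {"direction": "ingress", "policy": "accept", "protocol": "icmpv6",
     "port_range": "-1/-1", "ipv6_source_cidr": "::/0"},
    {"direction": "ingress", "policy": "accept", "protocol": "tcp",
     "port_range": "22/22", "ipv6_source_cidr": "2001:db8:1::/48"},
    {"direction": "ingress", "policy": "accept", "protocol": "tcp",
     "port_range": "3389/3389", "ipv6_source_cidr": "::/0"},
    {"direction": "ingress", "policy": "accept", "protocol": "tcp",
     "port_range": "80/443", "ipv6_source_cidr": "::/0"},
]

if __name__ == "__main__":
    for finding in audit_ipv6_ingress(SAMPLE_RULES):
        print(finding)
```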

Step 6: Test the network connectivity

After you complete the preceding operations, ECS 01 in the VPC can communicate with external IPv6 clients over the Internet by using the IPv6 gateway. You can perform the following operations to test the network connectivity between ECS 01 and external IPv6 clients.

Note
  • In this example, ECS 01 in the VPC runs the Alibaba Cloud Linux operating system. For more information about how to use the ping6 command in other operating systems, see the manual of the operating system that you use.

  • Before you access ECS 01 in the VPC from an external client over IPv6, make sure that the client supports IPv6. You can enter http://test-ipv6.com/ in the address bar of a browser on your client to check whether the client supports IPv6.

  1. Log on to ECS 01. For more information, see Connection method overview.

  2. Run the ping6 command on ECS 01 to send ICMP version 6 (ICMPv6) echo request packets to the address of the external IPv6 client over the Internet to test network connectivity.

    If ECS 01 can receive ICMPv6 echo reply packets, the connection is established. This indicates that ECS 01 can access an IPv6 address over the Internet.

Step 7: (Optional) Delete IPv6 Internet bandwidth

If you no longer need the IPv6 address assigned to the ECS instance to access the Internet, you can delete the corresponding IPv6 Internet bandwidth. The billing stops after IPv6 Internet bandwidth is deleted.

  1. Log on to the IPv6 Gateway console.
  2. In the top navigation bar, select the region where the IPv6 gateway is deployed.
  3. On the IPv6 Gateway page, click the ID of the desired IPv6 gateway.

  4. On the details page of the IPv6 gateway, click the IPv6 Internet Bandwidth tab, find the IPv6 address for which you want to disable IPv6 Internet bandwidth, and then click Delete Internet Bandwidth in the Actions column.

  5. In the Delete IPv6 Internet Bandwidth message, click OK.

    Warning

    After the Internet bandwidth of the IPv6 address is deleted, the IPv6 gateway cannot be used for communication over the Internet. Exercise caution when you delete the Internet bandwidth.

FAQ

What do I do if the IPv6 connection is interrupted?

When you restart your ECS instance or change your network device, the network connection may be interrupted or disconnected. We recommend that you configure a static IPv6 address for your ECS instance or network device. The static IPv6 address is manually configured and is not affected by system restarts or network changes. For more information, see the Configure a static IPv6 address for ECS 01 section of this topic.

References

  • Operation references:

    • After you create an egress-only rule for an IPv6 address, an ECS instance in a VPC for which IPv6 is enabled can use the IPv6 address to access IPv6 clients over the Internet. The ECS instance denies access from IPv6 clients over the Internet. For more information, see Create and manage an egress-only rule.

    • If a VPC with IPv6 enabled no longer requires IPv6, you can disable IPv6 for the VPC. For more information, see the Disable IPv6 for a VPC section of the Create and manage a VPC topic.

  • API references: