Create a VPC with an IPv6 CIDR block - Virtual Private Cloud

This topic describes how to create a Virtual Private Cloud (VPC) with an IPv6 CIDR block and create Elastic Compute Service (ECS) instances with IPv6 addresses in the VPC. This way, the ECS instances can communicate with each other by using IPv6 addresses.

Regions that support IPv6 gateways

IPv6 gateways are supported in the following regions: China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Hangzhou), China (Shanghai), China (Fuzhou - Local Region), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), Philippines (Manila), Singapore, US (Virginia), Germany (Frankfurt), and Japan (Tokyo).

Sample scenario

Due to business development, a company wants to create a VPC with an IPv6 CIDR block in Hangzhou Zone H and assign IPv6 addresses to ECS instances in the VPC. This way, the ECS instances can communicate with each other over IPv6. The following figure shows a sample scenario. In this example, a VPC and a vSwitch with IPv6 CIDR blocks are created, two ECS instances named ECS01 and ECS02 are created and assigned IPv6 addresses, and the ECS instances can communicate with each other by using IPv6 addresses.

Prerequisites

Before you use cloud resources in a VPC, you must plan your networks. For more information, see Plan networks.

Procedure

The following section describes the general procedure.

Create a VPC and a vSwitch with IPv6 CIDR blocks. For more information, see the Step 1: Create a VPC and a vSwitch section of this topic.
Before you assign an IPv6 address to an ECS instance, you must create a VPC and a vSwitch.
Assign IPv6 addresses to ECS instances. For more information, see the Step 2: Create and configure ECS instances section of this topic.
Add security group rules. For more information, see the Step 3: Configure security group rules section of this topic.
You can add security group rules to allow or deny mutual access between the ECS instances over IPv6 within the security group.
Test network connectivity. For more information, see the Test network connectivity section in this topic.
You can log on to one of the ECS instances to test the network connectivity to ensure that the ECS instance assigned the IPv6 address can access the other ECS instance in the VPC.
Optional. Delete an IPv6 gateway. For more information, see the What to do next: Delete an IPv6 gateway section in this topic.

Procedure

Resource Orchestration Service (ROS) console

Log on to the ROS console. The Create Stack page appears.
Set the parameters based on the instructions and click Create.
On the Stacks page, if the status of the stack changes from Creating to Created, the VPC with IPv6 CIDR blocks is created.
You can click the Output tab to view the VPC, vSwitches, and ECS instances.

VPC console (manual creation)

Step 1: Create a VPC and vSwitches

Log on to the VPC console.
In the top navigation bar, select the region where you want to create the VPC. In this example, China (Hangzhou) is selected.
On the VPC page, click Create VPC.

On the Create VPC page, specify the parameters that are described in the following table and click OK.

Note

In this example, Assign (Default) is selected for the IPv6 CIDR Block parameter. After you create the VPC, the system automatically assigns an IPv6 CIDR block whose subnet mask is /56 to the VPC and creates a free IPv6 gateway. You can use the IPv6 gateway to manage IPv6 traffic.

Parameter	Description
VPC
Region	The region where you want to create the VPC is displayed. In this example, China (Hangzhou) is displayed.
Name	Enter a name for the VPC.
IPv4 CIDR Block	Enter a primary IPv4 CIDR block for the VPC. In this example, 192.168.0.0/16 is used. Note After you create the VPC, you cannot change its primary IPv4 CIDR block. However, you can add a secondary IPv4 CIDR block for the VPC. For more information, see Add a secondary CIDR block.
IPv6 CIDR Block	Specify whether to assign an IPv6 CIDR block to the VPC. In this example, Assign (Default) is selected. If you set this parameter to Assign, the system automatically creates an IPv6 gateway of Free Edition for this VPC, and assigns an IPv6 CIDR block with the subnet mask /56, such as 2xx1: db8::/56. By default, IPv6 addresses are used only for communication within private networks. If you want to use an IPv6 address to access the Internet or provide services for IPv6 clients over the Internet, you must purchase Internet bandwidth for the IPv6 address. For more information, see Enable and manage IPv6 Internet bandwidth. Note After you create the VPC, you cannot change the IPv6 CIDR block.
Description	Enter a description for the VPC.
Resource Group	Select the resource group to which the VPC belongs.
vSwitch
Name	Enter a name for the vSwitch.
Zone	Select a zone for the vSwitch from the drop-down list. In this example, Hangzhou Zone H is selected.
IPv4 CIDR Block	Enter an IPv4 CIDR block for the vSwitch. In this example, 192.168.24.0/24 is entered. When you specify an IPv4 CIDR block for the vSwitch, take note of the following limits: The CIDR block of a vSwitch must be a subset of the CIDR block of the VPC to which the vSwitch belongs. For example, if the CIDR block of a VPC is 192.168.0.0/16, the CIDR block of a vSwitch in the VPC can range from 192.168.0.0/17 to 192.168.0.0/29. The first IP address and the last three IP addresses of a vSwitch CIDR block are reserved. For example, if a vSwitch CIDR block is 192.168.1.0/24, the IP addresses 192.168.1.0, 192.168.1.253, 192.168.1.254, and 192.168.1.255 are reserved. If a vSwitch is required to communicate with vSwitches in other VPCs or with data centers, make sure that the CIDR block of the vSwitch does not overlap with the destination CIDR blocks. Note After you create the vSwitch, you cannot change its CIDR block.
IPv6 CIDR Block	Enter an IPv6 CIDR block for the vSwitch. By default, the subnet mask of the IPv6 CIDR block for the vSwitch is /64. You can enter a decimal number from 0 to 255 to define the last 8 bits of the IPv6 CIDR block.

(Optional): If you need to add more vSwitches for the VPC, click Add below the vSwitch list and set the parameters.
You can add at most 10 vSwitches in each VPC.
Click OK.

Step 2: Create ECS instances

After you create a VPC and a vSwitch with IPv6 CIDR blocks, create ECS instances with IPv6 IP addresses. In this example, the ECS instances are named ECS01 and ECS02. After you create the ECS instances, assign IPv6 IP addresses to the ECS instances.

Log on to the VPC console.
In the left-side navigation pane, click vSwitch.
Select the region where the vSwitch resides. In this example, China (Hangzhou) is selected.
On the vSwitch page, find the vSwitch that you want to manage, and choose Add Cloud Service > ECS Instance in the Actions column.
On the Custom Launch tab of the ECS instance buy page, set the parameters and complete the payment. For more information, see Create an instance by using the wizard.
Set the Quantity and IPv6 parameters based on the following information:
- Quantity: Specify 2 Units.
- IPv6: Select Assign IPv6 Address Free of Charge.
Go to the Instances page of the ECS console, click the instance IDs to view the assigned IPv6 addresses, and change the instance names to ECS01 and ECS02.
Configure static IPv6 addresses for ECS01 and ECS02.
For more information, see Configure an IPv6 address for an ECS instance that runs Windows and Configure an IPv6 address for an ECS instance that runs Linux.

Step 3: Configure security group rules

Services that are assigned IPv4 addresses cannot communicate with services that are assigned IPv6 addresses. If the current security group rules do not support IPv6 communication, you must configure IPv6 security group rules for ECS01 and ECS02.

Log on to the ECS console.
In the left-side navigation pane, choose Network & Security > Security Groups.
In the top navigation bar, select a region from the drop-down list.
Find the security group that you want to manage and click Manage Rule.
Configure security group rules.
Enter the IPv6 CIDR block that you want to authorize in the Authorization Object field. For example, enter ::/0 to authorize all IPv6 addresses.
For more information about the configurations and common use cases of security group rules, see Add a security group rule and Security groups for different use cases.

Test network connectivity

After you complete the preceding steps, ECS01 and ECS02 are expected to communicate with each other by using IPv6 addresses. You can perform the following operations to test the network connectivity between ECS01 and ECS02:

Note

In this example, ECS01 and ECS02 run the Alibaba Cloud Linux operating system. For more information about how to use the ping6 command in other operating systems, see the manual of the operating system that you use.

Test whether ECS01 and ECS02 can communicate with each other by using IPv6 addresses.

Log on to ECS01 and ECS02. For more information, see Connection method overview.
Run the ping6 command on ECS01 to send ICMP version 6 (ICMPv6) echo request packets to the IPv6 address of ECS02.
If ECS01 can receive ICMPv6 echo reply packets, the connection is established. The test result shows that ECS 1 can access ECS02 by using the IPv6 address.
Run the ping6 command on ECS02 to send ICMPv6 echo request packets to the IPv6 address of ECS01.
If ECS02 can receive ICMPv6 echo reply packets, the connection is established. The test result shows that ECS02 can access ECS01 by using the IPv6 address.

What to do next: Delete an IPv6 gateway

If you no longer need a VPC with an IPv6 CIDR block, you can delete the IPv6 gateway.

Log on to the VPC console.
In the left-side navigation pane, choose Access to Internet > IPv6 Gateway.
In the top navigation bar, select the region where the IPv6 gateway is deployed.
On the IPv6 Gateway page, find the IPv6 gateway that you want to delete and click Delete in the Actions column.
In the Delete IPv6 Gateway message, click OK.