Here are a few troubleshooting steps you can take:
1. **Check Security Group Settings:** Ensure that the security group attached to your EC2 instance allows inbound traffic on port 80 (HTTP) or the port your web server is listening on for IPv6 traffic. You can do this by adding an inbound rule allowing traffic from ::/0 (which represents all IPv6 addresses) to the appropriate port.
2. **Verify Route Table Configuration:** Double-check that the route table associated with your IPv6 subnet (PublicRouteTable) has a route for ::/0 (all IPv6 traffic) directing it to the internet gateway.
3. **Confirm Network ACL Settings:** Review the Network ACL (PublicNetworkAcl) associated with your IPv6 subnet to ensure that inbound and outbound traffic on port 80 (HTTP) or the port your web server is using is allowed.
4. **Check EC2 Instance Configuration:** Verify that your EC2 instance is running and has the correct security group and subnet assigned. Also, confirm that your web server is configured properly and running.
5. **Verify IPv6 Address:** Ensure that the IPv6 address assigned to your EC2 instance is correct and matches the one you are trying to access.
6. **Test Connectivity:** Try accessing your web server using its IPv6 address from a machine outside your AWS environment to see if the issue is specific to your setup or if there are any connectivity issues.
Hello.
Please modify the CloudFormation template as below.
A security group compatible with IPv6 is added with "AWS::EC2::SecurityGroup".
Added "SecurityGroupIds" to reference security groups in EC2.
If you do not specify a security group, EC2 refers to the default security group created in the VPC.
As a result, the EC2 instance you created refers to the default security group, in which IPv6 port 80 is not allowed, making it impossible to connect.
```yaml
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  # Look up the ImageId of the latest Amazon Linux 2023 release - each AMI Id is short-lived,
  # about 3 months if I'm not mistaken
  # See https://docs.aws.amazon.com/linux/al2023/ug/ec2.html#launch-from-cloudformation
  LatestAmiId:
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/al2023-ami-minimal-kernel-default-x86_64
Resources:
  # Prerequisite for reachability from outside
  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: Internet-Gateway
  # Internal network that will contain the various subnets
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: VPC
  # The internal network must be attached to the internet gateway
  InternetGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId: !Ref InternetGateway
      VpcId: !Ref VPC
  # Assign an IPv6 block (not predetermined, chosen by Amazon) to my VPC
  VPCIpv6CidrBlock:
    Type: AWS::EC2::VPCCidrBlock
    Properties:
      VpcId: !Ref VPC
      AmazonProvidedIpv6CidrBlock: true
  # IPv6-only subnet, which will be 'public' thanks to the routes and
  # route table association defined further down
  PublicIpv6SubnetA:
    Type: AWS::EC2::Subnet
    # The GetAtt on VPC.Ipv6CidrBlocks does not wait for the CIDR association,
    # so the dependency is stated explicitly
    DependsOn: VPCIpv6CidrBlock
    Properties:
      Ipv6Native: true
      Ipv6CidrBlock: !Sub
        - ${VpcPart}${SubnetPart}
        - SubnetPart: 00::/64
          VpcPart: !Select
            - 0
            - !Split
              - 00::/56
              - !Select
                - 0
                - !GetAtt VPC.Ipv6CidrBlocks
      AvailabilityZone: !Select
        - 0
        - !GetAZs ""
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: Public IPV6 Subnet A
  # Every VPC must have at least one route table;
  # note that if one is not created,
  # AWS creates one by default.
  # Moreover, inside this table the routes that allow
  # local IPv4 and IPv6 traffic across the whole VPC
  # are created by default
  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: Public Route Table
  # AWS automatically associates a subnet with a route table;
  # this definition just makes it explicit, purely out of
  # personal preference
  PublicIpv6SubnetAPublicRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PublicRouteTable
      SubnetId: !Ref PublicIpv6SubnetA
  # This route lets traffic bound for the internet
  # leave through the Internet Gateway.
  # Note that this route hangs off a route table
  RouteForOutboundIpv4:
    Type: AWS::EC2::Route
    DependsOn: InternetGatewayAttachment
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
  # Same, but for IPv6
  RouteForOutboundIpv6:
    Type: AWS::EC2::Route
    DependsOn: InternetGatewayAttachment
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationIpv6CidrBlock: ::/0
      GatewayId: !Ref InternetGateway
  # Every subnet must have a Network ACL:
  # firewall rules that determine which traffic
  # may enter and leave each subnet.
  # Here I create the ACL - it is created with all traffic denied
  # in both directions.
  # If, instead of creating a NACL by hand, the default one had been kept,
  # the default one allows all traffic in both directions
  PublicNetworkAcl:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: Public Network ACL
  # And here I associate it with the subnet
  PublicNACLAssociationToPublicIpv6SubnetA:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      NetworkAclId: !Ref PublicNetworkAcl
      SubnetId: !Ref PublicIpv6SubnetA
  # Allow IPv4 inbound traffic to the subnet
  NACLAllowInboundIpv4:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref PublicNetworkAcl
      CidrBlock: 0.0.0.0/0
      RuleNumber: 100
      Protocol: -1
      RuleAction: allow
      Egress: false
  # Allow IPv6 inbound traffic to the subnet
  NACLAllowInboundIpv6:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref PublicNetworkAcl
      Ipv6CidrBlock: ::/0
      RuleNumber: 101
      Protocol: -1
      RuleAction: allow
      Egress: false
  # Allow IPv4 egress traffic from the subnet
  NACLAllowOutboundIpv4:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref PublicNetworkAcl
      CidrBlock: 0.0.0.0/0
      RuleNumber: 100
      Protocol: -1
      RuleAction: allow
      Egress: true
  # Allow IPv6 egress traffic from the subnet
  NACLAllowOutboundIpv6:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref PublicNetworkAcl
      Ipv6CidrBlock: ::/0
      RuleNumber: 101
      Protocol: -1
      RuleAction: allow
      Egress: true
  # Security group that admits HTTP over IPv6 (CidrIpv6, not CidrIp)
  SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: !Ref VPC
      GroupDescription: Security group for ec2 (http)
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIpv6: ::/0
  # Every instance has these prerequisites
  # - An ImageId, i.e. which operating system to use
  # - A SubnetId, i.e. the segment of the internal network to attach to
  Instance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t3a.nano
      ImageId: !Ref LatestAmiId
      SubnetId: !Ref PublicIpv6SubnetA
      # Without this the instance silently gets the VPC default security group
      SecurityGroupIds:
        - !Ref SecurityGroup
      Tags:
        - Key: Name
          Value: Istanza EC2
      UserData:
        Fn::Base64: |
          #!/bin/bash
          yum install httpd -y
          service httpd start
          echo "<html><body><h1>Hello from DCT!</h1></body></html>" > /var/www/html/index.html
```
Also, when connecting from a browser, please do the following. If you do not surround the IPv6 address with "[]", you will not be able to connect from the browser.
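The checklist in the first answer (security group, ::/0 route to the internet gateway, NACL entries) can be run mechanically against a template before deploying it. The following is an added example, not code from either answer or from AWS: it walks a CloudFormation template, written here in the JSON intrinsic form (`{"Ref": ...}`) so that no YAML tag parser is needed, and reports which of the three conditions each EC2 instance fails. The two sample templates are constructed to mirror the second answer's YAML, one with `SecurityGroupIds` and one without (the state the question started from); all function names are my own, and only `::/0` rules are considered, which is a simplification.

```python
"""Static check of a CloudFormation template for the three IPv6/HTTP
reachability conditions discussed in the answers. Added example, not code
from the re:Post answers or from AWS; the sample templates are constructed
here to mirror the answer's YAML, and every function name is my own."""

HTTP_PORT = 80
EPHEMERAL_PORT = 40000  # representative client-side port for the reply packets

def _ref(value):  # logical id that a {"Ref": id} intrinsic points at, else None
    return value.get("Ref") if isinstance(value, dict) else None

def _covers_port(rule, port):
    """Match a SG rule ({IpProtocol, FromPort, ToPort}) or a NACL entry
    ({Protocol, PortRange: {From, To}}) against one TCP destination port."""
    proto = str(rule.get("IpProtocol", rule.get("Protocol", "-1")))
    if proto == "-1":                       # all protocols, all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    rng = rule.get("PortRange")
    lo, hi = (rng["From"], rng["To"]) if rng else (rule.get("FromPort"), rule.get("ToPort"))
    return lo is not None and hi is not None and int(lo) <= port <= int(hi)

def _of_type(resources, rtype):
    return {k: v["Properties"] for k, v in resources.items() if v["Type"] == rtype}

def _nacl_findings(resources, nacl, port_in, port_out):
    """NACLs are stateless and first-match by RuleNumber: the inbound request (dst 80)
    and the outbound reply (dst client ephemeral port) must each hit an 'allow' first."""
    findings, entries = [], _of_type(resources, "AWS::EC2::NetworkAclEntry").values()
    for egress, port, label in ((False, port_in, "inbound"), (True, port_out, "outbound")):
        matches = sorted((e for e in entries if _ref(e["NetworkAclId"]) == nacl
                          and bool(e.get("Egress", False)) == egress
                          and e.get("Ipv6CidrBlock") == "::/0" and _covers_port(e, port)),
                         key=lambda e: int(e["RuleNumber"]))
        if not matches or matches[0]["RuleAction"] != "allow":  # custom NACL denies by default
            findings.append(f"{nacl}: {label} IPv6 traffic to port {port} is not allowed")
    return findings

def check_ipv6_http(template, port=HTTP_PORT):
    """Return human-readable findings; [] means every instance passes all three checks."""
    res = template["Resources"]
    sgs, igws = _of_type(res, "AWS::EC2::SecurityGroup"), _of_type(res, "AWS::EC2::InternetGateway")
    findings = []
    for iid, inst in _of_type(res, "AWS::EC2::Instance").items():
        attached = [s for s in map(_ref, inst.get("SecurityGroupIds", []) + inst.get("SecurityGroups", []))
                    if s in sgs]
        if not attached:
            findings.append(f"{iid}: no SecurityGroupIds, so the VPC default security group "
                            "applies, and it has no public IPv6 ingress")
        elif not any(r.get("CidrIpv6") == "::/0" and _covers_port(r, port)
                     for s in attached for r in sgs[s].get("SecurityGroupIngress", [])):
            findings.append(f"{iid}: no attached security group allows tcp/{port} from ::/0")
        subnet = _ref(inst.get("SubnetId"))
        # Route table: subnet -> association -> route table -> ::/0 via an Internet Gateway
        tables = {_ref(a["RouteTableId"]) for a in _of_type(res, "AWS::EC2::SubnetRouteTableAssociation").values()
                  if _ref(a["SubnetId"]) == subnet}
        if not any(_ref(r["RouteTableId"]) in tables and r.get("DestinationIpv6CidrBlock") == "::/0"
                   and _ref(r.get("GatewayId")) in igws for r in _of_type(res, "AWS::EC2::Route").values()):
            findings.append(f"{subnet}: no ::/0 route to an InternetGateway on its route table")
        # NACL: an explicitly associated custom NACL must allow both directions; with no
        # association the VPC default NACL applies, which allows everything.
        for a in _of_type(res, "AWS::EC2::SubnetNetworkAclAssociation").values():
            if _ref(a["SubnetId"]) == subnet:
                findings += _nacl_findings(res, _ref(a["NetworkAclId"]), port, EPHEMERAL_PORT)
    return findings

def _r(rtype, **props):
    return {"Type": rtype, "Properties": props}

def _resources():
    """Constructed mirror of the answer's template (tags, IPv4 rules and AMI omitted)."""
    ref = lambda x: {"Ref": x}
    return {
        "InternetGateway": _r("AWS::EC2::InternetGateway"),
        "VPC": _r("AWS::EC2::VPC", CidrBlock="10.0.0.0/16"),
        "PublicIpv6SubnetA": _r("AWS::EC2::Subnet", Ipv6Native=True, VpcId=ref("VPC")),
        "PublicRouteTable": _r("AWS::EC2::RouteTable", VpcId=ref("VPC")),
        "RouteTableAssociation": _r("AWS::EC2::SubnetRouteTableAssociation",
                                    RouteTableId=ref("PublicRouteTable"), SubnetId=ref("PublicIpv6SubnetA")),
        "RouteForOutboundIpv6": _r("AWS::EC2::Route", RouteTableId=ref("PublicRouteTable"),
                                   DestinationIpv6CidrBlock="::/0", GatewayId=ref("InternetGateway")),
        "PublicNetworkAcl": _r("AWS::EC2::NetworkAcl", VpcId=ref("VPC")),
        "NaclAssociation": _r("AWS::EC2::SubnetNetworkAclAssociation",
                              NetworkAclId=ref("PublicNetworkAcl"), SubnetId=ref("PublicIpv6SubnetA")),
        "NACLAllowInboundIpv6": _r("AWS::EC2::NetworkAclEntry", NetworkAclId=ref("PublicNetworkAcl"),
                                   Ipv6CidrBlock="::/0", RuleNumber=101, Protocol=-1, RuleAction="allow", Egress=False),
        "NACLAllowOutboundIpv6": _r("AWS::EC2::NetworkAclEntry", NetworkAclId=ref("PublicNetworkAcl"),
                                    Ipv6CidrBlock="::/0", RuleNumber=101, Protocol=-1, RuleAction="allow", Egress=True),
        "SecurityGroup": _r("AWS::EC2::SecurityGroup", VpcId=ref("VPC"), SecurityGroupIngress=[
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIpv6": "::/0"}]),
        "Instance": _r("AWS::EC2::Instance", SubnetId=ref("PublicIpv6SubnetA"),
                       SecurityGroupIds=[ref("SecurityGroup")]),
    }

FIXED_TEMPLATE = {"Resources": _resources()}
BROKEN_TEMPLATE = {"Resources": _resources()}  # the question's state: no SG on the instance
del BROKEN_TEMPLATE["Resources"]["Instance"]["Properties"]["SecurityGroupIds"]
```

`check_ipv6_http(FIXED_TEMPLATE)` returns an empty list, while the broken variant reports only the missing `SecurityGroupIds`, which is exactly the fix the second answer makes. The outbound NACL check deliberately uses a client ephemeral port rather than 80: because NACLs are stateless, the web server's replies are judged against the egress rules on their own, a detail that a `-1` (all traffic) rule hides but a port-specific egress rule would expose.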