IPv6 EC2 with webserver, how to reach it?

1

I'm trying to create a public webserver without using IPv4.

The EC2 instance receives its IPv6 address; for example, at this exact instant it is:

2a05:d01a:4ec:f500:6f34:2595:8063:ec02

I supposed I could access it using that address as the IP:

http://2a05:d01a:4ec:f500:6f34:2595:8063:ec02

I created an IPv6-only network in my VPC, so it does not have an IPv4 address. Also, I avoided creating and associating an Elastic IP because of the IPv4 cost. I think all the routing was OK, so I cannot understand what is actually wrong. Why can't I reach the IPv6 address of my EC2 instance? I read that every IPv6 address is public by default!

This is my full stack:

```yaml
Parameters:
  # Look up the ImageId of the latest Amazon Linux 2023 release - each AMI Id is short-lived,
  # about 3 months if I'm not mistaken
  # See https://docs.aws.amazon.com/linux/al2023/ug/ec2.html#launch-from-cloudformation
  LatestAmiId:
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/al2023-ami-minimal-kernel-default-x86_64

Resources:
  # Prerequisite for reachability from outside
  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: Internet-Gateway

  # Internal network that will contain the various subnets
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: VPC

  # The internal network must be attached to the internet gateway
  InternetGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId: !Ref InternetGateway
      VpcId: !Ref VPC

  # Assign an IPv6 block (not predetermined, chosen by Amazon) to my VPC
  VPCIpv6CidrBlock:
    Type: AWS::EC2::VPCCidrBlock
    Properties:
      VpcId: !Ref VPC
      AmazonProvidedIpv6CidrBlock: true

  # IPv6-only subnet, which will be 'public' thanks to the routes and routing
  # still to be defined below
  PublicIpv6SubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      Ipv6Native: true
      # Take the first /56 assigned to the VPC and carve the first /64 out of it
      Ipv6CidrBlock: !Sub
        - ${VpcPart}${SubnetPart}
        - SubnetPart: 00::/64
          VpcPart: !Select
            - 0
            - !Split
              - 00::/56
              - !Select
                - 0
                - !GetAtt VPC.Ipv6CidrBlocks
      AvailabilityZone: !Select
        - 0
        - !GetAZs ""
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: Public IPV6 Subnet A

  # Every VPC must have at least one route table.
  # Note that if none is created, AWS creates one by default;
  # moreover, inside this table the routes that allow local
  # IPv4 and IPv6 traffic across the whole VPC are created by default
  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: Public Route Table

  # AWS automatically associates a subnet with a route table;
  # this definition just makes it explicit, out of personal preference
  PublicIpv6SubnetAPublicRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PublicRouteTable
      SubnetId: !Ref PublicIpv6SubnetA

  # This route lets traffic bound for the internet
  # leave through the Internet Gateway.
  # Note that this route hangs off a route table
  RouteForOutboundIpv4:
    Type: AWS::EC2::Route
    DependsOn: InternetGatewayAttachment
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway

  # Same, but for IPv6
  RouteForOutboundIpv6:
    Type: AWS::EC2::Route
    DependsOn: InternetGatewayAttachment
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationIpv6CidrBlock: ::/0
      GatewayId: !Ref InternetGateway

  # Every subnet must have a Network ACL:
  # firewall rules that determine which traffic
  # may enter and leave each subnet.
  # Here I create the ACL - a custom one starts with all traffic denied
  # in both directions.
  # Had the default NACL been kept instead of creating one by hand,
  # the default one allows all traffic in both directions
  PublicNetworkAcl:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: Public Network ACL

  # And here I associate it with the subnet
  PublicNACLAssociationToPublicIpv6SubnetA:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      NetworkAclId: !Ref PublicNetworkAcl
      SubnetId: !Ref PublicIpv6SubnetA

  # Allow IPv4 inbound traffic to subnet
  NACLAllowInboundIpv4:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref PublicNetworkAcl
      CidrBlock: 0.0.0.0/0
      RuleNumber: 100
      Protocol: -1
      RuleAction: allow
      Egress: false

  # Allow IPv6 inbound traffic to subnet
  NACLAllowInboundIpv6:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref PublicNetworkAcl
      Ipv6CidrBlock: ::/0
      RuleNumber: 101
      Protocol: -1
      RuleAction: allow
      Egress: false

  # Allow IPv4 egress traffic from subnet
  NACLAllowOutboundIpv4:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref PublicNetworkAcl
      CidrBlock: 0.0.0.0/0
      RuleNumber: 100
      Protocol: -1
      RuleAction: allow
      Egress: true

  # Allow IPv6 egress traffic from subnet
  NACLAllowOutboundIpv6:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref PublicNetworkAcl
      Ipv6CidrBlock: ::/0
      RuleNumber: 101
      Protocol: -1
      RuleAction: allow
      Egress: true

  # Every instance has these prerequisites:
  # - an ImageId, i.e. which operating system to use
  # - a SubnetId, i.e. the segment of the internal network to attach to
  Instance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t3a.nano
      ImageId: !Ref LatestAmiId
      SubnetId: !Ref PublicIpv6SubnetA
      Tags:
        - Key: Name
          Value: Istanza EC2
      UserData:
        Fn::Base64: |
          #!/bin/bash
          yum install httpd -y
          # Amazon Linux 2023 is systemd-based: enable at boot and start now
          systemctl enable --now httpd
          echo "<html><body><h1>Hello from DCT!</h1></body></html>" > /var/www/html/index.html
```

I used the Reachability Analyzer and got this result:

Explanations:

Component i-07c0f7cbf99e09be3 is not associated with any VPC in your account (for example, a recently terminated instance), or none of its network interfaces has an IPv4 address (IPv6 is not supported). See documentation.

Details:

```json
{
  "addresses": [],
  "availabilityZones": [],
  "cidrs": [],
  "component": {
    "id": "i-07c0f7cbf99e09be3",
    "arn": "arn:aws:ec2:eu-south-1:888429370380:instance/i-07c0f7cbf99e09be3"
  },
  "explanationCode": "UNASSOCIATED_COMPONENT",
  "loadBalancerTargetGroups": [],
  "portRanges": [],
  "protocols": [],
  "securityGroups": []
}
```

I cannot understand it.

2 Answers
1

Here are a few troubleshooting steps you can take:

**Check Security Group Settings:** Ensure that the security group attached to your EC2 instance allows inbound traffic on port 80 (HTTP), or the port your web server is listening on, for IPv6 traffic. You can do this by adding an inbound rule allowing traffic from ::/0 (which represents all IPv6 addresses) to the appropriate port.

**Verify Route Table Configuration:** Double-check that the route table associated with your IPv6 subnet (PublicRouteTable) has a route for ::/0 (all IPv6 traffic) directing it to the internet gateway.

**Confirm Network ACL Settings:** Review the Network ACL (PublicNetworkAcl) associated with your IPv6 subnet to ensure that inbound and outbound traffic on port 80 (HTTP), or the port your web server is using, is allowed.

**Check EC2 Instance Configuration:** Verify that your EC2 instance is running and has the correct security group and subnet assigned. Also, confirm that your web server is configured properly and running.

**Verify IPv6 Address:** Ensure that the IPv6 address assigned to your EC2 instance is correct and matches the one you are trying to access.

**Test Connectivity:** Try accessing your web server using its IPv6 address from a machine outside your AWS environment to see if the issue is specific to your setup or if there are any connectivity issues.

answered a month ago
0
Accepted Answer

Hello.

Please modify the CloudFormation template as below.
A security group that accepts IPv6 traffic is added with "AWS::EC2::SecurityGroup", and "SecurityGroupIds" is added to the EC2 instance to reference that security group.

If you do not specify a security group, EC2 uses the default security group created in the VPC.
As a result, the EC2 instance you created is using the default security group, which does not allow IPv6 traffic on port 80, making it impossible to connect.

```yaml
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  # Look up the ImageId of the latest Amazon Linux 2023 release - each AMI Id is short-lived,
  # about 3 months if I'm not mistaken
  # See https://docs.aws.amazon.com/linux/al2023/ug/ec2.html#launch-from-cloudformation
  LatestAmiId:
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/al2023-ami-minimal-kernel-default-x86_64

Resources:
  # Prerequisite for reachability from outside
  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: Internet-Gateway

  # Internal network that will contain the various subnets
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: VPC

  # The internal network must be attached to the internet gateway
  InternetGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId: !Ref InternetGateway
      VpcId: !Ref VPC

  # Assign an IPv6 block (not predetermined, chosen by Amazon) to my VPC
  VPCIpv6CidrBlock:
    Type: AWS::EC2::VPCCidrBlock
    Properties:
      VpcId: !Ref VPC
      AmazonProvidedIpv6CidrBlock: true

  # IPv6-only subnet, which will be 'public' thanks to the routes and routing
  # still to be defined below
  PublicIpv6SubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      Ipv6Native: true
      # Take the first /56 assigned to the VPC and carve the first /64 out of it
      Ipv6CidrBlock: !Sub
        - ${VpcPart}${SubnetPart}
        - SubnetPart: 00::/64
          VpcPart: !Select
            - 0
            - !Split
              - 00::/56
              - !Select
                - 0
                - !GetAtt VPC.Ipv6CidrBlocks
      AvailabilityZone: !Select
        - 0
        - !GetAZs ""
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: Public IPV6 Subnet A

  # Every VPC must have at least one route table.
  # Note that if none is created, AWS creates one by default;
  # moreover, inside this table the routes that allow local
  # IPv4 and IPv6 traffic across the whole VPC are created by default
  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: Public Route Table

  # AWS automatically associates a subnet with a route table;
  # this definition just makes it explicit, out of personal preference
  PublicIpv6SubnetAPublicRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PublicRouteTable
      SubnetId: !Ref PublicIpv6SubnetA

  # This route lets traffic bound for the internet
  # leave through the Internet Gateway.
  # Note that this route hangs off a route table
  RouteForOutboundIpv4:
    Type: AWS::EC2::Route
    DependsOn: InternetGatewayAttachment
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway

  # Same, but for IPv6
  RouteForOutboundIpv6:
    Type: AWS::EC2::Route
    DependsOn: InternetGatewayAttachment
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationIpv6CidrBlock: ::/0
      GatewayId: !Ref InternetGateway

  # Every subnet must have a Network ACL:
  # firewall rules that determine which traffic
  # may enter and leave each subnet.
  # Here I create the ACL - a custom one starts with all traffic denied
  # in both directions.
  # Had the default NACL been kept instead of creating one by hand,
  # the default one allows all traffic in both directions
  PublicNetworkAcl:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: Public Network ACL

  # And here I associate it with the subnet
  PublicNACLAssociationToPublicIpv6SubnetA:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      NetworkAclId: !Ref PublicNetworkAcl
      SubnetId: !Ref PublicIpv6SubnetA

  # Allow IPv4 inbound traffic to subnet
  NACLAllowInboundIpv4:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref PublicNetworkAcl
      CidrBlock: 0.0.0.0/0
      RuleNumber: 100
      Protocol: -1
      RuleAction: allow
      Egress: false

  # Allow IPv6 inbound traffic to subnet
  NACLAllowInboundIpv6:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref PublicNetworkAcl
      Ipv6CidrBlock: ::/0
      RuleNumber: 101
      Protocol: -1
      RuleAction: allow
      Egress: false

  # Allow IPv4 egress traffic from subnet
  NACLAllowOutboundIpv4:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref PublicNetworkAcl
      CidrBlock: 0.0.0.0/0
      RuleNumber: 100
      Protocol: -1
      RuleAction: allow
      Egress: true

  # Allow IPv6 egress traffic from subnet
  NACLAllowOutboundIpv6:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref PublicNetworkAcl
      Ipv6CidrBlock: ::/0
      RuleNumber: 101
      Protocol: -1
      RuleAction: allow
      Egress: true

  # Instance security group: allow HTTP (TCP/80) from any IPv6 source.
  # Without this, the instance falls back to the VPC default security group,
  # which has no IPv6 ingress rule.
  SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: !Ref VPC
      GroupDescription: Security group for ec2 (http)
      SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 80
        ToPort: 80
        CidrIpv6: ::/0

  # Every instance has these prerequisites:
  # - an ImageId, i.e. which operating system to use
  # - a SubnetId, i.e. the segment of the internal network to attach to
  Instance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t3a.nano
      ImageId: !Ref LatestAmiId
      SubnetId: !Ref PublicIpv6SubnetA
      # Attach the IPv6-aware security group defined above
      SecurityGroupIds:
        - !Ref SecurityGroup
      Tags:
        - Key: Name
          Value: Istanza EC2
      UserData:
        Fn::Base64: |
          #!/bin/bash
          yum install httpd -y
          # Amazon Linux 2023 is systemd-based: enable at boot and start now
          systemctl enable --now httpd
          echo "<html><body><h1>Hello from DCT!</h1></body></html>" > /var/www/html/index.html
```
answered a month ago
reviewed a month ago
  • Also, when connecting from a browser, please do the following. If you do not surround the IPv6 address with "[]", you will not be able to connect from the browser.

    http://[ec2-ipv6-address]
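To see where an inbound IPv6 request is actually dropped, here is an added Python check (not code from the question or from either answer) that walks the three layers the answers go through, route table, Network ACL and security group, over constructed sample data shaped like the EC2 describe-* API responses. The group ids, gateway id and client address are made-up placeholders; it reproduces the accepted answer's finding that with the VPC default security group the security group is the only blocker, and that the port-80 `::/0` rule opens the path.

```python
import ipaddress

# Constructed sample data in the shape of describe-security-groups, describe-network-acls
# and describe-route-tables output, trimmed to the fields the check needs (ids are placeholders).
DEFAULT_SG = {"GroupId": "sg-default", "IpPermissions": [   # VPC default SG: only allows
    {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-default"}]}]}  # traffic from itself
HTTP_SG = {"GroupId": "sg-http", "IpPermissions": [         # SG from the accepted answer
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}
NACL = [{"RuleNumber": 101, "Protocol": "-1", "RuleAction": "allow", "Egress": e, "Ipv6CidrBlock": "::/0"}
        for e in (False, True)] + \
       [{"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": e, "Ipv6CidrBlock": "::/0"}
        for e in (False, True)]  # 32767 is the implicit '*' deny rule of every NACL
ROUTES = [{"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-0123"}]
CLIENT = ipaddress.ip_address("2001:db8::1")  # constructed external IPv6 client

def sg_allows(sg, addr, port, proto="tcp"):
    """Security groups are allow-only: any matching IPv6 rule lets the flow in."""
    for p in sg["IpPermissions"]:
        if p["IpProtocol"] not in ("-1", proto):
            continue
        if p["IpProtocol"] != "-1" and not p["FromPort"] <= port <= p["ToPort"]:
            continue
        if any(addr in ipaddress.ip_network(r["CidrIpv6"]) for r in p.get("Ipv6Ranges", [])):
            return True
    return False  # no IPv6 range matched (a rule referencing another SG does not help)

def nacl_allows(entries, addr, egress=False):
    """NACL entries are evaluated by ascending RuleNumber; the first matching entry decides."""
    for e in sorted(entries, key=lambda e: e["RuleNumber"]):
        if e["Egress"] != egress or "Ipv6CidrBlock" not in e or e["Protocol"] != "-1":
            continue  # IPv4 entries and per-protocol entries are out of scope for this check
        if addr in ipaddress.ip_network(e["Ipv6CidrBlock"]):
            return e["RuleAction"] == "allow"
    return False

def has_ipv6_igw_route(routes):
    return any(r.get("DestinationIpv6CidrBlock") == "::/0"
               and r.get("GatewayId", "").startswith("igw-") for r in routes)

def ipv6_http_blockers(sg, nacl, routes, client=CLIENT, port=80):
    """Names of the layers that stop an inbound IPv6 HTTP request; an empty list means reachable."""
    checks = [("route-table", has_ipv6_igw_route(routes)),
              ("nacl-inbound", nacl_allows(nacl, client)),
              ("nacl-outbound", nacl_allows(nacl, client, egress=True)),
              ("security-group", sg_allows(sg, client, port))]
    return [name for name, ok in checks if not ok]

if __name__ == "__main__":
    print("default SG:", ipv6_http_blockers(DEFAULT_SG, NACL, ROUTES))  # ['security-group']
    print("http SG:   ", ipv6_http_blockers(HTTP_SG, NACL, ROUTES))     # []
```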
