web analytics

Archive for the ‘IPv6’ Category

Is the Public Cloud Ready for IPv6?

When connecting machines over the public Internet (or over private networks), we use IPv4 addresses.

For many years we heard about IPv4 address exhaustion or the fact that sometime in the future we will not able to request new IPv4 addresses to connect over the public Internet.

We all heard that IPv6 address space will resolve our problem, but is it?

In this blog post, I will try to compare common use cases for using cloud services and see if they are ready for IPv6.

Before we begin, when working with IPv6, we need to clarify what “Dual Stack” means – A device with dual-stack implementation in the operating system has an IPv4 and IPv6 address, and can communicate with other nodes in the LAN or the Internet using either IPv4 or IPv6.

Source: https://en.wikipedia.org/wiki/IPv6

Step 1 – Cloud Network Infrastructure

The first step in building our cloud environment begins with the network services.

The goal is to be able to create a network environment with subnets, an access control list, be able to create peering between cloud accounts (for the same cloud provider), and get ingress access to our cloud environment (either from the public Internet or from our on-premise data center).

Vendor documentation:

  • AWS VPC that supports IPv6 addressing


  • What is IPv6 for Azure Virtual Network?


  • Google VPC networks


Step 2 – Private Network Connectivity – Managed VPN Services

Now that we have a network environment in the cloud, how do we connect to it from our on-premise data center using Site-to-Site VPN?

Let us compare the cloud providers’ alternatives:

Vendor documentation:

  • Hybrid connectivity design – Amazon-managed VPN


  • Google Cloud VPN overview – IPv6 support


Step 3 – Private Network Connectivity – Dedicated Network Connections

Assuming we managed to create a VPN tunnel between our on-premise data center and the cloud environment, what happens if we wish to set up a dedicated network connection (and have low latency and promised bandwidth)?

Let us compare the cloud providers’ alternatives:

Vendor documentation:

  • Hybrid connectivity design – AWS Direct Connect


  • Add IPv6 support for private peering using the Azure portal


  • Create and manage ExpressRoute public peering


  • Can I reach my instances using IPv6 over Cloud Interconnect?


Step 4 – Private Network Connectivity – Resources on the subnet level

We have managed to provision the network environment in the cloud using IPv6.

What happens if we wish to connect to managed services using private network connectivity (inside the cloud provider’s backbone and not over the public Internet)?

Let us compare the cloud providers’ alternatives:

Vendor documentation:

  • Expedite your IPv6 adoption with PrivateLink services and endpoints


  • Create a Private Link service by using the Azure portal


Step 5 – Name Resolution – Managed DNS Service

In the previous step we configured network infrastructure, now, before provisioning resources, let us make sure we can access resources, meaning having a managed DNS service.

By name resolution, I mean both external customers over the public Internet and name resolution from our on-premise data centers.

Let us compare the cloud providers’ alternatives:

Vendor documentation:

  • Designing DNS for IPv6


  • Azure DNS FAQ


  • General Google Cloud DNS overview


Step 6 – Resource Provisioning – Compute (Virtual Machines)

In the previous steps we have set up the network infrastructure and name resolution, and now it is time to provision resources.

The most common resource we can find in IaaS is compute or virtual machines.

Let us compare the cloud providers’ alternatives:

Vendor documentation:

  • Amazon EC2 IPv6 addresses


  • Create an Azure Virtual Machine with a dual-stack network using the Azure portal


  • Configuring IPv6 for instances and instance templates


Step 7 – Resource Provisioning – Compute (Managed Kubernetes)

Another common use case is to provision containers based on a managed Kubernetes service.

Let us compare the cloud providers’ alternatives:

Vendor documentation:

  • Running IPv6 EKS Clusters


  • Use dual-stack kubenet networking in Azure Kubernetes Service (AKS) (Preview)


  • GKE – IPv4/IPv6 dual-stack networking


Step 8 – Resource Provisioning – Compute (Serverless / Function as a Service)

If we have already managed to provision VMs and containers, what about provisioning serverless or Function as a Service?

Let us compare the cloud providers’ alternatives:

Vendor documentation:

  • AWS Lambda now supports Internet Protocol Version 6 (IPv6) endpoints for inbound connections


Step 9 – Resource Provisioning – Managed Load Balancers

If we are planning to expose services either to the public internet or allow connectivity from our on-premise, we will need to use a managed load-balancer service.

Let us compare the cloud providers’ alternatives:

Vendor documentation:

  • Application Load Balancer and Network Load Balancer end-to-end IPv6 support


  • Overview of IPv6 for Azure Load Balancer


  • GCP – IPv6 termination for External HTTP(S), SSL Proxy, and External TCP Proxy Load Balancing


Step 10 – Resource Provisioning – Managed Object Storage

The next step after provisioning compute services is to allow us to store data in an object storage service.

Let us compare the cloud providers’ alternatives:

Vendor documentation:

  • Making requests to Amazon S3 over IPv6


Step 11 – Resource Provisioning – Managed Database Services

Most of the application we provision requires a backend database to store and retrieve data.

Let us compare the cloud providers’ alternatives:

Vendor documentation:

  • IPv6 addressing with Amazon RDS


  • Connectivity architecture for Azure SQL Managed Instance – Networking constraints


Step 12 – Protecting Network Access – Managed Firewall Services

If we are planning to expose services to the public Internet using IPv6 or allow access from on-premise, we need to consider a managed network firewall service.

Let us compare the cloud providers’ alternatives:

Vendor documentation:

  • AWS Network Firewall announces IPv6 support


Step 13 – Protecting Network Access – Managed DDoS Protection Services

On the topic of exposing services to the public Internet, we need to take into consideration protection against DDoS attacks.

Let us compare the cloud providers’ alternatives:

Vendor documentation:

  • AWS Shield FAQs


  • About Azure DDoS Protection SKU Comparison


  • Google Cloud Armor – Security policy overview


Step 14 – Protecting Network Access – Managed Web Application Firewall

We know that protection against network-based attacks is possible using IPv6.

What about protection against application-level attacks?

Let us compare the cloud providers’ alternatives:

Vendor documentation:

  • IPv6 Support Update – CloudFront, WAF, and S3 Transfer Acceleration


  • What is Azure Front Door?



In this blog post we have compared various cloud services, intending to answer the question – Is the public cloud ready for IPv6?

As we have seen, many cloud services do support IPv6 today (mostly in dual-stack mode), and AWS does seem to be more mature than its competitors, however, at the time of writing this post, the public cloud is not ready to handle IPv6-only services.

The day we will be able to develop cloud-native applications while allowing end-to-end IPv6-only addresses, in all layers (from the network, compute, database, storage, event-driven / message queuing, etc.), is the day we know the public cloud is ready to support IPv6.

For the time being, dual stack (IPv4 and IPv6) is partially supported by many services in the cloud, but we cannot rely on end-to-end connectivity.

Additional References

  • AWS services that support IPv6


  • An Introduction to IPv6 on Google Cloud


Hardening guide for Windows 2008 R2 Domain Controller and DNS Server

This guide explains how to install and configure Domain Controller and DNS server based on Windows 2008 R2 platform, for a new forest in a new domain.

Installation phase

  1. Install Windows 2008 R2 server (either standard of enterprise edition).
  2. Important note: The first domain controller in the forest root domain must be installed on physical hardware and not as a virtual server.

  3. Login for the first time to the new server, using administrator account.
  4. Start -> Run -> dcpromo.exe
  5. Click Next twice -> select “Create a new domain in a new forest” -> click Next -> specify the FQDN of the new forest root domain -> click Next -> on the forest functional level, choose “Windows Server 2008 R2” -> click Next -> leave “DNS server” select and click Next -> click “Yes” on the warning message -> choose a location for the database, logs and sysvol folders -> click Next -> specify complex password for the Directory Services Restore Mode administrator password (and document the password) -> click Next twice -> select “Reboot on completion”.
  6. Allow the server to restart when the installation process completes.
  7. Login to the new domain controller for the first time using domain administrator account.
  8. Start -> Run -> cmd.exe
  9. Write the commands bellow to synchronize the PDC emulator with external reliable time source:
    w32tm /config /computer:<> /manualpeerlist:time.windows.com /syncfromflags:manual /update


  10. Start -> Administrative Tools, right-click Active Directory Module for Windows PowerShell, and then click Run as administrator.
  11. Write the commands bellow to protect all OUs in the domain from accidental deletion:
    import-module activedirectory

    Get-ADOrganizationalUnit -filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true


  12. Server Manager -> right click on Features -> Add Features -> select “Windows Server Backup Features” -> click Next -> click Install -> click Close.
  13. Start -> Administrative Tools -> Windows Server Backup -> from the Actions pane, click on “Backup Schedule” -> click Next -> choose “Full server” -> Specify a backup time -> click Next -> click the check box for your destination disk -> click Next -> click Yes to confirm that the destination disk will be reformatted -> verify the label for the destination disk -> click Next -> verify the information on the Summary page -> click Finish -> On the Confirmation page -> click Close.
  14. Server Manager -> expand Roles -> expand DNS Server -> expand DNS -> expand the server name -> right click on “Reverse Lookup Zones” -> New Zone -> click Next -> choose “Primary zone” -> leave “Store the zone in Active Directory” checked -> click Next -> select “To all DNS Servers running on domain controllers in this forest” -> click Next -> choose “IPv4 Reverse Lookup Zone” -> click Next -> on the “Network ID” field, put the first 3 octats of the network segment the Domain controller resides in -> click Next -> select “Allow only secure dynamic updates” -> click Next -> click Finish.
  15. Perform the above step for all other network segments reside in your organization.
  16. From the left pane, expand the server name -> expand “Forward Lookup Zones” -> right click on each zone name -> Properties -> Name Servers tab -> make sure all Windows 2008 R2 DNS servers appear on this list (assuming you have installed more Windows 2008 R2 domain controllers with DNS service) -> Zone Transfers tab -> select “Allow zone transfers” -> select “Only to servers listed on the Name Servers tab” -> click OK.
  17. Perform the above step for all other “Forward Lookup zones” and “Reverse Lookup zones” in your forest.

IPv6 DNS settings

  1. In-order to configure IPv6 address for the DNS server, start -> Control Panel -> under “Network and Internet”, click on “View network status and tasks” -> click “Change adapter settings” -> right click on the relevant “Local Area Connection” icon -> Properties -> click on “Internet Protocol Version 6 (TCP/IPv6) -> Properties -> select “Use the following IPv6 address” -> if you are not familiar with IP addressing, you can use 2001:0db8:29cd:1a0f:857b:455b:b4ec:7403 -> enter a Subnet prefix length of 64 -> click OK -> click close.
  2. Server Manager -> expand Roles -> expand DNS Server -> expand DNS -> expand the server name -> expand “Reverse Lookup Zones” -> right click on “Reverse Lookup Zones” -> New Zone -> click Next -> choose “Primary Zone” -> click Next -> choose “To all DNS servers running on domain controllers in this forest” -> click Next -> choose “IPv6 Reverse Lookup Zone” -> click Next -> on the “IPv6 Address Prefix” field type the IPv6 subnet prefix (in this example: 2001:0db8:29cd:1a0f::/64) -> click Next -> select “Allow only secure dynamic updates” -> click Next -> click Finish.
  3. Right click on the new “Reverse Lookup Zone” -> properties -> Zone Transfers tab -> select “Allow zone transfers” -> select “Only to servers listed on the Name Servers tab” -> click OK.

IPv6 – Problem and some solutions

The Internet is about to face one of its most serious issues in its history: experts have warned that the Internet is running out of addresses, and may run out by 2011. At issue is slow adoption of a new system intended to vastly increase the available pool, further complicating matters.
Currently, the web uses IPv4 (Internet Protocol version 4). 32-bit numbers are used; meaning about 4 billion addresses are available. About 94 percent of them have already been allocated. There is a new system, however, called IPv6. That uses 128-bit numbers, and the number of available addresses skyrocket.
It is time to start migration from IPv4 to IPv6.

Here is couple of articles about the problem:


I have searched the web, and found articles about support and configuration of IPv6 on popular operating systems and applications:

Microsoft Announces IPv6 Technical Preview for Windows 2000:

Installing IPv6 on Windows XP

How IIS 6.0 Supports IPv6 (IIS 6.0)

Changes to IPv6 in Windows Vista and Windows Server 2008

Next Generation TCP/IP Stack in Windows Vista and Windows Server 2008

DNS Enhancements in Windows Server 2008

Support for IPv6 in Windows Server 2008 R2 and Windows 7

Using IPv6 with IIS7

IPv6 Support in Exchange 2007 SP1 and SP2

Red Hat / CentOS IPv6 Network Configuration

IPv6 on Fedora Core mini-HOWTO

Adding IPv6 to Ubuntu systems

Enabling IPv6 on a Network (Solaris 10)

Building a Linux IPv6 DNS Server

Networking IPv6 User Guide for J2SDK/JRE 1.4

Networking IPv6 User Guide for JDK/JRE 5.0

Apache Talking IPv6

How-to IPv6 in Globus Toolkit 3

Enabling IPv6 Support in Nginx

IPv6 Support in iOS 4

IPv6 – Cisco Systems

Cisco – IP version 6 Introduction

Hewlett-Packard Next Generation Internet Protocol version 6 (IPv6) web sites

EMC Product Support for IPv6

Nokia IPv6 How To