Amazon Elastic Kubernetes Service Provides IPv6 Networking


Starting today, you can deploy applications that use IPv6 address space on Amazon Elastic Kubernetes Service (EKS).

Many of our customers are standardizing on Kubernetes as their compute infrastructure platform for cloud and on-premises applications. Amazon EKS makes it easy to deploy containerized workloads. It provides highly available clusters and automates tasks such as patching, node provisioning, and updates.

Kubernetes uses a flat networking model that requires every pod to receive an IP address. This simplified approach allows low-friction porting of applications from virtual machines to containers, but it requires a large number of IP addresses that many private VPC IPv4 networks are not equipped to handle. Some cluster administrators work around this IPv4 space limitation by installing container network plugins (CNI) that virtualize IP addresses a layer above the VPC, but this architecture limits an administrator's ability to effectively observe and troubleshoot applications and has a negative impact on network performance at scale. Further, to communicate with internet services outside the VPC, traffic from IPv4 pods is routed through multiple network hops before reaching its destination, which adds latency and puts a strain on network engineering teams who need to maintain complex routing setups.

To avoid IP address exhaustion, minimize latency at scale, and simplify routing configuration, the solution is to use IPv6 address space.

IPv6 is not new. In 1996, I bought my first book on "IPng, Internet Protocol Next Generation", as it was called 25 years ago. It provides a 128-bit address space, allowing 3.4 x 10^38 possible IP addresses for our devices, servers, or containers. We could assign an IPv6 address to every atom on the surface of the planet and still have enough addresses left to do another 100-plus Earths.

There are several advantages to using Amazon EKS clusters with an IPv6 network. First, you can run more pods on a single host or subnet without the risk of exhausting all the IPv4 addresses available in your VPC. Second, it allows lower-latency communication with other IPv6 services, running on-premises, on AWS, or on the internet, by avoiding an extra NAT hop. Third, it relieves network engineers of the burden of maintaining complex routing configurations.

Kubernetes cluster administrators can focus on migrating and scaling applications without spending effort working around IPv4 limits. Finally, pod networking is configured so that pods can communicate with IPv4-based applications outside the cluster, allowing you to adopt the benefits of IPv6 on Amazon EKS without requiring that all dependent services deployed across your organization are first migrated to IPv6.

As usual, I built a short demo to show you how it works.

How It Works
Before I get started, I create an IPv6 VPC. I use this CDK script to create an IPv6-enabled VPC in a few minutes (thanks Angus Lees for the code). Just install CDK v2 (npm install -g aws-cdk@next) and deploy the stack (cdk bootstrap && cdk deploy).

Once the VPC with IPv6 is created, I use the console to configure auto-assignment of IPv6 addresses to resources deployed in the public subnets (I do this for each public subnet).

(Screenshot: enabling auto-assignment of IPv6 addresses on the subnet)

I take note of the subnet IDs created by the CDK script above (they are listed in the output of the script) and define a few variables I'll use throughout the demo. I also create a cluster IAM role and a node IAM role, as described in the Amazon EKS documentation. If you already have clusters deployed, these two roles already exist.

I open a Terminal and type:


Next, I create an Amazon EKS IPv6 cluster. In a terminal, I type:

aws eks create-cluster --cli-input-json "{
\"name\": \"${CLUSTER_NAME}\",
\"version\": \"1.21\",
\"roleArn\": \"${CLUSTER_ROLE_ARN}\",
\"resourcesVpcConfig\": {
    \"subnetIds\": [
        \"${SUBNET1}\", \"${SUBNET2}\"
    ],
    \"endpointPublicAccess\": true,
    \"endpointPrivateAccess\": true
},
\"kubernetesNetworkConfig\": {
    \"ipFamily\": \"ipv6\"
}
}"

{
    "cluster": {
        "name": "AWSNewsBlog",
        "arn": "arn:aws:eks:us-west-2:486652066693:cluster/AWSNewsBlog",
        "createdAt": "2021-11-02T17:29:32.989000+01:00",
        "version": "1.21",

... redacted for brevity ...

        "status": "CREATING",
        "certificateAuthority": {},
        "platformVersion": "eks.4",
        "tags": {}
    }
}

I use describe-cluster while waiting for the cluster to be created. When the cluster is ready, it has "status": "ACTIVE".

aws eks describe-cluster --name "${CLUSTER_NAME}"

Then I create a node group:

aws eks create-nodegroup                        \
        --cluster-name ${CLUSTER_NAME}          \
        --nodegroup-name AWSNewsBlog-nodegroup  \
        --node-role ${NODE_ROLE_ARN}            \
        --subnets "${SUBNET1}" "${SUBNET2}"     \
        --remote-access ec2SshKey=${KEYPAIR_NAME}
{
    "nodegroup": {
        "nodegroupName": "AWSNewsBlog-nodegroup",
        "nodegroupArn": "arn:aws:eks:us-west-2:0123456789:nodegroup/AWSNewsBlog/AWSNewsBlog-nodegroup/3ebe70c7-6c45-d498-6d42-4001f70e7833",
        "clusterName": "AWSNewsBlog",
        "version": "1.21",
        "releaseVersion": "1.21.4-20211101",

        "status": "CREATING",
        "capacityType": "ON_DEMAND",

... redacted for brevity ...

    }
}


Once the node group is created, I see two EC2 instances in the console. I use the AWS Command Line Interface (CLI) to verify that the instances received an IPv6 address:

aws ec2 describe-instances --query "Reservations[].Instances[? State.Name == 'running' ][].NetworkInterfaces[].Ipv6Addresses" --output text


I use the kubectl command to verify the cluster from a Kubernetes perspective.

kubectl get nodes -o wide

NAME   STATUS   ROLES    AGE     VERSION               INTERNAL-IP                              EXTERNAL-IP    OS-IMAGE         KERNEL-VERSION                CONTAINER-RUNTIME
       Ready    <none>   2d13h   v1.21.4-eks-033ce7e   2600:1f13:812:0000:0000:0000:0000:2263   Amazon Linux 2   5.4.149-73.259.amzn2.x86_64   docker://20.10.7
       Ready    <none>   2d13h   v1.21.4-eks-033ce7e   2600:1f13:812:0000:0000:0000:0000:7f3e   Amazon Linux 2   5.4.149-73.259.amzn2.x86_64   docker://20.10.7

Then I deploy a Pod. I follow these steps in the EKS documentation. It deploys a sample nginx web server.

kubectl create namespace aws-news-blog
namespace/aws-news-blog created

# sample-service.yml is available at
kubectl apply -f sample-service.yml
service/my-service created
deployment.apps/my-deployment created

kubectl get pods -n aws-news-blog -o wide
NAME                             READY   STATUS    RESTARTS   AGE   IP                           NODE                                       NOMINATED NODE   READINESS GATES
my-deployment-5dd5dfd6b9-7rllg   1/1     Running   0          17m   2600:0000:0000:0000:405b::2   <none>           <none>
my-deployment-5dd5dfd6b9-h6mrt   1/1     Running   0          17m   2600:0000:0000:0000:46f9::   <none>           <none>
my-deployment-5dd5dfd6b9-mrkfv   1/1     Running   0          17m   2600:0000:0000:0000:46f9::1   <none>           <none>

I take note of the IPv6 address of my pods and try to connect to it from my laptop. As my internet service provider does not give me an IPv6 address at home yet, the connection fails. This is expected, since the pods do not have an IPv4 address at all. Notice the -g option, which tells curl not to treat the : in the bracketed IP address as the separator for the port number, and -6, which tells curl to connect over IPv6 only (required when you give curl a DNS hostname).

curl -g -6 http://[2600:0000:0000:35000000:46f9::1]
curl: (7) Couldn't connect to server

To test IPv6 connectivity, I start a dual-stack (IPv4 and IPv6) EC2 instance in the same VPC as the cluster. I connect to the instance over SSH and try the curl command again. This time I receive the default HTML page served by nginx. IPv6 connectivity to the pod works!

curl -g -6 http://[2600:0000:0000:35000000:46f9::1]
<!DOCTYPE html>
<title>Welcome to nginx!</title>

... redacted for brevity ...

<p><em>Thank you for using nginx.</em></p>

If it doesn't work for you, verify the three parameters that enable internet access for a subnet: does your VPC have an Internet Gateway? Does the route table attached to the subnet have a default route (::/0) to the Internet Gateway? Does the security group for the cluster EC2 nodes have a rule allowing incoming connections on TCP port 80 from ::/0? The Internet Gateway and the route table are automatically configured by the CDK script I provided as part of this demo.
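To make those three checks repeatable, here is an added example (not from the original post or the EKS project) that evaluates them against the JSON returned by aws ec2 describe-internet-gateways, describe-route-tables and describe-security-groups. The embedded responses and the vpc-/subnet-/igw-/sg- IDs are constructed placeholders; the field names are the ones the EC2 API returns.

```python
import json

# Constructed sample responses shaped like the AWS CLI's JSON output; the IDs
# are hypothetical placeholders, replace them with your own describe-* output.
IGWS = json.loads('{"InternetGateways": [{"InternetGatewayId": "igw-0example", '
                  '"Attachments": [{"VpcId": "vpc-0example", "State": "available"}]}]}')
ROUTE_TABLES = json.loads('{"RouteTables": [{"RouteTableId": "rtb-0example", '
    '"Associations": [{"SubnetId": "subnet-0public"}], '
    '"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}, '
    '{"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-0example", "State": "active"}]}]}')
SECURITY_GROUPS = json.loads('{"SecurityGroups": [{"GroupId": "sg-0example", '
    '"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, '
    '"IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}]}')

def igw_attached(igws, vpc_id):
    """Check 1: an Internet Gateway is attached to the VPC and available."""
    return any(a.get("VpcId") == vpc_id and a.get("State") == "available"
               for g in igws["InternetGateways"] for a in g.get("Attachments", []))

def ipv6_default_route(route_tables, subnet_id):
    """Check 2: the route table that applies to the subnet sends ::/0 to an IGW."""
    tables = route_tables["RouteTables"]
    rt = next((t for t in tables if any(a.get("SubnetId") == subnet_id
                                        for a in t.get("Associations", []))), None)
    if rt is None:  # no explicit association: the VPC's main route table applies
        rt = next((t for t in tables if any(a.get("Main") for a in t.get("Associations", []))), None)
    if rt is None:
        return False
    return any(r.get("DestinationIpv6CidrBlock") == "::/0"
               and r.get("GatewayId", "").startswith("igw-")
               and r.get("State", "active") == "active" for r in rt.get("Routes", []))

def ipv6_ingress_allowed(sgs, port, proto="tcp"):
    """Check 3: a security group rule admits IPv6 traffic to `port` from ::/0."""
    for sg in sgs["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if perm["IpProtocol"] not in (proto, "-1"):
                continue
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            in_range = perm["IpProtocol"] == "-1" or lo <= port <= hi
            if in_range and any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", [])):
                return True
    return False

def check_subnet(igws, route_tables, sgs, vpc_id, subnet_id, port=80):
    """Run the three checks from the text; a False entry names what to fix."""
    return {"igw_attached": igw_attached(igws, vpc_id),
            "ipv6_default_route": ipv6_default_route(route_tables, subnet_id),
            "ipv6_ingress_allowed": ipv6_ingress_allowed(sgs, port)}
```

Feed the real command output (with --output json) into the three loaders and call check_subnet with your VPC and subnet IDs; the first False in the result is the parameter to fix.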

A Few Things to Remember
Before I wrap up, I'd like to answer some common questions received from customers who have already experimented with this new capability:

Pricing and Availability
IPv6 support for your Amazon Elastic Kubernetes Service (EKS) cluster is available today in all AWS Regions where Amazon EKS is available, at no additional cost.

Go try it out and build your first IPv6 cluster today.

— seb