[prev in list] [next in list] [prev in thread] [next in thread]
List: nanog
Subject: Re: AWS and IPv6
From: William Herrin <bill () herrin ! us>
Date: 2021-11-29 2:23:03
Message-ID: CAP-guGUuiMDoW=9tH8+r5PAVbyPKAwdQZ7qn=0gvhuS-eZPTkQ () mail ! gmail ! com
[Download RAW message or body]
On Sun, Nov 28, 2021 at 4:13 PM William Herrin <bill@herrin.us> wrote:
> Yeah, they don't even have a practical way to implement a firewall
> instance for IPv6. Unless you want to mirror 1:many NAT for IPv6 like
> you do IPv4. You just can't route an IPv6 block to an instance. And
> with 1:many NAT you wouldn't want public IP addresses inside but AWS
> doesn't let you assign ULA addresses inside the subnet, only global
> addresses.
I stand corrected on this.
https://aws.amazon.com/blogs/aws/inspect-subnet-to-subnet-traffic-with-amazon-vpc-more-specific-routing/
https://aws.amazon.com/blogs/aws/new-vpc-ingress-routing-simplifying-integration-of-third-party-appliances/
This technique does in fact work for IPv6, allowing you to insert a
firewall at the edge. Interestingly though, it won't receive IPv6
packets for an address that isn't attached to a running instance in
the interior subnet.
Regards,
Bill Herrin
--
William Herrin
bill@herrin.us
https://bill.herrin.us/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic