Update on IPv6 Support – CloudFront, WAF, and S3 Transfer Acceleration

Update October 1, 2021

This article has been revised to remove obsolete S3 buckets.

Following our recent announcement regarding IPv6 support for Amazon S3, I am pleased to share that IPv6 functionality is now available for Amazon CloudFront, Amazon S3 Transfer Acceleration, and AWS WAF. All of our 60+ CloudFront edge locations are now IPv6 compatible. We are implementing IPv6 in a phased rollout starting today, which will gradually cover all networks over the next few weeks.

IPv6 Support for CloudFront

You can now activate IPv6 support for specific Amazon CloudFront distributions. Viewers and networks connecting to a CloudFront edge location via IPv6 will automatically receive content through this protocol. Those using IPv4 will continue to operate as before, with connections to your origin servers still utilizing IPv4.

Newly created distributions will have IPv6 support enabled by default; you can modify an existing distribution by selecting the “Enable IPv6” option in the console or through the CloudFront API.

Here are some important points to consider regarding this new feature:

  • Alias Records – Once you enable IPv6 for a distribution, the DNS entry will be updated to include an AAAA record. If you’re using Amazon Route 53 with an alias record to map part or all of your domain to the distribution, you will need to add an AAAA alias to the domain.
  • Log Files – If you have enabled CloudFront Access Logs, IPv6 addresses will begin appearing in the c-ip field; ensure that your log processing system is equipped to handle them.
  • Trusted Signers – For those using Trusted Signers alongside an IP address whitelist, we strongly advise maintaining a separate IPv4-only distribution for URLs with an IP whitelist while using a combined IPv4/IPv6 distribution for the content. This helps avoid complications that could arise if the signing request is sent over an IPv4 address but the content request is made via an IPv6 address not included in the whitelist.
  • CloudFormation – Support for CloudFormation is forthcoming. With the current launch, distributions created from a CloudFormation template will not be IPv6 enabled. Existing stacks will maintain their current settings for any referenced distributions.
  • AWS WAF – If you’re using AWS WAF in conjunction with CloudFront, be sure to update your WebACLs and IP rulesets accordingly to whitelist or blacklist IPv6 addresses.
  • Forwarded Headers – When you enable IPv6 for a distribution, the X-Forwarded-For header sent to the origin will contain an IPv6 address. Ensure that the origin can process headers in this format.
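
The Log Files and AWS WAF points above, as an added example (not code from the original post or from AWS): a log processor that accepts both address families in c-ip, puts each address into canonical form, and checks it against an allowlist. The log excerpt, its shortened field list and the allowlist ranges are constructed for illustration and use documentation address ranges only.

```python
import ipaddress

# Constructed sample in the shape of a CloudFront access log: a "#Fields:"
# header followed by tab-separated records. The field list is shortened.
SAMPLE_LOG = (
    "#Version: 1.0\n"
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status\n"
    "2016-10-06\t01:02:03\t192.0.2.10\tGET\t/index.html\t200\n"
    "2016-10-06\t01:02:04\t2001:db8:0:0:0:0:0:1\tGET\t/admin\t200\n"
    "2016-10-06\t01:02:05\t::ffff:192.0.2.10\tGET\t/admin\t200\n"
    "2016-10-06\t01:02:06\t2001:db8:ffff::5\tGET\t/admin\t200\n"
    "2016-10-06\t01:02:07\tnot-an-ip\tGET\t/\t400\n"
)

# Constructed allowlist (assumption): one IPv4 and one IPv6 network.
ALLOWED = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8::/48")]


def normalize(text):
    """Parse an IPv4 or IPv6 literal; return None if it is not an address."""
    try:
        addr = ipaddress.ip_address(text.strip().strip("[]"))
    except ValueError:
        return None
    # An IPv4-mapped IPv6 address is the same client as the embedded IPv4 one.
    mapped = getattr(addr, "ipv4_mapped", None)
    return mapped if mapped is not None else addr


def is_allowed(addr, networks=ALLOWED):
    # Compare only against networks of the same IP version.
    return any(addr.version == n.version and addr in n for n in networks)


def classify(log_text):
    """Return (c-ip as logged, canonical form, verdict) for each record."""
    fields, out = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # locate c-ip by name, not by position
        elif line and not line.startswith("#"):
            raw = dict(zip(fields, line.split("\t")))["c-ip"]
            addr = normalize(raw)
            verdict = "unparsed" if addr is None else (
                "allowed" if is_allowed(addr) else "not-listed")
            out.append((raw, str(addr) if addr else None, verdict))
    return out
```

Comparing canonical forms rather than the logged strings keeps the uncompressed and IPv4-mapped spellings of an address from being treated as different clients.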

For further details, check out this blog post on IPv6 support for Amazon CloudFront.

AWS WAF IPv6 Support

AWS WAF now protects your applications from application-layer attacks. It can inspect requests arriving via both IPv4 and IPv6 addresses. You can create web ACLs that specifically match IPv6 addresses, as detailed in the section on Working with IP Match Conditions.

All existing WAF features will remain functional with IPv6, and there will be no noticeable performance differences. IPv6 addresses will appear in the Sampled Requests collected by WAF.

S3 Transfer Acceleration IPv6 Support

S3 Transfer Acceleration, a significant new feature in S3, now supports IPv6. To utilize it, simply switch to the new dual-stack endpoint for uploads. Just change:

https://<Your-Bucket>.s3-accelerate.amazonaws.com

to

https://<Your-Bucket>.s3-accelerate.dualstack.amazonaws.com

Here’s a code snippet using the AWS SDK for Java to create a client object and enable dual-stack transfer:

// Create an S3 client, then enable the dual-stack endpoint together with Transfer Acceleration
AmazonS3Client s3 = new AmazonS3Client();
s3.setS3ClientOptions(S3ClientOptions.builder().enableDualstack().setAccelerateModeEnabled(true).build());

Most applications and network stacks should favor IPv6 automatically without additional configuration. However, it’s advisable to review the IAM policies for your buckets to ensure compatibility with IPv6 addresses. For more information, you can read about Making Requests to Amazon S3 over IPv6.

Testing is Key

Remember, if IPv6 connectivity is limited or unavailable in any AWS region, IPv4 will be used instead. Also, while client systems can be configured for IPv6, they may be connected to networks that do not route IPv6 packets to the Internet. Therefore, we recommend conducting thorough application-level testing of end-to-end connectivity before fully transitioning to IPv6.

— Alex
