In a previous blog, we discussed how to go about planning an IPv6 network in Google Cloud. In this blog, we’ll show you how to migrate your existing Google Cloud network to IPv6. For the scope of this blog, we’ll limit the discussion to migrating your existing Compute Engine VM instances used for external access (to the internet) from IPv4 to dual-stack IPv6.
At a high level, the migration consists of the following steps:
Prerequisites:
Convert your existing VPC network to custom mode (if it’s currently an auto mode VPC network)
Ensure that there is no organization policy constraining the use of IPv6
Update the subnets in your VPC network to dual-stack
Update the Compute Engine VM instances to dual-stack
Create firewall rules to allow or deny IPv6 address ranges
Now, let’s take a look at each of these steps in more detail.
1. Prerequisites
Convert your existing VPC network to custom mode
Check the subnet mode of your VPC network as follows:
If the subnet mode of your network is auto mode, convert your VPC network to custom mode. Please be aware that the subnet mode cannot be switched back to auto mode after it has been updated to custom mode.
For more details on converting the subnet mode of your VPC, please refer to this link.
Note: You can configure a VPC network with dual-stack subnets only if the subnet mode is set to custom; IPv6 addressing is not available if the subnet mode is set to automatic.
Ensure that there is no organization policy constraining the use of IPv6
By default, the organization policy constraints constraints/compute.disableAllIpv6 and constraints/compute.disableVpcExternalIpv6 are both set to “false”. If either of these constraints is set to “true”, the use of external IPv6 is disabled.
If you have an Organization configured and hold the Organization Policy Administrator IAM role (roles/orgpolicy.policyAdmin) in the organization, then check the status of your organization policies with the following commands:
If any of the above constraints are set to “true”, then you can disable these constraints as follows:
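The prerequisite checks and changes described above (subnet mode, one-way conversion to custom mode, and the two IPv6 organization policy constraints), as an added example script that is not part of the original post. The network name my-vpc and the organization ID 123456789012 are placeholders; the gc wrapper prints the gcloud command lines instead of running them when DRY_RUN=1, so the script can be reviewed before it touches a project.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Placeholders: my-vpc, 123456789012.
set -eu

# gc: run gcloud, or only print the command line when DRY_RUN=1.
gc() { if [ "${DRY_RUN:-0}" = "1" ]; then echo "gcloud $*"; else gcloud "$@"; fi; }

# Print the subnet mode (AUTO or CUSTOM) of a VPC network.
# 'gcloud compute networks describe' reports it as x_gcloud_subnet_mode.
subnet_mode() {
  gc compute networks describe "$1" --format="value(x_gcloud_subnet_mode)"
}

# Convert an auto mode network to custom mode. This is one-way (there is no
# switch back to auto mode), so the function refuses unless the caller confirms.
convert_to_custom_mode() {
  local net=$1 confirm=${2:-no}
  if [ "$confirm" != "yes" ]; then
    echo "refusing: converting $net to custom mode cannot be undone" >&2
    return 1
  fi
  gc compute networks update "$net" --switch-to-custom-subnet-mode
}

# Show how one boolean IPv6 constraint is set on the organization.
# Requires the Organization Policy Administrator role (roles/orgpolicy.policyAdmin).
describe_ipv6_constraint() {
  gc resource-manager org-policies describe "$1" --organization="$2"
}

# Stop enforcing a boolean constraint (sets it back to "false").
disable_ipv6_constraint() {
  gc resource-manager org-policies disable-enforce "$1" --organization="$2"
}

# Report both constraints named in the post and, if asked, disable them.
check_ipv6_constraints() {
  local org=$1 fix=${2:-no} c
  for c in compute.disableAllIpv6 compute.disableVpcExternalIpv6; do
    describe_ipv6_constraint "$c" "$org"
    if [ "$fix" = "yes" ]; then disable_ipv6_constraint "$c" "$org"; fi
  done
}

if [ "$#" -gt 0 ]; then
  # usage: DRY_RUN=1 ./ipv6-prereqs.sh my-vpc 123456789012
  subnet_mode "$1"
  convert_to_custom_mode "$1" yes
  check_ipv6_constraints "$2" yes
fi
```

Run it once with DRY_RUN=1 to see exactly which commands will be issued; the custom-mode conversion is the only irreversible step, which is why it needs an explicit "yes".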
2. Updating subnets in your VPC network to dual-stack
Each VPC network consists of one or more IP address ranges called subnets. Subnets are regional resources, and have IP address ranges associated with them. A dual-stack subnet has both IPv4 and IPv6 address ranges associated with it.
When you migrate a subnet to dual-stack for external access, its IPv6 range comes from global unicast address (GUA) space. You can use external IPv6 addresses both for VM-to-VM communication within VPC networks and for access to the internet. Each dual-stack subnet is automatically assigned a /64 IPv6 range.
You can modify your existing subnet to support IPv6 ranges for external access as follows:
Google Cloud automatically configures an IPv6 default route (::/0) for the VPC network when your subnet is updated to a dual-stack subnet. This IPv6 default route can be deleted if you want to block all IPv6 traffic from this VPC network to the internet. You can also recreate the route if required.
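The subnet update and the handling of the automatic IPv6 default route described above, as an added example that is not part of the original post. The names my-subnet, us-central1, my-vpc and the route name are placeholders; the auto-created ::/0 route has a Google-generated name, so the script looks it up rather than assuming one. As before, DRY_RUN=1 prints the commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Placeholders: my-subnet, us-central1, my-vpc.
set -eu

# gc: run gcloud, or only print the command line when DRY_RUN=1.
gc() { if [ "${DRY_RUN:-0}" = "1" ]; then echo "gcloud $*"; else gcloud "$@"; fi; }

# Turn an IPv4-only subnet into a dual-stack subnet with an external (GUA)
# IPv6 range. Google assigns the /64; you do not choose it.
subnet_to_dual_stack() {
  local subnet=$1 region=$2
  gc compute networks subnets update "$subnet" --region="$region" \
    --stack-type=IPV4_IPV6 --ipv6-access-type=EXTERNAL
}

# Print the /64 that was assigned; you will need it for firewall rules later.
subnet_ipv6_range() {
  gc compute networks subnets describe "$1" --region="$2" --format="value(externalIpv6Prefix)"
}

# Find the ::/0 route(s) in a network, which includes the automatic IPv6
# default route created when the first subnet became dual-stack.
list_ipv6_default_routes() {
  gc compute routes list --filter="network~$1 AND destRange=::/0" --format="value(name)"
}

# Block all IPv6 traffic from the VPC to the internet by deleting that route.
delete_ipv6_default_route() {
  gc compute routes delete "$1" --quiet
}

# Recreate it: a ::/0 route whose next hop is the default internet gateway.
recreate_ipv6_default_route() {
  local name=$1 net=$2
  gc compute routes create "$name" --network="$net" --destination-range=::/0 \
    --next-hop-gateway=default-internet-gateway
}

if [ "$#" -gt 0 ]; then
  # usage: DRY_RUN=1 ./ipv6-subnet.sh my-subnet us-central1
  subnet_to_dual_stack "$1" "$2"
  subnet_ipv6_range "$1" "$2"
fi
```

Deleting the default route is a coarse kill switch for IPv6 egress from the whole VPC; if you only need to restrict particular VMs, an egress firewall rule is the narrower tool.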
3. Updating Compute Engine VM instances to dual-stack
The next step is to update your Compute Engine VM instances to dual-stack. If you’re changing the stack type to dual-stack, the VM must be connected to a dual-stack subnet. If you need to change the subnet for a VM, you must first stop the VM and change the subnet. After the subnet is updated, you can change the VM’s IP stack type.
An IPv6 /96 address range is allocated to the VM when the stack type is updated to dual-stack.
By default, Google Cloud uses DHCPv6 to assign the first /128 address (e.g. 2600:1900:4000:4180::/128) to the VM interface and creates an Auto-DNS AAAA record for this first /128. For more information on how to utilize the /96 address allocation to each VM, please refer to our last IPv6 blog.
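The VM update described above, as an added example that is not part of the original post. It covers the two paths the text describes: switching nic0 to dual-stack when the VM is already on a dual-stack subnet, and the stop, move, start sequence when it is not. The names my-vm, us-central1-a, my-vpc and my-subnet are placeholders, and the caller passes in the subnet's stack type (from the subnets describe output) so the guard can be exercised with DRY_RUN=1.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Placeholders: my-vm, us-central1-a, my-vpc, my-subnet.
set -eu

# gc: run gcloud, or only print the command line when DRY_RUN=1.
gc() { if [ "${DRY_RUN:-0}" = "1" ]; then echo "gcloud $*"; else gcloud "$@"; fi; }

# Switch nic0 of a VM to dual-stack. Refuses unless the subnet's stack type
# (passed in by the caller) is IPV4_IPV6, since the VM must first be moved
# to a dual-stack subnet; a /96 is allocated to the VM on success.
vm_to_dual_stack() {
  local vm=$1 zone=$2 subnet_stack=$3
  if [ "$subnet_stack" != "IPV4_IPV6" ]; then
    echo "refusing: $vm is on a subnet with stack type $subnet_stack" >&2
    return 1
  fi
  gc compute instances network-interfaces update "$vm" --zone="$zone" \
    --network-interface=nic0 --stack-type=IPV4_IPV6
}

# Move a VM to another subnet. The VM has to be stopped for this change.
move_vm_to_subnet() {
  local vm=$1 zone=$2 net=$3 subnet=$4
  gc compute instances stop "$vm" --zone="$zone"
  gc compute instances network-interfaces update "$vm" --zone="$zone" \
    --network-interface=nic0 --network="$net" --subnetwork="$subnet"
  gc compute instances start "$vm" --zone="$zone"
}

# Print the external IPv6 address and prefix length (96) allocated to nic0;
# the first /128 of that range is what DHCPv6 hands to the guest.
vm_ipv6_allocation() {
  gc compute instances describe "$1" --zone="$2" \
    --format="value(networkInterfaces[0].ipv6AccessConfigs[0].externalIpv6,networkInterfaces[0].ipv6AccessConfigs[0].externalIpv6PrefixLength)"
}

if [ "$#" -gt 0 ]; then
  # usage: DRY_RUN=1 ./ipv6-vm.sh my-vm us-central1-a IPV4_IPV6
  vm_to_dual_stack "$1" "$2" "$3"
  vm_ipv6_allocation "$1" "$2"
fi
```

After the update, compare vm_ipv6_allocation's output with what the guest actually configured (for example with ip -6 addr inside the VM) to confirm DHCPv6 picked up the first /128.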
4. Creating firewall rules for IPv6 address ranges
When you enable IPv6, the following two rules are implied and automatically created for the VPC network:
An implied IPv6 allow egress rule to destination ::/0 to allow egress traffic to the internet
An implied IPv6 deny ingress rule with source ::/0 to deny ingress traffic to all VM instances in the VPC network, thus blocking incoming connections to them
You can also create custom firewall rules to allow or deny specific traffic in your VPC network. Here are a few examples:
Use the following command to allow incoming connections to VM instances from other VM instances within the same VPC network:
In the above example, the IPv6 address range 2600:1900:4000:4180::/64 represents an IPv6 subnet in your VPC.
Here’s how to allow incoming HTTP or HTTPS connections to your VM instances:
Or allow incoming SSH, RDP and ping (ICMPv6) connections to your VM instances:
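The three custom firewall rules described above (VM-to-VM within the VPC, HTTP/HTTPS, and SSH/RDP/ping), as an added example that is not part of the original post. The network name my-vpc, the rule names and the target tag web are placeholders; the subnet range 2600:1900:4000:4180::/64 is the one used in the text. The admin rule takes its source range as an argument so it can be scoped to a known range instead of ::/0; with DRY_RUN=1 the commands are printed rather than executed.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Placeholders: my-vpc, rule names, tag "web".
set -eu

# gc: run gcloud, or only print the command line when DRY_RUN=1.
gc() { if [ "${DRY_RUN:-0}" = "1" ]; then echo "gcloud $*"; else gcloud "$@"; fi; }

# Generic IPv6 ingress-allow rule. A rule's source ranges must be all IPv4 or
# all IPv6, so IPv6 rules are created separately from the existing IPv4 ones.
allow_ingress() {
  local name=$1 net=$2 rules=$3 src=$4 tags=${5:-}
  set -- compute firewall-rules create "$name" --network="$net" --direction=INGRESS \
         --action=ALLOW --rules="$rules" --source-ranges="$src" --priority=1000
  if [ -n "$tags" ]; then set -- "$@" --target-tags="$tags"; fi
  gc "$@"
}

# 1. VM-to-VM over IPv6 inside the VPC: allow all protocols from the subnet's /64.
allow_internal_ipv6() {
  allow_ingress allow-ipv6-internal "$1" all "$2"
}

# 2. HTTP and HTTPS from anywhere on IPv6, but only to VMs tagged "web".
allow_web_ipv6() {
  allow_ingress allow-ipv6-web "$1" tcp:80,tcp:443 ::/0 web
}

# 3. SSH, RDP and ICMPv6 (IP protocol 58, which carries ping) from the given
#    source range; pass ::/0 only if you really want them reachable from everywhere.
allow_admin_ipv6() {
  allow_ingress allow-ipv6-admin "$1" tcp:22,tcp:3389,58 "$2"
}

if [ "$#" -gt 0 ]; then
  # usage: DRY_RUN=1 ./ipv6-firewall.sh my-vpc 2600:1900:4000:4180::/64 2001:db8::/32
  allow_internal_ipv6 "$1" "$2"
  allow_web_ipv6 "$1"
  allow_admin_ipv6 "$1" "$3"
fi
```

The implied IPv6 deny-ingress rule stays in place underneath these; anything you do not allow explicitly is still dropped, so the admin rule's source range is the main thing to get right.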
Moving to IPv6 can be overwhelming. In this blog, we’ve demonstrated that it can be easy to migrate your Google Cloud workloads to IPv6 and establish connectivity to the internet. To learn more about how to get started with IPv6 in Google Cloud, please refer to the documentation.