IPv6 Migration Engineering
Plan and execute IPv6 migration for modern infrastructure. Covers dual-stack architecture, IPv6 addressing, DNS considerations, cloud provider IPv6 support, security implications, and the patterns that make IPv6 adoption smooth and reversible.
IPv4 addresses are exhausted. NAT has been the band-aid for 30 years, but it adds complexity, breaks end-to-end connectivity, and creates operational overhead. IPv6 provides 340 undecillion addresses, eliminates NAT, simplifies routing, and is increasingly required by cloud providers, mobile networks, and compliance standards.
Why Migrate Now
IPv4 Exhaustion:
- ARIN (North America): Exhausted April 2015
- RIPE (Europe): Exhausted November 2019
- APNIC (Asia): Exhausted April 2011
Getting new IPv4 addresses:
- Buy from broker: $40-60 per address
- AWS charges $0.005/hr per public IPv4 ($43.80/year)
IPv6 Incentives:
- AWS: IPv6 addresses are free (IPv4 now charged)
- GCP: IPv6-only VMs cheaper
- Mobile carriers: 60%+ traffic is IPv6
- CDNs: Better performance on IPv6
Apple App Store requirement:
- Must support IPv6-only networks since 2016
Dual-Stack Architecture
Dual-stack: Run IPv4 AND IPv6 simultaneously
Most common migration strategy
No "big bang" cutover
```
          Internet
             │
      ┌──────┴──────┐
      │Load Balancer│  ← Dual-stack (A + AAAA records)
      │ IPv4 + IPv6 │
      └──────┬──────┘
             │
      ┌──────┴──────┐
      │ Application │  ← Internal: IPv6-only or dual-stack
      │   Servers   │
      └──────┬──────┘
             │
      ┌──────┴──────┐
      │  Database   │  ← Internal: IPv6-only
      └─────────────┘
```
DNS Configuration:
app.example.com A 93.184.216.34 (IPv4)
app.example.com AAAA 2606:2800:220:1:: (IPv6)
Happy Eyeballs: Clients try both simultaneously
Prefer IPv6 if both respond within 25ms
IPv6 Addressing
IPv6 Address Structure:
```
2001:0db8:85a3:0000:0000:8a2e:0370:7334
└─────┬──────┘ └┬─┘ └────────┬────────┘
    Prefix    Subnet     Interface
  (48 bits) (16 bits)    (64 bits)
```
/48: Organization allocation (65,536 subnets)
/64: Standard subnet (18 quintillion hosts per subnet)
/128: Single host
VPC Design:
Organization: 2001:db8::/48 (from provider)
Subnets:
Production: 2001:db8:0:1::/64
Staging: 2001:db8:0:2::/64
Dev: 2001:db8:0:3::/64
Management: 2001:db8:0:ff::/64
No NAT needed! Every host gets a globally unique address.
Security: With no NAT in the path, isolation has to come from security groups/NACLs, so filter inbound IPv6 traffic explicitly.
Cloud Provider IPv6
```hcl
# AWS VPC with dual-stack
resource "aws_vpc" "main" {
  cidr_block                       = "10.0.0.0/16"
  assign_generated_ipv6_cidr_block = true # AWS assigns /56
  enable_dns_support               = true
  enable_dns_hostnames             = true
}

resource "aws_subnet" "public" {
  vpc_id     = aws_vpc.main.id
  cidr_block = "10.0.1.0/24"
  # Carve a /64 out of the VPC's /56 (8 extra prefix bits, subnet index 1)
  ipv6_cidr_block                 = cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, 1)
  assign_ipv6_address_on_creation = true
}

# Security group referenced by the rule below
resource "aws_security_group" "web" {
  name   = "web"
  vpc_id = aws_vpc.main.id
}

# Security group allowing IPv6
resource "aws_security_group_rule" "allow_https_ipv6" {
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  ipv6_cidr_blocks  = ["::/0"] # any IPv6 source; IPv4 needs its own cidr_blocks rule
  security_group_id = aws_security_group.web.id
}
```
Anti-Patterns
| Anti-Pattern | Consequence | Fix |
|---|---|---|
| IPv6 as afterthought | Security gaps, missing firewall rules | Dual-stack from day one |
| Assuming IPv4-only clients | Mobile users blocked | Dual-stack or NAT64 for transition |
| No IPv6 monitoring | Blind to IPv6 traffic issues | Monitor both stacks equally |
| Hardcoded IPv4 addresses | Breaks on IPv6 networks | Use hostnames, DNS resolution |
| Ignoring IPv6 security | Missing firewall rules for IPv6 | Apply same policies to both stacks |
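
One way to check the "apply same policies to both stacks" fix from the table, as an added example that is not part of the original page: it compares the IPv4 and IPv6 source ranges for each port in a security group and reports where the two stacks diverge. The sample rules are constructed; the field names follow the `IpPermissions` structure returned by `aws ec2 describe-security-groups`, and only world-open versus restricted sources are compared (security-group references are ignored).

```python
import ipaddress

# Constructed sample, shaped like the IpPermissions list of one security group.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}],   # admin range only
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},        # but open to all of IPv6
    {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "Ipv6Ranges": []},                            # IPv6 clients dropped
]


def _collect(permissions):
    """Group source networks by (protocol, from_port, to_port) and IP family."""
    table = {}
    for perm in permissions:
        key = (perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort"))
        entry = table.setdefault(key, {4: [], 6: []})
        for r in perm.get("IpRanges", []):
            entry[4].append(ipaddress.ip_network(r["CidrIp"]))
        for r in perm.get("Ipv6Ranges", []):
            entry[6].append(ipaddress.ip_network(r["CidrIpv6"]))
    return table


def audit_parity(permissions):
    """Return (key, finding) pairs for ports where the two stacks disagree."""
    findings = []
    for key, nets in _collect(permissions).items():
        v4_world = any(n.prefixlen == 0 for n in nets[4])
        v6_world = any(n.prefixlen == 0 for n in nets[6])
        if v6_world and nets[4] and not v4_world:
            findings.append((key, "ipv6-broader-than-ipv4"))
        elif v4_world and nets[6] and not v6_world:
            findings.append((key, "ipv4-broader-than-ipv6"))
        elif nets[4] and not nets[6]:
            findings.append((key, "no-ipv6-rule"))
        elif nets[6] and not nets[4]:
            findings.append((key, "no-ipv4-rule"))
    return findings


if __name__ == "__main__":
    for key, finding in audit_parity(SAMPLE_PERMISSIONS):
        print(key, finding)
```

The `ipv6-broader-than-ipv4` finding is the one to triage first: a source restriction that exists only on the IPv4 side does not protect a dual-stack host.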
IPv6 is not optional anymore. AWS charges for IPv4, mobile is mostly IPv6, and the pool of available IPv4 addresses shrinks every year. Start with dual-stack, migrate incrementally, and stop paying the IPv4 tax.