Azure supports IPv6 addressing, which is a fundamental aspect of modern networking. This allows for a virtually unlimited number of unique IP addresses.
Azure provides a native IPv6 stack, enabling seamless communication between IPv6 and IPv4 networks. This allows for a smoother transition to IPv6.
You can assign IPv6 addresses to virtual networks, subnets, and individual resources in Azure. This gives you granular control over your network configuration.
Azure supports both stateful and stateless IPv6 address configuration, depending on your specific needs.
Configuring IPv6
Configuring IPv6 involves creating a network interface and adding IPv6 configuration to it. You can do this in the Azure portal by selecting your virtual machine, then going to Networking in Settings.
To create a network interface, you can use the `az network nic ip-config create` command, which is equivalent to the `New-AzVMNetworkInterface` cmdlet in PowerShell. This will create the IPv6 configuration for the NIC.
In the Azure portal, you can also configure an IPv6 network by creating a custom IP prefix. This involves selecting Custom IP Prefixes, then creating a new prefix with the desired settings, including the IP version, prefix range, and signed message. You can also use the `az network public-ip show` command to display the IP addresses of the virtual machine.
Here are the steps to create a custom IPv6 prefix:
This will create the custom IPv6 prefix and allow you to configure IPv6 for your virtual machine.
IP Configuration
To configure IPv6, you need to set up an IP configuration for your network interface. You can do this by adding an IPv6 configuration to the existing network interface using the Azure portal.
In the Azure portal, you can add a new IP configuration by selecting the "IP configurations" option in the settings of your network interface. From there, you can select the "+" button to add a new configuration.
To create an IPv6 configuration, you can use the `az network nic ip-config create` command in Azure CLI. This command creates a new IPv6 configuration for the NIC.
You can also use the `az network public-ip show` command to display the IP addresses of your virtual machine.
If you're setting up a network in Azure, you may need to configure a DMZ subnet with full IPv6 support. You can do this using PowerShell and the Azure CLI.
You can also use NAT64 solutions in your on-premises networks if you're not able to dual-stack your servers in Azure. This involves deploying a NAT64 service in your network, which translates IPv6 addresses to IPv4 addresses.
To provision a regional custom IPv6 address prefix, you can select the "Regional" option in the "IP prefix range" section. You'll need to enter a regional IPv6 prefix (CIDR) and select a custom IP prefix parent from the dropdown menu.
Here's a summary of the steps to configure IPv6:
- Add an IPv6 configuration to the existing network interface using the Azure portal
- Create a new IPv6 configuration using the `az network nic ip-config create` command
- Configure a DMZ subnet with full IPv6 support using PowerShell and the Azure CLI
- Use NAT64 solutions in your on-premises networks if necessary
- Provision a regional custom IPv6 address prefix using the Azure portal
By following these steps, you can set up IPv6 for your network and ensure that it's configured correctly.
Custom Address Prefixes
Configuring custom address prefixes is a crucial step in setting up an IPv6 network in Azure. You can create a custom IP prefix in the specified region and resource group using PowerShell or the Azure CLI.
To create a custom IP prefix, you'll need to specify the exact prefix in CIDR notation as a string. This ensures there's no syntax error. The `--authorization-message` and `--signed-message` parameters are constructed in the same manner as they are for IPv4.
A custom IP prefix can be either global or regional. A global custom IP prefix is advertised by the Microsoft WAN globally, while a regional custom IP prefix is only advertised from the specific region.
To create a global custom IP prefix, you'll need to enter or select the following information: project details, subscription, resource group, instance details, name, region, IP version, IP prefix range, global IPv6 prefix (CIDR), ROA expiration date, and signed message.
Here's a summary of the required information for creating a global custom IP prefix:
A regional custom IP prefix, on the other hand, must always be of size /64 to be considered valid. The ranges can be created in any region, keeping in mind any geolocation restrictions associated with the original global range.
To create a regional custom IP prefix, you'll need to enter or select the following information: project details, subscription, resource group, instance details, name, region, IP version, IP prefix range, custom IP prefix parent, regional IPv6 prefix (CIDR), ROA expiration date, and signed message.
Here's a summary of the required information for creating a regional custom IP prefix:
Understanding IPv6
IPv6 is the latest version of the Internet Protocol, designed to provide a new identification and location system for computers on networks and route traffic across the Internet.
It was developed by the Internet Engineering Task Force (IETF) to address the problem of IPv4 address exhaustion, which was a long-anticipated issue.
IPv6 is intended to replace IPv4 and provide a larger address space to support the growing number of devices and networks on the Internet.
Understanding IP
The Internet Protocol (IP) is a fundamental part of the internet, and it's essential to understand how it works. IPv6 is the latest version of the Internet Protocol, developed by the Internet Engineering Task Force (IETF).
The main purpose of IPv6 is to provide an identification and location system for computers on networks and to route traffic across the Internet. This is crucial for the internet to function properly, allowing devices to communicate with each other.
IPv6 was created to replace IPv4, which was facing a problem of address exhaustion. This means that IPv4 was running out of unique addresses, causing issues with internet connectivity.
IPv6 has been designed to provide a much larger address space, allowing for a vast number of devices to be connected to the internet simultaneously. This is a significant improvement over IPv4, which was struggling to keep up with the growing demand for internet connectivity.
Differences Between BYOIPv4
Custom IPv6 prefixes use a parent/child model, where the global range is advertised by the Microsoft Wide Area Network and regional ranges are advertised by Azure regions.
Global ranges must be /48 in size, while regional ranges must always be /64 size.
You can have multiple /64 ranges per region.
The global range needs to be validated, but regional ranges are derived from the global range.
Public IPv6 prefixes must be derived from regional ranges.
Only the first 2048 IPv6 addresses of each regional /64 custom IP prefix can be utilized as valid IPv6 space.
Attempting to create public IPv6 prefixes that span beyond this range results in an error.
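The size and containment rules above can be checked locally before a range is submitted for provisioning. The following Python sketch is an added example, not code from Microsoft or the original page; `check_plan`, its messages, and the child ranges in the demo are assumptions made for illustration, and only the /48 appears on the page.

```python
import ipaddress

GLOBAL_LEN = 48    # global (parent) range size, per the page
REGIONAL_LEN = 64  # regional (child) range size, per the page
USABLE = 2048      # usable addresses at the start of each regional /64, per the page

def _parse(cidr, problems):
    """Parse an exact IPv6 CIDR string; record a problem and return None on failure."""
    try:
        return ipaddress.IPv6Network(cidr, strict=True)  # rejects host bits and IPv4
    except ValueError as exc:
        problems.append(f"{cidr!r} is not an exact IPv6 CIDR: {exc}")
        return None

def check_plan(global_cidr, regional_cidrs, public_prefixes):
    """Return the list of problems in a custom IPv6 prefix plan (empty if none)."""
    problems = []
    parent = _parse(global_cidr, problems)
    if parent is None:
        return problems
    if parent.prefixlen != GLOBAL_LEN:
        problems.append(f"global {parent} must be /{GLOBAL_LEN}")
    regionals = []
    for cidr in regional_cidrs:
        net = _parse(cidr, problems)
        if net is None:
            continue
        if net.prefixlen != REGIONAL_LEN:
            problems.append(f"regional {net} must be /{REGIONAL_LEN}")
        elif not net.subnet_of(parent):
            problems.append(f"regional {net} is outside global {parent}")
        else:
            regionals.append(net)
    for cidr in public_prefixes:
        net = _parse(cidr, problems)
        if net is None:
            continue
        home = next((r for r in regionals if net.subnet_of(r)), None)
        if home is None:
            problems.append(f"public prefix {net} is not inside a valid regional range")
            continue
        last = int(net.broadcast_address) - int(home.network_address)  # offset of last address
        if last >= USABLE:
            problems.append(f"public prefix {net} spans beyond the first {USABLE} addresses of {home}")
    return problems

if __name__ == "__main__":
    # Constructed plan: only the /48 appears on the page.
    print(check_plan("2a05:f500:2::/48", ["2a05:f500:2:1::/64"], ["2a05:f500:2:1::800/124"]))
```

A public prefix ending at offset 2047 (for example `::7f0/124` inside the regional /64) passes, while one starting at offset 2048 (`::800/124`) is reported.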
Specify Prefix and Authorization Messages
To create a custom IP prefix, you need to specify the exact prefix in CIDR notation as a string.
The prefix will be advertised by Microsoft WAN globally, even though the resource is associated with a region.
Specify the prefix in the desired region and resource group, making sure to avoid any syntax errors.
No zonal properties are provided because the global range isn't associated with any particular region.
The `--authorization-message` and `--signed-message` parameters are constructed in the same manner as they are for IPv4.
You can create a custom IP prefix in the specified region and resource group using the following command sequence.
The command creates a custom IP prefix in the specified region and resource group, specifying the exact prefix in CIDR notation as a string to ensure there's no syntax error.
No zonal properties are provided because the global range isn't associated with any particular region, and therefore no regional availability zones.
Global and regional custom IPv6 prefixes are treated separately: commissioning a regional custom IPv6 prefix isn't connected to commissioning the global custom IPv6 prefix.
IPv6 Provisioning
Provisioning for IPv6 involves creating a global (parent) IPv6 range and regional (child) IPv6 ranges. The process starts with provisioning a sample global IPv6 range, such as 2a05:f500:2::/48.
To create a custom IPv6 address prefix, you'll need to follow these steps: select the "Custom IP Prefixes" option, then click on the "+" button to create a new prefix. In the "Create a custom IP prefix" page, enter the required information, including the project details, subscription, resource group, and instance details. You'll also need to specify the IP version, IP prefix range, and global IPv6 prefix (CIDR).
Here's a summary of the required information for creating a custom IPv6 address prefix:
After creating the custom IPv6 address prefix, you'll need to commission it to make it available for use. Commissioning a custom IPv6 prefix involves verifying that the prefix is in a Provisioned state, then selecting the Commission button. The commissioning process can take anywhere from 30 minutes to 4 hours, depending on the type of prefix.
Provisioning
Provisioning for IPv6 involves specifying a global or parent IPv6 range, such as 2a05:f500:2::/48. This range is the foundation for creating regional or child IPv6 ranges.
To provision a global IPv6 range, you need to start with a parent range like 2a05:f500:2::/48. This range is a key component of IPv6 provisioning.
When provisioning a global IPv6 range, the steps are similar to those for IPv4, but with some key differences. The specific steps may be abbreviated or condensed to focus on the unique aspects of IPv6.
The provisioning process for IPv6 requires specifying a regional or child IPv6 range, which is derived from the global or parent IPv6 range. This child range is a subset of the parent range.
In the case of a sample global IPv6 range, 2a05:f500:2::/48, the provisioning steps will be modified to accommodate the differences between IPv4 and IPv6. This may involve adapting the steps to reflect the unique characteristics of IPv6.
Global Custom Address Prefix
To provision a global custom IPv6 address prefix, you'll need to follow a specific set of steps.
First, you'll need to create a custom IP prefix in the Azure portal. This involves selecting your subscription, resource group, and instance details, including the name, region, IP version, and IP prefix range. You'll also need to enter a global IPv6 prefix in CIDR notation, such as 2a05:f500:2::/48.
The ROA (Route Origin Authorization) expiration date is also required, which should be entered in the yyyymmdd format. Additionally, you'll need to paste the output of $byoipauthsigned from the pre-provisioning section into the signed message field.
Once you've completed these steps, select the Review + create tab or the blue Review + create button at the bottom of the page, and then select Create. The range is then pushed to the Azure IP Deployment Pipeline, and the deployment process is asynchronous.
Here's a summary of the required information for creating a global custom IPv6 address prefix:
The deployment process may take a few hours to complete, and you can check the status by reviewing the Commissioned state field for the custom IP prefix.
Server Configuration
To support IPv6 traffic in Azure, you'll need to configure your server correctly.
You can update the Azure server to be dual-stack, allowing it to receive traffic from both IPv4 and IPv6 networks. This can be done by assigning an IPv6 address range to the virtual network and subnet, and then creating a new network interface to the Azure virtual machine.
ExpressRoute is required to connect Network C to Azure networks, as it supports IPv6 traffic through ExpressRoute Circuits and ExpressRoute gateways.
However, if you're using a VPN provider to connect Azure to Network C, you should check their documentation to see what kinds of traffic are supported.
Troubleshooting and Support
Azure IPv6 support is not available for all services, with some PaaS services like Azure Application Gateway and AKS not supporting native IPv6.
If your customer scenario involves a mix of 3rd-party applications and PaaS services that don't support native IPv6, you'll need to consider using a NAT/NAT64 gateway or IPv6 proxy solution.
This proxy layer can translate IPv6 traffic into IPv4-only traffic in the backend, allowing you to leverage IPv4-only infrastructure without re-architecting your application workloads.
Support
Azure supports IPv6 for most of its foundational network and compute services, but some Platform-as-a-Service (PaaS) services like AKS and Azure Application Gateway don't support native IPv6.
Some Azure services like Azure Database for PostgreSQL don't support native IPv6, which means you can't implement native IPv6 everywhere.
Azure's IPv6 support is limited by the fact that some services don't support it, forcing you to think of alternative solutions like NAT/NAT64 gateways or IPv6 proxy solutions.
To test if a webservice is IPv6 ready, you can use a tool like IPv6 test — web site reachability (ipv6-test.com).
Azure's IPv6 proxy layer can translate IPv4 and IPv6 traffic into IPv4-only traffic, allowing you to leverage IPv4-only infrastructure without re-architecting your applications.
You can refer to a Simple dual stack (IPv4/IPv6) deployment in Azure diagram for a better understanding of how Azure supports IPv6.
Azure Front Door
Azure Front Door is a global entry-point that creates fast, secure, and scalable web applications.
It uses the Microsoft global edge network to improve global connectivity.
Accelerated application performance is achieved using split TCP-based anycast protocol.
Azure Front Door has native support of end-to-end IPv6 connectivity, making it easier to proxy IPv6 client requests and route traffic to an IPv4-only backend.
Azure Front Door works at Layer 7 (HTTP/HTTPS layer) using anycast protocol with split TCP and Microsoft’s global network.
Here are some key benefits of using Azure Front Door:
- Accelerated application performance by using split TCP-based anycast protocol.
- Intelligent health probe monitoring for backend resources.
- URL-path based routing for requests.
- Enables hosting of multiple websites for efficient application infrastructure.
- Cookie-based session affinity.
- SSL offloading and certificate management.
- Define your own custom domain.
- Application security with integrated Web Application Firewall (WAF).
- Redirect HTTP traffic to HTTPS with URL redirect.
- Custom forwarding path with URL rewrite.
- HTTP/2 protocol support.