Earlier this month, Amazon announced a long-awaited feature – IPv6 support for EC2 instances! Amazon is the first of the three big public cloud providers (together with Microsoft and Google) to offer direct, all-the-way-to-the-instance IPv6 connectivity.
IPv6 makes life easier for AWS deployments. Unlike IPv4 addresses, which are split into private and public ones with a NAT in between, each EC2 instance has only a single, internet-routable IPv6 address. No NATs, no complex networking setups – One Address To Rule Them All. This greatly simplifies network deployments, while maintaining the ability to build more complex structures. Amazon also provides a simple way to make IPv6 addresses “private only” with an egress-only Internet gateway: instances can still initiate outbound IPv6 connections, but nothing on the Internet can initiate a connection in.
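To make the public vs. “private only” distinction concrete, here is an added Terraform example (not from the original post, and not GuardiCore’s code) that builds a VPC with an Amazon-assigned IPv6 block, one subnet whose ::/0 route goes to a regular Internet gateway and one whose ::/0 route goes to an egress-only Internet gateway. The resource names, the 10.0.0.0/16 range, the subnet indexes and the admin address ranges in the security group are assumptions for illustration.

```hcl
# Added example (not from the GuardiCore post): a VPC with an IPv6 block,
# one public subnet and one "private-only" IPv6 subnet that reaches the
# Internet through an egress-only Internet gateway. Names, the 10.0.0.0/16
# range, the subnet indexes and the admin ranges below are assumptions.

resource "aws_vpc" "main" {
  cidr_block                       = "10.0.0.0/16"
  assign_generated_ipv6_cidr_block = true # Amazon allocates a /56 for the VPC
}

resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.main.id
}

# Egress-only IGW: stateful, so instances can open IPv6 connections out,
# but the Internet cannot open one in.
resource "aws_egress_only_internet_gateway" "eigw" {
  vpc_id = aws_vpc.main.id
}

resource "aws_subnet" "public" {
  vpc_id                          = aws_vpc.main.id
  cidr_block                      = "10.0.1.0/24"
  ipv6_cidr_block                 = cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, 1) # a /64 from the /56
  assign_ipv6_address_on_creation = true
}

resource "aws_subnet" "private" {
  vpc_id                          = aws_vpc.main.id
  cidr_block                      = "10.0.2.0/24"
  ipv6_cidr_block                 = cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, 2)
  assign_ipv6_address_on_creation = true
}

# Public subnet: ::/0 via the regular IGW, so instances are reachable both ways.
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.main.id
  route {
    ipv6_cidr_block = "::/0"
    gateway_id      = aws_internet_gateway.igw.id
  }
}

# Private subnet: ::/0 via the egress-only IGW. The addresses are still
# globally routable, but inbound connection attempts are never forwarded.
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.main.id
  route {
    ipv6_cidr_block        = "::/0"
    egress_only_gateway_id = aws_egress_only_internet_gateway.eigw.id
  }
}

resource "aws_route_table_association" "public" {
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}

resource "aws_route_table_association" "private" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private.id
}

# Security groups evaluate IPv4 and IPv6 rules separately: a rule for
# 0.0.0.0/0 does not admit IPv6 peers, so IPv6 ranges must be listed in
# ipv6_cidr_blocks explicitly (both for ingress and for egress).
resource "aws_security_group" "ssh" {
  vpc_id = aws_vpc.main.id
  ingress {
    from_port        = 22
    to_port          = 22
    protocol         = "tcp"
    cidr_blocks      = ["203.0.113.0/24"]     # assumed admin IPv4 range
    ipv6_cidr_blocks = ["2001:db8:1234::/48"] # assumed admin IPv6 range
  }
  egress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }
}
```

The check worth doing after applying this is to connect out from an instance in the private subnet (for example the telnet -6 session described later in the post) and then confirm from outside that the same instance’s IPv6 address does not answer: the egress-only gateway, not the instance’s address, is what makes it “private only”.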
Needless to say, GuardiCore Reveal supports IPv6 out of the box.
Several of GuardiCore’s customers are already running thousands of IPv6 instances in AWS and other private and public clouds, and use GuardiCore Reveal to better secure their workloads. Reveal builds a process-level map of all data center communications, enabling users to enforce security best practices and compliance requirements, and to get alerts automatically when a breach is detected. Reveal’s micro-segmentation capabilities, highlighted in an earlier blog post, also support IPv6 workloads.
Visualizing IPv6 traffic
Deploying IPv6 machines
I’ve deployed a couple of IPv6-enabled instances in AWS and DigitalOcean, installed some apps, and deployed GuardiCore agents on top of them.
Connecting to an external service
First, let’s try connecting to some remote IPv6 addresses. Naturally, I wanted to try the IPv6-enhanced version of ASCII Star Wars, after years of getting this message:
So I went ahead and did telnet -6 towel.blinkenlights.nl (try it yourself, it’s truly worth it ;).
Here’s how our Reveal map showed this traffic. Note the incoming IPv4 SSH connections to sshd (from my home machine), and the outgoing IPv6 telnet connection from telnet to towel.blinkenlights.nl (2a02:898:17:8000::42).
Cloud-to-cloud IPv6 traffic
Moving on to cloud-to-cloud traffic, I wanted to visualize flows between my AWS and DigitalOcean deployments. This type of traffic is common in hybrid clouds, where users run instances in multiple data centers and cloud providers. After running an EC2 client that connected to our DigitalOcean Elasticsearch cluster, here’s how the map looked:
And as always, Reveal lets you dive into process details on each machine:
That’s it, friends – Amazon is awesome for finally adding support for true IPv6 connectivity and we’re eagerly waiting to see more users embracing this. GuardiCore will continue to lead the competition with our comprehensive support for workload types, connectivity protocols and data center technologies.