GuardiCore ❤ IPv6

Earlier this month, Amazon announced a long-awaited feature – IPv6 support for EC2 instances! Amazon is the first of the three big public cloud providers (Amazon, Microsoft and Google) to offer direct, all-the-way-to-the-instance IPv6 connectivity.

IPv6 makes life easier for AWS deployments. With IPv4, an instance has a private address and, optionally, a separate public one, with a NAT in between. With IPv6, an instance gets a globally unique, internet-routable address out of the VPC's Amazon-provided /56 block, and that same address is used inside and outside the VPC. No NATs, no split addressing – One Address To Rule Them All. This greatly simplifies network deployments, while maintaining the ability to build more complex structures. Because every IPv6 address is routable, "private" can no longer mean "unroutable"; instead, Amazon provides an egress-only Internet gateway, a stateful gateway that lets instances initiate outbound IPv6 connections while dropping inbound connection attempts from the internet. Security groups and network ACLs still apply, and they need IPv6 rules of their own: a 0.0.0.0/0 rule says nothing about IPv6 traffic.
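To make the "private only over IPv6" pattern concrete, here is a Terraform sketch of a dual-stack VPC whose subnet reaches the internet over IPv6 only through an egress-only Internet gateway. This is an added example, not configuration from the original post or from GuardiCore; the resource names and the 10.0.0.0/16 addressing are placeholders, and the comment inside the route resource shows the one-line change that would turn the same subnet into a publicly reachable one.

```hcl
# Added example (not from the original post): minimal dual-stack VPC in which
# instances get globally routable IPv6 addresses but accept no inbound IPv6
# connections from the internet. Names and IPv4 ranges are placeholders.

resource "aws_vpc" "demo" {
  cidr_block                       = "10.0.0.0/16"
  assign_generated_ipv6_cidr_block = true # Amazon allocates a globally unique /56
}

# One /64 carved out of the VPC's /56; every instance launched here gets a
# global IPv6 address at creation time.
resource "aws_subnet" "private_v6" {
  vpc_id                          = aws_vpc.demo.id
  cidr_block                      = "10.0.1.0/24"
  ipv6_cidr_block                 = cidrsubnet(aws_vpc.demo.ipv6_cidr_block, 8, 1)
  assign_ipv6_address_on_creation = true
}

# Egress-only IGW: stateful, allows outbound-initiated IPv6 only. Inbound
# connection attempts are dropped even though the address itself is routable.
resource "aws_egress_only_internet_gateway" "eigw" {
  vpc_id = aws_vpc.demo.id
}

resource "aws_route_table" "private_v6" {
  vpc_id = aws_vpc.demo.id
}

resource "aws_route" "v6_default" {
  route_table_id              = aws_route_table.private_v6.id
  destination_ipv6_cidr_block = "::/0"
  egress_only_gateway_id      = aws_egress_only_internet_gateway.eigw.id
  # The "public" variant points ::/0 at a regular Internet gateway instead:
  #   gateway_id = aws_internet_gateway.igw.id
  # With only that change, every instance in the subnet becomes reachable from
  # any IPv6 host on the internet, subject to its security group.
}

resource "aws_route_table_association" "private_v6" {
  subnet_id      = aws_subnet.private_v6.id
  route_table_id = aws_route_table.private_v6.id
}

# Security group rules are address-family specific: an IPv4-only rule set
# leaves IPv6 traffic with no matching rule, so IPv6 ranges are listed explicitly.
resource "aws_security_group" "workload" {
  vpc_id = aws_vpc.demo.id

  ingress {
    description      = "SSH only from the VPC's own IPv6 range"
    from_port        = 22
    to_port          = 22
    protocol         = "tcp"
    ipv6_cidr_blocks = [aws_vpc.demo.ipv6_cidr_block]
  }

  egress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }
}
```

The point of the layout is that privacy comes from the gateway and the security group, not from the address: an instance in this subnet can run telnet -6 to the outside world, but nothing outside can open a connection to it, and even inside the VPC only hosts in the VPC's own /56 can reach port 22.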

Needless to say, GuardiCore Reveal supports IPv6 out of the box.


Several of GuardiCore’s customers are already running thousands of IPv6 instances in AWS and other private and public clouds, and use GuardiCore Reveal to better secure their workloads. Reveal builds a process level map of all data center communications, enabling users to ensure security best practices, compliance requirements, and automatically get alerts when a breach is detected. Reveal’s micro-segmentation capabilities, highlighted in an earlier blog post, also support IPv6 workloads.



Visualizing IPv6 traffic

Deploying IPv6 machines

I’ve deployed a couple of IPv6-enabled instances in AWS and DigitalOcean, installed some apps, and deployed GuardiCore agents on top of them.


Enabling IPv6 in AWS


Enabling IPv6 in DigitalOcean

Connecting to an external service

First, let’s try connecting to some remote IPv6 addresses. Naturally, I wanted to try the IPv6-enhanced version of ASCII Star Wars, after years of getting this message:

[Screenshot: the notice the server shows to clients connecting over IPv4]

So I went ahead and ran telnet -6 towel.blinkenlights.nl (try it yourself, it’s truly worth it ;).
Here’s how our Reveal map showed this traffic. Note the incoming IPv4 SSH connections to sshd (from my home machine), and the outgoing IPv6 telnet connection from telnet to towel.blinkenlights.nl (2a02:898:17:8000::42).


Traffic to an IPv6 telnet server

Cloud-to-cloud IPv6 traffic

Moving on to cloud-to-cloud traffic, I wanted to visualize flows between my AWS and DigitalOcean deployments. This type of traffic is common in hybrid deployments, where users run instances across multiple data centers and cloud providers. Note that with IPv6 there is no NAT in front of either side: the Elasticsearch node's address is globally routable, so its cluster port has to be restricted (security group or host firewall) to the addresses of the clients that should reach it, and a flow map is a good way to verify that only those clients actually do. After running an EC2 client which connected to our DigitalOcean Elasticsearch cluster, here’s how the map looked:


In DC level overview – note AWS and DigitalOcean


At VM level, the highlighted flow shows the source and destination addresses (IPv6!) of our assets.


And as always, Reveal allows you to dive to process details on machines:


Process level visibility shows the java process running Elasticsearch



That’s it, friends – kudos to Amazon for finally adding true IPv6 connectivity, and we’re eager to see more users embrace it. GuardiCore will continue to lead the competition with our comprehensive support for workload types, connectivity protocols and data center technologies.
