Learn about IPv6 addresses to clusters, pods, and services
Applies to: Pods with Amazon EC2 instances and Fargate Pods
By default, Kubernetes assigns IPv4 addresses to your Pods and services. Instead of assigning IPv4 addresses to your Pods and services, you can configure your cluster to assign IPv6 addresses to them. Amazon EKS doesn’t support dual-stacked Pods or services, even though Kubernetes does in version 1.23 and later. As a result, you can’t assign both IPv4 and IPv6 addresses to your Pods and services.
You select which IP family you want to use for your cluster when you create it. You can’t change the family after you create the cluster.
For a tutorial to deploy an Amazon EKS IPv6 cluster, see Deploying an Amazon EKS IPv6 cluster and managed Amazon Linux nodes.
The following are considerations for using the feature:
IPv6 Feature support
- No Windows support: Windows Pods and services aren’t supported.
- Nitro-based EC2 nodes required: You can only use IPv6 with Amazon Nitro-based Amazon EC2 or Fargate nodes.
- EC2 and Fargate nodes supported: You can use IPv6 with Assign security groups to individual pods with Amazon EC2 nodes and Fargate nodes.
- Outposts not supported: You can’t use IPv6 with Deploy Amazon EKS on-premises with Amazon Outposts.
- FSx for Lustre is not supported: The Store high-performance apps with FSx for Lustre is not supported.
- Instance Metadata Service not supported: Use of the Amazon EC2 Instance Metadata Service IPv6 endpoint is not supported with Amazon EKS.
- Custom networking not supported: If you previously used Deploy pods in alternate subnets with custom networking to help alleviate IP address exhaustion, you can use IPv6 instead. You can’t use custom networking with IPv6. If you use custom networking for network isolation, then you might need to continue to use custom networking and the IPv4 family for your clusters.
IP address assignments
- Kubernetes services: Kubernetes services are only assigned IPv6 addresses. They aren’t assigned IPv4 addresses.
- Pods: Pods are assigned an IPv6 address and a host-local IPv4 address. The host-local IPv4 address is assigned by using a host-local CNI plugin chained with VPC CNI, and the address is not reported to the Kubernetes control plane. It is only used when a pod needs to communicate with external IPv4 resources in another Amazon VPC or the internet. The host-local IPv4 address gets SNATed (by VPC CNI) to the primary IPv4 address of the primary ENI of the worker node.
- Pods and services: Pods and services are only assigned an IPv6 address. They aren’t assigned an IPv4 address. Because Pods are able to communicate to IPv4 endpoints through NAT on the instance itself, DNS64 and NAT64 aren’t needed. If the traffic needs a public IP address, the traffic is then source network address translated to a public IP.
- Routing addresses: The source IPv6 address of a Pod isn’t source network address translated to the IPv6 address of the node when communicating outside of the VPC. It is routed using an internet gateway or egress-only internet gateway.
- Nodes: All nodes are assigned an IPv4 and IPv6 address.
- Fargate Pods: Each Fargate Pod receives an IPv6 address from the CIDR that’s specified for the subnet that it’s deployed in. The underlying hardware unit that runs Fargate Pods gets a unique IPv4 and IPv6 address from the CIDRs that are assigned to the subnet that the hardware unit is deployed in.
How to use IPv6 with EKS
- Create new cluster: You must create a new cluster and specify that you want to use the IPv6 family for that cluster. You can’t enable the IPv6 family for a cluster that you updated from a previous version. For instructions on how to create a new cluster, see Considerations.
- Use recent VPC CNI: Deploy Amazon VPC CNI version 1.10.1 or later. This version or later is deployed by default. After you deploy the add-on, you can’t downgrade your Amazon VPC CNI add-on to a version lower than 1.10.1 without first removing all nodes in all node groups in your cluster.
- Configure VPC CNI for IPv6: If you use Amazon EC2 nodes, you must configure the Amazon VPC CNI add-on with IP prefix delegation and IPv6. If you choose the IPv6 family when creating your cluster, the 1.10.1 version of the add-on defaults to this configuration. This is the case for both a self-managed or Amazon EKS add-on. For more information about IP prefix delegation, see Assign more IP addresses to Amazon EKS nodes with prefixes.
- Configure IPv4 and IPv6 addresses: When you create a cluster, the VPC and subnets that you specify must have an IPv6 CIDR block that’s assigned to the VPC and subnets that you specify. They must also have an IPv4 CIDR block assigned to them. This is because, even if you only want to use IPv6, a VPC still requires an IPv4 CIDR block to function. For more information, see Associate an IPv6 CIDR block with your VPC in the Amazon VPC User Guide.
- Auto-assign IPv6 addresses to nodes: When you create your nodes, you must specify subnets that are configured to auto-assign IPv6 addresses. Otherwise, you can’t deploy your nodes. By default, this configuration is disabled. For more information, see Modify the IPv6 addressing attribute for your subnet in the Amazon VPC User Guide.
- Set route tables to use IPv6: The route tables that are assigned to your subnets must have routes for IPv6 addresses. For more information, see Migrate to IPv6 in the Amazon VPC User Guide.
- Set security groups for IPv6: Your security groups must allow IPv6 addresses. For more information, see Migrate to IPv6 in the Amazon VPC User Guide.
- Set up load balancer: Use version 2.3.1 or later of the Amazon Load Balancer Controller to load balance HTTP applications using the Route application and HTTP traffic with Application Load Balancers or network traffic using the Route TCP and UDP traffic with Network Load Balancers to IPv6 Pods with either load balancer in IP mode, but not instance mode. For more information, see Route internet traffic with Amazon Load Balancer Controller.
- Add IPv6 IAM policy: You must attach an IPv6 IAM policy to your node IAM or CNI IAM role. Between the two, we recommend that you attach it to a CNI IAM role. For more information, see Create IAM policy for clusters that use the IPv6 family and Step 1: Create the Amazon VPC CNI plugin for Kubernetes IAM role.
- Evaluate all components: Perform a thorough evaluation of your applications, Amazon EKS add-ons, and Amazon services that you integrate with before deploying IPv6 clusters. This is to ensure that everything works as expected with IPv6.
- Add BootstrapArguments for self-managed node groups: When creating a self-managed node group in a cluster that uses the IPv6 family, user-data must include the following BootstrapArguments for the bootstrap.sh file that runs at node start up. Replace your-cidr with the IPv6 CIDR range of your cluster’s VPC.

      --ip-family ipv6 --service-ipv6-cidr your-cidr

  If you don’t know the IPv6 CIDR range for your cluster, you can see it with the following command (requires the Amazon CLI version 2.4.9 or later).

      aws eks describe-cluster --name my-cluster --query cluster.kubernetesNetworkConfig.serviceIpv6Cidr --output text
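
A preflight check for the VPC prerequisites in the list above (IPv4 and IPv6 CIDR blocks, auto-assigned IPv6 addresses, IPv6 routes, security groups that allow IPv6), added here as an example and not taken from the Amazon EKS guide. It reads the parsed JSON of `aws ec2 describe-subnets`, `describe-route-tables` and `describe-security-groups`; the function names are hypothetical and the sample data is constructed with placeholder IDs.

```python
def preflight(subnets, route_tables, security_groups):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for s in subnets:
        sid = s["SubnetId"]
        v6 = [a for a in s.get("Ipv6CidrBlockAssociationSet", [])
              if a.get("Ipv6CidrBlockState", {}).get("State") == "associated"]
        if not s.get("CidrBlock"):
            findings.append(f"{sid}: no IPv4 CIDR block")
        if not v6:
            findings.append(f"{sid}: no associated IPv6 CIDR block")
        if not s.get("AssignIpv6AddressOnCreation"):
            findings.append(f"{sid}: auto-assign IPv6 is disabled")
    for rt in route_tables:
        if not any("DestinationIpv6CidrBlock" in r for r in rt.get("Routes", [])):
            findings.append(f"{rt['RouteTableId']}: no IPv6 routes")
    for sg in security_groups:
        # Only CIDR-based rules are evaluated; group-referencing rules are ignored.
        rules = sg.get("IpPermissions", []) + sg.get("IpPermissionsEgress", [])
        if not any(p.get("Ipv6Ranges") for p in rules):
            findings.append(f"{sg['GroupId']}: no rule with an IPv6 range")
    return findings

def ipv6_default_route_target(route_table):
    """Pod IPv6 addresses are not SNATed, so the ::/0 target decides their path."""
    for r in route_table.get("Routes", []):
        if r.get("DestinationIpv6CidrBlock") == "::/0":
            if r.get("EgressOnlyInternetGatewayId"):
                return "egress-only internet gateway"
            if r.get("GatewayId", "").startswith("igw-"):
                return "internet gateway"
    return None

# Constructed sample data (documentation prefixes and placeholder IDs).
SUBNETS = [
    {"SubnetId": "subnet-aaaa", "CidrBlock": "192.0.2.0/25",
     "AssignIpv6AddressOnCreation": True,
     "Ipv6CidrBlockAssociationSet": [{"Ipv6CidrBlock": "2001:db8:0:1::/64",
                                      "Ipv6CidrBlockState": {"State": "associated"}}]},
    {"SubnetId": "subnet-bbbb", "CidrBlock": "192.0.2.128/25",
     "AssignIpv6AddressOnCreation": False},
]
ROUTE_TABLES = [{"RouteTableId": "rtb-aaaa", "Routes": [
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-aaaa"},
    {"DestinationIpv6CidrBlock": "::/0", "EgressOnlyInternetGatewayId": "eigw-aaaa"}]}]
SECURITY_GROUPS = [{"GroupId": "sg-aaaa", "IpPermissionsEgress": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}]

if __name__ == "__main__":
    print("\n".join(preflight(SUBNETS, ROUTE_TABLES, SECURITY_GROUPS)))
```

On the sample data the security group is reported because its only rule lists an IPv4 range, which is the usual state of a group written before a move to the IPv6 family.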