Learn about IPv6 addresses to clusters, pods, and services - Amazon EKS
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Help improve this page

Want to contribute to this user guide? Choose the Edit this page on GitHub link that is located in the right pane of every page. Your contributions will help make our user guide better for everyone.

Learn about IPv6 addresses to clusters, pods, and services

Applies to: Pods with Amazon EC2 instances and Fargate Pods

By default, Kubernetes assigns IPv4 addresses to your Pods and services. Instead of assigning IPv4 addresses to your Pods and services, you can configure your cluster to assign IPv6 addresses to them. Amazon EKS doesn’t support dual-stacked Pods or services, even though Kubernetes does in version 1.23 and later. As a result, you can’t assign both IPv4 and IPv6 addresses to your Pods and services.

You select which IP family you want to use for your cluster when you create it. You can’t change the family after you create the cluster.

For a tutorial to deploy an Amazon EKS IPv6 cluster, see Deploying an Amazon EKS IPv6 cluster and managed Amazon Linux nodes.

The following are considerations for using the feature:

IPv6 Feature support

IP address assignments

  • Kubernetes services: Kubernetes services are only assigned an IPv6 addresses. They aren’t assigned IPv4 addresses.

  • Pods: Pods are assigned an IPv6 address and a host-local IPv4 address. The host-local IPv4 address is assigned by using a host-local CNI plugin chained with VPC CNI and the address is not reported to the Kubernetes control plane. It is only used when a pod needs to communicate with an external IPv4 resources in another Amazon VPC or the internet. The host-local IPv4 address gets SNATed (by VPC CNI) to the primary IPv4 address of the primary ENI of the worker node.

  • Pods and services: Pods and services are only assigned an IPv6 address. They aren’t assigned an IPv4 address. Because Pods are able to communicate to IPv4 endpoints through NAT on the instance itself, DNS64 and NAT64 aren’t needed. If the traffic needs a public IP address, the traffic is then source network address translated to a public IP.

  • Routing addresses: The source IPv6 address of a Pod isn’t source network address translated to the IPv6 address of the node when communicating outside of the VPC. It is routed using an internet gateway or egress-only internet gateway.

  • Nodes: All nodes are assigned an IPv4 and IPv6 address.

  • Fargate Pods : Each Fargate Pod receives an IPv6 address from the CIDR that’s specified for the subnet that it’s deployed in. The underlying hardware unit that runs Fargate Pods gets a unique IPv4 and IPv6 address from the CIDRs that are assigned to the subnet that the hardware unit is deployed in.

How to use IPv6 with EKS

  • Create new cluster: You must create a new cluster and specify that you want to use the IPv6 family for that cluster. You can’t enable the IPv6 family for a cluster that you updated from a previous version. For instructions on how to create a new cluster, see Considerations .

  • Use recent VPC CNI: Deploy Amazon VPC CNI version 1.10.1 or later. This version or later is deployed by default. After you deploy the add-on, you can’t downgrade your Amazon VPC CNI add-on to a version lower than 1.10.1 without first removing all nodes in all node groups in your cluster.

  • Configure VPC CNI for IPv6 : If you use Amazon EC2 nodes, you must configure the Amazon VPC CNI add-on with IP prefix delegation and IPv6. If you choose the IPv6 family when creating your cluster, the 1.10.1 version of the add-on defaults to this configuration. This is the case for both a self-managed or Amazon EKS add-on. For more information about IP prefix delegation, see Assign more IP addresses to Amazon EKS nodes with prefixes.

  • Configure IPv4 and IPv6 addresses: When you create a cluster, the VPC and subnets that you specify must have an IPv6 CIDR block that’s assigned to the VPC and subnets that you specify. They must also have an IPv4 CIDR block assigned to them. This is because, even if you only want to use IPv6, a VPC still requires an IPv4 CIDR block to function. For more information, see Associate an IPv6 CIDR block with your VPC in the Amazon VPC User Guide.

  • Auto-assign IPv6 addresses to nodes: When you create your nodes, you must specify subnets that are configured to auto-assign IPv6 addresses. Otherwise, you can’t deploy your nodes. By default, this configuration is disabled. For more information, see Modify the IPv6 addressing attribute for your subnet in the Amazon VPC User Guide.

  • Set route tables to use IPv6 : The route tables that are assigned to your subnets must have routes for IPv6 addresses. For more information, see Migrate to IPv6 in the Amazon VPC User Guide.

  • Set security groups for IPv6 : Your security groups must allow IPv6 addresses. For more information, see Migrate to IPv6 in the Amazon VPC User Guide.

  • Set up load balancer: Use version 2.3.1 or later of the Amazon Load Balancer Controller to load balance HTTP applications using the Route application and HTTP traffic with Application Load Balancers or network traffic using the Route TCP and UDP traffic with Network Load Balancers to IPv6 Pods with either load balancer in IP mode, but not instance mode. For more information, see Route internet traffic with Amazon Load Balancer Controller.

  • Add IPv6 IAM policy: You must attach an IPv6 IAM policy to your node IAM or CNI IAM role. Between the two, we recommend that you attach it to a CNI IAM role. For more information, see Create IAM policy for clusters that use the IPv6 family and Step 1: Create the Amazon VPC CNI plugin for Kubernetes IAM role.

  • Evaluate all components: Perform a thorough evaluation of your applications, Amazon EKS add-ons, and Amazon services that you integrate with before deploying IPv6 clusters. This is to ensure that everything works as expected with IPv6.

  • Add BootstrapArguments self-managed node groups: When creating a self-managed node group in a cluster that uses the IPv6 family, user-data must include the following BootstrapArguments for the bootstrap.sh file that runs at node start up. Replace your-cidr with the IPv6 CIDR range of your cluster’s VPC.

    --ip-family ipv6 --service-ipv6-cidr your-cidr

    If you don’t know the IPv6 CIDR range for your cluster, you can see it with the following command (requires the Amazon CLI version 2.4.9 or later).

    aws eks describe-cluster --name my-cluster --query cluster.kubernetesNetworkConfig.serviceIpv6Cidr --output text