How to Enable IPv6 on AWS EC2 and Troubleshoot

Enabling IPv6 on AWS EC2: Setup and Troubleshooting

Running dual-stack (IPv4+IPv6) sounds like the safe bet, but it often hides IPv4 dependencies you didn't know you had -- things like obscure Ubuntu PPAs that only resolve over IPv4, or third-party logging endpoints that don't support v6. You won't notice until something breaks.

There's also the operational overhead. With dual-stack, every security group, NACL, WAF rule, and S3 policy needs to account for both protocols. That's twice the surface area to audit. Going IPv6-only where possible cuts that complexity down and future-proofs the setup.

1. Why IPv6?

IPv4 addresses are running out. Getting new ones is expensive, and NAT adds complexity that nobody enjoys debugging. IPv6 gives you a massive address space, kills the need for NAT in most cases, and more services are starting to require it.

2. Prerequisites

• AWS account with EC2 and networking permissions.
• An existing VPC (or willingness to create one).
• An Ubuntu EC2 instance.

3. Enable IPv6 in AWS Console

3.1 VPC Configuration

• Open VPC Dashboard > select the VPC.
• Actions > Edit CIDRs > Add an IPv6 CIDR block (Amazon-provided or BYOIP).

3.2 Subnet Configuration

• Select the subnet > Edit IPv6 CIDRs.
• Assign a /64 block from the VPC's IPv6 range.
• Enable "Auto-assign IPv6 address" for the subnet.

3.3 Route Table

• Add a route: ::/0 pointing to the Internet Gateway (IGW).

4. Instance-Level Configuration

4.1 Assign IPv6 Address

• EC2 Console > Instance > Networking > Manage IP addresses > Assign new IPv6 address.

4.2 Verify Inside the Instance

SSH in and confirm the address is there:

ip -6 addr show

4.3 Check Kernel IPv6 Support

cat /proc/sys/net/ipv6/conf/all/disable_ipv6

You want 0 here. If it says 1, IPv6 is disabled at the kernel level -- which happens on some older AMIs or hardened images.

4.4 Enable Router Advertisements

sysctl -w net.ipv6.conf.all.accept_ra=1
sysctl -w net.ipv6.conf.default.accept_ra=1

5. Configure Security for IPv6

5.1 Security Groups

Don't forget to add IPv6 rules -- security groups don't automatically mirror your IPv4 rules for v6 traffic.

• Inbound: ICMPv6 (ping), TCP 80/443
• Outbound: Allow ::/0

5.2 Network ACLs

• Inbound and outbound rules: allow all IPv6 (::/0)

6. Troubleshooting IPv6 Issues

6.1 No IPv6 Address

Go back and check: does the subnet have an IPv6 CIDR assigned? Is auto-assignment turned on? These are the two things people miss most often.

6.2 Cannot Reach IPv6 Internet

ping6 2606:4700:4700::1111

If this times out, check three things: the route table needs ::/0 pointing at the IGW, security groups need to allow outbound v6 traffic, and NACLs need matching rules.

6.3 Kernel and RA Checks

cat /proc/sys/net/ipv6/conf/all/disable_ipv6
cat /proc/sys/net/ipv6/conf/eth0/accept_ra

You're looking for 0 and 1 respectively. Anything else and the instance isn't properly accepting IPv6 configuration from the VPC.

7. Testing IPv6 Functionality

7.1 Ping Test

ping6 -c 4 2606:4700:4700::1111

7.2 External IP Check

curl -6 https://ifconfig.co

This should return your instance's public IPv6 address. If it hangs or returns an IPv4 address, something's still misconfigured.

7.3 Online Tools

• test-ipv6.com
• tools.keycdn.com/ipv6-ping

8. Final Recommendations

Once IPv6 is working, keep an eye on it. Update your security policies to cover v6 traffic, and only run dual-stack if you actually need IPv4 for legacy services. For production environments, having someone who knows the networking side well makes a real difference -- IPv6 misconfigurations tend to cause subtle, hard-to-debug issues.