Enabling and Using IPv6 in SDDC Networks

Beginning with SDDC Version 1.22, you can enable dual-stack (IPv4 and IPv6) networking in a new SDDC.

In a dual-stack SDDC network, IPv6 is supported for workload communications on segments connected to a custom T1 gateway. IPv6 is also supported for SDDC communication over AWS Direct Connect and VMware Transit Connect. IPv6 is not yet supported for Internet connections, or for use in the SDDC Management network or the Connected VPC. For more information and design guidelines, read the VMware Cloud Tech Zone Designlet Understanding IPv6 in VMware Cloud on AWS.

SDDC Subnet Selection and IPv6 Enablement

If you plan to enable IPv6 connectivity to the SDDC, you'll need to link it to an AWS dual-stack VPC. See Deploy an SDDC from the VMC Console in the VMware Cloud on AWS Operations Guide. After the SDDC has been created you can enable it for IPv6 by selecting Enable IPv6 from the SDDC ACTIONS menu. When an SDDC has been enabled for IPv6, the Global Configuration page shows an L3 Forwarding Mode of IPv4 and IPv6.

Note:

IPv6 enablement for an SDDC is irreversible. You can change the L3 Forwarding Mode to IPv4 if you want, but the underlying IPv6 networking support remains in place for the lifetime of the SDDC.

Segment Configuration

IPv6 is supported for workload communications only on segments connected to a custom T1 gateway. You cannot enable IPv6 on segments connected to the default Compute Gateway. Segments can be dual-stack or IPv6-only. For more information, see the VMware Tech Zone article Understanding Segments in VMC on AWS.

When creating a dual-stack or IPv6-only segment, you'll need to pay attention to a couple of the configuration parameters described in Create or Modify a Network Segment:

Connected Gateway: Must be a custom T1 Gateway.
Segment Profiles: IP Discovery must be set to vmc-adv-ipdiscovery-profile. This enables Neighbor Detection (ND) snooping, DHCP snooping, and VMware tools for IPv6.

IPv6 and Firewall Rules

Gateway firewall and Distributed Firewall inventory groups can include IPv6 addresses. IPv6 is also supported for Layer 7 APP-ID if the SDDC has enabled NSX Advanced Firewall. IPv6 addresses are supported for system-defined and custom services. Remember that some services have IPv6-specific variants (ICMPv6, for example), that you'll need to consider when writing firewall rules.

North-South Traffic Over AWS Direct Connect and VMware Managed Transit Gateway

IPv6 traffic into and out of the SDDC is supported over AWS Direct Connect and VMware Transit Connect. You must configure IPv6 route aggregations for Advertised Routes as described in Aggregate and Filter Routes to Uplinks if you want IPv6 networks to be advertised to external endpoints. Prefixes in an aggregation prefix list must all be in the same address family.

IPv6 over an IPv4 VPN

You can use the workflow documented in Create a Route-Based VPN to configure a VPN that supports both IPv4 and IPv6. Configure the BGP Local IP/Prefix Length as an IPv6 subnet (/126 or /127 are good options for size) and the BGP Remote IP as an IPv6 address on the same subnet. For example, if you specified a BGP Local IP/Prefix Length of cccc:dddd:100/126, usecccc:dddd::100/101 for BGP Remote IP. When configuring the on-premises end of this VPN, use the IP address you specify for BGP Remote IP as its local BGP IP or VTI address.

There's more information about this in the VMware Cloud Tech Zone Designlet Understanding IPv6 in VMware Cloud on AWS.

DNS Services

DNS services in SDDC version 1.24 do not support IPv6 connectivity. IPv6-only workloads must use a customer-managed IPv6-accessible DNS server either in the SDDC network or reachable over one of the IPv6-capable connectivity options. The SDDC IPv4 DNS service can resolve IPv6 addresses as long as the DNS requests are made over IPv4.