IPv6 Addresses

This topic describes support for IPv6 addressing in your VCN.

Highlights

  • IPv6 addressing is currently supported only in the US Government Cloud. See For All US Government Cloud Customers.
  • During VCN creation, you choose whether the VCN is enabled for IPv6. You also choose whether each subnet in an IPv6-enabled VCN is enabled for IPv6. You cannot change whether a VCN or subnet is IPv6-enabled after creation.
  • IPv6-enabled VCNs use a /48 IPv6 CIDR block. Oracle assigns a /48 public IPv6 CIDR block to the VCN for internet communication. You can either let the private IPv6 CIDR block be the same as the public CIDR, or provide your own value (in which case it's referred to as a custom IPv6 CIDR). All subnets are /64.
  • You also choose whether a given VNIC in an IPv6-enabled subnet has IPv6 addresses (up to 32 maximum per VNIC), and whether each address can be used for internet communication.
  • You can choose which particular IPv6 address in the subnet is assigned to a VNIC. This means you can plan how the VCN's private and public address space is allocated within your organization.
  • Only these Networking gateways support IPv6 traffic: dynamic routing gateway (DRG) and internet gateway.
  • Both inbound- and outbound-initiated IPv6 connections are supported between your VCN and the internet, and between your VCN and your on-premises network.
  • Private IPv6 traffic between resources within a region (intra- and inter-VCN) is not yet supported. See other important details in Routing for IPv6 Traffic.
  • Both FastConnect and IPSec VPN support IPv6 traffic between your VCN and on-premises network. You must configure the FastConnect or IPSec VPN for IPv6.

Overview of IPv6 Addresses

Oracle supports dual-stack IPv4/IPv6 addressing for VCNs. Every VCN always supports IPv4, and you can optionally enable IPv6 during VCN creation. Enabling IPv6 for the VCN means that when you create a subnet, you can optionally enable it to also have IPv6 addresses. Therefore a VCN can have a mix of IPv4-only subnets and IPv6-enabled subnets.

After you create a Compute instance, you may optionally add an IPv6 to the VNIC. You can add up to 32 IPv6s to a given VNIC. You can remove an IPv6 from a VNIC at any time.

CIDRs Assigned to an IPv6-Enabled VCN

An IPv6-enabled VCN has 3 CIDR blocks assigned to it. The following table summarizes them.

Private IPv4 CIDR

  • Use and size: Private communication. /16 to /30.
  • Who assigns the CIDR block: You
  • Allowed values: Typically RFC 1918 range

Private IPv6 CIDR *

  • Use and size: On-premises communication. Only /48.
  • Who assigns the CIDR block: Optionally, you can assign it. If you do, it's referred to in this documentation as a custom IPv6 CIDR. Or, you can let Oracle assign it. Important: You must assign this value if you want instances in the same VCN to communicate with each other using public IPv6 addresses. For more information, see Routing for IPv6 Traffic.
  • Allowed values: If you assign it, see Overview of IPv6 Addresses.

Public IPv6 CIDR

  • Use and size: Internet communication. Only /48.
  • Who assigns the CIDR block: Oracle
  • Allowed values: If you assign the VCN's private IPv6 CIDR, it will be different from the public IPv6 CIDR that Oracle assigns. But if you let Oracle assign the VCN's private IPv6 CIDR, Oracle uses the same CIDR for both the private and public IPv6 CIDRs. That means the private address and public address for a given IPv6 are the same.

* Oracle assigns IPv6 CIDR blocks that are NOT in the IPv6 unique local address (ULA) range. This range is analogous to the IPv4 RFC 1918 private ranges. Therefore, all Oracle-assigned IPv6 CIDRs can be considered public ranges by this definition.

Allowed Custom IPv6 CIDR Ranges

Your custom IPv6 CIDR block can be in these general ranges:

  • Global unicast: 2000::/3
  • ULA: fc00::/7

But it cannot be in these IANA special registry ranges:

  • IETF protocol assignments: 2001::/23
  • Documentation: 2001:db8::/32
  • 6to4: 2002::/16
  • Direct Delegation AS112 Service: 2620:4f:8000::/48

Internet Communication

Regardless of whether you or Oracle assigns the VCN's private IPv6 CIDR, Oracle also assigns the VCN an IPv6 CIDR block for the public IP address space (the public IPv6 CIDR). These addresses are used for internet communication. If you do not assign a custom CIDR, Oracle uses the same Oracle-assigned public IPv6 CIDR for the private address space. This means that a given VNIC might use the same IPv6 IP address for both private and internet communication.

You control whether a given IPv6 address can be used for internet communication. If the IPv6 is in a private subnet, it can never be used for internet communication. If it's in a public subnet, you can enable or disable internet access for that IPv6 at any time. If internet access is enabled, the IPv6 uses its public IPv6 address for communication.

Assignment of IPv6 Addresses to a VNIC

To enable IPv6 for a given VNIC, you assign an IPv6 to the VNIC. You can assign up to 32 IPv6s to a VNIC.

As with IPv4, when assigning an IPv6, you can specify the particular address you want to use, or let Oracle choose one for you. By choosing the IPv6 addresses yourself, you can plan how the VCN's private and public address space is allocated within your organization.

You also choose whether the IPv6 has internet access enabled (it is enabled by default if the VNIC is in a public subnet). A VNIC with an internet-enabled IPv6 is not required to have a public IPv4 address.

You can move an IPv6 address from one VNIC to another in the same subnet.

After adding an IPv6 to a VNIC, you must configure the instance's OS to use the IPv6.

Format of IPv6 Addresses

IPv6 addresses have 128 bits.

An IPv6 CIDR block for a VCN must be /48 in size. The left 48 bits identify the VCN portion of the address. For example:

2001:0db8:0123::/48

An IPv6 CIDR block for a subnet must be /64 in size. The right 16 bits in a subnet's CIDR identify the subnet portion of the address. In the following example, the 1111 is the unique portion for the subnet:

2001:0db8:0123:1111::/64

The right-most 64 bits of an IPv6 address identify the unique portion specific to the particular IPv6 address. For example:

2001:0db8:0123:1111:abcd:ef01:2345:6789

For a given IPv6, those right-most 64 bits are identical for both the private and public address for an IPv6. When you assign an IPv6 to a VNIC, you can specify which specific IPv6 address to use (those 64 bits). Therefore you can control how the private and public address space is allocated within your organization.

Example 1: You assign a custom CIDR
Important

Oracle recommends this option if you want instances within the same IPv6-enabled VCN to communicate with each other using public IPv6 addresses. For more information, see Routing for IPv6 Traffic.

Let's say you provide this custom IPv6 CIDR: fd00:aaaa:0123::/48.

Oracle assigns a separate CIDR block for the VCN's public CIDR: 2001:0db8:9999::/48.

The following diagram illustrates the VCN and includes two subnets: public subnet 1111 and private subnet 1112.

This image shows an example of IPv4 and IPv6 addresses used in a VCN with a custom IPv6 CIDR.

The VNIC in the public subnet has a primary private IPv4 (10.0.1.4) with an optional public IP address assigned. The VNIC has a secondary private IPv4 (10.0.1.5), also with an optional public IP address assigned.

The VNIC also has two IPv6s. The first one has internet access enabled and therefore has both private and public IPv6 addresses, which are the following:

  • Private IPv6 address: fd00:aaaa:0123:1111:abcd:ef01:2345:0006
  • Public IPv6 address: 2001:0db8:9999:1111:abcd:ef01:2345:0006

Notice that the right-most 64 bits are the same for both the private and public IP address, as are the subnet's 16 bits. Only the left-most 48 bits differ.

The second IPv6 in the public subnet does not have internet access enabled and therefore has only a private IP address, which is fd00:aaaa:0123:1111:abcd:ef01:2345:0007.

The second subnet is private, which means the VNICs can never have public IPv4 or IPv6 addresses. In this case, there's one VNIC that has a primary and secondary IPv4 with addresses 10.0.2.4 and 10.0.2.5, respectively.

The VNIC also has two IPv6s. The first has private address fd00:aaaa:0123:1112:abcd:ef01:2345:0006, and the second IPv6 has private address fd00:aaaa:0123:1112:abcd:ef01:2345:0007.

Example 2: You let Oracle assign the VCN's CIDR

You do not assign a custom CIDR, and Oracle assigns this CIDR: 2001:0db8:0123::/48. Oracle uses this same CIDR for both the private and public IP addresses.

The following diagram illustrates the VCN and includes two subnets: public subnet 1111 and private subnet 1112.

This image shows an example of IPv4 and IPv6 addresses used in a VCN with an Oracle-provided IPv6 CIDR.

The VNIC in the public subnet has a primary private IPv4 (10.0.1.4) with an optional public IP address assigned. The VNIC has a secondary private IPv4 (10.0.1.5), also with an optional public IP address assigned.

The VNIC also has two IPv6s. The first one has internet access enabled and therefore has both private and public IPv6 addresses, which are the following:

  • Private IPv6 address: 2001:0db8:0123:1111:abcd:ef01:2345:0006
  • Public IPv6 address: 2001:0db8:0123:1111:abcd:ef01:2345:0006

Notice that the two addresses are the same.

The second IPv6 does not have internet access enabled and therefore has only a private IP address, which is 2001:0db8:0123:1111:abcd:ef01:2345:0007.

The second subnet is private, which means the VNICs can never have public addresses, IPv4 or IPv6. In this case, there's one VNIC that has a primary and secondary IPv4 with addresses 10.0.2.4 and 10.0.2.5, respectively.

The VNIC also has two IPv6s. The first has private address 2001:0db8:0123:1112:abcd:ef01:2345:0006, and the second IPv6 has private address 2001:0db8:0123:1112:abcd:ef01:2345:0007.
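
The address layout behind Example 1 and Example 2, worked through in Python as an added illustration (not Oracle code). The function names are this example's own; the addresses are the ones used in the two examples above.

```python
import ipaddress

VCN_PREFIXLEN = 48      # left 48 bits: VCN portion
SUBNET_PREFIXLEN = 64   # next 16 bits: subnet portion; right-most 64 bits: per-address


def _vcn(cidr):
    """Parse a VCN IPv6 CIDR and insist on the /48 size."""
    net = ipaddress.IPv6Network(cidr)
    if net.prefixlen != VCN_PREFIXLEN:
        raise ValueError(f"VCN IPv6 CIDR must be /48, got /{net.prefixlen}")
    return net


def address_parts(addr):
    """Split an address into (VCN 48 bits, subnet 16 bits, right-most 64 bits)."""
    value = int(ipaddress.IPv6Address(addr))
    return value >> 80, (value >> 64) & 0xFFFF, value & ((1 << 64) - 1)


def subnet_cidr(vcn_cidr, subnet_bits):
    """Build the /64 subnet CIDR from a /48 VCN CIDR and the subnet's 16 bits."""
    if not 0 <= subnet_bits <= 0xFFFF:
        raise ValueError("subnet portion must fit in 16 bits")
    base = int(_vcn(vcn_cidr).network_address)
    return ipaddress.IPv6Network((base | (subnet_bits << 64), SUBNET_PREFIXLEN))


def public_address(private_addr, private_vcn_cidr, public_vcn_cidr):
    """Derive the public address of an internet-enabled IPv6.

    Only the left-most 48 bits change: the subnet's 16 bits and the
    right-most 64 bits are carried over from the private address.
    """
    private_net = _vcn(private_vcn_cidr)
    public_net = _vcn(public_vcn_cidr)
    addr = ipaddress.IPv6Address(private_addr)
    if addr not in private_net:
        raise ValueError(f"{addr} is not inside {private_net}")
    low_80_bits = int(addr) & ((1 << 80) - 1)
    return ipaddress.IPv6Address(int(public_net.network_address) | low_80_bits)


if __name__ == "__main__":
    # Example 1: custom private CIDR, separate Oracle-assigned public CIDR.
    pub = public_address(
        "fd00:aaaa:0123:1111:abcd:ef01:2345:0006",
        "fd00:aaaa:0123::/48",
        "2001:0db8:9999::/48",
    )
    print("Example 1 public address:", pub.exploded)

    # Example 2: Oracle assigns one CIDR for both, so the address is unchanged.
    same = public_address(
        "2001:0db8:0123:1111:abcd:ef01:2345:0006",
        "2001:0db8:0123::/48",
        "2001:0db8:0123::/48",
    )
    print("Example 2 public address:", same.exploded)
    print("Public subnet 1111:", subnet_cidr("2001:0db8:0123::/48", 0x1111))
```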

Routing for IPv6 Traffic

Both inbound- and outbound-initiated IPv6 connections are supported between your VCN and the internet, and between your VCN and your on-premises network.

Here are other important details about routing of IPv6 traffic:

  • Currently IPv6 traffic is supported only through these gateways: dynamic routing gateway (DRG) and internet gateway.
  • Traffic between instances on their public IPv6 addresses is supported and must traverse the VCN's internet gateway. Exception: if the given IPv6 uses the same address for both private and public communication, traffic between instances on their public IPv6 address is not supported. Therefore, if you want instances in the same VCN to communicate with each other using public IPv6 addresses, specify your own private IPv6 CIDR when creating the VCN. This means the private address for an IPv6 in the VCN will be different than its public address. For more information, see Overview of IPv6 Addresses.
  • Private IPv6 traffic between resources within a region (intra- and inter-VCN) is not yet supported.

VCN Route Tables and IPv6

The VCN's route tables support both IPv4 rules and IPv6 rules that use a DRG or internet gateway as the target. For example, the route table for a given subnet could have these rules:

  • Rule to route traffic that matches a certain IPv4 CIDR to the VCN's attached DRG
  • Rule to route traffic that matches a certain IPv4 CIDR to the VCN's service gateway
  • Rule to route traffic that matches a certain IPv4 CIDR to the VCN's NAT gateway
  • Rule to route traffic that matches a certain IPv6 CIDR to the VCN's attached DRG
  • Rule to route traffic that matches a certain IPv6 CIDR to the VCN's attached internet gateway

Security Rules for IPv6 Traffic

Like route tables, the VCN's network security groups and security lists support both IPv4 and IPv6 rules. For example, a network security group or security list could have these security rules:

  • Rule to allow SSH traffic from the on-premises network's IPv4 CIDR
  • Rule to allow ping traffic from the on-premises network's IPv4 CIDR
  • Rule to allow SSH traffic from the on-premises network's IPv6 CIDR
  • Rule to allow ping traffic from the on-premises network's IPv6 CIDR

The default security list in an IPv6-enabled VCN includes default IPv4 rules and the following default IPv6 rules:

  • Stateful ingress: Allow IPv6 TCP traffic on destination port 22 (SSH) from source ::/0 and any source port. This rule makes it easy for you to create a new VCN with a public subnet and internet gateway, create a Linux instance, add an internet-access-enabled IPv6, and then immediately connect with SSH to that instance without needing to write any security rules yourself.

    Important

    The default security list does not include a rule to allow Remote Desktop Protocol (RDP) access. If you're using Windows images, add a stateful ingress rule for TCP traffic on destination port 3389 from source ::/0 and any source port.

    See To enable RDP access for more information.

  • Stateful ingress: Allow ICMPv6 traffic type 2 code 0 (Packet Too Big) from source ::/0 and any source port. This rule enables your instances to receive Path MTU Discovery fragmentation messages.
  • Stateful egress: Allow all IPv6 traffic. This allows instances to initiate IPv6 traffic of any kind to any destination. Notice that this means the instances with an internet-access-enabled IPv6 can talk to any internet IPv6 address if the VCN has a configured internet gateway. And because stateful security rules use connection tracking, the response traffic is automatically allowed regardless of any ingress rules. For more information, see Stateful Versus Stateless Rules.
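
A review of an IPv6 rule set against the points this page makes: the default SSH rule is open to ::/0, the Packet Too Big rule is needed for Path MTU Discovery, and a security list holds at most 8 IPv6 rules per direction (see the comparison table later on this page). This Python check is an added example, not Oracle code; the rule dictionaries use a simplified, hypothetical schema rather than the OCI API model, and the on-premises CIDR is a made-up value.

```python
import ipaddress

# Hypothetical, simplified rule schema used only in this example:
#   direction: "ingress" | "egress"
#   cidr:      source (ingress) or destination (egress) CIDR
#   protocol:  "tcp" | "icmpv6" | "all"
#   dst_ports: (min, max), or absent for all ports
#   icmp_type: ICMPv6 type number, or absent
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
ANY_IPV6 = ipaddress.ip_network("::/0")
IPV6_RULE_LIMIT = 8  # per direction in a security list, as stated on this page

# The three default IPv6 rules as this page describes them.
DEFAULT_LIST = [
    {"direction": "ingress", "cidr": "::/0", "protocol": "tcp", "dst_ports": (22, 22)},
    {"direction": "ingress", "cidr": "::/0", "protocol": "icmpv6", "icmp_type": 2},
    {"direction": "egress", "cidr": "::/0", "protocol": "all"},
]

# Constructed custom list: SSH narrowed to an on-premises CIDR (made-up value),
# but the Packet Too Big rule was not carried over from the default list.
CUSTOM_LIST = [
    {"direction": "ingress", "cidr": "fd00:bbbb:456::/48", "protocol": "tcp", "dst_ports": (22, 22)},
    {"direction": "egress", "cidr": "::/0", "protocol": "all"},
]


def audit_ipv6_rules(rules):
    """Return findings for the IPv6 rules in a security list."""
    findings = []
    v6 = [r for r in rules if ipaddress.ip_network(r["cidr"]).version == 6]

    # 1. Per-direction rule count against the documented limit.
    for direction in ("ingress", "egress"):
        count = sum(1 for r in v6 if r["direction"] == direction)
        if count > IPV6_RULE_LIMIT:
            findings.append(
                f"{count} IPv6 {direction} rules exceed the limit of {IPV6_RULE_LIMIT}"
            )

    # 2. Administrative ports reachable from every IPv6 source.
    ingress = [r for r in v6 if r["direction"] == "ingress"]
    for rule in ingress:
        if rule["protocol"] not in ("tcp", "all"):
            continue
        if ipaddress.ip_network(rule["cidr"]) != ANY_IPV6:
            continue
        low, high = rule.get("dst_ports") or (1, 65535)
        for port, name in ADMIN_PORTS.items():
            if low <= port <= high:
                findings.append(f"{name} (tcp/{port}) is open to ::/0")

    # 3. Packet Too Big (ICMPv6 type 2) must still be allowed in.
    has_ptb = any(
        r["protocol"] == "all"
        or (r["protocol"] == "icmpv6" and r.get("icmp_type") == 2)
        for r in ingress
    )
    if not has_ptb:
        findings.append(
            "no ingress rule for ICMPv6 type 2 (Packet Too Big); "
            "Path MTU Discovery may fail"
        )
    return findings


if __name__ == "__main__":
    for name, rules in (("default", DEFAULT_LIST), ("custom", CUSTOM_LIST)):
        print(name, "->", audit_ipv6_rules(rules) or "no findings")
```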

FastConnect and IPv6

If you use FastConnect, you can configure it so that on-premises hosts with IPv6 addresses can communicate with an IPv6-enabled VCN. In general, you must ensure that the FastConnect virtual circuit has IPv6 BGP addresses, and update the VCN's routing and security rules for IPv6 traffic.

About the IPv6 BGP Addresses

A FastConnect virtual circuit always requires IPv4 BGP addresses, but IPv6 BGP addresses are optional and only required for IPv6 traffic. Depending on how you're using FastConnect, you might be asked to provide all of the virtual circuit's BGP addresses yourself (both IPv4 and IPv6).

The addresses consist of a pair: one for your end of the BGP session, and another for the Oracle end of the BGP session.

When you specify a BGP address pair, you must include a subnet mask that contains both of the addresses. Specifically for IPv6, the allowed subnet masks are:

  • /64
  • /96
  • /126
  • /127

For example, you could specify 2001:db8::6/127 for the address at your end of the BGP session, and 2001:db8::7/127 for the Oracle end.
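
The pair rules above (an allowed mask, and one subnet that contains both ends) can be checked before the addresses are entered. This Python check is an added example, not Oracle code; the function name is this example's own.

```python
import ipaddress

# IPv6 subnet masks allowed for a BGP address pair, from the list above.
ALLOWED_BGP_PREFIXLENS = {64, 96, 126, 127}


def check_bgp_pair(customer, oracle):
    """Return the problems with an IPv6 BGP address pair (empty list = OK).

    Both arguments are 'address/mask' strings, e.g. '2001:db8::6/127'.
    """
    try:
        ends = {
            "customer": ipaddress.IPv6Interface(customer),
            "Oracle": ipaddress.IPv6Interface(oracle),
        }
    except ValueError as exc:
        return [f"invalid IPv6 address/mask: {exc}"]

    problems = []
    for label, iface in ends.items():
        # An address given without a mask parses as /128 and is flagged here.
        if iface.network.prefixlen not in ALLOWED_BGP_PREFIXLENS:
            problems.append(
                f"{label} end uses /{iface.network.prefixlen}; "
                "allowed masks are /64, /96, /126, /127"
            )
    # Differing masks or differing prefixes both show up as different networks.
    if ends["customer"].network != ends["Oracle"].network:
        problems.append("the two addresses are not in the same subnet")
    if ends["customer"].ip == ends["Oracle"].ip:
        problems.append("both ends use the same address")
    return problems


if __name__ == "__main__":
    # The pair from the example above, followed by constructed failing pairs.
    for pair in (
        ("2001:db8::6/127", "2001:db8::7/127"),
        ("2001:db8::6/127", "2001:db8::8/127"),   # different /127 subnets
        ("2001:db8::6/120", "2001:db8::7/120"),   # mask not in the allowed list
        ("2001:db8::6/127", "2001:db8::6/127"),   # same address at both ends
    ):
        print(pair, "->", check_bgp_pair(*pair) or "OK")
```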

Process to Enable IPv6

In general, here's how to enable IPv6 for a FastConnect virtual circuit:

  • Virtual circuit BGP: Ensure the FastConnect virtual circuit has IPv6 BGP addresses. If you're responsible for providing the BGP IP addresses, when you set up a new virtual circuit or edit an existing one, there's a place for the two IPv4 BGP addresses. There's a separate check box for Enable IPv6 Address Assignment and a place to provide the two IPv6 addresses. Be aware that if you're editing an existing virtual circuit to add support for IPv6, it will go down while it's being reprovisioned to use the new BGP information.
  • VCN route tables: For each IPv6-enabled subnet in the VCN, update its route table to include rules that route the IPv6 traffic from the VCN to the IPv6 subnets in your on-premises network. For example, the Destination CIDR Block for a route rule would be an IPv6 subnet in your on-premises network, and the Target would be the dynamic routing gateway (DRG) attached to the IPv6-enabled VCN.
  • VCN security rules: For each IPv6-enabled subnet in the VCN, update its security lists or relevant network security groups to allow IPv6 traffic between the VCN and your on-premises network. See Security Rules for IPv6 Traffic.

If you do not yet have a FastConnect connection, see these topics to get started:

VPN Connect and IPv6

If you use VPN Connect, you can configure it so that on-premises hosts with IPv6 addresses can communicate with an IPv6-enabled VCN. Here's how to enable IPv6 for the connection:

  • IPSec connection static routes: Configure the IPSec connection with the IPv6 static routes of your on-premises network. Currently the Oracle IPSec VPN does not support BGP dynamic routing.
  • VCN route tables: For each IPv6-enabled subnet in the VCN, update its route table to include rules that route the IPv6 traffic from the VCN to the IPv6 subnets in your on-premises network. For example, the Destination CIDR Block for a route rule would be an IPv6 static route for your on-premises network, and the Target would be the dynamic routing gateway (DRG) attached to the IPv6-enabled VCN.
  • VCN security rules: For each IPv6-enabled subnet in the VCN, update its security lists or relevant network security groups to allow the wanted IPv6 traffic between the VCN and your on-premises network. See Security Rules for IPv6 Traffic.

If you have an existing IPSec VPN that uses static routing, you can update the list of static routes to include ones for IPv6. Be aware that changing the list of static routes causes the IPSec VPN to go down while it's being reprovisioned. See Changing the Static Routes.

If you do not yet have an IPSec VPN, see these topics to get started:

DHCP

Currently DHCPv6 auto-configuration of IP addresses is not supported.

DNS

The VCN's Internet Resolver supports IPv6, which means resources in your VCN can resolve IPv6 addresses of hosts outside the VCN. IPv6 traffic between resources within the VCN is not yet supported, and assignment of a hostname to an IPv6 address is not supported.

Load Balancers

When you create a load balancer, you can optionally choose to have an IPv4/IPv6 dual-stack configuration. When you choose the IPv6 option, the Load Balancing service assigns both an IPv4 and an IPv6 address to the load balancer. The load balancer receives client traffic sent to the assigned IPv6 address. The load balancer uses only IPv4 addresses to communicate with backend servers. There is no IPv6 communication between the load balancer and the backend servers.

IPv6 address assignment occurs only at load balancer creation. You cannot assign an IPv6 address to an existing load balancer.

Comparison of IPv4 and IPv6 for Your VCN

The following table summarizes the differences between IPv4 and IPv6 addressing in a VCN.

Addressing type supported

  • IPv4: IPv4 addressing is always required, regardless of whether IPv6 is enabled.
  • IPv6: IPv6 addressing is optional per VCN, optional per subnet in an IPv6-enabled VCN, and optional per VNIC in an IPv6-enabled subnet.

Supported traffic types

  • IPv4: IPv4 traffic is supported for all gateways. IPv4 traffic between instances within the VCN is supported (east/west traffic).
  • IPv6: IPv6 traffic is supported only with these gateways: internet gateway and DRG. Both inbound- and outbound-initiated IPv6 connections are supported between your VCN and the internet, and between your VCN and your on-premises network. Private IPv6 traffic between resources within a region (intra- and inter-VCN) is not yet supported (east/west traffic). Also see the caveats in Routing for IPv6 Traffic.

VCN size

  • IPv4: /16 to /30
  • IPv6: /48 only

Subnet size

  • IPv4: /16 to /30, with 3 addresses reserved in each subnet by Oracle (first 2 and last 1).
  • IPv6: /64 only, with 8 addresses in the subnet reserved by Oracle (first 4 and last 4).

Private and public IP address space

  • IPv4:
    • Private: A VCN's private IPv4 CIDR can be from an RFC 1918 range or a publicly routable range (in which case, it's treated as private). You must specify the range, unless you use the Console's VCN creation wizard, which always uses 10.0.0.0/16.
    • Public: The VCN does not have a dedicated public IPv4 address space. Any public addresses in your VCN are always chosen by Oracle.
  • IPv6:
    • You can specify a /48 from the list of supported ranges for the private IPv6 CIDR (see Overview of IPv6 Addresses). If you don't specify a range, Oracle assigns a /48 CIDR that is used for both the private and public IP address space. Important: You must assign this value if you want instances in the same VCN to communicate with each other using public IPv6 addresses. For more information, see Routing for IPv6 Traffic.
    • Unlike with IPv4, your VCN has a dedicated public IPv6 address space, which is always /48 in size. When you assign an IPv6 to a VNIC, you can choose the address, or you can let Oracle choose it.

IP address assignment

  • IPv4:
    • Private: Each VNIC gets a private IPv4 address. You can choose the address or let Oracle choose it.
    • Public: You determine whether the private IPv4 address has a public IP address associated with it (assuming the VNIC is in a public subnet). Oracle chooses the public IP address.
    • From an API standpoint: the PrivateIp object is separate from the PublicIp object. You can remove the public IP address from the private IPv4 address at any time.
  • IPv6:
    • You decide whether a VNIC in an IPv6-enabled subnet gets an IPv6. You can choose the private IPv6 address or let Oracle choose it.
    • You also decide whether that IPv6 has internet access enabled (assuming the VNIC is in a public subnet). You can remove the internet access for that IPv6 at any time. When an IPv6 is internet enabled, it has a public IPv6 address. The public IPv6 address always has the same right-most 64 bits as the private IPv6 address.
    • Recall that if Oracle assigns the VCN's private IPv6 CIDR, then the private and public CIDRs for the VCN are the same. In that case, each IPv6 uses the same address (all 128 bits) for both its private IP address and public IP address.
    • From an API standpoint: both the private and public IP addresses are included in the Ipv6 object and always exist together.

Internet access

  • IPv4: You control whether a subnet is public or private. You add or remove a public IP address from a private IPv4 address on a VNIC (assuming the VNIC is in a public subnet).
  • IPv6: You control whether a subnet is public or private. You do not add or remove a public IP address to or from the VNIC as you do with IPv4. Instead you enable or disable the internet access for a given IPv6 that you've added to a VNIC (assuming the VNIC is in a public subnet).

Primary and secondary labels

  • IPv4: Each VNIC automatically has a primary private IP address, and you can assign up to 31 secondary private IPs per VNIC.
  • IPv6: You choose to add an IPv6 to a VNIC. There is no primary or secondary label for it. You can assign up to 32 IPv6s per VNIC.

Hostnames

  • IPv4: You can assign hostnames to IPv4 addresses.
  • IPv6: You cannot assign hostnames to IPv6 addresses.

Route rule limits

  • IPv4: See Service Limits.
  • IPv6: IPv4 and IPv6 route rules can reside together in the same route table. IPv6 route rules can target only an internet gateway or DRG. Limit on number of IPv6 route rules in a route table: 8.

Security rule limits

  • IPv4: See Service Limits.
  • IPv6: IPv4 and IPv6 security rules can reside together in the same network security group or security list. IPv6 security rules can use only IPv6 CIDR ranges for source or destination, and not a service CIDR label used for a service gateway. Limit on number of IPv6 security rules in a security list: 8 ingress and 8 egress. Limit on number of IPv6 security rules in a network security group: 16 total.

Reserved public IP addresses

  • IPv4: Supported.
  • IPv6: Not supported.

Regional or AD-specific

  • IPv4: Primary private IPv4 addresses are AD-specific. Secondary private IPv4 addresses are AD-specific unless assigned to a VNIC in a regional subnet. Public IP addresses can be AD-specific or regional depending on the type (ephemeral or reserved). See Public IP Addresses.
  • IPv6: IPv6 addresses are regional.

Setting Up an IPv6-Enabled VCN with Internet Access

Use the following process if you want to set up an IPv6-enabled VCN with internet access so you can easily launch an instance and connect to it by using its public IPv6 address.

Warning

Avoid entering confidential information when assigning descriptions, tags, or friendly names to your cloud resources through the Oracle Cloud Infrastructure Console, API, or CLI.
Task 1: Create the IPv6-enabled VCN
  1. Open the navigation menu. Under Core Infrastructure, go to Networking and click Virtual Cloud Networks.
  2. Choose a compartment you have permission to work in (on the left side of the page). The page updates to display only the resources in that compartment. If you're not sure which compartment to use, contact an administrator. For more information, see Access Control.
  3. Click Create Virtual Cloud Network.
  4. Enter the following:

    • Name: A descriptive name for the VCN. It doesn't have to be unique, and it cannot be changed later in the Console (but you can change it with the API). Avoid entering confidential information.
    • Create in Compartment: Leave as is.
    • CIDR Block: A single, contiguous IPv4 CIDR block for the VCN. For example: 172.16.0.0/16. You cannot change this value later. See Allowed VCN Size and Address Ranges. For reference, here's a CIDR calculator.
    • Enable IPv6 Address Assignment: Select the check box and optionally provide the private IPv6 CIDR in the field labeled Private IPv6 CIDR Block. You must provide the value if you want the instances in this IPv6-enabled VCN to communicate with each other using their public IP addresses. Leave the field blank if you want Oracle to assign the private IPv6 CIDR for you. You cannot later disable IPv6 for the VCN or change the CIDR. All IPv6-enabled VCNs are always /48 in size.
    • Use DNS Hostnames in this VCN (supported for IPv4 only): Required for assignment of DNS hostnames to hosts in the VCN, and required if you plan to use the VCN's default DNS feature (called the Internet and VCN Resolver). If the check box is selected, you can specify a DNS label for the VCN, or the Console will generate one for you. The dialog box automatically displays the corresponding DNS Domain Name for the VCN (<VCN DNS label>.oraclevcn.com). For more information, see DNS in Your Virtual Cloud Network.
    • Tags: Leave as is. You can add tags later if you want. For more information, see Resource Tags.
  5. Click Create Virtual Cloud Network.

    The VCN is then created and displayed on the Virtual Cloud Networks page in the compartment you chose.

Task 2: Create a regional IPv6-enabled public subnet
  1. While still viewing the VCN, click Create Subnet.
  2. Enter the following:

    • Name: A descriptive name for the subnet (for example, Regional Public Subnet). It doesn't have to be unique, and you can change it later. Avoid entering confidential information.
    • Regional or Availability Domain-specific subnet: Oracle recommends creating only regional subnets, which means that the subnet can contain resources in any of the region's availability domains. If you instead choose Availability Domain-Specific (the only kind of subnet that Oracle originally offered), you must also specify an availability domain. This choice means that any instances or other resources later created in this subnet must also be in that availability domain.
    • CIDR Block: A single, contiguous IPv4 CIDR block for the subnet (for example, 172.16.0.0/24). The address block must be within the VCN's IPv4 CIDR block and not overlap any other subnets. You cannot change this value later. See Allowed VCN Size and Address Ranges. For reference, here's a CIDR calculator.
    • Enable IPv6 Address Assignment: Select the check box and provide your choice of 16 bits for the subnet (example: 1111). You cannot later disable IPv6 for the subnet or change the CIDR. All IPv6-enabled subnets are always /64 in size. For more information about IPv6 address format, see Overview of IPv6 Addresses.
    • Route Table: Select the default route table.
    • Private or public subnet: Select Public Subnet, which means instances in the subnet can optionally have public IP addresses. For more information, see Access to the Internet.
    • Use DNS Hostnames in this Subnet (supported for IPv4 only): This option is available only if you provided a DNS label for the VCN during creation. The option is required for assignment of DNS hostnames to hosts in the subnet, and required if you plan to use the VCN's default DNS feature (called the Internet and VCN Resolver). If the check box is selected, you can specify a DNS label for the subnet, or the Console will generate one for you. The dialog box automatically displays the corresponding DNS Domain Name for the subnet (<subnet_DNS_label>.<VCN_DNS_label>.oraclevcn.com). For more information, see DNS in Your Virtual Cloud Network.
    • DHCP Options: Select the default set of DHCP options.
    • Security Lists: Select the default security list.
    • Tags: Leave as is. You can add tags later if you want. For more information, see Resource Tags.
  3. Click Create Subnet.

    The subnet is then created and displayed on the Subnets page.

Task 3: Create the internet gateway
  1. Under Resources, click Internet Gateways.
  2. Click Create Internet Gateway.
  3. Enter the following:

    • Name: A descriptive name for the internet gateway. It doesn't have to be unique, and it cannot be changed later in the Console (but you can change it with the API). Avoid entering confidential information.
    • Create in Compartment: Leave as is.
    • Tags: Leave as is. You can add tags later if you want. For more information, see Resource Tags.
  4. Click Create Internet Gateway.

    Your internet gateway is created and displayed on the Internet Gateways page. It's already enabled, but you must add route rules that allow IPv4 and IPv6 traffic to flow to the gateway.

Task 4: Update the default route table to use the internet gateway

The default route table starts out with no rules. Here you add rules that route all IPv4 and IPv6 traffic destined for addresses outside the VCN to the internet gateway. The existence of these rules also enables inbound connections to come from the internet to the subnet, through the internet gateway. You use security rules to control the types of traffic that are allowed in and out of the instances in the subnet (see the next task).

No route rule is required in order to route traffic within the VCN itself.

  1. Under Resources, click Route Tables.
  2. Click the default route table to view its details.
  3. Click Add Route Rules.
  4. Enter the following:

    • Target Type: Internet Gateway
    • Destination CIDR block: 0.0.0.0/0 (which means that all IPv4 non-intra-VCN traffic that is not already covered by other rules in the route table goes to the target specified in this rule).
    • Compartment: The compartment where the internet gateway is located.
    • Target: The internet gateway you created.
    • Description: An optional description of the rule.
  5. Click + Additional Route Rule.
  6. Enter the following:

    • Target Type: Internet Gateway
    • Destination CIDR block: ::/0 (for the IPv6 traffic).
    • Compartment: The compartment where the internet gateway is located.
    • Target: The internet gateway you created.
    • Description: An optional description of the rule.
  7. Click Add Route Rules.

The default route table now has two rules for the internet gateway, one for IPv4 traffic and one for IPv6 traffic. Because the subnet was set up to use the default route table, the resources in the subnet can now use the internet gateway. The next step is to specify the types of traffic you want to allow in and out of the instances you later create in the subnet.

Task 5: Update the default security list (optional)
Note

This task is about configuring security rules to allow traffic to and from your instances. Although this task uses a security list to implement those rules, you can also use network security groups to implement security rules.

Earlier you set up the subnet to use the VCN's default security list. This list already includes basic rules that allow essential IPv4 and IPv6 traffic. In this task, you add any additional security rules that allow the types of connections that the instances in the VCN will need.

For example: This is a public subnet with an internet gateway, so the instances you create might need to receive inbound HTTPS connections from the internet (if they're web servers). Here's how to add another rule to the default security list to enable that traffic:

  1. Under Resources, click Security Lists.
  2. Click the default security list to view its details. By default, you land on the Ingress Rules page.
  3. Click Add Ingress Rule.
  4. To enable inbound connections for HTTPS (TCP port 443), enter the following:

    • Stateless: Unselected (this is a stateful rule)
    • Source Type: CIDR
    • Source CIDR: 0.0.0.0/0 (or ::/0 if you want to enable IPv6 traffic with this rule)
    • IP Protocol: TCP
    • Source Port Range: All
    • Destination Port Range: 443
    • Description: An optional description of the rule.
  5. Click Add Ingress Rule.
Important

Security List Rule for Windows Instances

If you're going to create Windows instances, you need to add a security rule to enable Remote Desktop Protocol (RDP) access. Specifically, you need a stateful ingress rule for TCP traffic on destination port 3389 from source 0.0.0.0/0 (and a separate rule with ::/0 for IPv6 traffic) and any source port. For more information, see Security Rules.

For a production VCN, you typically set up one or more custom security lists for each subnet. If you like, you can edit the subnet to use different security lists. If you choose not to use the default security list, do so only after carefully assessing which of its default rules you want to duplicate in your custom security list. For example: the default ICMP rules in the default security list are important for receiving connectivity messages for IPv4.
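A rule's source CIDR covers one address family only: 0.0.0.0/0 does not match IPv6 sources, and ::/0 does not match IPv4 sources. The following added example (not Oracle's code) reads a list of ingress rules and reports which TCP port ranges are open to any source, per address family, and which are open for only one family. The sample rules are constructed, and the field names (source, sourceType, protocol, tcpOptions.destinationPortRange) are assumed to match the JSON shape of security list ingress rules.

```python
import ipaddress

TCP = "6"  # IANA protocol number for TCP, carried as a string (assumed rule shape)

# Constructed sample: HTTPS added for IPv4 only, RDP added for both families,
# and SSH restricted to an internal range.
SAMPLE_RULES = [
    {"source": "0.0.0.0/0", "protocol": "6", "isStateless": False,
     "tcpOptions": {"destinationPortRange": {"min": 443, "max": 443}}},
    {"source": "0.0.0.0/0", "protocol": "6", "isStateless": False,
     "tcpOptions": {"destinationPortRange": {"min": 3389, "max": 3389}}},
    {"source": "::/0", "protocol": "6", "isStateless": False,
     "tcpOptions": {"destinationPortRange": {"min": 3389, "max": 3389}}},
    {"source": "10.0.0.0/16", "protocol": "6", "isStateless": False,
     "tcpOptions": {"destinationPortRange": {"min": 22, "max": 22}}},
]

def world_open_tcp(rules):
    """Map each destination port range to the address families open to any source."""
    exposure = {}
    for rule in rules:
        if rule.get("sourceType", "CIDR_BLOCK") != "CIDR_BLOCK":
            continue  # service-based sources are not CIDRs
        if rule.get("protocol") not in (TCP, "all"):
            continue
        source = ipaddress.ip_network(rule["source"])
        if source.prefixlen != 0:
            continue  # restricted source, not open to the whole internet
        # A TCP rule without tcpOptions applies to every destination port.
        ports = (rule.get("tcpOptions") or {}).get("destinationPortRange") \
            or {"min": 1, "max": 65535}
        key = (ports["min"], ports["max"])
        exposure.setdefault(key, set()).add(f"IPv{source.version}")
    return exposure

def single_family_ranges(rules):
    """Port ranges open to any source over only one of IPv4 and IPv6.

    Ranges are compared by exact (min, max) match; overlapping ranges with
    different bounds are reported separately.
    """
    return {rng: fams for rng, fams in world_open_tcp(rules).items()
            if len(fams) == 1}

if __name__ == "__main__":
    for rng, fams in sorted(world_open_tcp(SAMPLE_RULES).items()):
        print(rng, sorted(fams))
```
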

Task 6: Create an instance

Your next step is to create an instance in the subnet. When you create the instance, you choose the availability domain, which VCN and subnet to use, and several other characteristics.

Each instance automatically gets a private IPv4 address. When you create an instance in a public subnet, you choose whether the instance gets a public IP address. A public IPv4 address is NOT required for public IPv6 traffic. But if you want to connect to the instance from an IPv4 host, you must give the instance a public IP address, or else you can't access it through the internet gateway. The default (for a public subnet) is for the instance to get a public IP address.

For more information and instructions, see Launching an Instance.

Task 7: Add an internet-enabled IPv6 to the instance
  1. While viewing the instance you just created, click Attached VNICs.
  2. Click the VNIC.
  3. Under Resources, click IPv6 Addresses.
  4. Click Assign Private IPv6 Address.
  5. Enter the following:

    • Private IPv6 Address: Optional. An available private IPv6 address of your choice from the subnet's private IPv6 CIDR (otherwise the private IP address is automatically assigned).
    • Unassign if already assigned to another VNIC: Leave this check box as is (cleared). Use this only to force reassignment of an IPv6 address if it's already assigned to another VNIC in the subnet. Relevant only if you specify a private IP address in the preceding field.
    • Enable Internet Access: Select this check box. This enables internet access and assigns the IPv6 a public address (if it's in a public subnet, which is the case here). See Overview of IPv6 Addresses.
    • Tags: Leave as is. You can add tags later if you want. For more information, see Resource Tags.
  6. Click Assign.

    The IPv6 is created and then displayed on the IPv6 Addresses page for the VNIC. Notice that it has both a private and public IPv6 address.

Task 8: Configure the instance's OS to use the IPv6

You must configure the instance's OS to use the IPv6. For more information, see Configuring the OS to Use an IPv6.

After performing this task, you can connect to the instance over the internet with SSH or RDP from your on-premises network or a location on the internet. The host connecting to the instance must be using a public IPv6 address.

Managing IPv6s in the Console

This section includes basic tasks for working with IPv6-related resources.

To create an IPv6-enabled VCN
Important

You can't enable IPv6 for an existing VCN. You can only enable IPv6 when creating a VCN. After enabling IPv6 for a VCN, you cannot disable it.

See the instructions in Task 1: Create the IPv6-enabled VCN.

To create an IPv6-enabled subnet
Important

After enabling IPv6 for a subnet, you cannot disable it.

Summary: Creating an IPv6-enabled subnet is similar to creating an IPv4 subnet. The only difference is that you must select the check box for Enable IPv6 Address Assignment and provide 16 bits for the subnet's portion of the IPv6 CIDR. See Overview of IPv6 Addresses.

For general instructions, see Task 2: Create a regional IPv6-enabled public subnet. If you want a private subnet, select the radio button for Private Subnet when creating the subnet.

To assign an IPv6 to a VNIC

The process for adding an IPv6 to a VNIC is similar to adding a secondary private IPv4 address. You can specify the particular IPv6 address to use or let Oracle choose it from the subnet. You can enable internet access if you like. The resulting public IPv6 address uses the same right-most 64 bits as the private IPv6 address. In certain situations, the entire IPv6 address is the same. For more information, see Overview of IPv6 Addresses. After assigning the IPv6 to the VNIC, you must configure the OS to use the IPv6.

  1. Assign the IPv6. For general instructions, see Task 7: Add an internet-enabled IPv6 to the instance. If you want an IPv6 without internet access, do not select the check box for Enable Internet Access when assigning the IPv6.
  2. Configure the OS to use the IPv6 address. For more information, see Configuring the OS to Use an IPv6.
To move an IPv6 to another VNIC in the subnet

The process is similar to moving a secondary private IPv4 address from one VNIC to another (let's call them the original VNIC and the new VNIC). You assign the IPv6 to the new VNIC, specify the private IPv6 address, and select the check box for Unassign if already assigned to another VNIC. Oracle automatically unassigns it from the original VNIC and assigns it to the new VNIC. The public address for the IPv6 stays the same regardless of which VNIC the IPv6 is assigned to.

  1. Confirm you're viewing the compartment that contains the instance you're interested in.
  2. Open the navigation menu. Under Core Infrastructure, go to Compute and click Instances.
  3. Click the instance to view its details.
  4. Under Resources, click Attached VNICs.

    The primary VNIC and any secondary VNICs attached to the instance are displayed.

  5. Click the VNIC you're interested in.
  6. Under Resources, click IPv6 Addresses.
  7. Click Assign Private IP Address.
  8. Enter the following:

    • Private IPv6 Address: The private IPv6 address that you want to move.
    • Unassign if already assigned to another VNIC: Select this check box to move the IPv6 address from the VNIC it's currently assigned to.
    • Enable Internet Access: Whether to assign a public IPv6 address. Available only if the VNIC is in a public subnet. See Overview of IPv6 Addresses.
    • Tags: Optionally, you can apply tags. If you have permissions to create a resource, you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure if you should apply tags, skip this option (you can apply tags later) or ask your administrator.
  9. Click Assign.

The private IP address is moved from the original VNIC to the new VNIC.

To delete an IPv6 from a VNIC
  1. Confirm you're viewing the compartment that contains the instance you're interested in.
  2. Open the navigation menu. Under Core Infrastructure, go to Compute and click Instances.
  3. Click the instance to view its details.
  4. Under Resources, click Attached VNICs.

    The primary VNIC and any secondary VNICs attached to the instance are displayed.

  5. Click the VNIC you're interested in.
  6. Under Resources, click IPv6 Addresses.
  7. For the IPv6 you want to delete, click the Actions icon (three dots), and then click Delete IPv6.
  8. Confirm when prompted.

The IPv6 address is returned to the pool of available addresses in the subnet.

To enable or disable internet access for an IPv6

Internet access for an IPv6 is controlled by the IPv6's Enable Internet Access check box. When you enable internet access, the IPv6 is assigned a public IPv6 address. That address's right-most 64 bits are the same as the private IPv6 address. In certain situations, the entire IPv6 address is the same. For more information, see Overview of IPv6 Addresses.

  1. Confirm you're viewing the compartment that contains the instance you're interested in.
  2. Open the navigation menu. Under Core Infrastructure, go to Compute and click Instances.
  3. Click the instance to view its details.
  4. Under Resources, click Attached VNICs.

    The primary VNIC and any secondary VNICs attached to the instance are displayed.

  5. Click the VNIC you're interested in.
  6. Under Resources, click IPv6 Addresses.
  7. For the IPv6 you're interested in, click the Actions icon (three dots), and then click Edit.
  8. Either select or clear the check box for Enable Internet Access.
  9. Click Update.

When you disable internet access, the public IPv6 address becomes null. If you re-enable internet access, the public IPv6 address is again assigned to the IPv6.

Configuring the OS to Use an IPv6

After assigning an IPv6 to a VNIC, you must configure the OS to use the IPv6.

Getting the IPv6 Virtual Router IP (Default Gateway)

You need the IPv6 virtual router IP (called the default gateway in Windows), which is included in the instance metadata available at the following URL:

http://169.254.169.254/opc/v1/vnics/

Here's an example response:


[ {
  "vnicId" : "ocid1.vnic.oc1.phx.examplevq7kncmdtfr23dznohdkd2cywjcem33eg3dxa",
  "privateIp" : "10.0.3.7",
  "vlanTag" : 3396,
  "macAddr" : "00:00:17:01:14:0C",
  "virtualRouterIp" : "10.0.3.1",
  "subnetCidrBlock" : "10.0.3.0/24",
  "ipv6SubnetCidrBlock" : "2001:0db8:95f4::/64",
  "ipv6VirtualRouterIp" : "2001:0db8::200:17ff:fee3:c491"
} ]

Oracle Linux 7 Configuration

The following commands are for Oracle Linux 7. They are NOT persistent through a reboot. You need the IPv6 virtual router IP from the instance metadata (see the previous section).

sysctl net.ipv6.conf.all.disable_ipv6=0

ip -6 addr add <private_IPv6_address>/64 dev <interface_name>

ip -6 route add default via <IPv6_virtual_router_IP> dev <interface_name>

For example:

sysctl net.ipv6.conf.all.disable_ipv6=0

ip -6 addr add 2001:0db8:95f4::abcd:1234/64 dev ens3

ip -6 route add default via 2001:0db8::200:17ff:fee3:c491 dev ens3

If you haven't yet, ensure that the VCN's route table and security rules are configured for the IPv6 traffic you want. See Routing for IPv6 Traffic and Security Rules for IPv6 Traffic.

Windows Configuration

You can use a command line or the Network Connections UI.

Command Line

If you use PowerShell, you must run it as an administrator. The following configuration persists through a reboot of the instance.

  1. In your browser, go to the Console, and note the private IPv6 address that you want to configure on the instance.
  2. Connect to the instance, and run the following command at a command prompt:

    http://169.254.169.254/opc/v1/vnics/
  3. Note the value for the ipv6VirtualRouterIp, which is the <default_gateway> to use in the next step.
  4. Run the following 2 commands:

    netsh interface ipv6 add address interface="Ethernet" address=<private_IPv6_address>/64
    netsh interface ipv6 add route prefix=::/0 interface="Ethernet" nexthop=<default_gateway> publish=Yes
    

    For example:

    netsh interface ipv6 add address interface="Ethernet" address=2001:0db8:95f4::abcd:1234/64
    netsh interface ipv6 add route prefix=::/0 interface="Ethernet" nexthop=2001:0db8::200:17ff:fee3:c491 publish=Yes
    

If you haven't yet, ensure that the VCN's route table and security rules are configured for the IPv6 traffic you want. See Routing for IPv6 Traffic and Security Rules for IPv6 Traffic.

You can run the following command to see that the IPv6 address has been configured for the interface:

netsh interface ipv6 show addresses

Later if you want to delete the address, you can use this command:

netsh interface ipv6 delete address interface="Ethernet" address=<private_IPv6_address>

For example:

netsh interface ipv6 delete address interface="Ethernet" address=2001:0db8:95f4::abcd:1234

Also delete the IPv6 from the VNIC. You can do that before or after executing the earlier command to delete the address from the OS configuration.
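The Oracle Linux 7 commands and the Windows netsh commands above both combine the private IPv6 address you chose with values from the VNIC metadata. The following added example (not Oracle's code) builds those commands from a metadata response and refuses an address that is outside ipv6SubnetCidrBlock. The function names, the os_family and vnic_index parameters, and the interface-name patterns are assumptions made for illustration.

```python
import ipaddress
import json
import re

# Constructed input: a copy of the example metadata response shown on this page.
SAMPLE_METADATA = """[ {
  "vnicId" : "ocid1.vnic.oc1.phx.examplevq7kncmdtfr23dznohdkd2cywjcem33eg3dxa",
  "privateIp" : "10.0.3.7",
  "vlanTag" : 3396,
  "macAddr" : "00:00:17:01:14:0C",
  "virtualRouterIp" : "10.0.3.1",
  "subnetCidrBlock" : "10.0.3.0/24",
  "ipv6SubnetCidrBlock" : "2001:0db8:95f4::/64",
  "ipv6VirtualRouterIp" : "2001:0db8::200:17ff:fee3:c491"
} ]"""

# Interface names are interpolated into commands, so restrict their characters.
IFACE_RE = {"linux": r"[A-Za-z0-9_.-]{1,15}", "windows": r"[A-Za-z0-9 _.-]{1,64}"}

def _canonical(text):
    # Round-trip through int() so only hex digits and colons are emitted
    # (drops any "%zone" suffix); malformed input raises ValueError.
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address(text)))

def ipv6_os_commands(metadata_json, private_ipv6, interface,
                     os_family="linux", vnic_index=0):
    """Return the OS configuration commands for one VNIC as a list of strings."""
    if os_family not in IFACE_RE:
        raise ValueError("os_family must be 'linux' or 'windows'")
    if not re.fullmatch(IFACE_RE[os_family], interface):
        raise ValueError("unexpected characters in interface name")
    vnic = json.loads(metadata_json)[vnic_index]
    if "ipv6SubnetCidrBlock" not in vnic or "ipv6VirtualRouterIp" not in vnic:
        raise ValueError("VNIC metadata has no IPv6 fields (IPv4-only subnet?)")
    subnet = ipaddress.IPv6Network(vnic["ipv6SubnetCidrBlock"])
    gateway = _canonical(vnic["ipv6VirtualRouterIp"])
    address = _canonical(private_ipv6)
    if address not in subnet:
        raise ValueError(f"{address} is not inside {subnet}")
    if os_family == "linux":
        return [
            "sysctl net.ipv6.conf.all.disable_ipv6=0",
            f"ip -6 addr add {address}/{subnet.prefixlen} dev {interface}",
            f"ip -6 route add default via {gateway} dev {interface}",
        ]
    return [
        f'netsh interface ipv6 add address interface="{interface}" address={address}/{subnet.prefixlen}',
        f'netsh interface ipv6 add route prefix=::/0 interface="{interface}" nexthop={gateway} publish=Yes',
    ]
```

The returned addresses are in compressed form (2001:db8:... rather than 2001:0db8:...), which both ip and netsh accept.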

Network Connections UI

The following configuration persists through a reboot of the instance.

  1. In your browser, go to the Console, and note the private IPv6 address that you want to configure on the instance.
  2. Connect to the instance, and run the following command at a command prompt:

    http://169.254.169.254/opc/v1/vnics/
  3. Note the value for the ipv6VirtualRouterIp, which is the default gateway to use in a later step.
  4. In the instance's Control Panel, go to Network and Internet, and view your network connections (see the image that follows for the set of dialog boxes you see in these steps).
  5. For the active networks, click the connection (Ethernet).
  6. Click Properties.
  7. Click Internet Protocol Version 6 (TCP/IPv6), and then click Properties.

    This image shows the series of dialog boxes you'll encounter.

  8. Select the radio button for Use the following IP address, and then enter the values you noted earlier for the private IPv6 address and default gateway. Use 64 for the subnet prefix length.

  9. Click OK until the dialog boxes are closed.

If you haven't yet, ensure that the VCN's route table and security rules are configured for the IPv6 traffic you want. See Routing for IPv6 Traffic and Security Rules for IPv6 Traffic.