Updated 2025-02-22

IPv6 Addresses

This topic describes support for IPv6 addressing in a VCN.

Highlights

  • IPv6 addressing is supported for all commercial and government regions.
  • During VCN creation, you select whether the VCN is enabled for IPv6, or you can enable IPv6 on existing IPv4-only VCNs. You also select whether each subnet in an IPv6-enabled VCN is enabled for IPv6.
  • IPv6-enabled VCNs can use a /56 IPv6 global unicast address (GUA) prefix allocated by Oracle, specify a /64 or larger Unique Local Address (ULA) prefix, or import a /48 or larger BYOIPv6 prefix.
  • An Oracle-assigned /56 prefix can be globally routable to the VCN for internet communication, depending on whether the subnet using a /64 part of the prefix is public or private. A ULA prefix is not globally routable for internet communication.
  • All IPv6 enabled subnets are /64. You can either allow or prohibit internet communication to a subnet by specifying the "public/private" subnet-level flag.
  • If you use BYOIP, you can import a /48 or larger IPv6 GUA prefix and must assign a /64 prefix or larger to a VCN.
  • You select whether a specific VNIC in an IPv6-enabled subnet has IPv6 addresses (up to 32 maximum per VNIC).
  • Only these Networking gateways support IPv6 traffic: Dynamic Routing Gateway (DRG), local peering gateway (LPG), and internet gateway.
  • Both inbound- and outbound-initiated IPv6 connections are supported between a VCN and the internet, and between a VCN and an on-premises network. Communication between resources within a VCN or between VCNs is also supported.
  • IPv6 traffic between resources within a region (within and between VCNs) is supported. See other important details in Routing for IPv6 Traffic and Internet Communication.
  • Both FastConnect and Site-to-Site VPN support IPv6 traffic between a VCN and on-premises network. You must configure FastConnect or Site-to-Site VPN for IPv6.

Overview of IPv6 Addresses

Oracle VCNs support IPv4-only addressing and dual-stack IPv4 and IPv6 addressing. Every VCN always has at least one private IPv4 CIDR, and you can enable IPv6 during VCN creation. You can also enable IPv6 on an IPv4-only VCN by adding an IPv6 prefix to it. When IPv6 is enabled for a VCN, each subnet you create in that VCN can have IPv4 addresses only or both IPv4 and IPv6 addresses. Therefore a VCN can have a mix of IPv4-only subnets and subnets that have both IPv4 and IPv6.

When you create a Compute instance, you can add one or more IPv6 addresses to the VNIC. These IP addresses can be assigned from several IPv6 prefixes if they're assigned to the subnet. You can remove an IPv6 address from a VNIC at any time.

IPv6 Prefixes Assigned to an IPv6-Enabled VCN

An IPv6-enabled VCN is dual-stack, meaning it has both an IPv4 CIDR and an IPv6 prefix assigned. A VCN can have up to five IPv4 CIDRs and up to five IPv6 prefixes. An IPv6-enabled VCN can use an Oracle-allocated /56 Global Unicast Address (GUA) prefix, a BYOIPv6 prefix that you import and assign, or a Unique Local Address (ULA) prefix that you specify. The Oracle-allocated GUA prefix is also referred to here as a globally routable IPv6 prefix. You can also use Bring Your Own IP (BYOIP) to use a /48 prefix. Both ULA and BYOIPv6 prefixes must be at minimum /64 in size when assigned to a VCN. The following table summarizes the options.

| IPv4 or IPv6 | Use and Size | Who Assigns the Address Block | Allowed Values |
|---|---|---|---|
| Private IPv4 CIDR | Private communication; /16 to /30 | You | Typically RFC 1918 range |
| Globally routable IPv6 prefix | Internet or private communication; /56 | Oracle | Oracle allocates the IPv6 prefix. |
| BYOIP IPv6 prefix | Internet or private communication; /64 (minimum) | You | IPv6 GUAs are always in the range of 2000::/3. |
| IPv6 ULA | Private communication; /64 (minimum) | You | This address type can be in the fc00::/7 ULA range or 2000::/3 GUA range. We recommend you assign ULA prefixes from the fd00 half of the range. |

Note

IPv6 ULA addresses allocated to VCNs are only used for internal communications even if the addresses are in the GUA range. OCI doesn't advertise the prefixes to the internet, nor route traffic between these internal prefixes and the internet.

Unique Local Addresses are globally unique addresses that allow communication between nodes on different links within the same site or between sites. They're administratively segmented and aren't for routing on the Internet. RFC 4193 provides more information about ULAs.

Internet Communication

When you enable IPv6 in a VCN, you can decide which types of IPv6 addresses are assigned: Oracle-allocated, BYOIPv6, or ULA. You can then enable IPv6 in subnets (see Task 2: Create a regional IPv6-enabled public subnet) and assign IPv6 addresses to an individual instance's VNICs or load balancers if they were created in an IPv6-enabled subnet with an IPv6 prefix. You can also decide whether internet communication with IPv6-enabled resources is allowed or prohibited by specifying the subnet is public or private. If an IPv6-enabled resource is assigned a GUA address and is hosted in a public subnet, communication to and from the internet is allowed. If an IPv6-enabled resource is hosted in a private subnet, communication to and from the internet is prohibited even if the resource has a GUA address assigned.

Assignment of IPv6 Addresses to a VNIC

To enable IPv6 for a particular VNIC, assign an IPv6 address to the VNIC. IP addresses can be assigned from several IPv6 prefixes if they're assigned to the subnet. As with IPv4, when assigning an IPv6 address, you can specify the particular address you want to use, or let Oracle select one for you.

A VNIC can have an IPv6 address assigned at Compute instance creation, or you can add one after you create the instance.

A VNIC can use IPv6-only addressing, if the OS image you selected for the Compute instance supports IPv6-only addressing and the subnet is configured to only use IPv6 addressing.

You can move an IPv6 address from one VNIC to another in the same subnet.

Format of IPv6 Addresses

IPv6 addresses have 128 bits.

An IPv6 prefix block for a VCN must be /56 in size. The leftmost 56 bits identify the VCN part of the address. For example:

2001:0db8:0123:7800::/56 (or fd00::/56 for ULA addresses)

An IPv6 prefix block for a subnet must be /64 in size. The rightmost 16 bits in a subnet's prefix identify the subnet part of the address. In the following example, the 7811 is the unique part for the subnet:

2001:0db8:0123:7811::/64

In the following ULA example, the 11 is the unique part for the subnet:

fd00:0:0:11::/64

The right-most 64 bits of an IPv6 address identify the unique part specific to the particular IPv6 address. For example:

2001:0db8:0123:7811:abcd:ef01:2345:6789

When you assign an IPv6 to a VNIC, you can specify which specific IPv6 address to use (those 64 bits).
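
The prefix rules in this section can be checked before an addressing plan is applied. The following Python sketch is an added example, not Oracle code: it uses this section's sample prefixes and the reserved-address counts from the comparison table later in this topic (first 4 and last 4 of each /64), and its function names are hypothetical.

```python
import ipaddress

GUA_RANGE = ipaddress.ip_network("2000::/3")
ULA_RANGE = ipaddress.ip_network("fc00::/7")
ULA_FD_HALF = ipaddress.ip_network("fd00::/8")
RESERVED_PER_END = 4  # first 4 and last 4 addresses of each /64 are reserved


def parse_prefix(text):
    """Parse an IPv6 prefix; strict mode rejects prefixes with host bits set."""
    net = ipaddress.ip_network(text, strict=True)
    if net.version != 6:
        raise ValueError(f"{text} is not an IPv6 prefix")
    return net


def classify_prefix(text):
    """Return 'GUA', 'ULA (fd00 half)', 'ULA (fc00 half)' or 'other'."""
    net = parse_prefix(text)
    if net.subnet_of(ULA_FD_HALF):
        return "ULA (fd00 half)"
    if net.subnet_of(ULA_RANGE):
        return "ULA (fc00 half)"
    if net.subnet_of(GUA_RANGE):
        return "GUA"
    return "other"


def check_subnet(vcn_text, subnet_text):
    """List the problems with a subnet prefix carved from a VCN prefix."""
    vcn, subnet = parse_prefix(vcn_text), parse_prefix(subnet_text)
    problems = []
    if subnet.prefixlen != 64:
        problems.append(f"subnet must be /64, got /{subnet.prefixlen}")
    if not subnet.subnet_of(vcn):
        problems.append(f"{subnet} is outside VCN prefix {vcn}")
    return problems


def check_vnic_address(subnet_text, address_text):
    """List the problems with assigning a specific address to a VNIC."""
    subnet = parse_prefix(subnet_text)
    addr = ipaddress.IPv6Address(address_text)
    if addr not in subnet:
        return [f"{addr} is not in {subnet}"]
    offset = int(addr) - int(subnet.network_address)
    if offset < RESERVED_PER_END or offset >= subnet.num_addresses - RESERVED_PER_END:
        return [f"{addr} is one of the reserved addresses in {subnet}"]
    return []


if __name__ == "__main__":
    vcn = "2001:0db8:0123:7800::/56"
    for subnet in ("2001:0db8:0123:7811::/64", "2001:0db8:0123:7911::/64"):
        print(subnet, classify_prefix(subnet), check_subnet(vcn, subnet) or "ok")
    for addr in ("2001:0db8:0123:7811:abcd:ef01:2345:6789", "2001:db8:123:7811::3"):
        print(addr, check_vnic_address("2001:0db8:0123:7811::/64", addr) or "ok")
```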

Routing for IPv6 Traffic

Both inbound- and outbound-initiated IPv6 connections are supported between a VCN and the internet, and between a VCN and an on-premises network. Communication between resources within a VCN or between VCNs is also supported.

Here are other important details about routing of IPv6 traffic:

  • IPv6 traffic is supported only through these gateways:

    • Dynamic routing gateway (DRG): For access to an on-premises network or other networks outside the region (using remote peering). Both Oracle Cloud Infrastructure FastConnect and Site-to-Site VPN support IPv6 traffic. For more details about IPv6 configuration, see the upcoming sections.
    • Internet gateway: For access to the internet.
    • Local peering gateway: For connecting two VCNs in the same region so that their resources can communicate using private IP addresses without routing the traffic over the internet or through an on-premises network.
  • IPv6 traffic between resources within a region (within and between VCNs) is supported. VCNs are dual-stack, meaning they always support IPv4 and can optionally also support IPv6. A VCN's route tables support both IPv4 and IPv6 rules in the same table. IPv4 and IPv6 rules must be discretely specified. Rules to route traffic that match a certain IPv6 prefix to the VCN's attached DRG, internet gateway, local peering gateway, or an IPv6 address (next hop) are supported.

VCN Route Tables and IPv6

The VCN's route tables support both IPv4 rules and IPv6 rules that use a DRG, local peering gateway, or internet gateway as the target. For example, the route table for a particular subnet could have these rules:

  • Rule to route traffic that matches a certain IPv4 CIDR to the VCN's attached DRG
  • Rule to route traffic that matches a certain IPv4 CIDR to the VCN's service gateway
  • Rule to route traffic that matches a certain IPv4 CIDR to the VCN's NAT gateway
  • Rule to route traffic that matches a certain IPv6 prefix to the VCN's attached DRG
  • Rule to route traffic that matches a certain IPv6 prefix to the VCN's attached internet gateway

Security Rules for IPv6 Traffic

The VCN's network security groups and security lists support both IPv4 and IPv6 security rules. For example, a network security group or security list could have these security rules:

  • Rule to allow SSH traffic from the on-premises network's IPv4 CIDR
  • Rule to allow ping traffic from the on-premises network's IPv4 CIDR
  • Rule to allow SSH traffic from the on-premises network's IPv6 prefix
  • Rule to allow ping traffic from the on-premises network's IPv6 prefix

The default security list in an IPv6-enabled VCN includes default IPv4 rules and the following default IPv6 rules:

  • Stateful ingress: Allow IPv6 TCP traffic on destination port 22 (SSH) from source ::/0 and any source port. This rule makes it easy for you to create a VCN with a public subnet and internet gateway, create a Linux instance, add an internet-access-enabled IPv6, and then immediately connect with SSH to that instance without needing to write any security rules yourself.

    Important

    The default security list doesn't include a rule to allow Remote Desktop Protocol (RDP) access. If you're using Windows images, add a stateful ingress rule for TCP traffic on destination port 3389 from source ::/0 and any source port.

    See To enable RDP access for more information.

  • Stateful ingress: Allow ICMPv6 traffic type 2 code 0 (Packet Too Big) from source ::/0 and any source port. This rule lets instances receive Path MTU Discovery fragmentation messages.
  • Stateful egress: Choosing to allow all IPv6 traffic lets instances initiate IPv6 traffic of any kind to any destination. Notice that instances with an internet-access-enabled IPv6 can talk to any internet IPv6 address if the VCN has a configured internet gateway. And because stateful security rules use connection tracking, the response traffic is automatically allowed regardless of any ingress rules. For more information, see Stateful Versus Stateless Rules.
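
When reviewing a security list built from these defaults, two questions matter: which IPv6 ingress rules expose SSH or RDP to ::/0, and whether the Packet Too Big rule survives any tightening. The following Python sketch is an added example, not Oracle code; the rule dictionaries and their field names are a constructed format for illustration, not the output of any OCI API or CLI.

```python
import ipaddress

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}  # the two ports this section discusses
ANY_IPV6 = ipaddress.ip_network("::/0")

# Constructed sample: the default IPv6 ingress rules described above, the RDP
# rule suggested for Windows images, one restricted rule and one IPv4 rule.
SAMPLE_RULES = [
    {"protocol": "tcp", "source": "::/0", "port_min": 22, "port_max": 22},
    {"protocol": "icmpv6", "source": "::/0", "icmp_type": 2, "icmp_code": 0},
    {"protocol": "tcp", "source": "::/0", "port_min": 3389, "port_max": 3389},
    {"protocol": "tcp", "source": "2001:db8:aaaa::/48", "port_min": 22, "port_max": 22},
    {"protocol": "tcp", "source": "0.0.0.0/0", "port_min": 22, "port_max": 22},
]


def is_ipv6_rule(rule):
    """True when the rule's source is an IPv6 prefix."""
    return ipaddress.ip_network(rule["source"], strict=False).version == 6


def open_admin_ports(rules):
    """Return (rule index, service) for IPv6 TCP ingress rules that admit
    SSH or RDP from any IPv6 source (::/0)."""
    findings = []
    for index, rule in enumerate(rules):
        if rule["protocol"] != "tcp" or not is_ipv6_rule(rule):
            continue
        if ipaddress.ip_network(rule["source"], strict=False) != ANY_IPV6:
            continue
        for port, service in ADMIN_PORTS.items():
            if rule["port_min"] <= port <= rule["port_max"]:
                findings.append((index, service))
    return findings


def allows_packet_too_big(rules):
    """True if an IPv6 rule admits ICMPv6 type 2 code 0, which Path MTU
    Discovery needs. In this constructed format a missing type or code
    means 'all types' or 'all codes'."""
    return any(
        is_ipv6_rule(rule)
        and rule["protocol"] == "icmpv6"
        and rule.get("icmp_type") in (None, 2)
        and rule.get("icmp_code") in (None, 0)
        for rule in rules
    )


if __name__ == "__main__":
    for index, service in open_admin_ports(SAMPLE_RULES):
        print(f"rule {index}: {service} reachable from ::/0")
    print("Packet Too Big allowed:", allows_packet_too_big(SAMPLE_RULES))
```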

FastConnect and IPv6

If you use FastConnect, you can configure it so that on-premises hosts with IPv6 addresses can communicate with an IPv6-enabled VCN. In general, you must ensure that the FastConnect virtual circuit has IPv6 BGP addresses, and update the VCN's routing and security rules for IPv6 traffic.

About the IPv6 BGP Addresses

A FastConnect virtual circuit always requires IPv4 BGP addresses, but IPv6 BGP addresses are optional and only required for IPv6 traffic. Depending on how you're using FastConnect, you might be asked to provide the virtual circuit's BGP addresses yourself (both IPv4 and IPv6).

The addresses consist of a pair: one for the on-premises end of the BGP session, and another for the Oracle end of the BGP session.

When you specify a BGP address pair, you must include a subnet mask that contains both of the addresses. For IPv6, the allowed subnet masks are:

  • /64
  • /96
  • /126
  • /127

For example, you could specify 2001:db8::6/64 for the address at the on-premises end of the BGP session, and 2001:db8::7/64 for the Oracle end.
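
A BGP address pair can be validated against these rules before it is entered, which avoids reprovisioning a virtual circuit for a typo. The following Python sketch is an added example, not Oracle code; the function name is hypothetical and the checks are limited to what this section states (allowed masks, both addresses inside the same subnet), plus a check that the two ends differ.

```python
import ipaddress

ALLOWED_MASKS = {64, 96, 126, 127}  # IPv6 masks allowed for a BGP address pair


def check_bgp_pair(on_prem, oracle):
    """Return a list of problems with an IPv6 BGP address pair given in
    address/mask notation, for example '2001:db8::6/64'."""
    try:
        a = ipaddress.IPv6Interface(on_prem)
        b = ipaddress.IPv6Interface(oracle)
    except ValueError as exc:
        return [f"not a valid IPv6 address/mask: {exc}"]

    problems = []
    if a.network.prefixlen != b.network.prefixlen:
        problems.append("the two ends use different masks")
    for mask in sorted({a.network.prefixlen, b.network.prefixlen}):
        if mask not in ALLOWED_MASKS:
            problems.append(f"/{mask} is not an allowed mask")
    # Only compare networks when the masks agree; otherwise the result is noise.
    if a.network.prefixlen == b.network.prefixlen and a.network != b.network:
        problems.append(f"{a.ip} and {b.ip} are not in the same /{a.network.prefixlen}")
    if a.ip == b.ip:
        problems.append("both ends use the same address")
    return problems


if __name__ == "__main__":
    pairs = [
        ("2001:db8::6/64", "2001:db8::7/64"),    # the pair from the text above
        ("2001:db8::7/127", "2001:db8::8/127"),  # constructed: straddles two /127s
        ("2001:db8::6/112", "2001:db8::7/112"),  # constructed: mask not allowed
    ]
    for on_prem, oracle in pairs:
        print(on_prem, oracle, check_bgp_pair(on_prem, oracle) or "ok")
```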

Process to Enable IPv6

In general, here's how to enable IPv6 for a FastConnect virtual circuit:

  • Virtual circuit BGP: Ensure the FastConnect virtual circuit has IPv6 BGP addresses. If you're responsible for providing the BGP IP addresses, when you set up a new virtual circuit or edit an existing one, the Console has a place for the two IPv4 BGP addresses. The Console also has a separate checkbox for Enable IPv6 Address Assignment and a place to provide the two IPv6 addresses. If you're editing an existing virtual circuit to add support for IPv6, it goes down while being reprovisioned to use the new BGP information.
  • VCN route tables: For each IPv6-enabled subnet in the VCN, update its route table to include rules that route the IPv6 traffic from the VCN to the IPv6 subnets in an on-premises network. For example, the Destination CIDR Block for a route rule would be an IPv6 subnet in an on-premises network, and the Target would be the Dynamic Routing Gateway (DRG) attached to the IPv6-enabled VCN.
  • VCN security rules: For each IPv6-enabled subnet in the VCN, update its security lists or relevant network security groups to allow IPv6 traffic between the VCN and an on-premises network. See Security Rules for IPv6 Traffic.

Site-to-Site VPN and IPv6

If you use Site-to-Site VPN, you can configure it so that on-premises hosts with IPv6 addresses can communicate with an IPv6-enabled VCN. Here's how to enable IPv6 for the connection:

  • IPSec connection static routes: Configure the IPSec connection with the IPv6 static routes of an on-premises network.
  • VCN route tables: For each IPv6-enabled subnet in the VCN, update its route table to include rules that route the IPv6 traffic from the VCN to the IPv6 subnets in an on-premises network. For example, the Destination CIDR Block for a route rule would be an IPv6 static route for an on-premises network, and the Target would be the Dynamic Routing Gateway (DRG) attached to the IPv6-enabled VCN.
  • VCN security rules: For each IPv6-enabled subnet in the VCN, update its security lists or relevant network security groups to allow the wanted IPv6 traffic between the VCN and an on-premises network. See Security Rules for IPv6 Traffic.

If you have an existing Site-to-Site VPN IPSec connection that uses static routing, you can update the list of static routes to include ones for IPv6. Changing the list of static routes causes Site-to-Site VPN to go down while being reprovisioned. See Changing the Static Routes.

DHCPv6

DHCPv6 automatic configuration of IP addresses is supported. You don't need to statically configure any IPv6 address.

DNS

The VCN's Internet Resolver supports IPv6, which means resources in a VCN can resolve IPv6 addresses of hosts outside the VCN. Assignment of a hostname to an IPv6 address isn't supported.

Load Balancers

When you create a load balancer, you can decide to have an IPv4-only or IPv4 and IPv6 dual-stack configuration. When you use the dual-stack option, the Load Balancer service assigns both an IPv4 and an IPv6 address to the Load Balancer. The Load Balancer receives client traffic sent to the assigned IPv6 address. The Load Balancer uses only IPv4 addresses to communicate with backend servers. IPv6 communication between the Load Balancer and the backend servers isn't supported.

IPv6 address assignment occurs only at Load Balancer creation. You can't assign an IPv6 address to an existing Load Balancer.

Comparison of IPv4 and IPv6 for a VCN

The following table summarizes the differences between IPv4 and IPv6 addressing in a VCN.

| Characteristic | IPv4 | IPv6 |
|---|---|---|
| Addressing type supported | IPv4 addressing is always required, regardless of whether IPv6 is enabled. This can be a private IPv4 CIDR. | IPv6 addressing is optional per VCN, optional per subnet in an IPv6-enabled VCN, and optional per VNIC in an IPv6-enabled subnet. An IPv6-only subnet or VNIC is allowed. |
| Supported traffic types | IPv4 traffic is supported for all gateways. IPv4 traffic between instances within the VCN is supported (east/west traffic). | IPv6 traffic is supported only with these gateways: internet gateway, local peering gateway, and DRG. Both inbound- and outbound-initiated IPv6 connections are supported between a VCN and the internet, and between a VCN and an on-premises network. IPv6 traffic between resources within a region (within or between VCNs) is fully supported (east/west traffic). Also see Routing for IPv6 Traffic. |
| VCN size | /16 to /30 | Oracle GUA: /56 only. BYOIPv6: /64 or larger. ULA: /64 or larger. |
| Subnet size | /16 to /30, with 3 addresses reserved in each subnet by Oracle (first 2 and last 1). | /64 only, with 8 addresses in the subnet reserved by Oracle (first 4 and last 4). |
| Private and public IP address space | Private: A VCN's private IPv4 CIDR can be from an RFC 1918 range or a publicly routable range (treated as private). You specify the range, unless you use the Console's VCN creation workflow, which always uses 10.0.0.0/16. Public: The VCN doesn't have a dedicated public IPv4 address space. Oracle chooses any public addresses in a VCN. | Unlike with IPv4, a VCN can receive an allocated /56 GUA prefix from Oracle or import and assign a BYOIP prefix. Either of these can be internet routable if assigned to resources in public subnets. You also have an option to assign ULA addresses, which aren't internet routable, regardless of whether the subnet is public or private. |
| IP address assignment | Private: Each VNIC gets a private IPv4 address. You can select the address or let Oracle select it. Public: You decide whether the private IPv4 address has a public IP address associated with it (assuming the VNIC is in a public subnet). Oracle chooses the public IP address. From an API standpoint: the PrivateIp object is separate from the PublicIp object. You can remove the public IP address from the private IPv4 address at any time. | You might assign IPv6 addresses from distinct prefixes to a VNIC if they're assigned to the subnet. You can select the IPv6 address or let Oracle select it. From an API standpoint: IP addresses are included in the Ipv6 object and the distinction between public and private is controlled using the public/private subnet flag. |
| Internet access | You control whether a subnet is public or private. You add or remove a public IP address from a private IPv4 address on a VNIC (assuming the VNIC is in a public subnet). | You control whether a subnet is public or private. You don't add or remove a public IP address to or from the VNIC as you do with IPv4. Instead you enable or disable the internet access for all IPv6-enabled resources in the subnet using the public/private subnet flag. |
| Primary and secondary labels | Each VNIC automatically has a primary private IP address, and you can assign up to 32 secondary private IPs per VNIC. | You can decide to add an IPv6 address to a VNIC, with no primary or secondary label. You can assign up to 32 IPv6 addresses per VNIC. |
| Hostnames | You can assign hostnames to IPv4 addresses. | You can't assign hostnames to IPv6 addresses. |
| Route rule limits | See Service Limits. | IPv4 and IPv6 route rules can reside together in the same route table. IPv6 route rules can target only an internet gateway, local peering gateway, or DRG. Limit on number of IPv6 route rules in a route table: 50. |
| Security rule limits | See Service Limits. | IPv4 and IPv6 security rules can reside together in the same network security group or security list. IPv6 security rules can use only IPv6 prefix ranges for source or destination, and not a service prefix label used for a service gateway. Limit on number of IPv6 security rules in a security list: 50 ingress and 50 egress. Limit on number of IPv6 security rules in a network security group: 16 total. |
| Reserved public IP addresses | Supported. | Not supported. |
| Regional or AD-specific | Primary private IPv4 addresses are AD-specific. Secondary private IPv4 addresses are AD-specific unless assigned to a VNIC in a regional subnet. Public IP addresses can be AD-specific or regional depending on the type (ephemeral or reserved). See Public IP Addresses. | IPv6 addresses are regional. |

Setting Up an IPv6-Enabled VCN with Internet Access

Use the following process to set up an IPv6-enabled VCN with internet access so you can easily create an instance and connect to it by using its globally routable IPv6 address.

Managing IPv6 in the Console

This section includes basic tasks for working with IPv6-related resources.

Configuring an Instance OS to use IPv6

After you assign an IPv6 address to the VNIC through the Console, the associated instance OS needs to learn the assigned address. DHCPv6 automatically takes care of this, but that requires you to wait for the next refresh cycle. You can require the instance's OS to immediately refresh its IPv6 address.

Oracle Linux Configuration

Oracle Linux 8 uses the following command to refresh an IPv6 address on an instance:

sudo dhclient -6 <interface>

Note

The NetworkManager service in Oracle Linux 8 is enabled by default. If you use a custom image, you might first need to run these commands:

sudo firewall-cmd --add-service=dhcpv6-client --permanent
sudo firewall-cmd --reload

See the Setting Up Networking documentation for Oracle Linux 8 for more details.

If you haven't yet, ensure that the VCN's route table and security rules are configured for the wanted IPv6 traffic. See Routing for IPv6 Traffic and Security Rules for IPv6 Traffic.

Windows Configuration

You can use the following at the Windows command line or the Network Connections UI to ask the instance to refresh the IPv6 address:

ipconfig /renew6

If you use PowerShell, you must run it as an administrator. The configuration persists through a reboot of the instance. Apply it as soon as possible after the instance is created.

If you haven't yet, ensure that the VCN's route table and security rules are configured for the wanted IPv6 traffic. See Routing for IPv6 Traffic and Security Rules for IPv6 Traffic.