Oracle Cloud Infrastructure Documentation

IPv6 Addresses

This topic describes support for IPv6 addressing in your VCN.

Highlights

  • IPv6 addressing is currently supported only in the US Government Cloud. See For All Government Cloud Customers.
  • During VCN creation, you choose whether the VCN is enabled for IPv6. You also choose whether each subnet in an IPv6-enabled VCN is enabled for IPv6. You cannot change whether a VCN or subnet is IPv6-enabled after creation.
  • IPv6-enabled VCNs use a /48 IPv6 CIDR block. Oracle assigns a /48 public IPv6 CIDR block to the VCN for internet communication. You can either let the private IPv6 CIDR block be the same as the public CIDR, or provide your own value (in which case it's referred to as a custom IPv6 CIDR). All subnets are /64.
  • You also choose whether a given VNIC in an IPv6-enabled subnet has IPv6 addresses (up to 32 maximum per VNIC), and whether each address can be used for internet communication.
  • You can choose which particular IPv6 address in the subnet is assigned to a VNIC. This means you can plan how the VCN's private and public address space is allocated within your organization.
  • Only these Networking gateways support IPv6 traffic: dynamic routing gateway (DRG) and internet gateway.
  • Both inbound- and outbound-initiated IPv6 connections are supported between your VCN and the internet, and between your VCN and your on-premises network.
  • Private IPv6 traffic between resources within a region (intra- and inter-VCN) is not yet supported. See other important details in Routing for IPv6 Traffic.
  • Both FastConnect and IPSec VPN support IPv6 traffic between your VCN and on-premises network. You must configure the FastConnect or IPSec VPN for IPv6.

Overview of IPv6 Addresses

Oracle supports dual-stack IPv4/IPv6 addressing for VCNs. Every VCN always supports IPv4, and you can optionally enable IPv6 during VCN creation. Enabling IPv6 for the VCN means that when you create a subnet, you can optionally enable it to also have IPv6 addresses. Therefore a VCN can have a mix of IPv4-only subnets and IPv6-enabled subnets.

After you create a Compute instance, you may optionally add an IPv6 to the VNIC. You can add up to 32 IPv6s to a given VNIC. You can remove an IPv6 from a VNIC at any time.

CIDRs Assigned to an IPv6-Enabled VCN

An IPv6-enabled VCN has 3 CIDR blocks assigned to it. The following table summarizes them.

| IPv4 or IPv6 | Use and Size | Who Assigns the CIDR Block | Allowed Values |
|---|---|---|---|
| Private IPv4 CIDR | Private communication; /16 to /30 | You | Typically RFC 1918 range |
| Private IPv6 CIDR * | On-premises communication; only /48 | Optionally, you can assign it. If you do, it's referred to in this documentation as a custom IPv6 CIDR. Or, you can let Oracle assign it. Important: You must assign this value if you want instances in the same VCN to communicate with each other using public IPv6 addresses. For more information, see Routing for IPv6 Traffic. | If you assign it, see Allowed Custom IPv6 CIDR Ranges. |
| Public IPv6 CIDR | Internet communication; only /48 | Oracle | If you assign the VCN's private IPv6 CIDR, it will be different from the public IPv6 CIDR that Oracle assigns. But if you let Oracle assign the VCN's private IPv6 CIDR, Oracle uses the same CIDR for both the private and public IPv6 CIDRs. That means the private address and public address for a given IPv6 are the same. |

* Oracle assigns IPv6 CIDR blocks that are NOT in the IPv6 unique local address (ULA) range. This range is analogous to the IPv4 RFC 1918 private ranges. Therefore, all Oracle-assigned IPv6 CIDRs can be considered public ranges by this definition.

Allowed Custom IPv6 CIDR Ranges

Your custom IPv6 CIDR block can be in these general ranges:

  • Global unicast: 2000::/3
  • ULA: fc00::/7

But it cannot be in these IANA special registry ranges:

  • IETF protocol assignments: 2001::/23
  • Documentation: 2001:db8::/32
  • 6to4: 2002::/16
  • Direct Delegation AS112 Service: 2620:4f:8000::/48

Internet Communication

Regardless of whether you or Oracle assigns the VCN's private IPv6 CIDR, Oracle also assigns the VCN an IPv6 CIDR block for the public IP address space (the public IPv6 CIDR). These addresses are used for internet communication. If you do not assign a custom CIDR, Oracle uses the same Oracle-assigned public IPv6 CIDR for the private address space. This means that a given VNIC might use the same IPv6 IP address for both private and internet communication.

You control whether a given IPv6 address can be used for internet communication. If the IPv6 is in a private subnet, it can never be used for internet communication. If it's in a public subnet, you can enable or disable internet access for that IPv6 at any time. If internet access is enabled, the IPv6 uses its public IPv6 address for communication.

Assignment of IPv6 Addresses to a VNIC

To enable IPv6 for a given VNIC, you assign an IPv6 to the VNIC. You can assign up to 32 IPv6s to a VNIC.

As with IPv4, when assigning an IPv6, you can specify the particular address you want to use, or let Oracle choose one for you. By choosing the IPv6 addresses yourself, you can plan how the VCN's private and public address space is allocated within your organization.

You also choose whether the IPv6 has internet access enabled (it is enabled by default if the VNIC is in a public subnet). A VNIC with an internet-enabled IPv6 is not required to have a public IPv4 address.

You can move an IPv6 address from one VNIC to another in the same subnet.

After adding an IPv6 to a VNIC, you must configure the instance's OS to use the IPv6.

Format of IPv6 Addresses

IPv6 addresses have 128 bits.

An IPv6 CIDR block for a VCN must be /48 in size. The left 48 bits identify the VCN portion of the address. For example:

2001:0db8:0123::/48

An IPv6 CIDR block for a subnet must be /64 in size. The right 16 bits in a subnet's CIDR identify the subnet portion of the address. In the following example, the 1111 is the unique portion for the subnet:

2001:0db8:0123:1111::/64

The right-most 64 bits of an IPv6 address identify the unique portion specific to the particular IPv6 address. For example:

2001:0db8:0123:1111:abcd:ef01:2345:6789

For a given IPv6, those right-most 64 bits are identical for both the private and public address for an IPv6. When you assign an IPv6 to a VNIC, you can specify which specific IPv6 address to use (those 64 bits). Therefore you can control how the private and public address space is allocated within your organization.
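The range and size rules from Allowed Custom IPv6 CIDR Ranges and Format of IPv6 Addresses can be checked before a VCN is created. The following is an added example, not Oracle code; the function names are this example's own, and the `fd12:...` values in the test inputs are constructed.

```python
import ipaddress

# Ranges quoted from "Allowed Custom IPv6 CIDR Ranges" above.
ALLOWED = [ipaddress.IPv6Network(n) for n in ("2000::/3", "fc00::/7")]
EXCLUDED = {
    "IETF protocol assignments": ipaddress.IPv6Network("2001::/23"),
    "Documentation": ipaddress.IPv6Network("2001:db8::/32"),
    "6to4": ipaddress.IPv6Network("2002::/16"),
    "Direct Delegation AS112 Service": ipaddress.IPv6Network("2620:4f:8000::/48"),
}


def check_custom_vcn_cidr(cidr):
    """Return a list of problems; an empty list means the block passes."""
    try:
        net = ipaddress.IPv6Network(cidr, strict=True)
    except ValueError as exc:
        return [f"not a valid IPv6 network: {exc}"]
    problems = []
    if net.prefixlen != 48:
        problems.append(f"VCN block must be /48, got /{net.prefixlen}")
    if not any(net.subnet_of(allowed) for allowed in ALLOWED):
        problems.append("outside global unicast 2000::/3 and ULA fc00::/7")
    for label, excluded in EXCLUDED.items():
        if net.overlaps(excluded):
            problems.append(f"overlaps {excluded} ({label})")
    return problems


def check_subnet_cidr(vcn_cidr, subnet_cidr):
    """A subnet must be a /64 that lies inside the VCN's /48."""
    vcn = ipaddress.IPv6Network(vcn_cidr)
    subnet = ipaddress.IPv6Network(subnet_cidr)
    problems = []
    if subnet.prefixlen != 64:
        problems.append(f"subnet must be /64, got /{subnet.prefixlen}")
    if not subnet.subnet_of(vcn):
        problems.append(f"{subnet} is not inside VCN block {vcn}")
    return problems


def split_address(address):
    """Split an address into the VCN (48), subnet (16) and address (64) bits."""
    value = int(ipaddress.IPv6Address(address))
    return {
        "vcn": str(ipaddress.IPv6Network((value >> 80 << 80, 48))),
        "subnet_bits": f"{(value >> 64) & 0xFFFF:04x}",
        "address_bits": f"{value & (2**64 - 1):016x}",
    }


def shares_address_bits(private_address, public_address):
    """True when both addresses carry the same right-most 64 bits."""
    return (split_address(private_address)["address_bits"]
            == split_address(public_address)["address_bits"])
```

Because the documentation range is on the excluded list, a block written in the `2001:db8:...` form used in this topic's examples is reported as not allowed.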

Example 1: You assign a custom CIDR
Example 2: You let Oracle assign the VCN's CIDR

Routing for IPv6 Traffic

Both inbound- and outbound-initiated IPv6 connections are supported between your VCN and the internet, and between your VCN and your on-premises network.

Here are other important details about routing of IPv6 traffic:

  • Currently IPv6 traffic is supported only through these gateways: internet gateway and DRG.

  • Traffic between instances on their public IPv6 addresses is supported and must traverse the VCN's internet gateway. Exception: if the given IPv6 uses the same address for both private and public communication, traffic between instances on their public IPv6 address is not supported. Therefore, if you want instances in the same VCN to communicate with each other using public IPv6 addresses, specify your own private IPv6 CIDR when creating the VCN. This means the private address for an IPv6 in the VCN will be different than its public address. For more information, see CIDRs Assigned to an IPv6-Enabled VCN.
  • Private IPv6 traffic between resources within a region (intra- and inter-VCN) is not yet supported.

VCN Route Tables and IPv6

The VCN's route tables support both IPv4 rules and IPv6 rules that use a DRG or internet gateway as the target. For example, the route table for a given subnet could have these rules:

  • Rule to route traffic that matches a certain IPv4 CIDR to the VCN's attached DRG
  • Rule to route traffic that matches a certain IPv4 CIDR to the VCN's service gateway
  • Rule to route traffic that matches a certain IPv4 CIDR to the VCN's NAT gateway
  • Rule to route traffic that matches a certain IPv6 CIDR to the VCN's attached DRG
  • Rule to route traffic that matches a certain IPv6 CIDR to the VCN's attached internet gateway

Security Rules for IPv6 Traffic

Like route tables, the VCN's network security groups and security lists support both IPv4 and IPv6 rules. For example, a network security group or security list could have these security rules:

  • Rule to allow SSH traffic from the on-premises network's IPv4 CIDR
  • Rule to allow ping traffic from the on-premises network's IPv4 CIDR
  • Rule to allow SSH traffic from the on-premises network's IPv6 CIDR
  • Rule to allow ping traffic from the on-premises network's IPv6 CIDR

The default security list in an IPv6-enabled VCN includes default IPv4 rules and the following default IPv6 rules:

  • Stateful ingress: Allow IPv6 TCP traffic on destination port 22 (SSH) from source ::/0 and any source port. This rule makes it easy for you to create a new VCN with a public subnet and internet gateway, create a Linux instance, add an internet-access-enabled IPv6, and then immediately connect with SSH to that instance without needing to write any security rules yourself.

    Important

    The default security list does not include a rule to allow Remote Desktop Protocol (RDP) access. If you're using Windows images, make sure to add a stateful ingress rule for TCP traffic on destination port 3389 from source ::/0 and any source port.

    See To enable RDP access for more information.

  • Stateful ingress: Allow ICMPv6 traffic type 2 code 0 (Packet Too Big) from source ::/0 and any source port. This rule enables your instances to receive Path MTU Discovery fragmentation messages.
  • Stateful egress: Allow all IPv6 traffic. This allows instances to initiate IPv6 traffic of any kind to any destination. Notice that this means the instances with an internet-access-enabled IPv6 can talk to any internet IPv6 address if the VCN has a configured internet gateway. And because stateful security rules use connection tracking, the response traffic is automatically allowed regardless of any ingress rules. For more information, see Connection Tracking Details for Stateful Rules.
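The default rules above leave SSH open to source ::/0, and the suggested RDP rule does the same for port 3389. The following added example (not Oracle code) reviews a rule set for that exposure and for the IPv6 rule limits stated in the comparison table later in this topic; the rule dictionaries use this example's own simplified field names, not the API schema, and the sample data is constructed.

```python
import ipaddress

ANY_V6 = ipaddress.ip_network("::/0")
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
IPV6_RULE_LIMIT = 8  # IPv6 rules per direction in one security list

# Constructed sample: the three default IPv6 rules, the RDP rule suggested
# for Windows images, and one IPv4 rule that the audit must ignore.
SAMPLE_RULES = [
    {"direction": "ingress", "protocol": "tcp", "peer": "::/0", "ports": (22, 22)},
    {"direction": "ingress", "protocol": "icmpv6", "peer": "::/0", "icmp": (2, 0)},
    {"direction": "egress", "protocol": "all", "peer": "::/0"},
    {"direction": "ingress", "protocol": "tcp", "peer": "::/0", "ports": (3389, 3389)},
    {"direction": "ingress", "protocol": "tcp", "peer": "10.0.0.0/16", "ports": (22, 22)},
]


def _is_v6(rule):
    return ipaddress.ip_network(rule["peer"]).version == 6


def _ports(rule):
    # A TCP rule without a port range covers every port.
    return rule.get("ports", (1, 65535))


def _open_admin_ports(rule):
    """Admin ports that an ingress TCP rule exposes to any IPv6 source."""
    if (rule["direction"] != "ingress" or rule["protocol"] != "tcp"
            or ipaddress.ip_network(rule["peer"]) != ANY_V6):
        return []
    low, high = _ports(rule)
    return [port for port in ADMIN_PORTS if low <= port <= high]


def audit(rules):
    """Return findings for rule-count limits and world-reachable admin ports."""
    findings = []
    for direction in ("ingress", "egress"):
        count = sum(1 for r in rules if r["direction"] == direction and _is_v6(r))
        if count > IPV6_RULE_LIMIT:
            findings.append(
                f"{count} IPv6 {direction} rules exceed the limit of {IPV6_RULE_LIMIT}")
    for rule in rules:
        if (rule["direction"] == "ingress" and rule["protocol"] == "all"
                and ipaddress.ip_network(rule["peer"]) == ANY_V6):
            findings.append("all protocols reachable from any IPv6 source")
        for port in _open_admin_ports(rule):
            findings.append(
                f"{ADMIN_PORTS[port]} (tcp/{port}) reachable from any IPv6 source")
    return findings


def restrict_admin_sources(rules, admin_cidr):
    """Copy the rules, narrowing ::/0 admin-port ingress to admin_cidr."""
    narrowed = ipaddress.IPv6Network(admin_cidr)
    if narrowed == ANY_V6:
        raise ValueError("admin_cidr must be narrower than ::/0")
    result = []
    for rule in rules:
        rule = dict(rule)
        if _open_admin_ports(rule):
            rule["peer"] = str(narrowed)
        result.append(rule)
    return result
```

Passing the on-premises network's IPv6 CIDR to `restrict_admin_sources` yields the form of rule listed earlier in this section (SSH from the on-premises network's IPv6 CIDR).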

FastConnect and IPv6

If you use FastConnect, you can configure it so that on-premises hosts with IPv6 addresses can communicate with an IPv6-enabled VCN. In general, you must ensure that the FastConnect virtual circuit has IPv6 BGP addresses, and update the VCN's routing and security rules for IPv6 traffic.

About the IPv6 BGP Addresses

A FastConnect virtual circuit always requires IPv4 BGP addresses, but IPv6 BGP addresses are optional and only required for IPv6 traffic. Depending on how you're using FastConnect, you might be asked to provide all of the virtual circuit's BGP addresses yourself (both IPv4 and IPv6).

The addresses consist of a pair: one for your end of the BGP session, and another for the Oracle end of the BGP session.

When you specify a BGP address pair, you must include a subnet mask that contains both of the addresses. Specifically for IPv6, the allowed subnet masks are:

  • /64
  • /96
  • /126
  • /127

For example, you could specify 2001:db8::6/127 for the address at your end of the BGP session, and 2001:db8::7/127 for the Oracle end.

Process to Enable IPv6

In general, here's how to enable IPv6 for a FastConnect virtual circuit:

  • Virtual circuit BGP: Ensure the FastConnect virtual circuit has IPv6 BGP addresses. If you're responsible for providing the BGP IP addresses, when you set up a new virtual circuit or edit an existing one, there's a place for the two IPv4 BGP addresses. There's a separate check box for Enable IPv6 Address Assignment and a place to provide the two IPv6 addresses. Be aware that if you're editing an existing virtual circuit to add support for IPv6, it will go down while it's being reprovisioned to use the new BGP information.
  • VCN route tables: For each IPv6-enabled subnet in the VCN, update its route table to include rules that route the IPv6 traffic from the VCN to the desired IPv6 subnets in your on-premises network. For example, the Destination CIDR Block for a route rule would be an IPv6 subnet in your on-premises network, and the Target would be the DRG attached to the IPv6-enabled VCN.
  • VCN security rules: For each IPv6-enabled subnet in the VCN, update its security lists or relevant network security groups to allow the desired IPv6 traffic between the VCN and your on-premises network. See Security Rules for IPv6 Traffic.

If you do not yet have a FastConnect connection, see these topics to get started:

VPN Connect and IPv6

If you use VPN Connect, you can configure it so that on-premises hosts with IPv6 addresses can communicate with an IPv6-enabled VCN. Here's how to enable IPv6 for the connection:

  • IPSec connection static routes: Configure the IPSec connection with the IPv6 static routes of your on-premises network. Currently the Oracle IPSec VPN does not support BGP dynamic routing.
  • VCN route tables: For each IPv6-enabled subnet in the VCN, update its route table to include rules that route the IPv6 traffic from the VCN to the desired IPv6 subnets in your on-premises network. For example, the Destination CIDR Block for a route rule would be an IPv6 static route for your on-premises network, and the Target would be the DRG attached to the IPv6-enabled VCN.
  • VCN security rules: For each IPv6-enabled subnet in the VCN, update its security lists or relevant network security groups to allow the desired IPv6 traffic between the VCN and your on-premises network. See Security Rules for IPv6 Traffic.

If you have an existing IPSec VPN that uses static routing, you can update the list of static routes to include ones for IPv6. Be aware that changing the list of static routes causes the IPSec VPN to go down while it's being reprovisioned. See Changing the Static Routes.

If you do not yet have an IPSec VPN, see these topics to get started:

DHCP

Currently DHCPv6 auto-configuration of IP addresses is not supported.

DNS

The VCN's Internet Resolver supports IPv6, which means resources in your VCN can resolve IPv6 addresses of hosts outside the VCN. IPv6 traffic between resources within the VCN is not yet supported, and assignment of a hostname to an IPv6 address is not supported.

Load Balancers

When you create a load balancer, you can optionally choose to have an IPv4/IPv6 dual-stack configuration. When you choose the IPv6 option, the Load Balancing service assigns both an IPv4 and an IPv6 address to the load balancer. The load balancer receives client traffic sent to the assigned IPv6 address. The load balancer uses only IPv4 addresses to communicate with backend servers. There is no IPv6 communication between the load balancer and the backend servers.

IPv6 address assignment occurs only at load balancer creation. You cannot assign an IPv6 address to an existing load balancer.

Comparison of IPv4 and IPv6 for Your VCN

The following table summarizes the differences between IPv4 and IPv6 addressing in a VCN.

| Characteristic | IPv4 | IPv6 |
|---|---|---|
| Addressing type supported | IPv4 addressing is always required, regardless of whether IPv6 is enabled. | IPv6 addressing is optional per VCN, optional per subnet in an IPv6-enabled VCN, and optional per VNIC in an IPv6-enabled subnet. |
| Supported traffic types | IPv4 traffic is supported for all gateways. IPv4 traffic between instances within the VCN is supported (east/west traffic). | IPv6 traffic is supported only with these gateways: internet gateway and DRG. Both inbound- and outbound-initiated IPv6 connections are supported between your VCN and the internet, and between your VCN and your on-premises network. Private IPv6 traffic between resources within a region (intra- and inter-VCN) is not yet supported (east/west traffic). Also see the caveats in Routing for IPv6 Traffic. |
| VCN size | /16 to /30 | /48 only |
| Subnet size | /16 to /30, with 3 addresses reserved in each subnet by Oracle (first 2 and last 1). | /64 only, with 8 addresses in the subnet reserved by Oracle (first 4 and last 4). |
| Private and public IP address space | Private: A VCN's private IPv4 CIDR can be from an RFC 1918 range or a publicly routable range (in which case, it's treated as private). You must specify the range, unless you use the Console's VCN creation wizard, which always uses 10.0.0.0/16. Public: The VCN does not have a dedicated public IPv4 address space. Any public addresses in your VCN are always chosen by Oracle. | You can specify a /48 from the list of supported ranges for the private IPv6 CIDR (see CIDRs Assigned to an IPv6-Enabled VCN). If you don't specify a range, Oracle assigns a /48 CIDR that is used for both the private and public IP address space. Important: You must assign this value if you want instances in the same VCN to communicate with each other using public IPv6 addresses. For more information, see Routing for IPv6 Traffic. Unlike with IPv4, your VCN has a dedicated public IPv6 address space, which is always /48 in size. When you assign an IPv6 to a VNIC, you can choose the address, or you can let Oracle choose it. |
| IP address assignment | Private: Each VNIC gets a private IPv4 address. You can choose the address or let Oracle choose it. Public: You determine whether the private IPv4 address has a public IP address associated with it (assuming the VNIC is in a public subnet). Oracle chooses the public IP address. From an API standpoint: the PrivateIp object is separate from the PublicIp object. You can remove the public IP address from the private IPv4 address at any time. | You decide whether a VNIC in an IPv6-enabled subnet gets an IPv6. You can choose the private IPv6 address or let Oracle choose it. You also decide whether that IPv6 has internet access enabled (assuming the VNIC is in a public subnet). You can remove the internet access for that IPv6 at any time. When an IPv6 is internet enabled, it has a public IPv6 address. The public IPv6 address always has the same right-most 64 bits as the private IPv6 address. Recall that if Oracle assigns the VCN's private IPv6 CIDR, then the private and public CIDRs for the VCN are the same. In that case, each IPv6 uses the same address (all 128 bits) for both its private IP address and public IP address. From an API standpoint: both the private and public IP addresses are included in the Ipv6 object and always exist together. |
| Internet access | You control whether a subnet is public or private. You add or remove a public IP address from a private IPv4 address on a VNIC (assuming the VNIC is in a public subnet). | You control whether a subnet is public or private. You do not add or remove a public IP address to or from the VNIC as you do with IPv4. Instead you enable or disable the internet access for a given IPv6 that you've added to a VNIC (assuming the VNIC is in a public subnet). |
| Primary and secondary labels | Each VNIC automatically has a primary private IP address, and you can assign up to 31 secondary private IPs per VNIC. | You choose to add an IPv6 to a VNIC. There is no primary or secondary label for it. You can assign up to 32 IPv6s per VNIC. |
| Hostnames | You can assign hostnames to IPv4 addresses. | You cannot assign hostnames to IPv6 addresses. |
| Route rule limits | See Service Limits. | IPv4 and IPv6 route rules can reside together in the same route table. IPv6 route rules can target only an internet gateway or DRG. Limit on number of IPv6 route rules in a route table: 8. |
| Security rule limits | See Service Limits. | IPv4 and IPv6 security rules can reside together in the same network security group or security list. IPv6 security rules can use only IPv6 CIDR ranges for source or destination, and not a service CIDR label used for a service gateway. Limit on number of IPv6 security rules in a security list: 8 ingress and 8 egress. Limit on number of IPv6 security rules in a network security group: 16 total. |
| Reserved public IP addresses | Supported. | Not supported. |
| Regional or AD-specific | Primary private IPv4 addresses are availability domain-specific (AD-specific). Secondary private IPv4 addresses are AD-specific unless assigned to a VNIC in a regional subnet. Public IP addresses can be AD-specific or regional depending on the type (ephemeral or reserved). See Public IP Addresses. | IPv6 addresses are regional. |

Setting Up an IPv6-Enabled VCN with Internet Access

Use the following process if you want to set up an IPv6-enabled VCN with internet access so you can easily launch an instance and connect to it by using its public IPv6 address.

Warning

Avoid entering confidential information when assigning descriptions, tags, or friendly names to your cloud resources through the Oracle Cloud Infrastructure Console, API, or CLI.

Task 1: Create the IPv6-enabled VCN
Task 2: Create a regional IPv6-enabled public subnet
Task 3: Create the internet gateway
Task 4: Update the default route table to use the internet gateway
Task 5: Update the default security list (optional)
Task 6: Create an instance
Task 7: Add an internet-enabled IPv6 to the instance
Task 8: Configure the instance's OS to use the IPv6

Managing IPv6s in the Console

This section includes basic tasks for working with IPv6-related resources.

To create an IPv6-enabled VCN
To create an IPv6-enabled subnet
To assign an IPv6 to a VNIC
To move an IPv6 to another VNIC in the subnet
To delete an IPv6 from a VNIC
To enable or disable internet access for an IPv6

Using the API

For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.

For IPv6 addressing, there's an Ipv6 object with the following operations:

Configuring the OS to Use an IPv6

After assigning an IPv6 to a VNIC, you must configure the OS to use the IPv6.

Getting the IPv6 Virtual Router IP (Default Gateway)

You need the IPv6 virtual router IP (called the default gateway in Windows), which is included in the instance metadata available at the following URL:

http://169.254.169.254/opc/v1/vnics/

Here's an example response:

[ {
  "vnicId" : "ocid1.vnic.oc1.phx.examplevq7kncmdtfr23dznohdkd2cywjcem33eg3dxa",
  "privateIp" : "10.0.3.7",
  "vlanTag" : 3396,
  "macAddr" : "00:00:17:01:14:0C",
  "virtualRouterIp" : "10.0.3.1",
  "subnetCidrBlock" : "10.0.3.0/24",
  "ipv6SubnetCidrBlock" : "2001:0db8:95f4::/64",
  "ipv6VirtualRouterIp" : "2001:0db8::200:17ff:fee3:c491"
} ]

Oracle Linux 7 Configuration

The following commands are for Oracle Linux 7. They are NOT persistent through a reboot. You need the IPv6 virtual router IP from the instance metadata (see the previous section).

sysctl net.ipv6.conf.all.disable_ipv6=0

ip -6 addr add <private_IPv6_address>/64 dev <interface_name>

ip -6 route add default via <IPv6_virtual_router_IP> dev <interface_name>

For example:

sysctl net.ipv6.conf.all.disable_ipv6=0

ip -6 addr add 2001:0db8:95f4::abcd:1234/64 dev ens3

ip -6 route add default via 2001:0db8::200:17ff:fee3:c491 dev ens3

If you haven't yet, make sure the VCN's route table and security rules are configured for the desired IPv6 traffic. See Routing for IPv6 Traffic and Security Rules for IPv6 Traffic.
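The Oracle Linux 7 steps above can be generated from the metadata response rather than typed by hand. This added example (not Oracle code) parses the example response shown earlier, rejects an address that is outside the subnet or among the 8 addresses Oracle reserves (first 4 and last 4), and returns the three commands. The function name and the interface-name check are this example's own assumptions.

```python
import ipaddress
import json
import re

# The example response shown above for http://169.254.169.254/opc/v1/vnics/
SAMPLE_METADATA = """[ {
  "vnicId" : "ocid1.vnic.oc1.phx.examplevq7kncmdtfr23dznohdkd2cywjcem33eg3dxa",
  "privateIp" : "10.0.3.7",
  "vlanTag" : 3396,
  "macAddr" : "00:00:17:01:14:0C",
  "virtualRouterIp" : "10.0.3.1",
  "subnetCidrBlock" : "10.0.3.0/24",
  "ipv6SubnetCidrBlock" : "2001:0db8:95f4::/64",
  "ipv6VirtualRouterIp" : "2001:0db8::200:17ff:fee3:c491"
} ]"""

RESERVED_EACH_END = 4  # first 4 and last 4 addresses of the /64


def linux_ipv6_commands(metadata_json, address, interface, vnic_index=0):
    """Return the sysctl/ip commands for one IPv6 on one interface."""
    # The interface name is interpolated into shell commands, so accept
    # only characters found in ordinary Linux interface names.
    if not re.fullmatch(r"[A-Za-z0-9_.-]{1,15}", interface):
        raise ValueError(f"unexpected interface name: {interface!r}")
    vnic = json.loads(metadata_json)[vnic_index]
    if "ipv6SubnetCidrBlock" not in vnic or "ipv6VirtualRouterIp" not in vnic:
        raise ValueError("VNIC metadata carries no IPv6 fields")
    subnet = ipaddress.IPv6Network(vnic["ipv6SubnetCidrBlock"])
    router = ipaddress.IPv6Address(vnic["ipv6VirtualRouterIp"])
    addr = ipaddress.IPv6Address(address)
    if addr not in subnet:
        raise ValueError(f"{addr} is not in subnet {subnet}")
    offset = int(addr) - int(subnet.network_address)
    if offset < RESERVED_EACH_END or offset >= subnet.num_addresses - RESERVED_EACH_END:
        raise ValueError(f"{addr} is one of the addresses reserved by Oracle")
    return [
        "sysctl net.ipv6.conf.all.disable_ipv6=0",
        f"ip -6 addr add {addr}/{subnet.prefixlen} dev {interface}",
        f"ip -6 route add default via {router} dev {interface}",
    ]


if __name__ == "__main__":
    for line in linux_ipv6_commands(SAMPLE_METADATA, "2001:0db8:95f4::abcd:1234", "ens3"):
        print(line)
```

The addresses are printed in compressed form (`2001:db8:...`), which is equivalent to the zero-padded form used in the commands above.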

Windows Configuration

You can use a command line or the Network Connections UI.

Command Line
Network Connections UI