
AWS EC2 switch to IPv6, save $43 per year


IPv6 has been around for a long time, and I have dealt with many IPv6 tasks in my work. However, I never thought about switching my EC2 instance to IPv4. Yesterday, while going through my email trash, I came across a message stating that AWS will start charging for IPv4 addresses from February 1, 2024. This caught my attention, so I decided to switch my EC2 instance to IPv6 today. The process was a bit of a hassle. This article is not only applicable to EC2 instances but should also work for other Linux hosts.


This article was first published in the Medium MPP plan. If you are a Medium user, please follow me on [Medium](https://medium.huizhou92.com/). Thank you very much.

Adding an IPv6 Address to EC2

Since my EC2 instance’s DNS resolution is handled by Cloudflare, I mainly referred to this blog post: Amazon’s $2bn IPv4 Tax — and How to Avoid Paying It

And also, the official AWS documentation on Migrating Your VPC from IPv4 to IPv6.

It’s worth noting that the demo in the “Migrating Your VPC from IPv4 to IPv6” documentation assumes that the VPC has both a public and a private subnet. If you, like me, only have a public subnet, you can skip that part.

I must say, AWS documentation is well-written, and there’s a lot to learn from it.

The result after completing the setup should look like this, with both IPv4 and IPv6 addresses. Make sure to add the same rules for IPv6 in the security group.
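One way to check the security group before the IPv4 address goes away, as an added example (not from the original post or the AWS documentation): it reads JSON in the shape printed by `aws ec2 describe-security-groups` and reports ingress rules that have no IPv6 range, or whose IPv6 range is open to `::/0` while the IPv4 side is restricted. The sample document, the group ID `sg-EXAMPLE` and the CIDRs are constructed.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups`
# output; the group ID and CIDRs are placeholders, not real values.
SAMPLE = json.loads("""
{"SecurityGroups": [{"GroupId": "sg-EXAMPLE", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
   "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
  {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
   "IpRanges": [{"CidrIp": "203.0.113.10/32"}],
   "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}
]}]}
""")


def audit_ipv6_parity(doc):
    """Return (group, protocol, from_port, to_port, finding) tuples for
    ingress rules whose IPv6 side is missing or wider than the IPv4 side."""
    rules = {}
    for sg in doc["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            # Merge entries that share protocol and port range, in case the
            # IPv4 and IPv6 ranges arrive as separate permission objects.
            key = (sg["GroupId"], perm["IpProtocol"],
                   perm.get("FromPort"), perm.get("ToPort"))
            v4, v6 = rules.setdefault(key, (set(), set()))
            v4.update(r["CidrIp"] for r in perm.get("IpRanges", []))
            v6.update(r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []))

    findings = []
    for key, (v4, v6) in rules.items():
        if v4 and not v6:
            # Service becomes unreachable once the IPv4 address is removed.
            findings.append(key + ("missing-ipv6",))
        elif "::/0" in v6 and v4 and "0.0.0.0/0" not in v4:
            # IPv4 was locked to specific sources; IPv6 is open to everyone.
            findings.append(key + ("ipv6-wider-than-ipv4",))
    return findings


if __name__ == "__main__":
    for finding in audit_ipv6_parity(SAMPLE):
        print(*finding)
```

A restricted IPv4 source such as a single admin address has no automatic IPv6 equivalent, so the second finding needs a manually chosen IPv6 prefix rather than `::/0`.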

Application Support

On my EC2 instance, I only have Nginx and Docker running, and I usually log in via SSH. So, I need to add IPv6 support for Nginx and SSH.

Nginx

For your HTTP server block (the one listening on port 80), add the line listen [::]:80;. This allows Nginx to listen to both IPv4 and IPv6 HTTP traffic. Your modified server block should look like this:

server {
    listen 80;
    listen [::]:80;
    server_name hexo.hxzhouh.com;
    return 301 https://$host$request_uri;
}

For each HTTPS server block (those listening on port 443), add listen [::]:443 ssl; inside each block. This enables Nginx to listen for HTTPS traffic on IPv6. For example, for the first HTTPS server block, you need to make the following modification:

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name hexo.hxzhouh.com;
    # other configurations...
}

Make these modifications for each HTTPS server block. Then, test the Nginx configuration with nginx -t. If there are no issues, reload the Nginx configuration with systemctl reload nginx.

SSHD

In the sshd_config file, uncomment the line AddressFamily any (i.e., remove the preceding #) to enable IPv6 listening for SSH and other applications.

vim /etc/ssh/sshd_config

#Port 22
# Accept connections over both IPv4 and IPv6
AddressFamily any
# Leave the IPv4-only setting commented out
#AddressFamily inet
#ListenAddress 0.0.0.0
#ListenAddress ::

Then, restart SSHD with sudo systemctl reload sshd. Use the netstat -tupln command to check if SSH is successfully listening on IPv6. If you see the following output, it means SSH is listening on IPv6:

Now the application layer modifications are complete.

DNS Configuration

Finally, in Cloudflare, modify the DNS settings by changing the previous IPv4 A records to AAAA records for IPv6.

Test

Test everything to make sure it’s working fine, and then you can delete the IPv4 address to avoid being charged.

Uppublished: Running instances cannot have their IPv4 addresses removed, but you can rebuild them using an AMI. It’s a bit of a hassle, but at least AWS won’t send me any more emails. ✌️


Licensed under CC BY-NC-SA 4.0