What is IPv6 and why you should use in Azure?

Posted by Harri Jaakkonen Posted on 22/01/2023 0 Comments on What is IPv6 and why you should use in Azure?
Posted in Azure, Azure AD, Conditional access, Entra, Identity, Microsoft 365, Security

What is IPv6?

First time I was introduced to IPv6 was in a classroom training ages ago. The instructor said that IPv4 has IP-addresses the same amount as a wheelbarrow has grains of salt and IPv6 has the amount of grains in the sun.

Cisco has an excellent table on the amounts.

So there is a big difference between the amounts. Also the wheelbarrow amount of grains are eventually ending. This has been a discussing for a long time and some day it’s really happening.

When IP-address allocation started, all the big companies had publicly routable addresses assigned to their internal networks also with insane /8 masks.

See more information here.

List of assigned /8 IPv4 address blocks – Wikipedia
Some large /8 blocks of IPv4 addresses, the former Class A network blocks, are assigned in whole to single organizations or related groups of organizations, either by the Internet Corporation for Assigned Names and Numbers (ICANN), through the Internet Assigned Numbers Authority (IANA), or a regiona…

Terminology and types

  • Global Unicast Address – Scope Internet – routed on Internet
  • Unique Local – Scope Internal Network and it’s internally routable, but not routed on Internet
  • Link Local – Scope network link – not routed internally or externally.

Global and Public Addresses

On the internet, global addresses begin with the 2001:

These addresses are known as global Unicast addresses and are equivalent to IPv4 public addresses.

Internal Addresses- Link Local and Unique Local

Internal addresses in IPv4 use the reserved number ranges 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and 169.254.0.0/16.

These addresses are reserved for internal networks and are not routed on the Internet.

IPv6 has two Internal address types.

Link Local

These are intended to be used within an internal network and are not routed over the Internet.

It corresponds to the IPv4 address 169.254.0.0/16, which is assigned on an IPv4 network when no DHCP server can be found.

Local address links begin with fe80.

They are limited to a single link and are not routed through the internal network or the Internet.

Unique Local

Unique locals are meant to be used inside an internal network.

They are routed through the internal network but not through the Internet.

These are compared to your internal address like 192.168.0.0/24

The address space is split into two /8 zones: fc00::/8 for globally assigned addressing and fd00::/8 for locally assigned addressing. The fd00 prefix is used for manual assignment by an organization.

Why to use IPv6?

IPv6 addresses the global issue of address space depletion caused by rising demand for IP addresses as a result of technical improvements. It provides dependability and better speeds. Because IPv6 allows multicast addresses, bandwidth-intensive packet flows such as media streams can reach several destinations at the same time. It has stronger network security with IPSecurity that is built-in, it will ensure data privacy and integrity. It will also boost routing efficiency.


IPv6 enables both stateless and stateful address configuration, regardless of whether a Dynamic Host Configuration Protocol (DHCP) server is present or not and it has a larger address space and is more efficient at handling packets.

Azure and IPv6

IPv6 was introduced to Azure in 2016 at Ignite.

Azure Networking announcements for Ignite 2016
This week we are announcing several new Azure networking services and features to provide customers greater performance, higher availability, better security and more operational insights.

IPv6 in VNet

Dual-stacked IPv4/IPv6 VMs offer the most flexibility in service deployment. A single service instance can communicate with Internet clients that support both IPv4 and IPv6. Because IPv6 access to the Internet is only established when you specifically request it in your deployment, it is secure by default.

There are no fees for using Public IPv6 Addresses or Prefixes. The same charges apply to associated resources and bandwidth as they do to IPv4.

Overview of IPv6 for Azure Virtual Network
IPv6 description of IPv6 endpoints and data paths in an Azure virtual network.

Limitations

  • VPN gateways can still be deployed in a Dual-stacked VNET using solely Azure PowerShell and Azure CLI commands even if they only handle IPv4 traffic at the moment.
  • Floating IP dual-stack systems are only compatible with public load balancers (not Internal load balancers)
  • At this time, IPv6 is not supported by Application Gateway v2. Only IPv4 can be used for operation in a dual stack VNet, but only IPv4 can be used in the gateway subnet. Dual stack VNets are not supported by Application Gateway v1.
  • IPv6 connectivity for containers is not supported by the Azure platform (AKS, etc.).
  • Each NIC must have at least one IPv4 IP configuration; IPv6-only virtual machines or scale sets are not supported.
  • A VNET with existing resource navigation links cannot have IPv6 ranges added when IPv6 is added to existing IPv4 deployments.
  • Reverse DNS is not yet enabled by Azure public DNS, although forward DNS for IPv6 is.
  • While it is feasible to make NSG rules for both IPv4 and IPv6 within the same NSG, it is presently not allowed to define IP prefixes for both an IPv4 and an IPv6 subnet in the same rule.
  • Network Security Groups are not presently supported for ICMPv6.
  • Only IPv4 traffic is presently supported by Azure Virtual WAN.
  • IPv6 is not presently supported by Azure Firewall. Only IPv4 can be used for operation in a dual stack VNet, but only IPv4 can be used in the firewall subnet.

Learn article on how to create a dual-stack config for your VM.

Create an Azure virtual machine with a dual-stack network – Azure CLI – Azure Virtual Network
In this article, learn how to use the Azure CLI to create a virtual machine with a dual-stack virtual network in Azure.

Microsoft 365 and IPv6

Many Microsoft 365 services already support IPv6 natively and are directly accessible from clients that support IPv6 dual stack and IPv6 alone. In addition, clients and network solution providers can connect to IPv4 Internet services using standard IPv6 to IPv4 translation technologies (such base 64 proxies or DNS64/NAT64) by using Microsoft 365.

For example Direct Access used DNS and NAT64 to translate the traffic from IPv4 to IPv6 if you had IPv4-addresses on resources inside your network but it won’t work in reverse.

IPv6 support in Microsoft 365 services – Microsoft 365 Enterprise
Summary: Describes IPv6 support in Microsoft 365 components and in Microsoft 365 government offerings.

Conditional access and IPv6

Microsoft will begin introducing IPv6 support to Azure AD in late March 2023. Microsoft isn’t planning to require IPv6 or to deprioritize IPv4 so not to worry, you will just have a possibility to use it.

Steps to take

  • Determine which egress IPv6 addresses are in use in your organization.
  • Make or update named locations to include their IPv4 and IPv6 addresses

One example why to take these steps is EXO. The majority of IPv6 traffic proxied to Azure AD comes from Microsoft Exchange Online. When IPv6 connectivity is available, Exchange will prefer it.

The name of the game is to use Named locations and add your own egress (outgoing) IPv6 addresses for them, let’s see how you can add it.

Open Entra and Conditional Access pane from https://entra.microsoft.com/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Policies (Yes, I’m also struggling to remember it, portal.azure.com comes from be spine)

Enter the IPv6 address range or if you want add only one address, add /128 behind it or use my script to grab it.

Why to use /128 if I want to add one host you ask? Because an IPv6 address uses 128 bits as opposed to 32 bits in IPv4

If you want to add as a trusted you can use for different scenarios.

Maybe just to exclude it from MFA requests

See here Microsoft’s article on the upcoming support.

IPv6 Coming to Azure AD
With the growing adoption and support of IPv6 across enterprise networks, service providers, and devices, many customers are wondering if their users can continue to access their services and applications from IPv6 clients and IPv6 networks. Today, we’re excited to announce our plan to bring IPv…

Script to copy your public IPv6

Small but usable script for getting your IPv6 Public address and adding /128 mask to it, it will make adding your address to Conditional access an easier task.

Scripts/Get-MyPublicIPV6.ps1 at main · HarriJaakkonen/Scripts
My script pack. Contribute to HarriJaakkonen/Scripts development by creating an account on GitHub.

Closure

That was IPv6 and how it works with Azure services and beginning of April 2023 with Azure AD services, this has been a huge ask from the community to add support for IPv6, job well done Microsoft!

Happy start for your year 2023!

Author: Harri Jaakkonen

Leave a Reply

Your email address will not be published. Required fields are marked *