What is IPv6?
First time I was introduced to IPv6 was in a classroom training ages ago. The instructor said that IPv4 has IP-addresses the same amount as a wheelbarrow has grains of salt and IPv6 has the amount of grains in the sun.
Cisco has an excellent table on the amounts.
So there is a big difference between the amounts. Also the wheelbarrow amount of grains are eventually ending. This has been a discussing for a long time and some day it’s really happening.
When IP-address allocation started, all the big companies had publicly routable addresses assigned to their internal networks also with insane /8 masks.
See more information here.
Terminology and types
- Global Unicast Address – Scope Internet – routed on Internet
- Unique Local – Scope Internal Network and it’s internally routable, but not routed on Internet
- Link Local – Scope network link – not routed internally or externally.
Global and Public Addresses
On the internet, global addresses begin with the 2001:
These addresses are known as global Unicast addresses and are equivalent to IPv4 public addresses.
Internal Addresses- Link Local and Unique Local
Internal addresses in IPv4 use the reserved number ranges 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and 169.254.0.0/16.
These addresses are reserved for internal networks and are not routed on the Internet.
IPv6 has two Internal address types.
These are intended to be used within an internal network and are not routed over the Internet.
It corresponds to the IPv4 address 169.254.0.0/16, which is assigned on an IPv4 network when no DHCP server can be found.
Local address links begin with fe80.
They are limited to a single link and are not routed through the internal network or the Internet.
Unique locals are meant to be used inside an internal network.
They are routed through the internal network but not through the Internet.
These are compared to your internal address like 192.168.0.0/24
The address space is split into two /8 zones: fc00::/8 for globally assigned addressing and fd00::/8 for locally assigned addressing. The fd00 prefix is used for manual assignment by an organization.
Why to use IPv6?
IPv6 addresses the global issue of address space depletion caused by rising demand for IP addresses as a result of technical improvements. It provides dependability and better speeds. Because IPv6 allows multicast addresses, bandwidth-intensive packet flows such as media streams can reach several destinations at the same time. It has stronger network security with IPSecurity that is built-in, it will ensure data privacy and integrity. It will also boost routing efficiency.
IPv6 enables both stateless and stateful address configuration, regardless of whether a Dynamic Host Configuration Protocol (DHCP) server is present or not and it has a larger address space and is more efficient at handling packets.
Azure and IPv6
IPv6 was introduced to Azure in 2016 at Ignite.
IPv6 in VNet
Dual-stacked IPv4/IPv6 VMs offer the most flexibility in service deployment. A single service instance can communicate with Internet clients that support both IPv4 and IPv6. Because IPv6 access to the Internet is only established when you specifically request it in your deployment, it is secure by default.
There are no fees for using Public IPv6 Addresses or Prefixes. The same charges apply to associated resources and bandwidth as they do to IPv4.
- VPN gateways can still be deployed in a Dual-stacked VNET using solely Azure PowerShell and Azure CLI commands even if they only handle IPv4 traffic at the moment.
- Floating IP dual-stack systems are only compatible with public load balancers (not Internal load balancers)
- At this time, IPv6 is not supported by Application Gateway v2. Only IPv4 can be used for operation in a dual stack VNet, but only IPv4 can be used in the gateway subnet. Dual stack VNets are not supported by Application Gateway v1.
- IPv6 connectivity for containers is not supported by the Azure platform (AKS, etc.).
- Each NIC must have at least one IPv4 IP configuration; IPv6-only virtual machines or scale sets are not supported.
- A VNET with existing resource navigation links cannot have IPv6 ranges added when IPv6 is added to existing IPv4 deployments.
- Reverse DNS is not yet enabled by Azure public DNS, although forward DNS for IPv6 is.
- While it is feasible to make NSG rules for both IPv4 and IPv6 within the same NSG, it is presently not allowed to define IP prefixes for both an IPv4 and an IPv6 subnet in the same rule.
- Network Security Groups are not presently supported for ICMPv6.
- Only IPv4 traffic is presently supported by Azure Virtual WAN.
- IPv6 is not presently supported by Azure Firewall. Only IPv4 can be used for operation in a dual stack VNet, but only IPv4 can be used in the firewall subnet.
Learn article on how to create a dual-stack config for your VM.
Microsoft 365 and IPv6
Many Microsoft 365 services already support IPv6 natively and are directly accessible from clients that support IPv6 dual stack and IPv6 alone. In addition, clients and network solution providers can connect to IPv4 Internet services using standard IPv6 to IPv4 translation technologies (such base 64 proxies or DNS64/NAT64) by using Microsoft 365.
For example Direct Access used DNS and NAT64 to translate the traffic from IPv4 to IPv6 if you had IPv4-addresses on resources inside your network but it won’t work in reverse.
Conditional access and IPv6
Microsoft will begin introducing IPv6 support to Azure AD in late March 2023. Microsoft isn’t planning to require IPv6 or to deprioritize IPv4 so not to worry, you will just have a possibility to use it.
Steps to take
- Determine which egress IPv6 addresses are in use in your organization.
- Make or update named locations to include their IPv4 and IPv6 addresses
One example why to take these steps is EXO. The majority of IPv6 traffic proxied to Azure AD comes from Microsoft Exchange Online. When IPv6 connectivity is available, Exchange will prefer it.
The name of the game is to use Named locations and add your own egress (outgoing) IPv6 addresses for them, let’s see how you can add it.
Open Entra and Conditional Access pane from https://entra.microsoft.com/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Policies (Yes, I’m also struggling to remember it, portal.azure.com comes from be spine)
Enter the IPv6 address range or if you want add only one address, add /128 behind it or use my script to grab it.
Why to use /128 if I want to add one host you ask? Because an IPv6 address uses 128 bits as opposed to 32 bits in IPv4
If you want to add as a trusted you can use for different scenarios.
Maybe just to exclude it from MFA requests
See here Microsoft’s article on the upcoming support.
Script to copy your public IPv6
Small but usable script for getting your IPv6 Public address and adding /128 mask to it, it will make adding your address to Conditional access an easier task.
That was IPv6 and how it works with Azure services and beginning of April 2023 with Azure AD services, this has been a huge ask from the community to add support for IPv6, job well done Microsoft!
Happy start for your year 2023!