IPv6 in Microsoft Azure

We are grateful for the preparation of the article to Mikhail Tryakhov ( @PerseptronYar ) from the company Akvelon (Yaroslavl) for the help in writing this article. Mikhail works on the Microsoft Azure CLI team (Command Line Interface) with a specialization in Networking Services.

Hello! Today it is time to talk about the long-awaited innovation, which, with smoke and haste, prepared for the conference Ignite. This event took place from 28 to 30 September in Atlanta, and it is already well written about, say, here . However, it is already known that IPv6 has become available in a number of regions (locations) of Microsoft Azure. Under the cut details.
To say that this functionality is expected - to say nothing. It is, for starters, to drive into the search engine "Azure IPv6". I announce: you will find only a couple of links, mostly revolving around Feature requests (for example, here and here ) and company promises . And so it happened!

IPv4 and IPv6 are completely different and in no way dependent on each other versions of IP. That is, it is implied that it is impossible to convert an IPv4 address to IPv6, etc. The main task that IPv6 is beginning to solve is to ensure the interaction of Azure virtual machines and IPv6 clients by integrating it with the variety of services available in NRP (Network Resource Provider), such as Load balancer, NIC (Network Interface) , public ip (public IP addresses) and derivatives.

I can not offer, for the sake of interest, to try in part of the commands described in the post on the Azure CLI platform. As I wrote in the first review article in this blog, this is a command line extension that allows you to manage your Azure infrastructure on many operating systems (Windows, Mac, many Linux distributions). To install it, you can use the instructions on the official site. Please note that the installed version should be released after September 28, 2016. The desired release is available here .

Let's draw. In the picture we will depict the existing options for customizing the balancer in blue, green - updates that have become available.

I will describe the main buns that this carries to us:

• The joy of IOT-developers and not only - support "dual stack" (IPv4 + IPv6)
• Azure DNS now supports IPv4 type A and IPv6 AAAA record sets
• Many updated images of virtual machines with the Linux operating system already support this functionality from Koro. In some cases, you need to turn to DHCP

There are a number of limitations. For example, we will not be able to make these modifications on the use of IPv6 through a graphical interface. As I wrote earlier, working with JSON and consoles will have more and more. So here, the options remain a bit:

• Create a JSON template (template) and import it into the appropriate resource groups
• Use powershell
• Use Azure XPlat CLI

To begin with, in the selected resource group (as you understand, it’s all about ARM), you need to configure the network, subnets and create an “empty” load balancer. Using the Azure CLI, it’s enough to execute commands from the above manual I will draw on the example given there (as with PowerShell, template), concentrating on the important (in terms of this topic) points. The purpose of the following paragraphs is to analyze in detail the process of deploying the specified architecture and describe the existing limitations.

Since all three methods available to us to provide IPv6 support by no means, so skating boils down to the fact that they only send generated JSON to the corresponding API-version of the Azure SDK, I consider working with JSON templates to be the most accurate to demonstrate, focusing on innovations.

Public IP Setup

So, according to the scheme drawn above, we do PUT requests and get two public IP:

{ "name": "myIPv4Vip", "id": "/subscriptions/{guid}/resourceGroups/rg1/Microsoft.Network/publicIpAddresses/ip1", "location": "West US", "tags": { “key”: “value” } , “etag”: “W/\”00000000-0000-0000-0000-000000000000\”“, "properties": { "provisioningState": “Updating|Deleting|Failed|Succeeded”, "ipAddress": "1.1.1.1", "publicIpAddressVersion": IPv4, "publicIPAllocationMethod": "Static | Dynamic", "idleTimeoutInMinutes": 4, "ipConfiguration": { "id": "/subscriptions/{guid}/../Microsoft.Network/loadbalancers/MyIpV4AndV6LB1/ipConfigurations/frontendIP1"}, "dnsSettings": { "domainNameLabel": "mylabel", "fqdn": "mylabel.westus.cloudapp.azure.com.", "reverseFqdn": "contoso.com." } } } 

Here I ask you to pay attention to a number of points.

• The resulted location is one of the few currently supported. I really try to open a source with relevant data on this issue.
• publicIpAddressVersion = IPv4 is default

 { "name": "myIPv6Vip", "id": "/subscriptions/{guid}/resourceGroups/rg1/Microsoft.Network/publicIpAddresses/myIPv6Vip", "location": "West US", "tags": { “key”: “value” } , “etag”: “W/\”00000000-0000-0000-0000-000000000000\”“, "properties": { "provisioningState": “Updating|Deleting|Failed|Succeeded”, "ipAddress”:”2015::1234:5": , "publicIpAddressVersion": IPv6, " publicIPAllocationMethod ": " Static|Dynamic", "idleTimeoutInMinutes ": 4, "ipConfiguration": { "id": "/subscriptions/{guid}/../Microsoft.Network/loadbalancers/MyIpV4AndV6LB1/ipConfigurations/frontendIP2"}, "dnsSettings": { "domainNameLabel": "mylabel", "fqdn": "mylabel.westus.cloudapp.azure.com.", "reverseFqdn": }, } 

There are a number of limitations.

• dnsSettings.fqdn is a read -only property in the FQDN format, that is, in our example, contoso09152016.westus.cloudapp.azure.com .
• DNS settings reverse FQDN is not specified, because at the moment (and in the short term) Azure DNS does not plan to support reverse requests for IPv6. Value will be empty (null / not allowed).
• The IP address will be read only.
• Public IP Allocation Method : When Static is specified, a reserved virtual IP address (reserved VIP) will be created, that is, the VIP will remain unchanged in load balancers. If the parameter is specified as Dynamic , then the value of the IP address may change when linking this address to another load balancer.
• IPv6 can only be used when creating new Public IP instances. Alas, it is impossible to change existing ones from IPv4 to IPv6.

Load Balancer Setup

The next important step in the analysis of the above architecture will be setting up the load balancer. It will be expectedly large - I ask you to see the presentation version of PUT and GET requests.

You can easily restore them completely by completing the actions according to the documentation for any of the platforms, for example, my native Azure CLI .

Pay attention to the following points.

Frontend IP Configuration-Public IP (VIP)
If the Frontend IP configuration refers to a public (public) IP address with a version of ipVersion = IPv6, the following checks will be performed:

1. There must be a different Frontend IP configuration that implements the IPv4 version.
2. A subnet (subnet with a private frontend address for the balancer) cannot be specified, because in the case of IPv6, the internal load balancer (ILB) is not supported. Therefore, all associated data (private IP address, allocation method) will be empty (null / not allowed).
3. Only one virtual IP address (VIP) version of IPv6 can be created as part of a load balancer.

Backend Address Pools (Backend)
Validation will consist of checking network interface settings (NIC). Each instance of backend adress pool-a can refer to a NIC with only one type of supported address — either IPv4 or IPv6.

Load Balancer Rule (FE <-> BE)
If the Frontend IP configuration refers to a public (public) IP address with a version of ipVersion = IPv6, the following restrictions apply:

1. Backend addresses refer to the IPv6 NIC configuration.
2. Load Balancer Probe not supported for IPv6 version

Inbound NAT pools cannot contain a configuration that refers to an IPv6 VIP.

Inbound NAT rules must satisfy the condition that the Frontend IP and Backend IP configurations must be IPv6 versions.

Outbound NAT Rules

1. May contain rules based on the IPv6 version, provided that the virtual IP address of this version is referenced by the frontend IP configurator.
2. In this case, the backend configurator should also be based on IPv6.
3. Within the load balancer, only one IPv6 virtual IP address is allowed.

Well, as mentioned above, in the existing configuration it is impossible to update the version of IP addresses (IPv4-> IPv6).

Network interface setup

Here, I also propose to refer directly to the network interface configuration example.

 { "name": "mynic1", "id": "/subscriptions/{guid}/resourceGroups/myrg1/providers/Microsoft.Network/networkInterfaces/vm1mynic1", "location": "West US", "tags": { “key”: “value” } , “etag”: “W/\”00000000-0000-0000-0000-000000000000\”“, "properties": { "provisioningState": “Updating|Deleting|Failed|Succeeded”, "virtualMachine": {"id": "/subscriptions/{guid}/../Microsoft.Compute/virtualMachines/vm1"}, "macAddress": "BC-31-5B-E2-EE-B1" "networkSecurityGroup":{"id":"/subscriptions/{guid}/../Microsoft.Network/networkSecurityGroups/myNSG1" }, "ipConfigurations": [ { "name": "myIPv4IP1", "properties": { " privateIpAddressVersion ": IPv4 "subnet": {"id": "/subscriptions/{guid}/../Microsoft.Network/virtualNetworks/myvnet1/subnets/mysub1"}, "privateIPAddress": "10.0.0.8", "privateIPAllocationMethod": "Static | Dynamic", "publicIPAddress": {} "loadBalancerBackendAddressPools": [ {"id": "/subscriptions/{guid}/../Microsoft.Network/loadBalancers/mylb1/backendAddressPools/IPv4BackendPool1"} ], "loadBalancerInboundNatRules": [ ] } }, { "name": "myIpV6Ip1", "id": "/subscriptions/{guid}/../Microsoft.Network/networkInterfaces/vm1mynic1/ipConfigurations/ myIpV6Ip1", “etag”: “W/\”00000000-0000-0000-0000-000000000000\”“, "properties": { "provisioningState": “Updating|Deleting|Failed|Succeeded”, " privateIpAddressVersion ": IPv6, "subnet": "privateIPAddress ": "privateIPAllocationMethod": Dynamic", "publicIPAddress": "loadBalancerBackendAddressPools": [ {"id": "/subscriptions/{guid}/../Microsoft.Network/loadBalancers/myIPv6lb1/backendAddressPools/IPv6BackendPool1"} ], "loadBalancerInboundNatRules": [] } } ], "dnsSettings": { "dnsServers": ["1.0.0.1","2.0.0.2"], "appliedDnsServers": ["1.0.0.1","2.0.0.2", “3.0.0.3”] }, “enableIPForwarding”: false } } 

The choice of IPv6 version imposes the following restrictions:

1. The NIC must be new, or not tied to an existing virtual machine.
2. The set of network interface configurations must have at least one with version ipVersion = IPv4.
3. The selected NIC is the only one in a virtual machine with version ipVersion = IPv6. Multi-NIC is not currently available.
4. privateIPAllocationMethod = Dynamic is the only valid value.
5. The private IP address is not available in IPv6.
6. You cannot upgrade an existing virtual machine to support IPv6 instead of IPv4.

I hope this information will help you successfully overcome all the difficulties that may arise when you start working with IPv6 in Azure.

A look into the future

If we talk about the future - at the moment, alas, I can not say when updates will be made, correcting very biting restrictions, and when this article will become useless. There is no information from either the Azure DNS team or the NRP (Network Resource Provider). Will there be a possibility of more gentle migration of existing infrastructures? For me, these questions are also open.

If we say that I still know:

• One way or another, everything is moving towards full parity in support for IPv4, IPv6 and IPv4 + IPv6.
• Networks and subnets will start supporting IPv6 - hot work is underway, and I will share these joys with you at the first opportunity.

Thank you for your attention, please contact us if you have any questions.