Help:Exposing IPv6 services

From Wikitech


It is possible to expose IPv6 services from Cloud VPS: virtual machine instances receive ingress IPv6 traffic directly, without NAT or other restrictions in between.

The IPv6 addresses assigned to Cloud VPS instances have global scope, so they can be publicly routable on the wider internet.

This method is for exposing IPv6-only services. If your service also needs to be reachable over IPv4, you will still need a floating IP.

Important note

The Cloud Services Terms of Use still apply, in particular the sections about privacy.

  • Do not expose HTTP (TCP/80) or HTTPS (TCP/443) services from your virtual machine. You should be using a web proxy, so that you do not have to handle end-user privacy yourself.
  • Do not expose SSH (TCP/22) over the internet. Use the bastion instead. This is likely a more secure, stable, and robust way to access your instances via SSH.

Procedure

The only change required is to allow the desired port in the security group attached to your virtual machine.

In your virtual machine instance:

  • make sure it has a routable IPv6 address assigned to its main interface (not just a link-local address in fe80::/10)
    user@instance:~$ ip -6 -br a
    lo               UNKNOWN        ::1/128 
    ens1             UP             2a02:ec80:a000:1::123/64 fe80::a800:ff:fe58:77b1/64
    
  • make sure you can use it for outbound connections.
    user@instance:~$ ping -c1 commons.wikimedia.org
    PING commons.wikimedia.org(text-lb.eqiad.wikimedia.org (2620:0:861:ed1a::1)) 56 data bytes
    64 bytes from text-lb.eqiad.wikimedia.org (2620:0:861:ed1a::1): icmp_seq=1 ttl=64 time=0.443 ms
    
    --- commons.wikimedia.org ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 0.443/0.443/0.443/0.000 ms
    
  • make sure the service in your instance is listening for IPv6 connections (bound to [::] rather than only to the loopback address [::1]).
    user@instance:~$ sudo ss -pltn6
    State       Recv-Q      Send-Q           Local Address:Port            Peer Address:Port      Process                                        
    LISTEN      0           20                       [::1]:25                      [::]:*          users:(("exim4",pid=2082,fd=6))               
    LISTEN      0           128                       [::]:22                      [::]:*          users:(("sshd",pid=1564,fd=8))
    LISTEN      0           128                       [::]:443                     [::]:*          users:(("nginx",pid=12564,fd=9))
    
  • create or update a security group with a rule that allows ingress IPv6 traffic to the desired port.
  • make sure that security group is attached to the virtual machine instance.
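The three instance-side checks above, plus the port restrictions from the important note, can be scripted. The following is an added example and not part of this Wikitech page or of any WMCS tooling: a POSIX sh script whose functions parse the `ip -6 -br a` and `ss -pltn6` output formats shown above. The sample outputs embedded in it are constructed, and the `openstack security group rule create` invocation in the comment is an assumption about the OpenStack client syntax, not something the page states.

```shell
#!/bin/sh
# Added example (not from the Wikitech page): pre-flight checks for exposing an
# IPv6 service from a Cloud VPS instance. Each check is a function that takes
# captured command output as an argument, so it can be exercised offline against
# the constructed samples below or run against the live system via preflight().

# Constructed sample of `ip -6 -br a` output (not captured from a real instance).
SAMPLE_IP_OUTPUT='lo               UNKNOWN        ::1/128
ens1             UP             2a02:ec80:a000:1::123/64 fe80::a800:ff:fe58:77b1/64'

# Constructed sample of `sudo ss -pltn6` output: exim4 is loopback-only,
# sshd and a hypothetical python3 service listen on all IPv6 addresses.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      20             [::1]:25          [::]:*    users:(("exim4",pid=2082,fd=6))
LISTEN 0      128             [::]:22          [::]:*    users:(("sshd",pid=1564,fd=8))
LISTEN 0      128             [::]:8080        [::]:*    users:(("python3",pid=999,fd=3))'

# port_allowed PORT: fail for the ports the page says must not be exposed
# directly (HTTP/HTTPS belong behind the web proxy, SSH behind the bastion).
port_allowed() {
    case "$1" in
        22|80|443) return 1 ;;
        *) return 0 ;;
    esac
}

# global_ipv6_addrs IFACE IP_OUTPUT: print the IPv6 addresses of IFACE that are
# neither link-local (fe80::/10) nor loopback, one per line; fail if none.
global_ipv6_addrs() {
    iface="$1"
    found=1
    while read -r name _state addrs; do
        [ "$name" = "$iface" ] || continue
        for a in $addrs; do
            case "$a" in
                fe[89abAB]?:*|FE[89abAB]?:*) ;;   # link-local: not routable, skip
                ::1/*) ;;                         # loopback
                *) printf '%s\n' "$a"; found=0 ;;
            esac
        done
    done <<EOF
$2
EOF
    return $found
}

# listens_on_ipv6 PORT SS_OUTPUT: succeed if a LISTEN socket is bound to PORT on
# all IPv6 addresses ([::], or * on ss versions that print it that way) rather
# than only on loopback ([::1]).
listens_on_ipv6() {
    port="$1"
    printf '%s\n' "$2" |
        grep -Eq "^LISTEN[[:space:]].*[[:space:]](\[::\]|\*):${port}[[:space:]]"
}

# preflight IFACE PORT [IP_OUTPUT] [SS_OUTPUT]: run all checks. When the captured
# outputs are not supplied, they are collected from the live system.
preflight() {
    iface="$1"
    port="$2"
    ip_out="${3:-$(ip -6 -br a)}"
    ss_out="${4:-$(ss -pltn6)}"

    port_allowed "$port" || {
        echo "refusing: TCP/$port must go through the web proxy or the bastion"
        return 1
    }
    global_ipv6_addrs "$iface" "$ip_out" >/dev/null || {
        echo "no global-scope IPv6 address on $iface (only link-local?)"
        return 1
    }
    listens_on_ipv6 "$port" "$ss_out" || {
        echo "nothing listening on [::]:$port (service bound to [::1] or IPv4 only?)"
        return 1
    }
    echo "ok: $iface has a global IPv6 address and [::]:$port is listening"
    # Remaining step is on the OpenStack side. Assumed openstackclient syntax
    # (not from the page); GROUP is the security group attached to the instance:
    #   openstack security group rule create --ingress --ethertype IPv6 \
    #       --protocol tcp --dst-port "$port" --remote-ip ::/0 GROUP
}

# Usage against the live instance: sh ipv6-preflight.sh ens1 8080
if [ $# -eq 2 ]; then
    preflight "$1" "$2"
fi
```

The outbound-connectivity check (the `ping` step) is deliberately left to the reader, since it needs network access; the other three checks are pure parsing and run anywhere.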

Communication and support

Support and administration of the WMCS resources is provided by the Wikimedia Foundation Cloud Services team and Wikimedia movement volunteers. Please reach out with questions and join the conversation:

  • Discuss and receive general support
  • Stay aware of critical changes and plans
  • Track work tasks and report bugs: use a subproject of the #Cloud-Services Phabricator project to track confirmed bug reports and feature requests about the Cloud Services infrastructure itself
  • Read stories and WMCS blog posts: read the Cloud Services Blog (for the broader Wikimedia movement, see the Wikimedia Technical Blog)