IPv6
In this guide, we’ll dive into how IPv6 works in Amazon EKS when using the AWS VPC CNI plugin. By enabling IPv6 at VPC creation time, you get a dual-stack VPC (IPv4 + IPv6). As AWS services continue to evolve, IPv6-only VPCs are not yet supported, so you must use dual-stack.
Dual-Stack VPC and Prefix Delegation
When IPv6 is enabled on your VPC (and on your EKS cluster):
- Each worker node’s primary ENI gets one IPv4 and one IPv6 address.
- Kubernetes uses Prefix Delegation to hand out a /80 IPv6 block to each node.
That /80 block contains ~2.8 × 10^14 addresses—orders of magnitude more than all IPv4 addresses on the Internet.
Pod Networking and NAT64 Translation
By design, EKS Pods are single-stack IPv6: they only receive an IPv6 address. To reach IPv4-only endpoints:
- Pod sends an IPv6 request.
- Node DNS resolves the target to an IPv4 address.
- The node SNATs the traffic using its IPv4 ENI.
- Responses come back over IPv4 and are mapped to the Pod’s IPv6.
All IPv6-to-IPv4 translation uses link-local addresses (169.254.0.0/16 via veth*). If the destination has native IPv6, traffic flows directly over the IPv6 ENI.
Throughput Consideration
Pods accessing IPv4 services share the same node-level IPv4 address and NAT connections. This can become a throughput bottleneck at scale—plan accordingly.
Egress-Only IPv6 Traffic
Since IPv6 addresses are globally unique, you generally don’t need SNAT or NAT Gateways for Pod-to-Pod or outbound traffic. To control outbound IPv6:
Gateway Type | Direction |
---|---|
Egress-only Internet Gateway | IPv6 outbound only |
Note
AWS does not offer an ingress-only IPv6 gateway. Control incoming IPv6 traffic with Security Groups or Network ACLs.
1. Creating a Dual-Stack EKS Cluster
Use eksdemo, eksctl, or the AWS CLI to spin up a dual-stack EKS cluster:
eksdemo create cluster kodekloud \
--ipv6 \
--region us-east-2 \
--instance-type c5.large \
--kubeconfig ~/.kube/ipv6-cluster
Verify your nodes:
kubectl get nodes -o wide
You should see each node’s IPv6 under INTERNAL-IP.
Deploy a test Pod and inspect its IP:
kubectl run test-nginx --image=nginx --restart=Never --labels=app=test
kubectl get pod test-nginx -o wide
The Pod’s IP will be in IPv6 format.
2. Examining Node Interfaces
SSH into a node and list its interfaces:
ip addr show
Example eth0 output:
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 ...
inet 192.168.135.79/19 brd 192.168.159.255 scope global eth0
inet6 2600:1f16:116:8064:b0ea:eb9d:7de2:9323/128 scope global
inet6 fe80::85f:8ff:fe54:c3fb/64 scope link
Link-local Pod interfaces (veth*) will show both 169.254.x.x/32 and fe80::/64.
IPv4 Routes
ip route show
default via 192.168.128.1 dev eth0
169.254.169.254 dev eth0
169.254.172.2 dev veth00f15eda scope link
192.168.128.0/19 dev eth0 proto kernel src 192.168.135.79
IPv6 Routes
ip -6 route show
2600:1f16:116:8064::/64 dev eth0 proto kernel metric 256
fe80::/64 dev eth0 proto kernel metric 256
default via fe80::83a:4dff:febb:2d1 dev eth0 proto ra metric 1024
3. Inspecting IPv6 Prefix Delegation
To view the /80 prefixes assigned to each node, run:
aws ec2 describe-instances \
--filters "Name=tag-key,Values=eks:cluster-name" \
--query 'Reservations[].Instances[].[InstanceId, NetworkInterfaces[].Ipv6Prefixes[]]'
Example output:
[
  [
    "i-02ebad56ad05a4ff",
    [
      { "Ipv6Prefix": "2600:1f16:11e6:8604:2c9a::/80" }
    ]
  ],
  [
    "i-065cb5099cb6627ad",
    [
      { "Ipv6Prefix": "2600:1f16:11e6:8603:bb16::/80" }
    ]
  ]
]
Each node receives a /80 (~280 trillion addresses) for Pod allocation—IP exhaustion is no longer a concern.
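Because each delegated /80 belongs to one node, a Pod IPv6 address seen in a flow log or alert can be attributed to the node that hosts it. The script below is an added example, not part of the original guide: it parses the output shape of the query above (using the example output shown) and does the lookup; the function names and the Pod addresses in the demo are constructed for illustration.

```python
import ipaddress
import json

# Output shape of the describe-instances query above; the values are the
# guide's example output, embedded so the script runs offline.
DESCRIBE_OUTPUT = """
[
  ["i-02ebad56ad05a4ff",  [{"Ipv6Prefix": "2600:1f16:11e6:8604:2c9a::/80"}]],
  ["i-065cb5099cb6627ad", [{"Ipv6Prefix": "2600:1f16:11e6:8603:bb16::/80"}]]
]
"""

def load_prefix_table(raw):
    """Return [(IPv6Network, instance_id)] parsed from the query output."""
    table = []
    for instance_id, prefixes in json.loads(raw):
        for entry in prefixes or []:  # tolerate instances with no delegated prefix
            # strict=True rejects a prefix with host bits set (malformed input)
            net = ipaddress.ip_network(entry["Ipv6Prefix"], strict=True)
            table.append((net, instance_id))
    # Most specific prefix first, so a longer delegation wins on overlap.
    table.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return table

def node_for_address(table, address):
    """Return the instance ID whose delegated prefix contains address, else None."""
    ip = ipaddress.ip_address(address)  # raises ValueError on garbage input
    if ip.version != 6:
        return None  # Pods are single-stack IPv6; an IPv4 source is the node itself
    for net, instance_id in table:
        if ip in net:
            return instance_id
    return None

def addresses_per_prefix(table):
    """Map each delegated prefix to the number of addresses it contains."""
    return {str(net): net.num_addresses for net, _ in table}

if __name__ == "__main__":
    table = load_prefix_table(DESCRIBE_OUTPUT)
    # Constructed addresses: two inside delegated prefixes, one outside both.
    for addr in ("2600:1f16:11e6:8604:2c9a::5",
                 "2600:1f16:11e6:8603:bb16::1f",
                 "2600:1f16:11e6:8604::1"):
        print(addr, "->", node_for_address(table, addr))
    print(addresses_per_prefix(table))
```

An address that matches no delegated prefix, such as a node's own ENI address, returns None, which is a useful signal that the traffic did not originate from a Pod.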
Conclusion
Enabling IPv6 in Amazon EKS provides a virtually unlimited address space per node. Although Pods today are single-stack IPv6, understanding NAT64 translation and potential NAT bottlenecks is key to designing large-scale, dual-stack clusters.