Blog ENG - AWS - Post 7 2025
There’s a moment in every transformation program where the technical debt stops being an inconvenient speed bump and becomes a hard blocker. For years, IPv4 on the “outside” of IPSec tunnels has been exactly that, especially for teams aiming at IPv6‑only mandates or trying to conserve scarce public IPv4. With AWS Site‑to‑Site VPN now supporting IPv6 on the outside IPs, that blocker finally moves out of the way.
What actually changed: plain and simple
AWS now lets you configure IPv6 addresses for the outer tunnel endpoints of Site‑to‑Site VPN, not just the inner tunnel addresses. Practically, this means you can build pure IPv6 VPN connections end‑to‑end, avoiding the awkward IPv6→IPv4→IPv6 translation dance many architectures had to perform. It also helps teams under IPv6‑only mandates align their connectivity with policy and compliance expectations.
Key points you’ll care about:
- Dual support: Outer tunnel IPs can be IPv6, and inner traffic can be either IPv6 or IPv4 (but not both in the same connection). If you need both, plan on separate VPN connections for IPv4 and IPv6 inner traffic.
- Scope: IPv6 outer tunnel IPs are supported only when the VPN terminates on a Transit Gateway (TGW) or Cloud WAN. Virtual private gateways do not support IPv6 on the outside.
- Availability: The capability is offered across most commercial and GovCloud (US) Regions, with a launch caveat excluding Europe (Milan) at announcement time.
Why this matters (beyond the headline)
From an IT strategy lens, three benefits stand out:
- Address conservation & cost: Public IPv4 scarcity is very real. By using IPv6 for the outer tunnel, you avoid consuming public IPv4 on both ends of the tunnel. Moreover, on AWS, IPv6 outer tunnel IPs carry no public‑IPv4 addressing cost. That’s cleaner design and less budget friction.
- Operational simplicity: Removing v4/v6 cross‑addressing schemes simplifies routing, policies, and troubleshooting. You can keep your stack “one‑protocol‑deep” where it counts (especially helpful for teams moving decisively to IPv6‑only).
- Compliance alignment: Regulated sectors pushing for IPv6‑only networking finally have an outside‑IPv6 option on managed VPN, which reduces the number of exceptions you need to carry through audits.
Design patterns that work (and the ones that don’t)
- IPv6‑only outside, IPv6 inside: Ideal when your TGW/Cloud WAN and on‑prem are both IPv6‑ready. Keep routing clean; exchange IPv6 routes via BGP; validate MTU. IPSec behavior and throughput/packet‑rate match IPv4 VPNs, so performance expectations remain stable.
- IPv6‑outside with IPv4 inside: Useful during phased migrations: you preserve IPv4 application payloads inside the tunnel while moving your transport layer to IPv6. Again, remember the “one inner protocol per connection” rule.
- What to avoid: Don’t expect outside‑IPv6 support on virtual private gateways, it’s not there. And private‑IP (NATed) VPNs don’t support IPv6 outer addresses; those scenarios remain IPv4‑oriented.
A pragmatic migration playbook (from the field)
- Inventory & readiness: Confirm your regions and termination targets (TGW or Cloud WAN) support the feature; note the original launch exception for Europe (Milan). Check device OS/firmware for stable IPv6 IPSec/BGP.
- Plan separate connections: If you carry both IPv4 and IPv6 application traffic, design two VPN connections. Keep routing policies and monitoring distinct to avoid confusion.
- Allocate outside IPv6 on both ends: You must assign IPv6 addresses to both the AWS side and your customer gateway (for both tunnels in the VPN connection). Treat addressing and ACLs as first‑class IPv6 citizens.
- Create new, not convert: You can’t enable IPv6 on an existing connection. Build new IPv6‑outside VPNs, test, then cut traffic over and retire the legacy ones. This reduces incidental downtime and configuration drift.
- BGP & routes: Exchange routes over BGP where possible; keep IPv4 and IPv6 route advertisements scoped to the right connections. Validate failover behavior across the two tunnels.
- Test end‑to‑end: Validate reachability, MTU, and IPSec stability with real application flows (not just ping). Performance characteristics are parity with IPv4, but confirming with payloads catches edge cases early.
Common questions I’m hearing
- “Will this break my monitoring or runbooks?”
Not if you separate runbooks per connection and clearly label metrics/alerts as IPv4‑inner vs IPv6‑inner. The transport outside being IPv6 doesn’t change IPSec semantics. - “Do I still need NAT64 or 464XLAT?”
If you’re aiming for IPv6‑only and your applications are truly IPv6‑aware, outside‑IPv6 support helps avoid translation layers. Where IPv4‑only apps persist, keep dual paths with clear demarcation. - “Any performance surprises?”
None expected specific to IPv6: throughput, PPS, MTU, and route limits are the same as IPv4 VPNs. Focus your performance testing on application payloads and path MTU discovery.
Final thoughts
For me, this update isn’t just a nice‑to‑have, it’s a strategic unlock. By putting IPv6 on the outside of AWS Site‑to‑Site VPN, you can finally align connectivity with your addressing principles instead of bending designs around IPv4 scarcity. That means cleaner architectures, simpler operations, and one fewer reason to postpone an IPv6‑first roadmap.
If you’re moving now, keep it pragmatic: stand up new connections rather than retrofitting old ones, and separate IPv4 and IPv6 inner traffic so routes, runbooks, and alerts stay unambiguous. Treat BGP policy and monitoring as first‑class work items, not afterthoughts. These small choices compound into stability, especially during cutovers.
The bigger picture is about momentum. Start with a pilot between a TGW or Cloud WAN and one well‑understood on‑prem segment, prove the path, and socialize the wins. From there, scale with confidence – knowing performance parity holds and regional nuances are manageable – and let IPv6 become the default rather than the exception in your network portfolio.