Introduction

This article covers how to add IPv6 to a load balancer on Google Cloud and create the correct DNS resource records. Google Compute Engine does not support IPv6, so this requires that a Google HTTP Load Balancer (and family of services) is serving traffic for the backend instances.

This article also shows how to configure IPv6 DNS resource records for both Google Domains and Google Cloud DNS. We will also test IPv6 and discuss some common warnings.

What is IPv6?

The most popular protocol on the Internet today is IP version 4 (IPv4). This is the IP in TCP/IP. IPv4 is the protocol that everyone thinks of when provisioning both internal and public computing systems and devices. IPv4 addresses are 32-bit wide providing for over 4 billion unique addresses. The specification reserves some of these address ranges for private networks.

IP version 6 (IPv6) is sometimes called The Next Generation Internet. However, adoption has been slow. IPv6 addresses are 128-bits wide providing approximately 3.4×10^38 (340 undecillion) (340 billion billion billion billion) addresses.

Long ago, everyone assumed that we would run out of IPv4 addresses. This has not happened yet, but this will happen. The cloud will definitely contribute to IPv4 address exhaustion.

The FCC has a nice document that describes IPv6 in easy-to-understand concepts: Internet Protocol Version 6: IPv6 for Consumers. Tim Peterson also wrote a nice article: WTF is IPv6? Catchy title.

Is IPv6 important?

Yes. IPv6 is very important to the long-term health of the Internet. This article is my contribution to making this happen for Google Cloud.

VPCs do not Support IPv6 Traffic

This is an important point to understand. You cannot configure IPv6 inside your Google Cloud network. You can only configure IPv6 for externally facing services managed by Google Cloud.

Google Cloud VPC networks only support IPv4 unicast traffic. VPC networks do not support broadcast, multicast, or IPv6 traffic.

This also means you cannot create VPC firewall rules for IPv6. Google Cloud Armor supports both IPv4 and IPv6 allow and deny list rules.

Prerequisites

You will need the correct permissions and have access to change the configuration for the following services:

  • Google Cloud VPC External IP addresses
  • DNS Server
  • Google HTTP Load Balancer

This article assumes that you already have a Google HTTP Load Balancer configured and running in the cloud. I also assume that you have a correctly setup DNS server for your domains.

This article covers two of my domains jhanley.com and jhanley.dev. The first is with Google Cloud DNS, the second Google Domains. I will show the setup for both DNS servers.

Google Cloud HTTP Load Balancer

Google Cloud supports IPv6 for HTTP, SSL Proxy and TCP Proxy Load Balancing. The load balancer accepts IPv6 connections from clients, then proxies these connections to your instances over IPv4.

Important points

Source: IPv6 Termination for HTTP(S), SSL Proxy, and TCP Proxy Load Balancing

  • Use a single anycast IPv6 address for multi-region deployment: You only need one load balancer IPv6 address for application instances running across multiple regions. This means that your DNS server has a single AAAA record and that you need not load balance among multiple IPv6 addresses. Caching of AAAA records by clients is not an issue since there’s only one address to cache. User requests to the IPv6 address are automatically load balanced to the closest healthy instance with available capacity.
  • Load balance HTTP, HTTPS, HTTP/2, TCP, and SSL/TLS IPv6 client traffic.
  • Overflow across regions with a single IPv6 load balancer address: If instances in one region are out of resources or unhealthy, the global load balancer automatically directs requests from users to the next closest region with available resources. Once the closest region has available resources, global load balancing reverts back to serving via this region. Global load balancing requires that you use the Premium Tier of Network Service Tiers.
  • Run dual stack: To serve both IPv6 and IPv4 clients, create two load balancer IP resources—one for IPv6 and the other for IPv4—and associate both with the same IPv4 application instances. IPv4 clients connect to the IPv4 address while IPv6 clients connect to the IPv6 address. These clients are then automatically load balanced to the closest healthy instances with available capacity. We provide IPv6 forwarding rules without charge, so you pay for only the IPv4 ones.

Allocate an External IPv6 Address

Before changing our HTTP load balancer, we need to allocate an IPv6 static address. Allocating an address is easy, but sometimes it takes a while for the address to provision. Complete this step and grab some fresh coffee …

Go to the Google Cloud Console -> VPC network -> External IP addresses. Click on “Reserve Static Address”. Fill in the details for your network, but make certain you select IPv6 under “IP version”. Click Reserve and wait for the IPv6 address to provision.

Save the IPv6 address. We will need this later to configure the DNS servers and the HTTP load balancer.

IPv4 and IPv6 addresses are free while assigned to an instance. They are $0.01 per hour if not assigned.

This screenshot shows the reservation of an IPv6 static address. Note that IPv6 addresses are always global. You cannot reserve a regional IPv6 address. Regional addresses are typically used with Google Compute Engine instances.

HTTP Load Balancer – Configure IPv6

Go to the Google Cloud Console -> Network services -> Load balancing.

Select your load balancer. In my case, I click on “jhanley” under Name. This brings up a screen that displays details on my HTTP Load Balancer configuration.

Click on EDIT. This will bring up the “Edit HTTP(S) load balancer” screen. Since the frontend of our load balancer manages IPv6 and not the backend, select “Frontend configuration”.

Refer to the next screenshot. I have two protocols configured. One for HTTP and another for HTTPS. Both protocols are configured with IPv4. Now we will create new frontends configured for IPv6. Click “Add Frontend IP and Port”.

Complete the “New Frontend IP and port” form. Select “HTTP” for the protocol, “IPv6” for the IP version, the IPv6 address we created above for the IP address and 80 for the Port. Click Done.

Refer to the next screenshot. Click “Add Frontend IP and Port” again. This time we will create an HTTPS frontend. Notice I have selected four certificates, one for each domain: jhanley.com, www.jhanley.com, jhanley.dev, www.jhanley.com.

Select “HTTPS” for the protocol, “IPv6” for the IP version, the IPv6 address we created above for the IP address and 443 for the Port. Click Done.

In the following screenshot, notice the four listeners. Two for port 80 (IPv4 and IPv6) and two for port 443 (IPv4 and IPv6).

Review everything. Once you are satisfied everything is correct, click “Update”.

Go back to the Google Cloud Console -> Network services -> Load balancing. Wait for the changes to provision. You will see a green checkbox.

Configure Google Domains

This step configures Google Domains. The steps are nearly identical for most DNS servers. If you are using Google Cloud DNS, go to the next major step.

I never noticed this before but Google has its own root domain: .google just like .com.

Go to the Google Domains console: https://domains.google/.   Click “Manage My Domains” in the top right.

My page looks like this:

Click on “Manage” for the desired domain. We will now configure this domain for IPv6. This brings up a panel. Select “DNS”. Scroll down to the section titled “Custom resource records”. Your screen should look like this:

We will add two resource records. One for the root (@) and one for www. Both will be AAAA resource records. Both resource records use the same IPv6 address.

The first resource record looks like this. Click Add.

The next one for www:

The minimum Time-To-Live (TTL) for Google Domains is one hour. This means that if you make a mistake, you will need to wait up to an hour to see any changes you make if you need to edit after add. Make sure your entries are correct before clicking Add.

Wait a few minutes, something like five or ten for the new records to provision.

The Internet has several tools to test your server’s IPv6 support. I use  https://ready.chair6.net/ to test my domains for IPv6.

Below is the result for jhanley.dev. Everything has a PASS.

Run the test on the www domain: www.jhanley.dev. Notice that the results are different. I have three warnings. After the screenshot, I will discuss each one.

Warning: Could not resolve nameservers for hostname www.jhanley.dev.

This is normal. www is a resource record to the domain jhanley.com. Normally you do not assign name servers unless you want www.jhanley.dev to be a full subdomain with its own DNS servers.

Warning: Hostname www.jhanley.dev does not have MX records.

This is normal. Standard practice is to have the domain jhanley.dev handle the records for the email server as email normal goes to username@jhanley.dev. However, if we had set up www.jhanley.dev to be a full domain then we would also set up email on that subdomain. Example: username@www.jhanley.dev.

Warning: Could not resolve nameservers for hostname www.jhanley.dev.

This is normal. Our name servers are not located inside jhanley.dev. For example, let’s say that we were hosting our own DNS servers for our domain jhanley.dev. Our name servers use the pattern ns1.jhanley.dev, ns2.jhanley.dev, etc. The issue is that there is a circular reference.

To resolve the domain name, DNS would query in this order: root, TLD nameserver, and authoritative nameserver. By having the authoritative nameservers inside the domain itself, these nameservers cannot be found without help.

DNS Glue records provide an A record that is authoritative for the nameserver avoiding the circular reference. Since we are using Google’s DNS servers, no circular reference is present. Also, since we do not control Google’s DNS servers, we do not know what the authoritative IPv4 addresses are to remove the warning.

Configure Google Cloud DNS

In the previous section I setup IPv6 for my domain jhanley.dev and www.jhanley.dev which is managed by Google Domains. Now I will configure IPv6 for jhanley.com and www.jhanley.com which is managed by Google Cloud DNS.

Go to the Google Cloud Console -> Network services -> Cloud DNS. Click on the Zone name you want to configure. I am not including a screenshot of this step to keep my records private.

In the screen for “Zone details” click on “Add record set”.

I will configure the AAAA record for the root “jhanley.com”. Configure records in a similar way. Select AAAA for the Resource Record Type. Enter the IPv6 address. Change the TTL to 1 hour, or your desired Time-To-Live. Click Create.

Click Add record set again. I will now configure the AAAA record for “www.jhanley.com”. Enter www for the DNS name. Select AAAA for the Resource Record Type. Enter the IPv6 address. Change the TTL to 1 hour, or your desired Time-To-Live. Click Create.

Wait a few minutes, something like five or ten for the new records to provision.

The Internet has several tools to test your server’s IPv6 support. I use  https://ready.chair6.net/ to test my domains for IPv6.

Below is the result for jhanley.com. Everything has a PASS.

Run the test on the www domain: www.jhanley.dev. Notice that the results are different. I have three warnings. After the screenshot, I will discuss each one.

Warning: Could not resolve nameservers for hostname www.jhanley.com.

This is normal. www is a resource record to the domain jhanley.com. Normally you do not assign name servers unless you want www.jhanley.com to be a full subdomain with its own DNS servers.

Warning: Hostname www.jhanley.com does not have MX records.

This is normal. Standard practice is to have the domain jhanley.com handle the records for the email server as email normal goes to username@jhanley.dev. However, if we had set up www.jhanley.com to be a full domain then we would also set up email on that subdomain. Example: username@www.jhanley.com.

Warning: Could not resolve nameservers for hostname www.jhanley.com.

This is normal. Our name servers are not located inside jhanley.com. For example, let’s say that we were hosting our own DNS servers for our domain jhanley.com. Our name servers use the pattern ns1.jhanley.com, ns2.jhanley.com, etc. The issue is that there is a circular reference.

To resolve the domain name, DNS would query: root, TLD nameserver, and authoritative nameserver. By having the authoritative nameservers inside the domain itself, these nameservers cannot be found without help.

DNS Glue records provide an A record that is authoritative for the nameserver avoiding the circular reference. Since we are using Google’s DNS servers, no circular reference is present. Also, since we do not control Google’s DNS servers, we do not know what the authoritative IPv4 addresses are to remove the warning.

Summary

This article discussed IPv6 in Google Cloud. I created a global IPv6 address in Google Cloud, setup IPv6 in my Google Load Balancer and configured both Google Domains and Google Cloud DNS to resolve IPv6 AAAA record requests. Then I tested that IPv6 works correctly for the four domain names.

This article is not a deep dive into IPv6 on Google Cloud. There are several limitations I hope Google will resolve in the future. However, as a customer facing load balancer, I now fully support IPv6 for my domains.

 

Date created: May 11, 2019
Last updated: May 11, 2019