We first launched our “floating” Cloud IPs feature over 10 years ago with IPv4-only public addresses, enabling customers to decouple their applications from public IP addresses and reduce the dependency on updating DNS entries.
In 2017 we added basic IPv6 support which effectively made Cloud IPs dual stack and enabled customers to use floating IPv6 addresses for incoming traffic with the limitation that outgoing IPv6 connections would still use the server’s own static IPv6 address. The intention was to do as little NAT-ing as necessary since IPv6 was supposed to help free us from the complexity of NAT!
But this can make running dynamic systems more difficult. For example, if you’re maintaining IPv6 firewall rules on 3rd party systems you need to update them any time you move a Cloud IP. Or if you’re running an SMTP server, you need to update your SPF DNS records whenever you move Cloud IPs around.
So we think it’s time for us to accept the fact that NAT isn’t going away and can serve a useful purpose!
As Kernel developer David S. Miller commented back in 2011:
People want to hide the details of the topology of their internal networks, therefore we will have NAT with ipv6 no matter what we think or feel. Everyone needs to stop being in denial, now.
So we’re changing the behaviour of Cloud IPs so when they are mapped to a Cloud Server, outgoing connections from that server’s primary IPv6 address will get translated to the IPv6 address of the Cloud IP. By “primary” IPv6 address we mean the SLAAC-configured IPv6 address of the server, which for most configurations means the IPv6 address of the first Cloud IP mapped to the Cloud Server.
For example, you can find the primary IPv6 address of a server using the IPv6 DNS record:
$ host ipv6.srv-a7ke8.gb1.brightbox.com
ipv6.srv-a7ke8.gb1.brightbox.com has IPv6 address 2a02:1348:178:aa1d:24:19ff:fee2:a876
And you can find the IPv6 address of a Cloud IP using its DNS name:
$ host cip-9fx19.gb1.brightbox.com
cip-9fx19.gb1.brightbox.com has address 18.104.22.168
cip-9fx19.gb1.brightbox.com has IPv6 address 2a02:1348:ffff:ffff::6d6b:280a
So in this case, outgoing connections from the server with identifier srv-a7ke8 with the Cloud IP cip-9fx19 mapped to it will change from
Just as with IPv4, if you have multiple Cloud IPs mapped to a server, the first Cloud IP’s IPv6 address is used for outgoing connections.
Outgoing IPv6 connections that stay internally within our network will not be modified by NAT, so a Brightbox server connecting to another Brightbox server over IPv6 will always keep its own static IPv6 address.
This change will be rolled out at 12pm on the 1st of December 2021. From this time, any new Cloud IP mappings to a Cloud Server will change its outgoing IPv6 address behaviour. The behaviour of existing Cloud IP mappings might not change on the 1st November, but could at any time in the future during the course of regular network maintenance, so older behaviour shouldn’t be relied on.
Only customers whose applications or external services currently reference the static IPv6 address of a Cloud Server will be affected.
If your Cloud Servers don’t have any Cloud IPs mapped, aren’t using the primary IPv6 address, or have IPv6 privacy extensions enabled (which randomise IPv6 addresses) then your connections will not be affected and nothing will change.
As above, this change won’t affect most customers, but if you have any 3rd party services that reference a Cloud Server’s static IPv6 address, such as offsite firewall rules, you’ll need to update them to add your Cloud IP’s IPv6 address.
If you’re running an SMTP service that sends outgoing mail via IPv6, then you’ll need to update any relevant SPF records.
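One way to check an SPF record or an offsite firewall allowlist against the new outgoing address. This is an added example, not Brightbox tooling: the two addresses come from the host output above, while the SPF string, the allowlist entries and the function names are constructed for illustration.

```python
import ipaddress

# Addresses from the host output in this post.
SERVER_STATIC = ipaddress.ip_address("2a02:1348:178:aa1d:24:19ff:fee2:a876")  # srv-a7ke8
CLOUD_IP_V6 = ipaddress.ip_address("2a02:1348:ffff:ffff::6d6b:280a")          # cip-9fx19

# Constructed sample inputs (this SPF policy and allowlist are made up).
SPF_RECORD = "v=spf1 ip4:192.0.2.10 ip6:2a02:1348:178:aa1d:24:19ff:fee2:a876 -all"
FIREWALL_ALLOWLIST = ["2a02:1348:178:aa1d::/64", "2001:db8:40::/48"]


def spf_ip6_networks(record):
    """Return the CIDRs authorised by pass-qualified ip6: mechanisms."""
    nets = []
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?")
        if qualifier == "+" and mech.lower().startswith("ip6:"):
            # A bare address becomes a /128; host bits in a prefix are tolerated.
            nets.append(str(ipaddress.ip_network(mech[4:], strict=False)))
    return nets


def audit_egress(networks, old=SERVER_STATIC, new=CLOUD_IP_V6):
    """Classify a list of CIDR strings against the old and new source address."""
    nets = [ipaddress.ip_network(n, strict=False) for n in networks]
    old_ok = any(old in n for n in nets)
    new_ok = any(new in n for n in nets)
    if new_ok:
        return "ok"  # the Cloud IP address is already authorised
    # Only lists that reference the static address need the Cloud IP added.
    return "add-cloud-ip" if old_ok else "not-referenced"


if __name__ == "__main__":
    print("SPF:     ", audit_egress(spf_ip6_networks(SPF_RECORD)))
    print("firewall:", audit_egress(FIREWALL_ALLOWLIST))
```

A result of `add-cloud-ip` means the list still authorises only the server’s static address, so the Cloud IP’s IPv6 address should be added alongside it rather than swapped in, since existing mappings may keep the older behaviour for a while.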
If you have any questions about this forthcoming change, please do get in touch and we’ll be happy to help.