Instance types

Standard AWS EC2 virtual machine instances do not support nested-KVM, so do not use these.

You will need to use the x86_64 "bare metal" instance types, such as c5n.metal. These are expensive, typically $93-$143 per day depending on the geographic region, but massively powerful (e.g. 72 cores) and run the emulation amazingly quickly. We have used them in live workshops successfully.

Being real servers, they take about 5 minutes to boot. EBS is supported for the instance storage.


Do not select the ARM/Graviton-based metal servers, such as a1.metal or c6g.metal

Enabling IPv6

AWS has full support for IPv6. Enabling it allows students to access the platform over IPv6, which may work better than IPv4 in areas of the world which are heavily NAT'd. It also allows the lab VMs to make outbound IPv6 access, such as traceroute6.

Configure VPC

Go to service "VPC" and select your VPC.

VPC details

Select Actions > Edit CIDRs

Edit CIDRs

Click on "Add new IPv6 CIDR"


Leave radio button "Amazon-provided IPv6 CIDR block" selected, and click "Select CIDR"

This will assign a /56 block of IPv6 space to your VPC.

Configure subnets

Still in service "VPC", select "Subnets". Normally this will show three subnets, one for each availability zone in the region.

List subnets

You now need to do the follow set of steps for each subnet in turn.

Check one subnet, and then select Actions > Edit IPv6 CIDRs

Edit IPv6 CIDRs

Click the button "Add IPv6 CIDR"


This will show your prefix with a box where you can enter two hex digits for the 8 bits of the prefix that you can set, between 00 and ff.

If this is the first subnet, enter 00 (if it's the second subnet, enter 01 etc). Click Save.

When you have completed all the subnets, it should look like this:

List subnets after completion

Configure routing table

Still in service "VPC", select "Routing tables"

Routing tables

You should have one routing table selected. Click "Edit routes", add a new route to ::/0, and select your internet gateway (igw-XXXX) as the target from the dropdown.

Add IPv6 default route

Click "Save routes"

Configure instances

If you have any existing EC2 instancs, you can add IPv6 addresses for them, even while they are running.

Go to service "EC2" and select "Instances"

List instances

Select one instance, then using the multi-level menu select Actions > Networking > Manage IP addresses

Instance actions menu

Under IPv6 addresses, click button "Assign new IP address"

Manage IP addresses

An IPv6 address box will appear - leave it blank, commented "Auto-assign"

Assign new IP address

Click Save. You will get a confirmation box:

Confirm add IP address

When you've done this for all instances, click the refresh button in the instance list, and you should see the addresses in the IPv6 column.

List instances after completion

Modern instances, like Ubuntu, should automatically pick up the IPv6 address when running, and will be visible using ip -6 addr list

Configure security groups

The final step is to update security groups on instances so that inbound IPv6 access is permitted.

For each instance, find what security group it uses. Then navigate to "Security Groups" and select the appropriate group.

Security group details

Examine "Inbound rules". If there is a rule that allows but not one that allows ::/0 then you will need to edit it.

Click "Edit inbound rules"

Edit rules

You can now either add a new rule, or add ::/0 to the existing rule(s) which allow

Click "Save rules"

After completion it will look like this:

Security group details after edit

Check Outbound rules too, to ensure that outbound access to ::/0 (i.e. all the IPv6 internet) is allowed.

Update DNS

Test from the outside that you can ping the instance on its IPv6 address, and connect on ports 80 and 443.

Finally you can add the main and wildcard AAAA records. If you currently have       A     ....
*   A     ....

then you would also add:       AAAA  .......
*   AAAA  .......