GCP – Accelerate your IPv6 journey: Introducing DNS64 and NAT64 for the Cross-Cloud Network
We introduced Cross-Cloud Network to help organizations transform hybrid and multicloud connectivity, and today, many customers are using it to build distributed applications across multiple clouds, on-premises networks, and the internet. A key aspect of this evolution is the ability to scale with IPv6 addressing. However, the transition from IPv4 to IPv6 is a gradual process creating a coexistence challenge: How do IPv6-only devices reach services and content that still resides on IPv4 networks?
To ensure a smooth transition to IPv6, we’re expanding our toolkit. After launching IPv6 Private Service Connect endpoints that connect to IPv4 published services, we are now introducing DNS64 and NAT64. Together, DNS64 and NAT64 form a robust mechanism that translates communication, allowing IPv6-only environments in Google Cloud to interact with legacy IPv4 applications on the internet. In this post, we explore the vital role DNS64 and NAT64 play in making IPv6 adoption practical and efficient, removing the dependency on migrating legacy IPv4 services to IPv6.
The importance of DNS64 and NAT64
While dual-stack networking assigns both IPv4 and IPv6 addresses to a network interface, it doesn’t solve the pressing issues of private IPv4 address exhaustion or the increasing push for native IPv6 compliance. For major enterprises, the path toward widespread IPv6 adoption of cloud workloads involves creating new single-stack IPv6 workloads without having to migrate legacy IPv4 applications and services to IPv6. Together, DNS64 and NAT64 directly address this requirement, facilitating IPv6-to-IPv4 communication while maintaining access to existing IPv4 infrastructure.
This IPv6-to-IPv4 translation mechanism supports several critical use cases.
- Enabling IPv6-only networks: As IPv4 addresses become increasingly scarce and costly, organizations can build future-proof IPv6-only environments, with DNS64 and NAT64 providing the essential translation to access remaining IPv4 services on the internet.
- Gradual migration to IPv6: This allows organizations to gradually phase out IPv4 while guaranteeing their IPv6-only clients can still reach vital IPv4-only services.
- Supporting legacy applications: Many critical business applications still rely solely on IPv4; these new services ensure they remain accessible to IPv6-only clients, safeguarding ongoing business operations during the transition.
How does it work?
An IPv6-only workload begins communication by performing a DNS lookup for the hostname of the service it wants to reach. If a AAAA record exists, an IPv6 address is returned and the connection proceeds directly over IPv6.
However, if DNS64 is enabled and no AAAA record can be found, the resolver instead queries for an A record. Once an A record is found, DNS64 constructs a synthesized IPv6 address by combining the well-known 64:ff9b::/96 prefix with the IPv4 address obtained from the A record, placing the IPv4 address in the low 32 bits.
The NAT64 gateway recognizes that the destination address is part of the 64:ff9b::/96 range. It extracts the original IPv4 address from the low 32 bits of the IPv6 address and initiates a new IPv4 connection to the destination, using the NAT64 gateway’s own IPv4 address as the source. Upon receiving a response, the NAT64 gateway prepends the 64:ff9b::/96 prefix to the response packet’s source IP and forwards it back to the IPv6-only client.
Here’s a diagram of the above-mentioned scenario:
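The DNS64 synthesis and the NAT64 address extraction described above, as an added example that is not part of the original post or of Google Cloud's implementation. It uses a constructed in-memory DNS zone in place of a real resolver and applies the RFC 6052 rule that the well-known prefix must not carry non-global IPv4 addresses, checked here against the RFC 1918 ranges.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# RFC 6052 well-known NAT64 prefix that DNS64 uses for synthesized answers.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

# RFC 6052 s3.1 forbids embedding non-global IPv4 under the well-known prefix;
# this example enforces that for the RFC 1918 private ranges.
PRIVATE_V4 = [ipaddress.IPv4Network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def synthesize(ipv4: str) -> str:
    """DNS64 step: embed an IPv4 address in the low 32 bits of 64:ff9b::/96."""
    v4 = ipaddress.IPv4Address(ipv4)
    if any(v4 in net for net in PRIVATE_V4):
        raise ValueError(f"{ipv4} is private; not allowed under 64:ff9b::/96")
    v6 = ipaddress.IPv6Address(int(NAT64_PREFIX.network_address) | int(v4))
    return str(v6)


def extract(ipv6: str) -> Optional[str]:
    """NAT64 step: recover the IPv4 destination if the address is in the prefix."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in NAT64_PREFIX:
        return None  # native IPv6 destination; the gateway does not translate it
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))


# Constructed stand-in for the records a resolver would fetch; not real hosts.
ZONE: Dict[str, Dict[str, str]] = {
    "dual.example": {"AAAA": "2001:db8::10", "A": "192.0.2.10"},
    "v4only.example": {"A": "198.51.100.7"},
    "nothing.example": {},
}


def dns64_resolve(name: str, zone=ZONE) -> Optional[Tuple[str, bool]]:
    """Return (ipv6_address, synthesized) following the lookup order in the text."""
    rr = zone.get(name, {})
    if "AAAA" in rr:
        return rr["AAAA"], False  # native AAAA wins; nothing is synthesized
    if "A" in rr:
        return synthesize(rr["A"]), True  # fall back to A and synthesize
    return None  # no A or AAAA: NXDOMAIN/NODATA passes through unchanged
```

Note that `extract` returning None is the normal path for native IPv6 traffic: only destinations inside 64:ff9b::/96 are handed to the IPv4 side.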
Getting started with DNS64 and NAT64
You can set up IPv6-only VMs with DNS64 and NAT64 in three steps:
- Create the VPC, subnets, VMs and firewall rules
- Create a DNS64 server policy
- Create a NAT64 gateway
Step 1: Create VPC, subnets, VMs, and firewall rules
1.1 Create a VPC:
```sh
gcloud compute networks create test-vpc \
  --project=dns64-and-nat64-testing \
  --subnet-mode=custom \
  --mtu=1500 \
  --bgp-routing-mode=global \
  --bgp-best-path-selection-mode=legacy
```
1.2 Create an IPv6-only subnet and VM
- Create an IPv6-only subnet:
```sh
gcloud compute networks subnets create public-v6-only-subnet \
  --network=test-vpc \
  --project=dns64-and-nat64-testing \
  --stack-type=IPV6_ONLY \
  --ipv6-access-type=external \
  --region=us-east1
```
- Create an IPv6-only instance:
```sh
# --zone takes a zone name (for example us-east1-b), not the region us-east1
gcloud compute instances create v6-only-vm-in-public-v6-only-subnet \
  --subnet public-v6-only-subnet \
  --stack-type IPV6_ONLY \
  --zone us-east1-b \
  --project=dns64-and-nat64-testing
```
1.3 Create firewall rules to allow SSH access into the VMs from your environment:
```sh
# A VPC firewall rule carries either IPv4 or IPv6 ranges, not both; this rule
# covers IPv6. ::/0 admits SSH from any IPv6 source, so narrow
# --source-ranges to your administrative networks.
gcloud compute firewall-rules create allow-v6-ssh \
  --network test-vpc \
  --priority 300 \
  --direction ingress \
  --action allow \
  --rules tcp:22 \
  --source-ranges ::/0 \
  --destination-ranges ::/0
```
Note: You might need to create additional or different rules for your environment to allow connectivity.
Step 2: Create a DNS64 server policy
Enable DNS64 policy:
```sh
gcloud dns policies create allow-dns64 \
  --networks=test-vpc \
  --enable-dns64-all-queries \
  --project=dns64-and-nat64-testing
```
This creates a DNS64 policy as shown below:
Step 3: Create a NAT64 gateway
3.1 Create a Cloud Router:
```sh
gcloud compute routers create nat64-router \
  --network=test-vpc \
  --region=us-east1 \
  --project=dns64-and-nat64-testing
```
The above command creates a Cloud Router as shown below:
3.2 Create a NAT64 gateway on the Cloud Router you created in the previous step:
```sh
gcloud beta compute routers nats create nat64-natgw \
  --router=nat64-router \
  --region=us-east1 \
  --auto-allocate-nat-external-ips \
  --nat64-all-v6-subnet-ip-ranges \
  --project=dns64-and-nat64-testing
```
This creates a Cloud NAT gateway as shown below:
And that’s it!
Together at last with DNS64 and NAT64
And with that, we hope that you now understand how to connect your IPv6-only workloads to IPv4 destinations by using DNS64 and NAT64. To learn more about enabling DNS64 and NAT64 for IPv6-only workloads, check out the documentation.