The adoption of IPv6 is increasing. So, at Oracle Cloud Infrastructure (OCI), we’re continuously and rapidly expanding our network capabilities for IPv6. With the latest development, we’re excited to announce Bring Your Own IP (BYOIP) support for IPv6. Readers who are interested in learning more about our overall IPv6 offerings are encouraged to read our previous IPv6-related blogs and documentation linked at the end of this blog.
BYOIP for IPv6 is an IPv6 address management solution that allows customers to import their own IPv6 global unicast addresses (GUA), defined in RFC 3587, to OCI and assign them to their OCI resources.
Like the IPv4 public addresses, the IPv6 GUA addresses are publicly routable. So, after importing your own IPv6 GUA address blocks into OCI, you can request Oracle to advertise these IPv6 address blocks to the internet on your behalf so that you can use these addresses to establish the internet connectivity from your virtual cloud networks (VCNs) in OCI.
On the other hand, BYOIP IPv4 addresses and BYOIP IPv6 addresses are used somewhat differently. BYOIP IPv4 public addresses are used exclusively for internet connectivity because they’re expensive and scarce, whereas GUA IPv6 addresses can be used for both internet connectivity and local east-west connectivity.
In addition to facilitating internet connectivity, you can use your BYOIP GUA IPv6 addresses to connect between resources hosted in OCI or to communicate with your on-premises networks if advertised by your dynamic routing gateway (DRG) over FastConnect circuits or VPN Connect tunnels.
When migrating their applications from on-premises to the cloud or when deploying new applications on the cloud, some customers need the ability to use their own GUA IPv6 addresses for several reasons. Many of these drivers are similar to the drivers for BYOIP for IPv4.
When running IPv6 in OCI, customers can always use GUA addresses allocated by Oracle. It’s convenient and requires the least amount of effort from them to manage the IPv6 addresses in their OCI networks. However, some customers prefer to use their own IPv6 addresses in the cloud and manage them themselves so that they can maintain a consistent IPv6 address scheme among their on-premises networks and their cloud networks. For example, a consistent IP address space can be preferable for hybrid or multicloud applications, or for migrating on-premises applications to the cloud.
A good IP reputation means that the site or service associated with the IP is trustworthy, so it has a lower risk of being flagged as spam or malicious on the internet. For customers who offer public online services, maintaining a strong IP reputation for their service platforms or websites is important.
When migrating these types of applications or services to the cloud, the customers prefer to keep the original IP addresses so that they can carry the IP reputation over to the cloud. This requirement started with IPv4 applications and services, but with the increasing adoption of IPv6, it’s as critical for IPv6 as for IPv4.
Some customers offer IPv6 applications or services to their partners or customers who have tight security policies and need to allowlist their IPv6 addresses in their firewalls to allow the network connectivity. A side effect of changing these applications’ IP addresses is that the partners or customers need to change their security postures to allow the new IPv6 addresses, which introduces another risk factor that can cause delays or interruptions to the business when OCI customers migrate their applications or services to OCI from their on-premises sites. Extending their original IPv6 address space onto the cloud network becomes preferable to them. BYOIP for IPv6 enables them to achieve this goal.
Some organizations are required to use their own IPv6 addresses for compliance and regulatory reasons. They can’t use the cloud provider-allocated address ranges. BYOIPv6 is a critical enabler for them to migrate or deploy their IPv6 applications on OCI.
In this scenario, BYOIP for IPv6 is a crucial capability that enables you to deploy IPv6 applications on OCI in full compliance with the regulations that you’re subject to. It provides the flexibility to accommodate the customers’ own IPv6 address plan and scheme, and it eases the migration of on-premises IPv6 applications to OCI.
You can import multiple IPv6 address blocks to your Oracle Cloud account. The imported address blocks are regional resources: VCNs can use them only in the region to which they’re imported, and Oracle advertises them from that region.
Working with BYOIP for IPv6 involves the following steps. The steps are similar to BYOIP for IPv4 but simplified because they don’t use IP address pools.
Import your own IPv6 prefixes to OCI.
Allocate the imported IPv6 prefixes for your VCNs and start to use them for your cloud resources.
First, prepare your own public IPv6 prefixes to be imported and meet the following prerequisites:
Ownership of the IPv6 prefixes must be assigned to you by one of the supported Regional Internet Registries (RIR): American Registry for Internet Numbers (ARIN), Réseaux IP Européens Network Coordination Centre (RIPE NCC), and Asia-Pacific Network Information Centre (APNIC). These RIRs manage, distribute, and register internet number resources, such as IPv4 and IPv6 address space and autonomous system (AS) numbers, within their respective regions.
The IPv6 prefixes to be imported must be /48 or larger. A /48 IPv6 prefix is the smallest IPv6 prefix that is allowed to be advertised to the Internet.
Next, initiate the import request with OCI. Like the BYOIP for IPv4 process, you can do this step in the IP Management section under the Networking tab in the Oracle Cloud Console.
When you start the import process, you receive a validation token for the IPv6 prefix. Add the validation token to the RIR account information associated with the IPv6 prefix address range. This change can take up to one day to take effect. Later, Oracle uses the token to validate the authentication of the ownership and the authorization of importing the IPv6 prefix to your OCI tenancy.
Next, create a route origin authorization (ROA) object with your RIR to authorize Oracle to advertise the BYOIP IPv6 prefixes from the corresponding OCI autonomous system number (ASN). The ASN for the Oracle commercial cloud is 31898. The government cloud ASNs can be found in the corresponding government cloud documents.
A ROA is a cryptographically signed object that states which ASN is authorized to originate a particular IP address prefix or set of prefixes. Without a ROA that names the Oracle ASN for the imported IPv6 prefixes, Oracle can’t advertise the IPv6 prefixes to the internet, so you can’t use the imported IPv6 prefixes for internet routing and connectivity.
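How a validating network evaluates the announcement against the ROAs that cover your prefix, following the route origin validation rules of RFC 6811. This is an added example, not Oracle's code; the 2001:db8::/32 prefixes and AS64500 are constructed documentation values standing in for your own prefix and ASN.

```python
import ipaddress
from typing import NamedTuple

OCI_COMMERCIAL_ASN = 31898  # Oracle commercial cloud ASN, as stated in the article
ON_PREM_ASN = 64500         # constructed: documentation ASN standing in for your own

class Roa(NamedTuple):
    prefix: ipaddress.IPv6Network
    max_length: int
    asn: int

def roa(prefix, max_length, asn):
    return Roa(ipaddress.ip_network(prefix), max_length, asn)

def validate_origin(route, origin_asn, roas):
    """Return 'valid', 'invalid' or 'not-found' for one announcement (RFC 6811)."""
    route = ipaddress.ip_network(route)
    # A ROA covers the route when the route equals or sits inside the ROA prefix.
    covering = [r for r in roas
                if r.prefix.version == route.version and route.subnet_of(r.prefix)]
    if not covering:
        return "not-found"
    for r in covering:
        # Valid needs a covering ROA with the same origin ASN and a route
        # no more specific than that ROA's maxLength.
        if r.asn == origin_asn and route.prefixlen <= r.max_length:
            return "valid"
    return "invalid"  # covered, but no ROA authorizes this origin and length

# Constructed sample data: a /48 from the 2001:db8::/32 documentation range.
BYOIP_PREFIX = "2001:db8:1234::/48"
ROAS_BEFORE = [roa(BYOIP_PREFIX, 48, ON_PREM_ASN)]
ROAS_AFTER = ROAS_BEFORE + [roa(BYOIP_PREFIX, 48, OCI_COMMERCIAL_ASN)]

if __name__ == "__main__":
    for label, roas in (("no ROA", []), ("on-prem ROA only", ROAS_BEFORE),
                        ("Oracle ROA added", ROAS_AFTER)):
        print(label, "->", validate_origin(BYOIP_PREFIX, OCI_COMMERCIAL_ASN, roas))
    # A route more specific than maxLength allows is invalid even from the right ASN.
    print("/56 ->", validate_origin("2001:db8:1234:ff00::/56",
                                    OCI_COMMERCIAL_ASN, ROAS_AFTER))
```

An existing ROA that names only your own ASN makes an announcement of the same prefix from AS31898 invalid, not merely unknown, and networks that enforce origin validation typically reject invalid routes.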
When both the token registration and the ROA are complete, you can return to the BYOIP screen in the Oracle Cloud Console to complete the submission of the IPv6 prefix import request by clicking the Finish Import button.
After receiving the customer’s IPv6 prefix import request, Oracle starts a workflow to verify the authentication of the IPv6 prefixes and the authorization of importing the IPv6 prefixes to your tenancy in OCI. When the validation is complete, which can take up to 10 business days, the imported IPv6 prefixes are valid and available for you to use. They can now be assigned in the same way as Oracle-allocated IPv6 addresses. For example, you can assign them to the subnets in the VCNs and to the OCI resources deployed in those subnets that need IPv6 addresses.
You can assign an entire imported IPv6 address block to a single VCN or further divide it into multiple subdivisions and assign the subdivision IPv6 prefixes to different VCNs in the same region. The Oracle Cloud Console UI makes this IPv6 prefix management easier by providing intelligent IPv6 address range calculation and assistance.
For example, if a customer has imported a /48 IPv6 address block and wants to divide it into multiple /56 prefixes for their VCNs, they submit this request in the Console UI. The Console lists all the /56 prefixes with their address ranges. After this initial carving, the customer can further divide an unused subdivision prefix into smaller prefixes for future use. Because the smallest IPv6 prefix that can be assigned to a VCN is /64, the smallest subdivision of the BYOIPv6 address block that customers are allowed to create is also /64. This limit provides built-in error protection for address management.
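The same carving can be planned offline before you import a block. The following is an added example, not the Console's own logic: the function names are hypothetical and the prefixes are constructed values from the 2001:db8::/32 documentation range.

```python
import ipaddress

MIN_IMPORT_LEN = 48  # an imported block must be /48 or larger
MAX_VCN_LEN = 64     # /64 is the smallest prefix a VCN can take

def check_import(block):
    """Reject blocks that do not meet the import size prerequisite."""
    net = ipaddress.ip_network(block)
    if net.version != 6 or net.prefixlen > MIN_IMPORT_LEN:
        raise ValueError(f"{net} is not an IPv6 /48 or larger")
    return net

def carve(parent, new_len, assigned=()):
    """Lazily yield the /new_len subdivisions of parent that are still unused.

    'assigned' lists prefixes already given to VCNs; any subdivision that
    overlaps one of them is skipped, whatever its size.
    """
    parent = ipaddress.ip_network(parent)
    if not parent.prefixlen <= new_len <= MAX_VCN_LEN:
        raise ValueError(f"subdivision /{new_len} must fit in {parent} and be /64 or larger")
    used = [ipaddress.ip_network(a) for a in assigned]
    for a in used:
        if not a.subnet_of(parent):
            raise ValueError(f"{a} lies outside {parent}")
    # Validation above runs eagerly; the result is lazy because a large block
    # cut into /64s can hold billions of subdivisions.
    return (s for s in parent.subnets(new_prefix=new_len)
            if not any(s.overlaps(a) for a in used))

if __name__ == "__main__":
    block = check_import("2001:db8:1234::/48")        # constructed prefix
    in_use = ["2001:db8:1234::/56", "2001:db8:1234:100::/64"]
    free = list(carve(block, 56, in_use))
    print(len(free), "free /56 prefixes, first:", free[0])
    # Further divide the first unused /56 into /64s for later use.
    print("first /64 inside it:", next(carve(free[0], 64)))
```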
The BYOIPv6 prefix management UI also reflects the usage status of each subdivision IPv6 prefix: whether it’s assigned to a VCN and which VCN it’s assigned to. The following screenshot shows an example of this BYOIPv6 prefix management assistance. It turns IPv6 prefix management, which could be painful, into an easy task.
You can use the BYOIPv6 prefixes to provision your existing or new IPv4 and IPv6 dual-stack VCNs. When configuring the IPv6 prefix for a VCN, instead of using an Oracle-allocated IPv6 prefix, you now have a new option of assigning a BYOIPv6 prefix to the VCN.
After assigning a BYOIPv6 prefix to a VCN, you can start to use the addresses in this prefix to provision the subnets, the virtual network interface cards (VNICs), the network load balancers, the application load balancers, and all IPv6-capable gateways in the VCN. As with Oracle-assigned IPv6 prefixes, an IPv6-enabled subnet must have a /64 IPv6 prefix. The only difference is that, when using BYOIPv6 addresses, the /64 IPv6 prefix is taken from the VCN’s BYOIPv6 prefix address range instead of from an Oracle-owned IPv6 address range.
You can use the imported BYOIPv6 prefixes for internet connectivity and the cloud internal network connectivity. To use them for internet routing, request Oracle to advertise these IPv6 prefixes from the OCI ASN. You can submit the request to Oracle after the import process for the BYOIPv6 address block is completed. You can also advertise these IPv6 prefixes to your on-premises networks through either FastConnect or VPN tunnels so that you can establish the hybrid cloud connectivity between your OCI network and on-premises networks.
The following diagram shows an example of VCN IPv6 prefixes configuration using a BYOIP IPv6 address block:
With the support for BYOIPv6, OCI makes it easier for our customers to migrate their IPv6 applications to the cloud or to deploy new IPv6 applications in the cloud. It reduces interruption by avoiding address changes and security policy modifications. It also allows customers to carry over their good IP reputation to the cloud.
For more information about the BYOIP functionality on Oracle Cloud Infrastructure, see the following resources: