Containers-roadmap: [Fargate] [request]: Support IPv6 in ECS on EC2 and Fargate

Created on 5 Mar 2020 · 6 Comments · Source: aws/containers-roadmap

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request
Support IPv6 egress for Fargate containers

Which service(s) is this request for?
Fargate

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
Right now Fargate containers receive an ENI that is managed by AWS. It's not possible to assign IPv6 to it, even if the underlying VPC supports it. This makes it impossible for Fargate containers to contact IPv6-only resources.

An opt-in setting to assign an IPv6 address to the container's ENI would be appreciated.

Are you currently working around this issue?
We're working around it by using a dedicated proxy instance

ECS Fargate Proposed

All 6 comments

Hi @Cyberax, thanks for creating the issue! We are now actively looking at enabling native IPv6 connectivity for Fargate and ECS. Also thanks to everyone who has up-voted the proposal!

We appreciate feedback from everyone, as it helps us prioritize the most requested IPv6 scenarios. It would be especially useful to understand:

  • What type of VPC resources do you want to access over IPv6?
  • Are you interested in dual stack (IPv4+IPv6) or do you need IPv6-only (IPv4 disallowed) access?
  • Are you planning to use IPv6 only within your VPC(s), or are you also planning to connect your tasks to IPv6 internet?
  • Do you require image pulls from ECR over IPv6?
  • Anything else that is important to you!

Please keep the feedback coming!

Dualstack is fine for us, we also depend on third-party IPv4-only services so realistically IPv4 is a hard requirement for the next couple of years at least. So having native AWS resources (like ECR or S3) being accessible through IPv6 is also not really a huge issue.

Some background about our IPv6 usage, it's a bit unique.

We're splitting our organization into multiple units. Each organizational unit has multiple AWS accounts (for prod, test, staging, etc.). Units are responsible for providing one or more services (accessible through API). We want these services to talk to each other with minimal infrastructure overhead and so we identified the following solutions:

  1. Use public IPv4 endpoints. This works well, but exposes services to the whole Internet.
  2. Join all accounts into one giant routed fabric using peered VPCs (including inter-region peering). This works well, but has issues with IP range allocations and the general setup (a huge number of moving pieces).
  3. Use IPv6 endpoints with ACLs on the network level. Every account simply whitelists IPv6 ranges of all other organization's accounts in the IPv6 VPC. This way inbound connections only from accounts within our organization will be allowed.

So far option 3 is almost perfect for us, as it's very easy to set up and automate. And it works really well with regular EC2 instances.

BTW, we'd be glad to beta-test IPv6 support when it's ready (we're an NDA customer if it helps).
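The allowlisting described in option 3 of the comment above, as an added example (not code from the commenter or from AWS): it builds, for one account, an ingress permission that admits the IPv6 ranges of every other account in the organization and rejects entries that are too broad or that overlap. The account IDs and prefixes are constructed (documentation range 2001:db8::/32), the function names are hypothetical, and rendering the rule in the security-group `IpPermissions` shape with a /56 width limit is an assumption.

```python
import ipaddress

# Constructed sample data: account id -> IPv6 CIDR of that account's VPC.
# The 2001:db8::/32 documentation prefix stands in for real allocations.
ORG_VPC_PREFIXES = {
    "111111111111": "2001:db8:1000:aa00::/56",
    "222222222222": "2001:db8:2000:bb00::/56",
    "333333333333": "2001:db8:3000:cc00::/56",
}

# Policy assumed for this example: no entry wider than /56, the size of an
# Amazon-provided VPC IPv6 block.
MIN_PREFIX_LEN = 56


def validated_prefixes(prefixes):
    """Parse prefixes, rejecting ones too broad or overlapping another account's."""
    nets = {}
    for account, cidr in prefixes.items():
        net = ipaddress.IPv6Network(cidr, strict=True)  # host bits must be zero
        if net.prefixlen < MIN_PREFIX_LEN:
            raise ValueError(f"{account}: {cidr} is wider than /{MIN_PREFIX_LEN}")
        for other, seen in nets.items():
            if net.overlaps(seen):
                raise ValueError(f"{account}: {cidr} overlaps {other}")
        nets[account] = net
    return nets


def ingress_for(account, prefixes, port=443):
    """Ingress permission for `account` that admits every other org account."""
    nets = validated_prefixes(prefixes)
    ranges = [
        {"CidrIpv6": str(net), "Description": f"org account {peer}"}
        for peer, net in sorted(nets.items()) if peer != account
    ]
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port, "Ipv6Ranges": ranges}


def is_allowed(source, permission):
    """True if `source` falls inside one of the permission's IPv6 ranges."""
    addr = ipaddress.IPv6Address(source)
    return any(addr in ipaddress.IPv6Network(r["CidrIpv6"]) for r in permission["Ipv6Ranges"])


if __name__ == "__main__":
    perm = ingress_for("111111111111", ORG_VPC_PREFIXES)
    print(perm)
    print(is_allowed("2001:db8:2000:bb00::10", perm))  # peer account
    print(is_allowed("2001:db8:9999::1", perm))        # outside the organization
```

Validating the list before it is applied matters because a single mistyped or overly wide prefix silently turns the organization-only rule into a much broader one.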

@Cyberax a much cleaner solution is VPC private links.
No public Web, no messy peer CIDR overlap, easy security groups, and native dual stack.

@ofiliz excited to see this is being researched. Here are some answers based on my team's use case:

Application: Fargate containers deployed in VPC need to access telecom IPv6 only equipment which is on-premise in a customer's lab.

What type of VPC resources do you want to access over IPv6?
Ans: There are certain on-premise telecom networking resources which only support IPv6

Are you interested in dual stack (IPv4+IPv6) or do you need IPv6-only (IPv4 disallowed) access?
Ans: Dual Stack would be needed

Are you planning to use IPv6 only within your VPC(s), or are you also planning to connect your tasks to IPv6 internet?
Ans: IPv6 internet

I would be interested in contributing by testing during the developer preview to support this effort.

My team would like to be able to use internet-facing load balancers within the network over IPv6 so that we don't have to maintain a redundant set of internal load balancers for Fargate.

Dual-stack IPv6 is now available with awsvpc networking mode for both ECS on Fargate and ECS on EC2!
https://aws.amazon.com/about-aws/whats-new/2020/11/amazon-ecs-supports-ipv6-in-awsvpc-networking-mode/
