Four surprising IPv6 gotchas with Amazon S3

stefansundin

Stefan Sundin

Posted on September 14, 2024

Four surprising IPv6 gotchas with Amazon S3

You have been able to access Amazon S3 over IPv6 since 2016. In this post I'll describe a few reasons that I have found for why you might want to continue using IPv4 for S3, at least until the issues below are addressed by AWS.

If you are reading this a year from now (or more), then hopefully some of these gotchas are no longer relevant, so please double check each point using the provided references.

You are very likely accessing S3 over IPv4 today, since in order to use IPv6 you need to access it over the "dual-stack" endpoint which is not used by default. If you don't see "dualstack" in the S3 URL then you're using good old IPv4. If you see "dualstack" in the S3 URL then there's still a chance that you're not using IPv6, see the documentation for how to verify if your computer and network can connect to Amazon S3 using IPv6.

Here's the gotchas that I promised:

  1. VPC Gateway Endpoint prefix lists for S3 do not work with IPv6. 🙈
    • The main downside of this is that you pay for the data transfer between your EC2 instances and S3, which may be substantial if you transfer a lot of data.
    • Go to the VPC console to see if the s3 prefix list has any IPv6 prefixes. It is likely that when AWS decides to publish IPv6 prefixes for Amazon S3, that they do so in a separate prefix list, since we already have two prefix lists for vpc-lattice.
  2. Because of reason 1, if you use a bucket policy to restrict incoming traffic using the aws:SourceVpce condition, this isn't compatible with the dualstack endpoint. 🙉

    • You can work around this issue by also using a NotIpAddress condition, example (replace the IPv6 CIDR range with the CIDR range for your own VPC):
    "Effect": "Deny",
    "Condition": {
      "StringNotEquals": {
        "aws:SourceVpce": "vpce-01234567890abcdef"
      },
      "NotIpAddress": {
        "aws:SourceIp": "2600:1234:abcd:800::/56"
      }
    }
    
  3. S3 Express does not support IPv6 right now. 🙊

    • You may receive the error "S3Express does not support Dual-stack" if you try to access S3 Express over IPv6.
    • My program shrimp used to default to using the dual-stack endpoint, but I removed that once I found out about this issue. So for now you should have users explicitly opt in to IPv6.
  4. Static website hosting is not supported when accessing an S3 bucket over IPv6. 🙊

So that's the quick rundown. Have you found any other gotchas? Let me know in the comments.

💖 💪 🙅 🚩
stefansundin
Stefan Sundin

Posted on September 14, 2024

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related