Four surprising IPv6 gotchas with Amazon S3
Stefan Sundin
Posted on September 14, 2024
You have been able to access Amazon S3 over IPv6 since 2016. In this post I'll describe a few reasons that I have found for why you might want to continue using IPv4 for S3, at least until the issues below are addressed by AWS.
If you are reading this a year from now (or more), then hopefully some of these gotchas are no longer relevant, so please double-check each point using the provided references.
You are very likely accessing S3 over IPv4 today, since in order to use IPv6 you need to access it over the "dual-stack" endpoint, which is not used by default. If you don't see "dualstack" in the S3 URL then you're using good old IPv4. If you see "dualstack" in the S3 URL then there's still a chance that you're not using IPv6; see the documentation for how to verify if your computer and network can connect to Amazon S3 using IPv6.
Here are the gotchas that I promised:
1. VPC Gateway Endpoint prefix lists for S3 do not work with IPv6. 🙈
   - The main downside of this is that you pay for the data transfer between your EC2 instances and S3, which may be substantial if you transfer a lot of data.
   - Go to the VPC console to see if the `s3` prefix list has any IPv6 prefixes. It is likely that when AWS decides to publish IPv6 prefixes for Amazon S3, they do so in a separate prefix list, since we already have two prefix lists for `vpc-lattice`.
2. Because of reason 1, if you use a bucket policy to restrict incoming traffic using the `aws:SourceVpce` condition, this isn't compatible with the dualstack endpoint. 🙉
   - You can work around this issue by also using a `NotIpAddress` condition, example (replace the IPv6 CIDR range with the CIDR range for your own VPC):

     ```json
     "Effect": "Deny",
     "Condition": {
       "StringNotEquals": {
         "aws:SourceVpce": "vpce-01234567890abcdef"
       },
       "NotIpAddress": {
         "aws:SourceIp": "2600:1234:abcd:800::/56"
       }
     }
     ```
3. S3 Express does not support IPv6 right now. 🙊
   - You may receive the error "S3Express does not support Dual-stack" if you try to access S3 Express over IPv6.
   - My program shrimp used to default to using the dual-stack endpoint, but I removed that once I found out about this issue. So for now you should have users explicitly opt in to IPv6.
4. Static website hosting is not supported when accessing an S3 bucket over IPv6. 🙊
   - This limitation is documented on this documentation page.
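To see why the second gotcha's workaround behaves as described, here is an added example (not code from the original post or from AWS) that models how the Deny condition is evaluated with and without the `NotIpAddress` clause. It is a simplified model, not the real policy engine, and it assumes that a request through the gateway endpoint carries `aws:SourceVpce` but no `aws:SourceIp`, while a dual-stack request carries only its IPv6 source address; the request contexts and the `deny_applies` and `decisions` helpers are constructed for illustration.

```python
import ipaddress

# Condition blocks using the placeholder endpoint ID and CIDR from the post.
VPCE_ONLY = {"StringNotEquals": {"aws:SourceVpce": "vpce-01234567890abcdef"}}
WITH_WORKAROUND = {
    **VPCE_ONLY,
    "NotIpAddress": {"aws:SourceIp": "2600:1234:abcd:800::/56"},
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _string_not_equals(wanted, actual):
    # Negated operators evaluate to true when the key is absent from the request.
    return actual is None or actual not in _as_list(wanted)

def _not_ip_address(cidrs, actual):
    if actual is None:
        return True
    addr = ipaddress.ip_address(actual)
    return not any(addr in ipaddress.ip_network(c) for c in _as_list(cidrs))

OPERATORS = {"StringNotEquals": _string_not_equals, "NotIpAddress": _not_ip_address}

def deny_applies(condition, request):
    """The Deny fires only if every operator/key pair matches (they are ANDed)."""
    return all(
        OPERATORS[op](wanted, request.get(key))
        for op, keys in condition.items()
        for key, wanted in keys.items()
    )

# Constructed request contexts (assumption: see the lead-in above).
REQUESTS = {
    "ipv4 via gateway endpoint": {"aws:SourceVpce": "vpce-01234567890abcdef"},
    "ipv6 from inside the VPC": {"aws:SourceIp": "2600:1234:abcd:801::10"},
    "ipv6 from elsewhere": {"aws:SourceIp": "2001:db8::1"},
}

def decisions(condition):
    """Map each sample request to True (denied) or False (not denied)."""
    return {name: deny_applies(condition, ctx) for name, ctx in REQUESTS.items()}

if __name__ == "__main__":
    for label, cond in (("SourceVpce only", VPCE_ONLY), ("with NotIpAddress", WITH_WORKAROUND)):
        print(label, decisions(cond))
```

With only the `aws:SourceVpce` clause, the in-VPC IPv6 request is denied because the key is missing; with both clauses it is let through, while IPv6 traffic from outside the VPC range is still denied.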
So that's the quick rundown. Have you found any other gotchas? Let me know in the comments.