Source URL: https://cloud.google.com/blog/products/networking/connect-ipv6-only-workloads-to-ipv4-with-dns64-and-nat64/
Source: Cloud Blog
Title: Accelerate your IPv6 journey: Introducing DNS64 and NAT64 for the Cross-Cloud Network
Feedly Summary: We introduced Cross-Cloud Network to help organizations transform hybrid and multicloud connectivity, and today, many customers are using it to build distributed applications across multiple clouds, on-premises networks, and the internet. A key aspect of this evolution is the ability to scale with IPv6 addressing. However, the transition from IPv4 to IPv6 is a gradual process creating a coexistence challenge: How do IPv6-only devices reach services and content that still resides on IPv4 networks?
To ensure a smooth transition to IPv6, we’re expanding our toolkit. After launching IPv6 Private Service Connect endpoints that connect to IPv4 published services, we are now introducing DNS64 and NAT64. Together, DNS64 and NAT64 form a robust mechanism that intelligently translates communication, allowing IPv6-only environments in Google Cloud to interact with the legacy IPv4 applications on the internet. In this post, we explore the vital role DNS64 and NAT64 play in making IPv6 adoption practical and efficient, removing the dependency on migrating legacy IPv4 services to IPv6.
The importance of DNS64 and NAT64
While dual-stack networking assigns both IPv4 and IPv6 addresses to a network interface, it doesn’t solve the pressing issues of private IPv4 address exhaustion or the increasing push for native IPv6 compliance. For major enterprises, the path toward widespread IPv6 adoption of cloud workloads involves creating new single-stack IPv6 workloads without having to migrate legacy IPv4 applications and services to IPv6. Together, DNS64 and NAT64 directly address this requirement, facilitating IPv6-to-IPv4 communication while maintaining access to existing IPv4 infrastructure.
This IPv6-to-IPv4 translation mechanism supports several critical use cases.
Enabling IPv6-only networks: As IPv4 addresses become increasingly scarce and costly, organizations can build future-proof IPv6-only environments, with DNS64 and NAT64 providing the essential translation to access remaining IPv4 services on the internet.
Gradual migration to IPv6: This allows organizations to gradually phase out IPv4 while guaranteeing their IPv6-only clients can still reach vital IPv4-only services.
Supporting legacy applications: Many critical business applications still rely solely on IPv4; these new services ensure they remain accessible to IPv6-only clients, safeguarding ongoing business operations during the transition.
How does it work?
An IPv6-only workload begins communication by performing a DNS lookup for the hostname of the service it wants to reach. If an AAAA record exists, an IPv6 address is returned and the connection proceeds directly over IPv6.
However, if DNS64 is enabled but a AAAA record cannot be found, the system instead queries for an A record. Once an A record is found, DNS64 constructs a unique synthesized IPv6 address by combining the well-known 64:ff9b::/96 prefix with the IPv4 address obtained from the A record.
The NAT64 gateway recognizes that the destination address is a part of the 64:ff9b::/96 range. It extracts the original IPv4 address from the latter part of the IPv6 address and initiates a new IPv4 connection to the destination, using the NAT64 gateway’s own IPv4 address as the source. Upon receiving a response, the NAT64 gateway prepends the 64:ff9b::/96 prefix to the response packet’s source IP, providing communication back to the IPv6-only client.
Here’s a diagram of the above-mentioned scenario:
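As an added worked example (not code from the Google Cloud post), the address arithmetic behind the two steps above: DNS64 embedding an A record in the well-known 64:ff9b::/96 prefix, and NAT64 recovering the IPv4 address from the low 32 bits. The zone data is constructed and stands in for real DNS answers.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# RFC 6052 well-known prefix that DNS64 and NAT64 agree on (from the post).
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_aaaa(ipv4: str) -> str:
    """DNS64 step: embed the IPv4 address in the low 32 bits of the prefix."""
    v4 = ipaddress.IPv4Address(ipv4)
    v6 = ipaddress.IPv6Address(int(WELL_KNOWN_PREFIX.network_address) | int(v4))
    return str(v6)


def extract_ipv4(ipv6: str) -> Optional[str]:
    """NAT64 step: return the embedded IPv4 address, or None when the
    destination is native IPv6 and should bypass the gateway."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in WELL_KNOWN_PREFIX:
        return None
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))


def dns64_resolve(name: str, zone: Dict[str, Dict[str, str]]) -> Tuple[str, str]:
    """Resolver decision from the post: a real AAAA wins; otherwise synthesize
    from the A record.  Returns (address, "native" | "synthesized")."""
    records = zone.get(name, {})
    if "AAAA" in records:
        return records["AAAA"], "native"
    if "A" in records:
        return synthesize_aaaa(records["A"]), "synthesized"
    raise LookupError(f"{name}: no A or AAAA record")


# Constructed sample answers (documentation ranges, not real hosts).
SAMPLE_ZONE = {
    "dualstack.example.test": {"A": "198.51.100.10", "AAAA": "2001:db8::10"},
    "legacy.example.test": {"A": "203.0.113.25"},
}

if __name__ == "__main__":
    for host in SAMPLE_ZONE:
        addr, kind = dns64_resolve(host, SAMPLE_ZONE)
        print(f"{host} -> {addr} ({kind}); NAT64 forwards to {extract_ipv4(addr)}")
```

The same `extract_ipv4` check, run over the destination field of VPC flow logs, separates flows that traverse the NAT64 gateway from native IPv6 traffic when auditing egress from the IPv6-only subnet.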
Getting started with DNS64 and NAT64
You can set up IPv6-only VMs with DNS64 and NAT64 in three steps:
Create VPC, subnets, VMs and firewall rules
Create a DNS64 server policy
Create a NAT64 gateway
Step 1: Create VPC, subnets, VMs, and firewall rules
1.1 Create a VPC:
```bash
gcloud compute networks create test-vpc \
  --project=dns64-and-nat64-testing \
  --subnet-mode=custom \
  --mtu=1500 \
  --bgp-routing-mode=global \
  --bgp-best-path-selection-mode=legacy
```
1.2 Create an IPv6-only subnet and VM
Create an IPv6-only subnet:
```bash
gcloud compute networks subnets create public-v6-only-subnet \
  --network=test-vpc \
  --project=dns64-and-nat64-testing \
  --stack-type=IPV6_ONLY \
  --ipv6-access-type=external \
  --region=us-east1
```
Create an IPv6-only instance:
```bash
# --zone expects a zone within the region (for example one of the us-east1 zones),
# not the region name itself.
gcloud compute instances create v6-only-vm-in-public-v6-only-subnet \
  --subnet public-v6-only-subnet \
  --stack-type IPV6_ONLY \
  --zone us-east1 \
  --project=dns64-and-nat64-testing
```
1.3 Create firewall rules to allow SSH access into the VM from your environment:
```bash
# ::/0 admits SSH from any IPv6 source (use 0.0.0.0/0 for IPv4 clients);
# narrow the source ranges to your administrative networks in practice.
gcloud compute firewall-rules create allow-v6-ssh \
  --network test-vpc \
  --priority 300 \
  --direction ingress \
  --action allow \
  --source-ranges ::/0 \
  --destination-ranges ::/0 \
  --rules tcp:22
```
Note: You might need to create more rules or different rules as per your environment to allow connectivity.
Step 2: Create a DNS64 server policy
Enable DNS64 policy:
```bash
gcloud dns policies create allow-dns64 \
  --networks=test-vpc \
  --enable-dns64-all-queries \
  --project=dns64-and-nat64-testing
```
This creates a DNS64 policy as shown below:
Step 3: Create a NAT64 gateway
3.1 Create a Cloud Router:
```bash
gcloud compute routers create nat64-router \
  --network=test-vpc \
  --region=us-east1 \
  --project=dns64-and-nat64-testing
```
The above command creates a Cloud Router as shown below:
3.2 Create a NAT64 gateway using the Cloud Router you created in the above step:
```bash
gcloud beta compute routers nats create nat64-natgw \
  --router=nat64-router \
  --region=us-east1 \
  --auto-allocate-nat-external-ips \
  --nat64-all-v6-subnet-ip-ranges \
  --project=dns64-and-nat64-testing
```
This creates a Cloud NAT gateway as shown below:
And that’s it!
Together at last with DNS64 and NAT64
And with that, we hope that you now understand how to connect your IPv6-only workloads to IPv4 destinations by using DNS64 and NAT64. To learn more about enabling DNS64 and NAT64 for IPv6-only workloads, check out the documentation.
AI Summary and Description: Yes
**Summary:** The text discusses the introduction of Cross-Cloud Network and its features designed to facilitate the transition from IPv4 to IPv6 addressing. It specifically focuses on the tools DNS64 and NAT64, which enable IPv6-only networks to communicate with IPv4 services and applications, making the adoption of IPv6 practical for organizations with legacy systems.
**Detailed Description:**
The content highlights the increasing necessity for organizations to transition from IPv4 to IPv6 due to the exhaustion of IPv4 addresses and the push for IPv6 compliance.
– **Cross-Cloud Network:** A service designed to enhance hybrid and multi-cloud connectivity, crucial for building distributed applications.
– **IPv6 Addressing:** Emphasizes the gradual shift towards IPv6 and addresses the coexistence challenges between IPv4 and IPv6.
– **DNS64 and NAT64:**
  – **Functionality:** These tools are vital for enabling IPv6-only environments to access IPv4 services, mitigating the need to migrate legacy applications.
  – **Impact on Enterprises:** They facilitate:
    – **Enabling IPv6-only networks:** Organizations can create future-proof environments while retaining access to essential IPv4 resources.
    – **Gradual migration to IPv6:** This ensures that IPv6 clients can connect to vital IPv4-only services during the transition period.
    – **Support for legacy applications:** Continuous access to necessary applications that are still on IPv4 prevents business disruptions.
**Mechanism of Operation:**
– **DNS Lookups:** The process initiates with DNS queries, where DNS64 is enabled to synthesize IPv6 addresses from IPv4 addresses when necessary.
– **NAT64 Gateway:** This extracts the IPv4 address from the synthesized IPv6 address, establishing a connection to the destination using IPv4, effectively bridging the two protocols.
**Implementation Steps:**
1. **Create VPC and Subnets:** Establish a networking infrastructure for IPv6.
2. **DNS64 Policy Configuration:** Set up a policy to support DNS queries under DNS64.
3. **NAT64 Gateway Creation:** Implement a NAT gateway to facilitate seamless communication.
Overall, the integration of DNS64 and NAT64 is critical for organizations ensuring operational continuity while adopting modern internet protocol standards. This transition not only supports the existing infrastructures but also positions enterprises for future growth in a predominantly IPv6 environment. Security professionals should consider the implications of this transition, particularly in terms of ensuring secure connections and communications across hybrid cloud environments.