Certified Security - Specialty


IPv6 Egress vs NAT gateways

Seems that a good number of scenarios that traditionally called for NAT gateways could be resolved by running IPv6 with an egress-only Internet Gateway (assuming the service you need to reach is IPv6 enabled).

Anyone attempted this approach? Seen any success?

1 Answer

With IPv6, you are global, not private; that’s why you need an egress-only internet gateway to stop communication initiated from the internet while still being able to talk to the internet.

With a NAT gateway, you don’t use a public IPv4 address.
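The answer above describes the mechanism: an egress-only internet gateway lets instances with globally routable IPv6 addresses initiate outbound connections while dropping anything initiated from the internet, the same traffic shape a NAT gateway gives IPv4. The following is an added example, not code from the thread or from AWS. It assumes an EC2 client created with `boto3.client("ec2")` is passed in and uses the real boto3 calls `create_egress_only_internet_gateway` and `create_route`; the audit half works on the route-table dicts that `describe_route_tables` returns, so it can be pointed at a real account or at the constructed sample data. All IDs in the sample data (`vpc-sample`, `rtb-private-sample`, `eigw-sample`, and so on) are placeholders, and `RecordingEc2` is an offline stand-in for the boto3 client so the script runs without credentials.

```python
"""Provision and audit the default routes of a private dual-stack subnet.

Added example, not from the original post or from AWS. Assumes a boto3 EC2
client is passed in; IDs in the sample data are constructed placeholders.
"""


def add_ipv6_egress_only_route(ec2, vpc_id, route_table_id):
    """Create an egress-only IGW in the VPC and point ::/0 at it.

    Instances using this table can open IPv6 connections outbound; the
    gateway drops connections initiated from the internet.
    """
    resp = ec2.create_egress_only_internet_gateway(VpcId=vpc_id)
    eigw_id = resp["EgressOnlyInternetGateway"]["EgressOnlyInternetGatewayId"]
    ec2.create_route(
        RouteTableId=route_table_id,
        DestinationIpv6CidrBlock="::/0",
        EgressOnlyInternetGatewayId=eigw_id,
    )
    return eigw_id


def _classify(route):
    """Map one route's target to the direction of traffic it permits."""
    if "NatGatewayId" in route or "EgressOnlyInternetGatewayId" in route:
        return "egress-only"      # outbound-initiated only
    if route.get("GatewayId", "").startswith("igw-"):
        return "bidirectional"    # inbound reachable if SG/NACL allow it
    return "other"                # TGW, peering, ENI/instance target, ...


def audit_default_routes(route_table):
    """Classify the IPv4 and IPv6 default routes of one route table.

    Returns {'ipv4': ..., 'ipv6': ...}, each 'none', 'egress-only',
    'bidirectional' or 'other'. A private subnet whose ::/0 route is
    'bidirectional' is the misconfiguration to look for: every instance
    in it has a global address and is directly reachable from outside.
    """
    findings = {"ipv4": "none", "ipv6": "none"}
    for route in route_table.get("Routes", []):
        if route.get("State", "active") != "active":
            continue  # blackhole routes forward nothing
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            findings["ipv4"] = _classify(route)
        elif route.get("DestinationIpv6CidrBlock") == "::/0":
            findings["ipv6"] = _classify(route)
    return findings


def exposed_route_tables(route_tables):
    """IDs of route tables whose IPv6 default route admits inbound-initiated traffic."""
    return [rt["RouteTableId"] for rt in route_tables
            if audit_default_routes(rt)["ipv6"] == "bidirectional"]


# Constructed sample data in the shape of describe_route_tables()["RouteTables"].
SAMPLE_ROUTE_TABLES = [
    {   # intended private subnet: NAT for v4, egress-only IGW for v6
        "RouteTableId": "rtb-private-sample",
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-sample", "State": "active"},
            {"DestinationIpv6CidrBlock": "::/0", "EgressOnlyInternetGatewayId": "eigw-sample", "State": "active"},
        ],
    },
    {   # mistake: ::/0 points at the full internet gateway
        "RouteTableId": "rtb-leaky-sample",
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-sample", "State": "active"},
            {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-sample", "State": "active"},
        ],
    },
]


class RecordingEc2:
    """Offline stand-in for the boto3 EC2 client; records the calls it receives."""

    def __init__(self):
        self.calls = []

    def create_egress_only_internet_gateway(self, VpcId):
        self.calls.append(("create_egress_only_internet_gateway", {"VpcId": VpcId}))
        return {"EgressOnlyInternetGateway": {"EgressOnlyInternetGatewayId": "eigw-sample"}}

    def create_route(self, **kwargs):
        self.calls.append(("create_route", kwargs))
        return {"Return": True}


if __name__ == "__main__":
    ec2 = RecordingEc2()  # swap for boto3.client("ec2") against a real account
    print("created", add_ipv6_egress_only_route(ec2, "vpc-sample", "rtb-private-sample"))
    for rt in SAMPLE_ROUTE_TABLES:
        print(rt["RouteTableId"], audit_default_routes(rt))
    print("exposed:", exposed_route_tables(SAMPLE_ROUTE_TABLES))
```

The audit is the check worth scheduling: with IPv4, a route to the wrong gateway in a private subnet is often caught because the instances have no public address, but with IPv6 every instance is globally addressable, so a `::/0` route that lands on an `igw-` instead of an `eigw-` silently turns the subnet public and leaves only security groups and NACLs in the way.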


Agreed, but this isn’t necessarily a downside from a security perspective if we focus our attention on NACLs, Security Groups, and Internet Gateway configuration.


Whoops, wasn’t quite ready there. From my perspective, the major factor here is whether the external resources we wish to access are available in the IPv6 address space. This is almost definitely the case if you’re looking at the major Linux package repositories and popular APIs. I did some checks, however, on a file scanning system I’m architecting and found that the primary ClamAV database mirrors are not on IPv6 hosts. This still may be a moot point since we’re thinking of keeping the scanners immutable by baking the database updates into new AMIs or Docker images a couple of times a day.
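The comment above makes the practical point: dropping the NAT gateway in favour of an egress-only internet gateway only works for destinations that publish AAAA records, and the poster found at least one dependency (the ClamAV database mirrors) that did not. The following is an added example, not code from the thread, of the pre-migration check a practitioner would run over the list of upstream endpoints. By default it resolves through the system resolver with `socket.getaddrinfo`; a resolver callable can be injected, and the block includes an offline stand-in backed by a constructed DNS table so it runs without network access. The hostnames `pkg-mirror.example.net` and `av-db-mirror.example.org` and their addresses are constructed placeholders, not the poster's actual mirrors.

```python
"""Pre-migration check: which upstream endpoints are reachable over IPv6?

Added example, not from the original thread. Hostnames and addresses in the
constructed DNS table are placeholders (documentation ranges).
"""
import socket


def resolve_families(host, port=443, resolver=socket.getaddrinfo):
    """Return the set of address families ('ipv4', 'ipv6') host resolves to.

    resolver must have the shape of socket.getaddrinfo(host, port, ...).
    An unresolvable name yields an empty set rather than raising.
    """
    families = set()
    try:
        for family, *_rest in resolver(host, port):
            if family == socket.AF_INET:
                families.add("ipv4")
            elif family == socket.AF_INET6:
                families.add("ipv6")
    except socket.gaierror:
        pass
    return families


def plan_egress(hosts, resolver=socket.getaddrinfo):
    """Classify each host for an egress-only-IGW design.

    'ipv6-ok'      has an AAAA record: traffic can leave via the egress-only IGW
    'needs-nat'    IPv4 only: still requires a NAT gateway (or NAT64/DNS64)
    'unresolvable' no answer at all: investigate before relying on it
    """
    plan = {}
    for host in hosts:
        fams = resolve_families(host, resolver=resolver)
        if "ipv6" in fams:
            plan[host] = "ipv6-ok"
        elif "ipv4" in fams:
            plan[host] = "needs-nat"
        else:
            plan[host] = "unresolvable"
    return plan


def hosts_blocking_nat_removal(hosts, resolver=socket.getaddrinfo):
    """Hosts that would become unreachable if the NAT gateway were removed."""
    return sorted(h for h, verdict in plan_egress(hosts, resolver).items()
                  if verdict != "ipv6-ok")


# Constructed DNS table for offline use: host -> [(address, ip_version), ...]
CONSTRUCTED_DNS = {
    "pkg-mirror.example.net": [("203.0.113.10", 4), ("2001:db8::10", 6)],  # dual-stack
    "av-db-mirror.example.org": [("198.51.100.20", 4)],                   # IPv4 only
}


def constructed_resolver(host, port, *args, **kwargs):
    """Offline stand-in for socket.getaddrinfo backed by CONSTRUCTED_DNS."""
    if host not in CONSTRUCTED_DNS:
        raise socket.gaierror(-2, "Name or service not known")
    results = []
    for addr, version in CONSTRUCTED_DNS[host]:
        if version == 4:
            results.append((socket.AF_INET, socket.SOCK_STREAM, 6, "", (addr, port)))
        else:
            results.append((socket.AF_INET6, socket.SOCK_STREAM, 6, "", (addr, port, 0, 0)))
    return results


if __name__ == "__main__":
    # Offline run against the constructed table; drop resolver= to use real DNS.
    endpoints = ["pkg-mirror.example.net", "av-db-mirror.example.org", "missing.example"]
    for host, verdict in plan_egress(endpoints, resolver=constructed_resolver).items():
        print(f"{host:28} {verdict}")
    print("blocking NAT removal:", hosts_blocking_nat_removal(endpoints, constructed_resolver))
```

Run against real DNS, the list of `needs-nat` hosts is the set of dependencies that keep the NAT gateway in the design; if it is empty, the NAT gateway and the IPv4 default route can go. Bear in mind that a AAAA record only shows the name is advertised on IPv6, not that the service behind it works over IPv6, so a connection test from a dual-stack instance is still worth doing before cutover.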
