**Help improve this page** 

To contribute to this user guide, choose the **Edit this page on GitHub** link that is located in the right pane of every page.

# Learn about IPv6 addresses to clusters, Pods, and services
<a name="cni-ipv6"></a>

 **Applies to**: Pods with Amazon EC2 instances and Fargate Pods

By default, Kubernetes assigns `IPv4` addresses to your Pods and services. Instead of assigning `IPv4` addresses to your Pods and services, you can configure your cluster to assign `IPv6` addresses to them. Amazon EKS doesn’t support dual-stacked Pods or services, even though Kubernetes does. As a result, you can’t assign both `IPv4` and `IPv6` addresses to your Pods and services.

You select which IP family you want to use for your cluster when you create it. You can’t change the family after you create the cluster.

For a tutorial to deploy an Amazon EKS `IPv6` cluster, see [Deploying an Amazon EKS `IPv6` cluster and managed Amazon Linux nodes](deploy-ipv6-cluster.md).

The following are considerations for using the feature:

## `IPv6` Feature support
<a name="_ipv6_feature_support"></a>
+  **No Windows support**: Windows Pods and services aren’t supported.
+  **Nitro-based EC2 nodes required**: You can only use `IPv6` with AWS Nitro-based Amazon EC2 or Fargate nodes.
+  **EC2 and Fargate nodes supported**: You can use `IPv6` with [Assign security groups to individual Pods](security-groups-for-pods.md) with Amazon EC2 nodes and Fargate nodes.
+  **Outposts not supported**: You can’t use `IPv6` with [Deploy Amazon EKS on-premises with AWS Outposts](eks-outposts.md).
+  **FSx for Lustre is not supported**: The [Use high-performance app storage with Amazon FSx for Lustre](fsx-csi.md) is not supported.
+  **Custom networking not supported**: If you previously used [Deploy Pods in alternate subnets with custom networking](cni-custom-network.md) to help alleviate IP address exhaustion, you can use `IPv6` instead. You can’t use custom networking with `IPv6`. If you use custom networking for network isolation, then you might need to continue to use custom networking and the `IPv4` family for your clusters.

## IP address assignments
<a name="_ip_address_assignments"></a>
+  **Kubernetes services**: Kubernetes services are only assigned an `IPv6` addresses. They aren’t assigned IPv4 addresses.
+  **Pods**: Pods are assigned an IPv6 address and a host-local IPv4 address. The host-local IPv4 address is assigned by using a host-local CNI plugin chained with VPC CNI and the address is not reported to the Kubernetes control plane. It is only used when a pod needs to communicate with an external IPv4 resources in another Amazon VPC or the internet. The host-local IPv4 address gets SNATed (by VPC CNI) to the primary IPv4 address of the primary ENI of the worker node.
+  **Pods and services**: Pods and services receive only `IPv6` addresses, not `IPv4` addresses. When Pods need to communicate with external `IPv4` endpoints, they use NAT on the node itself. This built-in NAT capability eliminates the need for [DNS64 and NAT64](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-nat64-dns64). For traffic requiring public internet access, the Pod’s traffic is source network address translated to a public IP address.
+  **Routing addresses**: When a Pod communicates outside the VPC, its original `IPv6` address is preserved (not translated to the node’s `IPv6` address). This traffic is routed directly through an internet gateway or egress-only internet gateway.
+  **Nodes**: All nodes are assigned an `IPv4` and `IPv6` address.
+  **Fargate Pods**: Each Fargate Pod receives an `IPv6` address from the CIDR that’s specified for the subnet that it’s deployed in. The underlying hardware unit that runs Fargate Pods gets a unique `IPv4` and `IPv6` address from the CIDRs that are assigned to the subnet that the hardware unit is deployed in.

## How to use `IPv6` with EKS
<a name="_how_to_use_ipv6_with_eks"></a>
+  **Create new cluster**: You must create a new cluster and specify that you want to use the `IPv6` family for that cluster. You can’t enable the `IPv6` family for a cluster that you updated from a previous version. For instructions on how to create a new cluster, see Considerations .
+  **Use recent VPC CNI**: Deploy Amazon VPC CNI version `1.10.1` or later. This version or later is deployed by default. After you deploy the add-on, you can’t downgrade your Amazon VPC CNI add-on to a version lower than `1.10.1` without first removing all nodes in all node groups in your cluster.
+  **Configure VPC CNI for `IPv6` **: If you use Amazon EC2 nodes, you must configure the Amazon VPC CNI add-on with IP prefix delegation and `IPv6`. If you choose the `IPv6` family when creating your cluster, the `1.10.1` version of the add-on defaults to this configuration. This is the case for both a self-managed or Amazon EKS add-on. For more information about IP prefix delegation, see [Assign more IP addresses to Amazon EKS nodes with prefixes](cni-increase-ip-addresses.md).
+  **Configure `IPv4` and `IPv6` addresses**: When you create a cluster, the VPC and subnets that you specify must have an `IPv6` CIDR block that’s assigned to the VPC and subnets that you specify. They must also have an `IPv4` CIDR block assigned to them. This is because, even if you only want to use `IPv6`, a VPC still requires an `IPv4` CIDR block to function. For more information, see [Associate an IPv6 CIDR block with your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/working-with-vpcs.html#vpc-associate-ipv6-cidr) in the Amazon VPC User Guide.
+  **Auto-assign IPv6 addresses to nodes:** When you create your nodes, you must specify subnets that are configured to auto-assign `IPv6` addresses. Otherwise, you can’t deploy your nodes. By default, this configuration is disabled. For more information, see [Modify the IPv6 addressing attribute for your subnet](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-ip-addressing.html#subnet-ipv6) in the Amazon VPC User Guide.
+  **Set route tables to use `IPv6` **: The route tables that are assigned to your subnets must have routes for `IPv6` addresses. For more information, see [Migrate to IPv6](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-migrate-ipv6.html) in the Amazon VPC User Guide.
+  **Set security groups for `IPv6` **: Your security groups must allow `IPv6` addresses. For more information, see [Migrate to IPv6](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-migrate-ipv6.html) in the Amazon VPC User Guide.
+  **Set up load balancer**: Use version `2.3.1` or later of the AWS Load Balancer Controller to load balance HTTP applications using the [Route application and HTTP traffic with Application Load Balancers](alb-ingress.md) or network traffic using the [Route TCP and UDP traffic with Network Load Balancers](network-load-balancing.md) to `IPv6` Pods with either load balancer in IP mode, but not instance mode. For more information, see [Route internet traffic with AWS Load Balancer Controller](aws-load-balancer-controller.md).
+  **Add `IPv6` IAM policy**: You must attach an `IPv6` IAM policy to your node IAM or CNI IAM role. Between the two, we recommend that you attach it to a CNI IAM role. For more information, see [Create IAM policy for clusters that use the `IPv6` family](cni-iam-role.md#cni-iam-role-create-ipv6-policy) and [Step 1: Create the Amazon VPC CNI plugin for Kubernetes IAM role](cni-iam-role.md#cni-iam-role-create-role).
+  **Evaluate all components**: Perform a thorough evaluation of your applications, Amazon EKS add-ons, and AWS services that you integrate with before deploying `IPv6` clusters. This is to ensure that everything works as expected with `IPv6`.