Amazon CloudFront | IPv6

Question 1

How do I customize content with Lambda@Edge?

IPv6

Amazon CloudFront | Networking & Content Delivery

Answer 1

Once you have identified a content delivery decision you would like to make at the CloudFront edge, identify which cache behaviors, and what point in the request flow the logic applies to (i.e., when a viewer request lands, when a request is forwarded to or received back from the origin, or right before responding back to the end viewer). Next, write a Node.js Lambda function using the Lambda console or API, and associate it with the selected CloudFront trigger event for your distribution. Once saved, the next time an applicable request is made to your distribution, the function is propagated to the CloudFront edge, and will scale and execute as needed. Learn more in our documentation.

What events can be triggered with Amazon CloudFront?

Your functions will automatically trigger in response to the following Amazon CloudFront events:

Viewer Request - This event occurs when an end user or a device on the Internet makes an HTTP(S) request to CloudFront, and the request arrives at the edge location closest to that user.

Viewer Response - This event occurs when the CloudFront server at the edge is ready to respond to the end user or the device that made the request.

Origin Request - This event occurs when the CloudFront edge server does not already have the requested object in its cache, and the viewer request is ready to be sent to your backend origin webserver (e.g. Amazon EC2, or Application Load Balancer, or Amazon S3).

Origin Response - This event occurs when the CloudFront server at the edge receives a response from your backend origin webserver.

Question 2

What is IPv6?

IPv6

Amazon CloudFront | Networking & Content Delivery

Answer 2

Every server and device connected to the Internet must have a numeric Internet Protocol (IP) address. As the Internet and the number of people using it grows exponentially, so does the need for IP addresses. IPv6 is a new version of the Internet Protocol that uses a larger address space than its predecessor IPv4. Under IPv4, every IP address is 32 bits long, which allows 4.3 billion unique addresses. An example IPv4 address is 192.0.2.1. In comparison, IPv6 addresses are 128 bits, which allow for approximately three hundred and forty trillion, trillion unique IP addresses. An example IPv6 address is: 2001:0db8:85a3:0:0:8a2e:0370:7334

Question 3

What can I do with IPv6?

IPv6

Amazon CloudFront | Networking & Content Delivery

Answer 3

Using IPv6 support for Amazon CloudFront, your applications can connect to Amazon CloudFront edge locations without needing any IPv6 to IPv4 translation software or systems. You can meet the requirements for IPv6 adoption set by governments - including the U.S. Federal government – and benefit from IPv6 extensibility, simplicity in network management, and additional built-in support for security.

Question 4

Should I expect a change in Amazon CloudFront performance when using IPv6?

IPv6

Amazon CloudFront | Networking & Content Delivery

Answer 4

No, you will see the same performance when using either IPv4 or IPv6 with Amazon CloudFront.

Question 5

Are there any Amazon CloudFront features that will not work with IPv6?

IPv6

Amazon CloudFront | Networking & Content Delivery

Answer 5

All existing features of Amazon CloudFront will continue to work on IPv6, though there are two changes you may need for internal IPv6 address processing before you turn on IPv6 for your distributions.

If you have turned on the Amazon CloudFront Access Logs feature, you will start seeing your viewer’s IPv6 address in the “c-ip” field and may need to verify that your log processing systems continue to work for IPv6.

When you enable IPv6 for your Amazon CloudFront distribution, you will get IPv6 addresses in the ‘X-Forwarded-For’ header that is sent to your origins. If your origin systems are only able to process IPv4 addresses, you may need to verify that your origin systems continue to work for IPv6.

Additionally, if you use IP whitelists for Trusted Signers, you should use an IPv4-only distribution for your Trusted Signer URLs with IP whitelists and an IPv4 / IPv6 distribution for all other content. This model sidesteps an issue that would arise if the signing request arrived over an IPv4 address and was signed as such, only to have the request for the content arrive via a different IPv6 address that is not on the whitelist.

To learn more about IPv6 support in Amazon CloudFront, see “IPv6 support on Amazon CloudFront” in the Amazon CloudFront Developer Guide.

Question 6

Does that mean if I want to use IPv6 at all I cannot use Trusted Signer URLs with IP whitelist?

IPv6

Amazon CloudFront | Networking & Content Delivery

Answer 6

No. If you want to use IPv6 and Trusted Signer URLs with IP whitelist you should use two separate distributions. You should dedicate a distribution exclusively to your Trusted Signer URLs with IP whitelist and disable IPv6 for that distribution. You would then use another distribution for all other content, which will work with both IPv4 and IPv6.

Question 7

If I enable IPv6, will the IPv6 address appear in the Access Log?

IPv6

Amazon CloudFront | Networking & Content Delivery

Answer 7

Yes, your viewer’s IPv6 addresses will now be shown in the “c-ip” field of the access logs, if you have the Amazon CloudFront Access Logs feature enabled. You may need to verify that your log processing systems continue to work for IPv6 addresses before you turn on IPv6 for your distributions. Please contact Developer Support if you have any issues with IPv6 traffic impacting your tool or software’s ability to handle IPv6 addresses in access logs. For more details, please refer to the Amazon CloudFront Access Logs documentation.

Question 8

Can I disable IPv6 for all my new distributions?

IPv6

Amazon CloudFront | Networking & Content Delivery

Answer 8

Yes, for both new and existing distributions, you can use the Amazon CloudFront console or API to enable / disable IPv6 per distribution.

Question 9

Are there any reasons why I would want to disable IPv6?

IPv6

Amazon CloudFront | Networking & Content Delivery

Answer 9

In discussions with customers, the only common case we heard about was internal IP address processing. When you enable IPv6 for your Amazon CloudFront distribution, in addition to getting an IPv6 address in your detailed access logs, you will get IPv6 addresses in the ‘X-Forwarded-For’ header that is sent to your origins. If your origin systems are only able to process IPv4 addresses, you may need to verify that your origin systems continue to work for IPv6 addresses before you turn on IPv6 for your distributions.

Question 10

I enabled IPv6 for my distribution but a DNS lookup doesn’t return any IPv6 addresses. What is happening?

IPv6

Amazon CloudFront | Networking & Content Delivery

Answer 10

Amazon CloudFront has very diverse connectivity around the globe, but there are still certain networks that do not have ubiquitous IPv6 connectivity. While the long term future of the Internet is obviously IPv6, for the foreseeable future every endpoint on the Internet will have IPv4 connectivity. When we find parts of the Internet that have better IPv4 connectivity than IPv6, we will prefer the former.