This document describes how to enable IPv6 support for a server group used by a dual-stack ALB instance. With this configuration, the ALB instance can use both IPv4 and IPv6 Elastic Compute Service (ECS) instances as backend servers, which allows IPv6 clients to access your IPv4 and IPv6 services.
Scenario
This topic uses the following scenario as an example. A company wants an ALB to forward requests from IPv6 clients so that the clients can use the internet to access IPv4 and IPv6 services in a VPC. The company needs to create ECS instances that have both IPv4 and IPv6 addresses, a dual-stack ALB instance in the VPC, and a server group that supports IPv6. After these configurations are complete, the ALB can forward requests from IPv6 clients to the IPv4 and IPv6 services that are deployed on the backend ECS instances.
Limitations
- For a list of regions that support dual-stack ALB instances, see Regions that support dual-stack ALB instances.
- To use the dual-stack feature, you must enable IPv6 for the vSwitches in the zones of your VPC.
- A dual-stack ALB instance can forward traffic from IPv4 and IPv6 clients to IPv4 and IPv6 backend services. For more information, see ALB instance overview.
- You cannot upgrade an existing IPv4 instance to a dual-stack instance. You can only create a new dual-stack instance.
- You can add a server group with IPv6 support enabled only to a listener or a forwarding rule of a dual-stack ALB instance.
Prerequisites
- You have created a VPC named VPC1 in the China (Shanghai) region, and two vSwitches named VSW1 and VSW2 in Zone E and Zone G, respectively. An IPv6 CIDR block is enabled for VPC1, and IPv6 is enabled for both VSW1 and VSW2. After you enable an IPv6 CIDR block for the VPC, an IPv6 gateway is created by default.
  If you plan to deploy your ALB instance across VSW1 and VSW2, note that an upgraded ALB instance requires three IP addresses from each specified vSwitch: one virtual IP (VIP) for client-facing services and two local IPs for communicating with backend servers. Ensure that VSW1 and VSW2 have enough available IP addresses to prevent instance creation failure. This requirement does not apply to non-upgraded ALB instances.
  Note:
  - To ensure the elastic capabilities of upgraded ALB instances, we recommend that you reserve at least eight IP addresses in each vSwitch used by the ALB instance.
  - To ensure that an upgraded ALB instance can communicate with backend services, if you have configured access policies such as iptables or other third-party security policies on your backend servers, you must add the CIDR block of the ALB instance's vSwitch to the allowlist in advance.
- You have registered a domain name and obtained an ICP filing for it.
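The allowlist requirement in the note above can be expressed as host firewall rules. The following is an added example, not part of the original documentation: it prints iptables and ip6tables rules that admit only the ALB vSwitch CIDR blocks to the backend port and refuses any `/0` source. The CIDR values, the function names, and the assumption that the ALB reaches IPv6 backends from the vSwitch IPv6 CIDR block are illustrative.

```shell
#!/bin/sh
# Added example (not from the original page). Prints, for review, host firewall
# rules that let only the ALB vSwitch CIDR blocks reach the backend port.

# A /0 source matches every address and would defeat the allowlist.
is_open_cidr() {
    case "$1" in
        */0) return 0 ;;
        *)   return 1 ;;
    esac
}

# alb_allow_rules PORT CIDR...
# CIDRs containing ":" are IPv6 and go to ip6tables, the rest to iptables.
alb_allow_rules() {
    port=$1
    shift
    # Validate every source first so a bad one produces no partial rule set.
    for cidr in "$@"; do
        if is_open_cidr "$cidr"; then
            echo "refusing open source: $cidr" >&2
            return 1
        fi
    done
    for cidr in "$@"; do
        case "$cidr" in
            *:*) tool=ip6tables ;;
            *)   tool=iptables ;;
        esac
        echo "$tool -A INPUT -p tcp -s $cidr --dport $port -j ACCEPT"
    done
    # Appended last: any other source is dropped on both address families.
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
    echo "ip6tables -A INPUT -p tcp --dport $port -j DROP"
}

# Constructed placeholder CIDRs; use the IPv4 and IPv6 CIDR blocks of VSW1 and
# VSW2 from the VPC console instead.
VSW1_V4=192.168.1.0/24
VSW2_V4=192.168.2.0/24
VSW1_V6=2001:db8:0:1::/64
VSW2_V6=2001:db8:0:2::/64

alb_allow_rules 80 "$VSW1_V4" "$VSW2_V4" "$VSW1_V6" "$VSW2_V6"
```

The rules are appended with `-A`, so a broader ACCEPT rule that already exists earlier in the INPUT chain still takes precedence; review the chain with `iptables -S INPUT` and `ip6tables -S INPUT` before applying the printed rules.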
Step 1: Create and configure ECS instances
- Log on to the VPC console.
- In the left-side navigation pane, click vSwitch.
- Select the region where the vSwitch is deployed. In this example, China (Shanghai) is selected.
- On the vSwitch page, find the target vSwitch and choose in the Actions column.
- On the Custom Launch tab of the Elastic Compute Service buy page, create two ECS instances. Rename the IPv4 ECS instance to ECS01 and the IPv6 ECS instance to ECS02. The security groups for both ECS instances must allow traffic on port 80. For more information, see Create an instance by using the wizard.
- Remotely log on to the ECS01 and ECS02 instances. For more information, see Connection methods.
- On ECS01, run the following commands to deploy an NGINX service:

      yum install -y nginx
      systemctl start nginx.service
      cd /usr/share/nginx/html/
      echo "Hello World ! this is ipv4 rs." > index.html

- On ECS02, run the following commands to deploy an NGINX service:

      yum install -y nginx
      systemctl start nginx.service
      cd /usr/share/nginx/html/
      echo "Hello World ! this is ipv6 rs." > index.html

- Configure an IPv6 address for the ECS02 instance. For more information, see IPv6 communication.
  Note: You can skip this step if your ECS02 instance uses the Alibaba Cloud Linux 3.2104 LTS 64-bit image and you selected Assign IPv6 Address Free of Charge for the IPv6 parameter during instance creation.
  - Remotely log on to the ECS02 instance in the VPC.
  - Configure the IPv6 address.
    Run the `ip addr | grep inet6` or `ifconfig | grep inet6` command. If the command returns output similar to the following, an IPv6 address is already configured and you can skip this step.

        [root@iZbpxxx fxe4Z ~]# ip addr | grep inet6
        inet6 ::1/128 scope host
        inet6 2408:4005:xxx:xxx:7cd5:aa9c/128 scope global dynamic noprefixroute
        inet6 fe80::xxx:cc1c/64 scope link noprefixroute

    - If the command output does not contain inet6-related information, IPv6 is not enabled on the instance. You must first enable the IPv6 service.
    - If the command output contains inet6-related information, IPv6 is enabled on the ECS02 instance and its IPv6 address has been assigned. You must configure the IPv6 address.
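The inet6 check in this step can be scripted. The following is an added example, not part of the original documentation: it reads `ip addr` output and, going slightly beyond the two cases above, separates an instance that has only loopback and link-local addresses from one that has a global IPv6 address. The function name `classify_ipv6` and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): classify the IPv6 state of an
# instance from `ip addr` output read on stdin. Prints one of:
#   disabled    no inet6 lines at all, IPv6 is not enabled
#   link-local  only loopback/link-local inet6 addresses are present
#   global      at least one "scope global" inet6 address is configured
classify_ipv6() {
    awk '
        $1 == "inet6" {
            seen = 1
            for (i = 3; i < NF; i++)
                if ($i == "scope" && $(i + 1) == "global") has_global = 1
        }
        END {
            if (!seen)           print "disabled"
            else if (has_global) print "global"
            else                 print "link-local"
        }'
}

# Constructed sample outputs (2001:db8::/32 is the documentation prefix).
SAMPLE_GLOBAL='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet 192.168.1.10/24 brd 192.168.1.255 scope global dynamic eth0
    inet6 2001:db8:0:1::10/128 scope global dynamic noprefixroute
    inet6 fe80::216:3eff:fe00:1/64 scope link noprefixroute'
SAMPLE_LINKLOCAL='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 fe80::216:3eff:fe00:1/64 scope link noprefixroute'
# An IPv4 "scope global" line must not be mistaken for an IPv6 address.
SAMPLE_NONE='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet 192.168.1.10/24 brd 192.168.1.255 scope global dynamic eth0'

for sample in "$SAMPLE_GLOBAL" "$SAMPLE_LINKLOCAL" "$SAMPLE_NONE"; do
    printf '%s\n' "$sample" | classify_ipv6
done
# On the instance itself: ip addr | classify_ipv6
```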
Step 2: Configure IPv6 security rule for ECS02
You must configure an IPv6 security group rule for the ECS02 instance to allow inbound requests from IPv6 clients.
- Log in to the ECS console.
- In the left-side navigation pane, choose .
- In the top navigation bar, select the region where the security group is deployed. In this example, China (Shanghai) is selected.
- On the Security Groups page, find the target security group and click Manage Rules in the Actions column.
- On the Security Group Details page, click the Inbound tab in the Rules section.
- Click Add Rule, configure an IPv6 security group rule with the following parameters, and then click Submit.

| Parameter | Description |
| --- | --- |
| Action | Specifies whether to allow access. In this example, Allow is selected. |
| Priority | The priority of the security group rule. A smaller value indicates a higher priority. Valid values: 1 to 100. In this example, the default value 1 is used. |
| Protocol | The protocol of the inbound traffic to allow. In this example, All ICMP - IPv6 is selected. |
| Source | The source IPv6 CIDR block. In this example, ::/0 is entered to allow access from all IPv6 addresses. Note: The source configured in this example is for demonstration purposes only. You can allow access from a specific IPv6 CIDR block to meet your business needs. |
| Destination (current instance) | The port range for which inbound traffic is allowed. If you set Protocol to All ICMP - IPv6, this field is automatically set to All (-1/-1) and is read-only. |
| Description | Enter a custom description. |

Step 3: Create an ALB instance
- Log on to the ALB console.
- On the Instances page, click Create ALB.
- On the buy page, configure the following parameters, click Buy Now, and then complete the payment as prompted.
  This section describes only the parameters that are relevant to this document. Use the default values for other parameters. For more information about the parameters, see Create and manage an ALB instance.

| Parameter | Description |
| --- | --- |
| Region | The region where the instance is deployed. In this example, China (Shanghai) is selected. |
| Network Type | The network type of the instance. The system assigns a private or public service address based on your selection. In this example, select Public. Note: Selecting Public for Network Type applies only to IPv4. The network type for IPv6 is private by default. This topic uses the public network type for IPv6. You must perform Step 4 to change the network type for IPv6 to public. |
| VPC | Select the VPC where the instance is deployed. Note: Make sure that IPv6 is enabled for the VPC. |
| Zone ID | Select at least two zones. In this example, select Shanghai Zone E and Shanghai Zone G. Select a vSwitch in each selected zone. In this example, select VSW1 in Zone E and VSW2 in Zone G. |
| IP Version | The IP version of the instance. In this example, select Dual-stack. |
| Edition (Instance Fee) | The edition of the instance. In this example, select Standard. |
| Instance Name | Enter a custom name for the instance. |
| Service-linked Role | When you create an ALB instance for the first time, click Create Service-linked Role to create a service-linked role named AliyunServiceRoleForAlb. The system attaches the AliyunServiceRolePolicyForAlb policy to the role. This policy grants ALB permissions to access other cloud services. For more information, see System policies for ALB. |

- After you create a public dual-stack ALB instance, perform the following steps to change the IPv6 address of the ALB instance to a public address because this topic requires a public IPv6 address. For more information, see Protocol Version.
  - Return to the Instances page, find the target ALB instance, and then click its ID.
  - On the Instance Details tab, find the Network field in the Basic Information section. Then, click Change Network Type to the right of IPv6: private.
  - In the Change Network Type dialog box, click OK.
    After the change is complete, the network type for IPv6 becomes public.
Step 4: Create a server group
- In the left-side navigation pane, choose .
- On the Server Groups page, click Create Server Group.
- In the Create Server Group dialog box, configure the following parameters and click Create.
  This section describes only the parameters that are relevant to this document. Use the default values for other parameters. For more information about the parameters, see Create and delete a server group.

| Parameter | Description |
| --- | --- |
| Server Group Type | The type of the server group. In this example, select Server Type. |
| Server Group Name | Enter a custom name for the server group. |
| VPC | Select the VPC from the drop-down list. Only servers in this VPC can be added to the server group. Note: Make sure that IPv6 is enabled for the selected VPC and that it is the same VPC that you selected when you created the ALB instance. |
| Backend Server Protocol | The backend protocol. In this example, select HTTP. |
| Scheduling Algorithm | The scheduling algorithm. In this example, select Weighted Round-robin. |
| IPv6 | Enable IPv6 for the server group. For this scenario, select Enable IPv6. |
| Session Persistence | Determines whether to enable session persistence. In this example, the feature is disabled by default. |
| Health Check | Specifies whether to enable health checks. In this example, health checks are enabled. |
| Health Check Settings | After you enable health checks, you can click Edit to configure more parameters. |

- On the Server Group page, find the target server group and click its ID.
- Click the Backend Servers tab and then click Add Backend Server.
- In the Add Backend Server panel, select the ECS01 and ECS02 instances that you created. In the IP Address column, select the IPv4 address for the ECS01 instance and the IPv6 address for the ECS02 instance. Then, click Next.
- In the Ports/Weights step, set the port and weight for the ECS01 and ECS02 instances, and then click OK.
  In this example, the port for the ECS instances is set to 80 and the weight is set to the default value of 100.
Step 5: Configure a listener
- On the Instances page, find the target instance and click its ID.
- Click the Listener tab and then click Create Listener.
- In the Configure Listener wizard, configure the following parameters and click Next.
  This section describes only the parameters that are relevant to this document. Use the default values for other parameters. For more information about how to configure a listener, see Add an HTTP listener.

| Parameter | Description |
| --- | --- |
| Select Listener Protocol | The protocol of the listener. In this example, select HTTP. |
| Listener Port | The port that the listener uses to receive and forward requests to backend servers. In this example, enter 80. |
| Listener Name | Enter a custom name for the listener. |
| Advanced Settings | In this example, the default settings are used. You can click Modify to change the settings. |

- In the Server Group configuration wizard, select Server Type and the target server group under Server Type, view the backend server information, and then click Next.
- In the Confirm step, confirm the configurations and click Submit.
- Click OK to return to the Listener tab. When the Health Check Status column of the listener shows Healthy, it indicates that the backend servers ECS01 and ECS02 can process requests from the ALB instance.
Step 6: Configure DNS resolution
In a production environment, use your own domain name and point it to the DNS name of the ALB instance by creating a CNAME record.
- In the left navigation pane, choose .
- On the Instances page, copy the DNS name of your ALB instance.
- Add a CNAME record to map your domain name to the DNS name of the ALB instance.
  Note: If your domain name is not registered with Alibaba Cloud, you must first add it to the Alibaba Cloud DNS console before you can configure DNS records. For more information, see Domain Name Management. If your domain name is registered with Alibaba Cloud, you can proceed to the next steps.
  - Log on to the Alibaba Cloud DNS console.
  - On the Authoritative DNS Resolution page, find your domain name and click Settings in the Operations column.
  - On the Settings page, click Add Record.
  - In the Add Record panel, configure the following parameters to create the CNAME record, and then click OK.

| Configuration | Description |
| --- | --- |
| Record Type | Select CNAME from the drop-down list. |
| Hostname | The prefix for your domain name. This tutorial uses @. Note: To use the root domain, set the host to @. |
| Query Source | Select Default. |
| Record Value | Paste the copied DNS name of the ALB instance. |
| TTL | The Time to Live (TTL) is the amount of time the record is cached on a DNS server. This tutorial uses the default value. |

Step 7: Test connectivity
Before you test connectivity, make sure your client supports IPv6. You can enter http://test-ipv6.com/ in your browser's address bar to check whether your client supports IPv6.
On a client with IPv6 connectivity, test that the ALB instance correctly routes traffic to the ECS01 and ECS02 servers.
- Open a command-line terminal on the client.
- Run the following command multiple times to test whether the IPv6 client can access the IPv4 and IPv6 ECS instances through the ALB instance in a round-robin fashion.

      curl -6 http://<your-domain-name> -v

  If a response similar to the following one is returned, the IPv6 client can access the IPv4 ECS instance.

      C:\Users\w***g>curl -6 http://xxx.com -v
      * Rebuilt URL to: http://xxx.com/
      * Trying 2408:xxx:d3:c2b:df22:bc09...
      * TCP_NODELAY set
      * Connected to xxx.com (2408:xxx:f22:bc09) port 80 (#0)
      > GET / HTTP/1.1
      > Host: xxx.com
      > User-Agent: curl/7.55.1
      > Accept: */*
      >
      < HTTP/1.1 200 OK
      < Date: Wed, 07 Sep 2022 06:52:47 GMT
      < Content-Type: text/html
      < Content-Length: 31
      < Connection: keep-alive
      < Last-Modified: Wed, 07 Sep 2022 03:13:10 GMT
      < ETag: "63180c46-1f"
      < Accept-Ranges: bytes
      <
      Hello World ! this is ipv4 rs.

  If a response similar to the following one is returned, the IPv6 client can access the IPv6 ECS instance.

      C:\Users\wxxx>curl -6 http://xxx.s.com -v
      * Rebuilt URL to: http://xxx.com/
      * Trying 2408:40xxx:df22:bc09...
      * TCP_NODELAY set
      * Connected to xxx.s.com (2408:xxx:22:bc09) port 80 (#0)
      > GET / HTTP/1.1
      > Host: xxx
      > User-Agent: curl/7.55.1
      > Accept: */*
      >
      < HTTP/1.1 200 OK
      < Date: Wed, 07 Sep 2022 06:53:04 GMT
      < Content-Type: text/html
      < Content-Length: 31
      < Connection: keep-alive
      < Last-Modified: Wed, 07 Sep 2022 03:13:50 GMT
      < ETag: "63180c6e-1f"
      < Accept-Ranges: bytes
      <
      Hello World ! this is ipv6 rs.

The results confirm that the ALB instance is successfully distributing traffic from IPv6 clients to both your IPv4 and IPv6 services.
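Repeating the request by hand can be replaced with a loop that tallies which backend answered. The following is an added example, not part of the original documentation: `probe` sends the same `curl -6` request several times and `tally_backends` counts responses by the index.html text written in Step 1, returning a non-zero status unless both backends were seen. The function names and the sample bodies are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page).

# tally_backends: reads one response body per line on stdin and counts which
# backend produced it, using the index.html contents written in Step 1.
# Exit status is 0 only when both the IPv4 and the IPv6 backend answered.
tally_backends() {
    awk '
        /this is ipv4 rs\./ { v4++ }
        /this is ipv6 rs\./ { v6++ }
        { total++ }
        END {
            printf "ipv4=%d ipv6=%d other=%d\n", v4, v6, total - v4 - v6
            exit !(v4 > 0 && v6 > 0)
        }'
}

# probe URL COUNT: request URL over IPv6 only, COUNT times. Each body is
# flattened to one line; a failed request yields an empty line ("other").
probe() {
    i=0
    while [ "$i" -lt "$2" ]; do
        printf '%s\n' "$(curl -6 -s --max-time 5 "$1" | tr '\n' ' ')"
        i=$((i + 1))
    done
}

# Constructed sample: three backend answers and one unexpected body.
SAMPLE_BODIES='Hello World ! this is ipv4 rs.
Hello World ! this is ipv6 rs.
Hello World ! this is ipv4 rs.
<html>502 Bad Gateway</html>'

printf '%s\n' "$SAMPLE_BODIES" | tally_backends
# Against the real listener: probe "http://<your-domain-name>" 10 | tally_backends
```

A non-zero `other` count, or a non-zero exit status, points to an unhealthy backend or to a response that did not come from either ECS instance.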
Clean up resources
- Clean up ECS and security group resources:
  - Delete the ECS01 instance and its security group:
    - Log on to the ECS console. In the top navigation bar, select the region where the instance is deployed. Find the ECS01 instance, click the icon in the Actions column, and select Release. Then, confirm the immediate release of the instance.
    - Log on to the security group console. In the top navigation bar, select the region where the security group is deployed. Select the custom security group of ECS01 and click Delete.
  - Follow the preceding steps to delete the ECS02 instance and its associated security group.
- Delete DNS records:
  Delete the CNAME record that you created. For more information, see Delete a DNS record.
- Clean up ALB resources:
  - Log on to the ALB console. In the top navigation bar, select the region where the instance is deployed. Find the target instance, click the icon in the Actions column, and select Release. Then, confirm the operation.
  - Remove the backend servers from the server group. For more information, see Create and manage a server group.
  - Delete the server group. For more information, see Create and manage a server group.
- Clean up VPC resources:
  - Log on to the VPC console. In the top navigation bar, select the region where the VPC is deployed.
  - Find the target VPC instance and click Delete in the Actions column. The system checks for dependent resources. If any exist, you must delete them before you can delete the VPC and its vSwitches.
-
Related documents
- To learn about the use cases and components of ALB, see What is Application Load Balancer?.
- For more information about the features of ALB, see Features.
- To view ALB quotas and learn how to request an increase, see Quotas and limits.
- For information about the regions that support ALB, see Regions and zones that support ALB.
- For information about ALB billing, including billing methods, billable items, and pricing, see Billing of ALB.