IPv6 Support for AWS Appliance, Flow Logs, and GuardDuty
Cloud Detection and Response (CDR) also supports IPv6 addresses for AWS. Events containing IPv6 addresses are supported across Flow Logs, GuardDuty, and CDR appliances.
Key Highlights
The following are the highlights regarding IPv6 support available in the AWS cloud platform related to CDR functionality.
VPC Network
- VPCs can be configured with dual-stack Classless Inter-Domain Routing (CIDR) blocks, supporting both IPv4 and IPv6. However, VPCs with only IPv6 addresses are currently not supported.
- Each VPC in AWS receives a /56 IPv6 CIDR block for subnet allocation.
Subnetwork
- AWS subnets can be configured to support IPv4-only, dual-stack (IPv4 and IPv6), or IPv6-only setups. However, traffic mirroring functionality is not supported in IPv6-only subnets, whether as a source or destination.
- Subnets should be created with a dual-stack configuration to accommodate IPv6.
- Each subnet within the VPC can be allocated a /64 IPv6 CIDR block from the VPC's /56 CIDR range.
IPv6 Addressing
- The IPv6 addresses AWS assigns in a VPC are global unicast addresses: they are globally unique and routable over the Internet, so there is no NAT boundary hiding a host. Whether a host is actually reachable from the Internet is decided only by its subnet's routing (IGW versus Egress-Only Internet Gateway) and by security groups and network ACLs.
IPv6 Connectivity
- The AWS NAT Gateway does not support internet connectivity for IPv6 targets. For IPv6 traffic, an Internet Gateway (IGW) or Egress-Only Internet Gateway (EIGW) must be used.
- To ensure secure deployment, the CDR Appliance should be placed in a private subnet. IPv6 connectivity can be achieved by associating it with an Egress-Only Internet Gateway (EIGW). The EIGW is stateful: it forwards connections initiated from inside the VPC and their return traffic, but drops connections initiated from the Internet, so the appliance stays unreachable from outside.
- The Internet Gateway (IGW) should be used as the default route for public IPv6 subnets just as it is for IPv4.
- Route tables must include appropriate IPv6 routes, for example, ::/0 to enable internet connectivity.
Traffic Mirroring - IPv6
- VPC traffic mirroring can mirror IPv6 traffic and deliver it to the mirror target using a standard VXLAN tunnel, whose outer header is IPv4.
- The traffic mirror filter should include rules that match IPv6 traffic.
- VPC traffic mirroring does not support IPv6-only subnets. Both the mirror source (the TAP network interface) and the mirror target must have IPv4 addresses; IPv6 on either of them is optional.
Load Balancer - IPv6
- Network Load Balancers (NLBs) support dual-stack (IPv4 and IPv6) operation, and IPv6 payloads can be mirrored to them, but delivery to the NLB must occur over IPv4 because the VXLAN tunnel is IPv4.
- Gateway Load Balancer endpoints (GWLBe) must be located in dual-stack subnets; a GWLBe cannot be deployed in an IPv6-only subnet.
Deployment Requirements for IPv6 Traffic Mirroring
The configurations below are necessary to ensure traffic mirroring support for IPv6.
- AWS CDR should be deployed in a dual-stack (IPv4 + IPv6) private subnet when IPv6 connectivity is required.
- Application workloads must also be deployed in dual-stack subnets.
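The IPv6 Connectivity, Traffic Mirroring, and Deployment Requirements sections above together describe a small set of conditions a subnet must meet before IPv6 traffic mirroring will work: dual-stack addressing, a /64 carved from the VPC's /56, a ::/0 route that points at an EIGW for the private appliance subnet (or an IGW for a public subnet), and a mirror filter that actually matches IPv6. The following is an added example, not code from the original page or from the CDR product, that encodes those conditions as a pre-deployment check over records shaped like the boto3 `describe_vpcs`, `describe_subnets`, `describe_route_tables`, and `describe_traffic_mirror_filters` responses. The sample records are constructed (documentation-range addresses, placeholder resource IDs) rather than captured from a real account; the function names and the `exposure` argument are this example's own.

```python
"""Pre-deployment check for IPv6 traffic mirroring on AWS (added example).

Inputs follow the boto3 EC2 describe_* response shapes. The records below are
constructed for the example; resource IDs are placeholders.
"""
import ipaddress


def _v6_blocks(resource):
    """Associated IPv6 CIDR blocks on a VPC or subnet record."""
    return [
        ipaddress.ip_network(a["Ipv6CidrBlock"])
        for a in resource.get("Ipv6CidrBlockAssociationSet", [])
        if a.get("Ipv6CidrBlockState", {}).get("State") == "associated"
    ]


def is_dual_stack(subnet):
    """Traffic mirroring and GWLB endpoints need IPv4, so IPv6-only subnets fail."""
    has_v4 = bool(subnet.get("CidrBlock")) and not subnet.get("Ipv6Native", False)
    return has_v4 and bool(_v6_blocks(subnet))


def subnet_v6_inside_vpc(subnet, vpc):
    """Every subnet IPv6 block must be a /64 inside one of the VPC's blocks (/56)."""
    vpc_blocks = _v6_blocks(vpc)
    return all(
        s.prefixlen == 64 and any(s.subnet_of(v) for v in vpc_blocks)
        for s in _v6_blocks(subnet)
    )


def ipv6_default_route_target(route_table):
    """Gateway ID behind the active ::/0 route, or None if there is none."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationIpv6CidrBlock") == "::/0" and route.get("State") == "active":
            return (route.get("EgressOnlyInternetGatewayId")
                    or route.get("GatewayId")
                    or route.get("NatGatewayId"))
    return None


def filter_matches_ipv6(mirror_filter):
    """True if any accept rule carries an IPv6 source or destination CIDR."""
    rules = mirror_filter.get("IngressFilterRules", []) + mirror_filter.get("EgressFilterRules", [])
    for rule in rules:
        if rule.get("RuleAction") != "accept":
            continue
        for key in ("SourceCidrBlock", "DestinationCidrBlock"):
            cidr = rule.get(key)
            if cidr and ipaddress.ip_network(cidr, strict=False).version == 6:
                return True
    return False


def check_mirroring_deployment(vpc, subnet, route_table, mirror_filter, exposure):
    """Return a list of findings; empty means the subnet meets the requirements.

    exposure is 'private' for the CDR appliance subnet (::/0 must go to an EIGW)
    or 'public' for a public subnet (::/0 must go to an IGW).
    """
    findings = []
    if not is_dual_stack(subnet):
        findings.append("subnet must be dual-stack: mirroring and GWLB endpoints require IPv4")
    if not subnet_v6_inside_vpc(subnet, vpc):
        findings.append("subnet IPv6 CIDR must be a /64 taken from the VPC's /56")
    target = ipv6_default_route_target(route_table)
    if target is None:
        findings.append("route table has no active ::/0 route, so IPv6 egress will fail")
    elif exposure == "private" and not target.startswith("eigw-"):
        findings.append(f"private subnet ::/0 should use an egress-only internet gateway, not {target}")
    elif exposure == "public" and not target.startswith("igw-"):
        findings.append(f"public subnet ::/0 should use an internet gateway, not {target}")
    if not filter_matches_ipv6(mirror_filter):
        findings.append("mirror filter has no accept rule that matches IPv6 traffic")
    return findings


# Constructed sample records (documentation prefix 2001:db8::/32, placeholder IDs).
VPC = {"VpcId": "vpc-0placeholder", "CidrBlock": "10.0.0.0/16",
       "Ipv6CidrBlockAssociationSet": [{"Ipv6CidrBlock": "2001:db8:1234:ab00::/56",
                                        "Ipv6CidrBlockState": {"State": "associated"}}]}
PRIVATE_SUBNET = {"SubnetId": "subnet-0private", "CidrBlock": "10.0.1.0/24",
                  "Ipv6CidrBlockAssociationSet": [{"Ipv6CidrBlock": "2001:db8:1234:ab01::/64",
                                                   "Ipv6CidrBlockState": {"State": "associated"}}]}
V4_ONLY_SUBNET = {"SubnetId": "subnet-0v4only", "CidrBlock": "10.0.2.0/24"}
PRIVATE_RT = {"Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0placeholder", "State": "active"},
    {"DestinationIpv6CidrBlock": "::/0", "EgressOnlyInternetGatewayId": "eigw-0placeholder", "State": "active"},
]}
PUBLIC_RT = {"Routes": [
    {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-0placeholder", "State": "active"},
]}
MIRROR_FILTER = {"TrafficMirrorFilterId": "tmf-0placeholder",
                 "IngressFilterRules": [{"RuleNumber": 100, "TrafficDirection": "ingress",
                                         "RuleAction": "accept", "Protocol": 6,
                                         "SourceCidrBlock": "::/0", "DestinationCidrBlock": "::/0"}],
                 "EgressFilterRules": []}
V4_ONLY_FILTER = {"TrafficMirrorFilterId": "tmf-0v4only",
                  "IngressFilterRules": [{"RuleNumber": 100, "RuleAction": "accept",
                                          "SourceCidrBlock": "0.0.0.0/0", "DestinationCidrBlock": "0.0.0.0/0"}]}

if __name__ == "__main__":
    print("appliance subnet:", check_mirroring_deployment(VPC, PRIVATE_SUBNET, PRIVATE_RT, MIRROR_FILTER, "private"))
    print("misconfigured:", check_mirroring_deployment(VPC, V4_ONLY_SUBNET, PUBLIC_RT, V4_ONLY_FILTER, "private"))
```

Run against real data by feeding the `Vpcs`, `Subnets`, `RouteTables`, and `TrafficMirrorFilters` elements of the corresponding boto3 calls; the check deliberately treats an `igw-` target on the appliance subnet as a finding, because an IGW route would make the appliance's global unicast address reachable from the Internet, which is exactly what the EIGW placement above avoids.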