IPv6 web apps on Azure

IPv6 web apps on Azure

Avatar Oscar de Groot

Oscar de Groot

As part of a push to adopt modern internet standards, we attempted to make our customer’s websites available over IPv6 using Azure. We were surprised to find that support is very limited: it can be done using VMs, but not with any of the higher-level PaaS components.

The driving force behind this was internet.nl, which is an initiative of the Dutch Internet Standards Platform. It is a test tool that shows if your website has things like HTTPS and DNSSEC configured properly. It shows that we do not have IPv6.

screenshot internet.nl test results

The customer websites run on Azure Kubernetes Service (AKS), behind an Application Gateway (AppGw). The DNS is managed by an external provider. Ideally, we would just enable IPv6 on the AppGw and be done with it.

diagram azure appgw ipv6

However, this does not work: Azure AppGws do not support IPv6. ❌

Does Application Gateway support IPv6?
Application Gateway v2 does not currently support IPv6.

We considered some alternatives.

  • AKS - IPv6 support is kubenet-only and still in public preview. (docs, feature)
  • App Service - does not support IPv6. This includes derived services like Function Apps and Container Instances. (source)
  • Azure Front Door (AFD) - supports IPv6, but does not support DNSSEC.
    ℹ️ AFD does DNS-based routing. You must CNAME your domain to AFD. DNSSEC validation follows CNAME pointers, so the CNAME target must also support DNSSEC. A test showed that AFD’s DNS does not. This is likely because AFD’s DNS is Azure DNS, which does not support DNSSEC. (source)
  • External IPv6 stripping proxy - Cloudflare supports IPv6.
    However, Cloudflare uses TLS cipher suites that should be phased out, according to internet.nl. Changing Cloudflare’s TLS settings is very costly.

There is only one working alternative within Azure: a 6to4 proxy VM. We’ve verified that setting up two VMs to run as 6to4 TCP proxies does work, it indeed adds IPv6 support. The general downsides of VMs apply: they must be maintained, admin access must be secured (Bastion), and having them opens additional opportunities for vulnerabilities. Additionally, troubleshooting connection issues will become more difficult, since both the IPv6 and IPv4 routes will need to be considered.

diagram azure IPv6 rejected options

With these considerations, we’ve decided to put the IPv6 project on hold, at least until Microsoft adds support for DNSSEC. Full IPv6 support would be ideal. There is some pressure on Microsoft to implement this (“Make all services available with IPv6 addresses”), but currently no date has been set.

This article is based on research from Januari 2021. The information was last checked and updated as of May 2022.