
IAM Role and SG created by CFT are insufficient to allow or move IPv6 addresses

Open mikeoleary opened this issue 3 years ago • 1 comment

Summary

  • The SecurityGroups created by this CFT allow IPv4 but not IPv6 traffic.
  • The IAM role created by this template should include these two actions if a user would like CFE to work with IPv6 addresses: EC2: AssignIpv6Addresses and EC2: UnassignIpv6Addresses

I think the SG and IAM role should support IPv6, since we include IPv4 by default only but F5 and CFE support both IPv4 and IPv6.

Details

I had a customer ask for help after he was told that CFE supported IPv6 failover within an AZ (i.e. same subnet). After deploying this template (v 5.12) I had to take the following steps to make a virtual server with IPv6 receive traffic and have failover work.

  • edit IAM role created by template to include actions of EC2: AssignIpv6Addresses and EC2: UnassignIpv6Addresses
  • edit "external" Security Group to allow traffic from IPv6 addresses
  • create a "primary" IPv6 address on each ENI. I created a matching IPv6 self IP in F5, although this was not required for me to have traffic flow and failover functionality.
  • create a "secondary" IPv6 address on ENI, and a matching VIP in F5 config to service traffic
  • No changes to default CFE config which was great.

I think we should handle the first 2 points in the CFT, since this is what we do for IPv4.

Error Details

If this is not done, this is the error message I get in /var/log/restnoded/restnoded.log:

Wed, 23 Jun 2021 15:11:21 GMT - fine: [f5-cloud-failover] disassociating ipv6 addresses: {"NetworkInterfaceId":"eni-xxxxxxxxxxxxx","Ipv6Addresses":["xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx","xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx"]}
Wed, 23 Jun 2021 15:11:21 GMT - finest: [f5-cloud-failover] Function error, retrying: You are not authorized to perform this operation. Encoded authorization failure message: [long redacted encoded string] Retries left: 49

Also, I believe I hit a bug which I reported separately for the CFE when IPv6 is used and you edit your IPv6 VIPs. Something to be aware of if you are testing this. Thanks!

mikeoleary avatar Jun 23 '21 21:06 mikeoleary
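As an added example (not part of this issue or of the f5-aws-cloudformation template), here is a CloudFormation fragment that covers the first two points above: an IAM policy granting the two IPv6 ENI actions to the role the template creates, and an IPv6 ingress rule on the "external" security group. The logical names BigipInstanceRole and ExternalSecurityGroup are assumed placeholders for whatever the template actually names the role and SG, and the port (443) and the AllowedIpv6Cidr parameter are assumptions.

```yaml
Parameters:
  # Assumed parameter: the IPv6 source range allowed to reach the VIP.
  # Mirror whatever restriction the template applies to the IPv4 source
  # (a default of ::/0 exposes the VIP to the whole IPv6 Internet).
  AllowedIpv6Cidr:
    Type: String
    Default: "::/0"

Resources:
  # Policy attached to the BIG-IP instance role so CFE can move the
  # "secondary" IPv6 address between ENIs on failover. Without these two
  # actions CFE logs "You are not authorized to perform this operation"
  # when it tries to disassociate/associate IPv6 addresses (see log above).
  CfeIpv6FailoverPolicy:            # hypothetical resource name
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: cfe-ipv6-failover
      Roles:
        - !Ref BigipInstanceRole    # assumed: the role created by the CFT
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - ec2:AssignIpv6Addresses
              - ec2:UnassignIpv6Addresses
            # "*" keeps parity with the template's IPv4 address actions;
            # it can be narrowed to the BIG-IP network-interface ARNs.
            Resource: "*"

  # IPv6 ingress on the "external" SG. The SG created by the CFT carries
  # only CidrIp (IPv4) rules, so IPv6 clients are dropped even once the
  # VIP has an IPv6 address. CidrIpv6 is the IPv6 counterpart of CidrIp.
  ExternalSgIpv6Ingress:            # hypothetical resource name
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref ExternalSecurityGroup   # assumed: "external" SG from the CFT
      IpProtocol: tcp
      FromPort: 443                 # assumed: port served by the IPv6 VIP
      ToPort: 443
      CidrIpv6: !Ref AllowedIpv6Cidr
```

After the stack update, the restnoded.log "disassociating ipv6 addresses" line should no longer be followed by the authorization failure and retry messages.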

Thanks for submitting this issue. We are now tracking this request internally with ID ESECLDTPLT-2715.

shyawnkarim avatar Jul 02 '21 21:07 shyawnkarim

Closing due to age. These legacy templates are now in maintenance mode and are being replaced by our next-generation templates available in the Cloud Templates 2.0 GitHub repo.

shyawnkarim avatar Nov 11 '22 23:11 shyawnkarim