brtech

Reputation: 11

IPv6 DNS query on Azure

I need to launch an IPv6 DNS query from my Azure VM. I need to control all the parameters of this query. I can do it via network calls or via the dig command. Can I do this with Azure? This probably: can the load balancer support an outbound IPv6 DNS query?

Upvotes: 1

Views: 1202

Answers (2)

Jim Lawson

Reputation: 11

We needed to confirm that our DNS servers handled queries coming in over IPv6, and Azure was one of the cloud providers we could use. It wasn't easy, but I eventually got it to work.

In order to get outgoing IPv6 service from an Azure VM, the VM needs to be created in an availability set with a load balancer that has public dynamic IPv6 addresses, inbound NAT rules for both IPv4 and IPv6, and load balancing rules for the same. Existing VMs can't be reconfigured to support this. Azure seems to create some sort of tunnel between the configured load balancer and the VMs you put in the same availability set. This isn't obvious from the VM's perspective, except in that you can only communicate over IPv6 with the outside Internet and not with the other VMs in your Azure subnet.

IPv6 support isn't currently possible to configure through the Azure portal. I made heavy use of the following two links to get this working:

https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-ipv6-overview

https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-ipv6-internet-ps

You'll need a Windows VM to run much of the above; PowerShell for Linux and AzureRM.NetCore.Preview does not have feature parity with PowerShell in Windows.

I had to hack at the above example for some time before coming up with the following ... you may need to hack it some more to work in your environment. Note that I ran this script from within PowerShell ISE so I could pre-configure the environment with $mySecureCredentials and Login-AzureRmAccount as necessary.

The below will create a CentOS 7.3 VM that can initiate IPv6 DNS queries against the Internet. Note that you'll have to enable your IPv6 interfaces in the guest after rebooting. Unfortunately my rep is too low to post more than 2 links, so search for 'azure linux dhcp ipv6' to see how to enable DHCPv6 client configuration on your VM.


# Requires the (classic) AzureRM PowerShell module and an existing resource group + virtual network.
$resgroupName = 'YourResourceGroup'
$location = 'East US'  # of course, select your preferred location

# You will need credentials for the VM's local administrator account. Run something like:
# $mySecureCredentials = Get-Credential -Message "Type the username and password of the local administrator account."
# You will also need to be logged into Azure (Login-AzureRmAccount).

# --- Public IP addresses and load balancer configuration ---
# The DNS labels must be unique within the region; change them if creation fails.
$publicIPv4 = New-AzureRmPublicIpAddress -Name 'lb-pub-ipv4' -ResourceGroupName $resgroupName -Location $location `
    -AllocationMethod Static -IpAddressVersion IPv4 -DomainNameLabel my-lbnrpipv4

# The IPv6 public IP is dynamically allocated (see the IPv6 overview linked above).
$publicIPv6 = New-AzureRmPublicIpAddress -Name 'lb-pub-ipv6' -ResourceGroupName $resgroupName -Location $location `
    -AllocationMethod Dynamic -IpAddressVersion IPv6 -DomainNameLabel my-lbnrpipv6

# One frontend and one backend pool per address family.
$FEIPConfigv4 = New-AzureRmLoadBalancerFrontendIpConfig -Name "LB-Frontendv4" -PublicIpAddress $publicIPv4
$FEIPConfigv6 = New-AzureRmLoadBalancerFrontendIpConfig -Name "LB-Frontendv6" -PublicIpAddress $publicIPv6

$backendpoolipv4 = New-AzureRmLoadBalancerBackendAddressPoolConfig -Name "BackendPoolIPv4"
$backendpoolipv6 = New-AzureRmLoadBalancerBackendAddressPoolConfig -Name "BackendPoolIPv6"

# This script assumes you already have a virtual network defined - replace myRG-vnet with the name of the virtual network you want to use.
$vnet = Get-AzureRmVirtualNetwork -Name myRG-vnet -ResourceGroupName $resgroupName

# I assume you want to use the default subnet.
$backendSubnet = Get-AzureRmVirtualNetworkSubnetConfig -Name default -VirtualNetwork $vnet

# --- NAT and load balancing rules ---
# Even if you don't actually need any inbound rules, some rules appear to be necessary to make outbound IPv6 work.
# These rules expose TCP/22 and TCP/80 on the public frontends; tighten them (or the guest firewall) if you keep the VM around.

# Inbound SSH (one NAT rule per address family)
$inboundNATRule1v4 = New-AzureRmLoadBalancerInboundNatRuleConfig -Name "NicNatRulev4" -FrontendIpConfiguration $FEIPConfigv4 -Protocol TCP -FrontendPort 22 -BackendPort 22
$inboundNATRule1v6 = New-AzureRmLoadBalancerInboundNatRuleConfig -Name "NicNatRulev6" -FrontendIpConfiguration $FEIPConfigv6 -Protocol TCP -FrontendPort 22 -BackendPort 22

# Load balancing rules (HTTP), again one per address family
$lbrule1v4 = New-AzureRmLoadBalancerRuleConfig -Name "HTTPv4" -FrontendIpConfiguration $FEIPConfigv4 -BackendAddressPool $backendpoolipv4 -Protocol TCP -FrontendPort 80 -BackendPort 80
$lbrule1v6 = New-AzureRmLoadBalancerRuleConfig -Name "HTTPv6" -FrontendIpConfiguration $FEIPConfigv6 -BackendAddressPool $backendpoolipv6 -Protocol TCP -FrontendPort 80 -BackendPort 80

$NRPLB = New-AzureRmLoadBalancer -ResourceGroupName $resgroupName -Name 'myNrpIPv6LB' -Location $location `
    -FrontendIpConfiguration $FEIPConfigv4,$FEIPConfigv6 -BackendAddressPool $backendpoolipv4,$backendpoolipv6 `
    -LoadBalancingRule $lbrule1v4,$lbrule1v6 -InboundNatRule $inboundNATRule1v4,$inboundNATRule1v6

# --- Network interface with an IPv4 and an IPv6 IP configuration ---
# The IPv6 configuration takes no -Subnet; it is bound to the load balancer's IPv6 pool and NAT rule.
$nic1IPv4 = New-AzureRmNetworkInterfaceIpConfig -Name "IPv4IPConfig" -PrivateIpAddressVersion "IPv4" -Subnet $backendSubnet `
    -LoadBalancerBackendAddressPool $backendpoolipv4 -LoadBalancerInboundNatRule $inboundNATRule1v4
$nic1IPv6 = New-AzureRmNetworkInterfaceIpConfig -Name "IPv6IPConfig" -PrivateIpAddressVersion "IPv6" `
    -LoadBalancerBackendAddressPool $backendpoolipv6 -LoadBalancerInboundNatRule $inboundNATRule1v6

$nic1 = New-AzureRmNetworkInterface -Name 'myNrpIPv6Nic0' -IpConfiguration $nic1IPv4,$nic1IPv6 `
    -ResourceGroupName $resgroupName -Location $location

# --- Availability set (required for the load balancer / IPv6 association) ---
New-AzureRmAvailabilitySet -Name "myNrpIPv6AvSet" -ResourceGroupName $resgroupName -Location $location
$avset1 = Get-AzureRmAvailabilitySet -ResourceGroupName $resgroupName -Name 'myNrpIPv6AvSet'

# --- Storage account for the OS disk VHD ---
# Storage account names must be 3-24 lowercase letters/digits and globally unique; change 'mynrpipv6stacct' if needed.
try {
    New-AzureRmStorageAccount -ResourceGroupName $resgroupName -Name 'mynrpipv6stacct' -Location $location `
        -SkuName "Standard_LRS" -ErrorAction Stop
} catch {
    Write-Warning "New storage account failed, let's just hope it was a dup and gets found anyway: $_"
}

# Find my existing storage account
$storAcct = Get-AzureRmStorageAccount -ResourceGroupName $resgroupName -Name 'mynrpipv6stacct'
if (-not $storAcct) {
    throw "I could not find a storage account"
}

# Re-read the NIC so we have its resource Id
$nic1 = Get-AzureRmNetworkInterface -ResourceGroupName $resgroupName -Name 'myNrpIPv6Nic0'

# --- VM definition: CentOS 7.3, attached to the NIC and availability set above ---
$vm1 = New-AzureRmVMConfig -VMName 'myNrpLinuxIPv6VM1' -VMSize 'Standard_D1' -AvailabilitySetId $avset1.Id
$vm1 = Set-AzureRmVMOperatingSystem -VM $vm1 -Linux -ComputerName 'myNrpLinuxIPv6VM1' -Credential $mySecureCredentials
$vm1 = Set-AzureRmVMSourceImage -VM $vm1 -PublisherName OpenLogic -Offer CentOS -Skus '7.3' -Version "latest"
$vm1 = Add-AzureRmVMNetworkInterface -VM $vm1 -Id $nic1.Id -Primary
$osDisk1Uri = $storAcct.PrimaryEndpoints.Blob.ToString() + "vhds/myNrpLinuxIPv6VM1osdisk.vhd"
$vm1 = Set-AzureRmVMOSDisk -VM $vm1 -Name 'myNrpLinuxIPv6VM1osdisk' -VhdUri $osDisk1Uri -CreateOption FromImage

Write-Output "Now creating..."
New-AzureRmVM -ResourceGroupName $resgroupName -Location $location -VM $vm1
Write-Output "Done"

Upvotes: 1

garbrad

Reputation: 241

I don't understand what you mean by launch an IPv6 query. Do you mean query for an AAAA record, or do you mean IPv6 network traffic? If you meant the query type, then tools like nslookup and dig allow you to control the query, but when looking up a hostname in things like browsers they let the OS decide how to resolve the name; that's not Azure specific. If you're talking about IP level traffic, the Azure DNS recursive resolvers are only contactable using IPv4 at present.

Upvotes: 0
