IPv6 networking
evroc Compute supports IPv6 alongside IPv4, giving you the flexibility to run workloads on dual-stack or IPv6-only networks. This page explains how IPv6 works with VPCs, subnets, and VMs on the evroc platform.
What is a stack type?
Every VPC, subnet, and VM has a stack type that determines which IP protocols it uses:
- Dual-stack — IPv4 and IPv6 addresses are both assigned
- IPv6-only — Only IPv6 addresses are assigned
A resource's stack type must be compatible with its parent resource. A dual-stack VPC can contain dual-stack or IPv6-only subnets. An IPv6-only VPC can only contain IPv6-only subnets. A VM's stack type must be compatible with the subnet it runs in.
| Subnet type | Valid VM stack types |
|---|---|
| Dual-stack | Dual-stack, IPv6-only |
| IPv6-only | IPv6-only |
IPv6 address assignment
When you create a dual-stack or IPv6-only subnet, evroc automatically allocates a /64 IPv6 CIDR block for it from the parent VPC's IPv6 block. You don't specify this range — the service handles it and reflects the allocated CIDR on the subnet's status.
VMs receive their IPv6 addresses automatically from the subnet's range. Like IPv4 addresses, these are assigned by the system rather than specified at creation time.
Default networking
When you create a new project, evroc automatically provisions a dual-stack VPC and one dual-stack subnet per availability zone. This means IPv6 is present from the start — you don't need to enable it.
The default VPC receives a /56 IPv6 CIDR block and each default subnet receives a /64 block carved from that VPC range. The /64 blocks are not contiguous - different projects can have different orders of /64 blocks across zones.
Security groups and IPv6
Security group rules can target IPv6 addresses and CIDR ranges using the same fields as IPv4. A rule that specifies an IPv6 CIDR only applies to IPv6 traffic, and a rule that specifies an IPv4 CIDR only applies to IPv4 traffic.
The default security groups provided with every project include both IPv4 and IPv6 rules, so VMs with IPv6 addresses aren't left with implicit deny on all traffic. When you create custom rules for IPv6 workloads, write separate rules for each protocol version:
# Ingress rule for IPv4 SSH
remote:
address:
ipAddressOrCIDR: 0.0.0.0/0
# Ingress rule for IPv6 SSH
remote:
address:
ipAddressOrCIDR: ::/0
Limitations
The following features aren't supported:
- Customer-specified IPv6 CIDR blocks for VPCs or subnets — these are service-allocated
- Static IPv6 address assignment on VMs — addresses are assigned automatically
- NAT64 or DNS64 for IPv6-only VMs to reach IPv4-only internet destinations
- Multiple network interfaces on a VM
Next steps
- Learn how to configure VPCs with IPv6 support
- Learn how to configure subnets with IPv6 support