Adopting Public IPv6 for Three-Tier Web Applications

  • Thread starter: jasonmedina

With public IPv4 addresses nearing full allocation, the costs and effort of maintaining IPv4 public IPs for your workloads will only increase. Using IPv6 public addresses can resolve this; there are more of them, and they are more affordable to acquire. Doing so also improves compatibility with any IPv6-primary clients, such as IoT devices.

With Application Gateways now supporting dual-stack configuration, you can use an IPv6 address as your front-end for web applications in Azure. Making this change only impacts the front-end; you do not need to assign any internal IPv6 address space to use this, and you can continue to use an IPv4 front-end where needed.

This document streamlines the process of exposing your current web applications to the internet via IPv6 while continuing to run IPv4 on your Azure Virtual Machines. This scenario is ideal for those who need IPv6 exposure but do not require full adoption of IPv6 within Azure.





Existing Solution

The entire environment operates on IPv4 and consists of a single Virtual Network with four subnets:



AppGwSubnet

Contains an Application Gateway that acts as the frontend, load balancing traffic to the web servers in the WebSubnet.



WebSubnet

Contains two IIS web servers that direct traffic to the AppServer Internal Load Balancer VIP in the AppSubnet, which distributes the load among the AppServers.



AppSubnet

Contains two AppServers that direct traffic to the Database Internal Load Balancer VIP in the DataSubnet, which distributes the load among the database servers.



DataSubnet

Contains two database servers using Master/Slave replication that respond to queries from the AppServers.












Step-by-Step Adoption Process



1. Develop an IPv6 address plan and update your virtual network with an IPv6 address space.




1a. Refer to the Conceptual planning for IPv6 networking for guidance on planning your IPv6 networking strategy. For IPv6, it is best practice to deploy a /56 prefix for your Virtual Network and /64 prefixes for your subnets.

Conceptual planning for IPv6 networking - Azure Architecture Center | Microsoft Learn



1b. Add an IPv6 address to your virtual network and to the subnet associated with your Application Gateway to support a dual-stack (IPv4 and IPv6) configuration.

Add IPv6 to Virtual Network and Subnet



Note: If your subnet currently hosts an Application Gateway SKU V1, you will need to create a new subnet to deploy a Dual-Stack Application Gateway. However, if you are using Application Gateway SKU V2, you can deploy the Dual-Stack Application Gateway within the same subnet.







2. Deploy a New Dual-Stack Application Gateway and Configure new IPv4 and IPv6 Frontend IPs




2a. Set up a new Application Gateway with dual-stack support to handle both IPv4 and IPv6 traffic. During its creation, assign new public frontend IP addresses for both IPv4 and IPv6.

Create a Dual-Stack Application Gateway

Create IPv4 and IPv6 Frontend IP's



2b. Ensure the new Dual-Stack Application Gateway is configured with the same settings as the original. This includes Listeners with TLS Certificates (for HTTPS/TLS offload), Routing Rules with Backend HTTP Settings (including certificates for End-to-End TLS), Backend Pools, and Health Probes.



2c. Both your IPv4 and IPv6 frontend IPs will use the same Web Application backend pool. Ensure the backend pool is healthy before proceeding to the next step.







3. Update Public DNS Records






3a. Update the DNS ‘A’ record to point to the new dual-stack public IPv4 frontend IP address. Similarly, update the DNS ‘AAAA’ record to point to the new dual-stack public IPv6 frontend IP address.

Create an Azure Public DNS Record



Note: If you are using Public DNS in Azure, please follow the link above. If you are using a different Public DNS service, ensure that the records are updated accordingly.





4. Decommission the Original Application Gateway


4a. Once you’ve updated the DNS records and confirmed that your new IPv4 and IPv6 frontend IP addresses are operational on your dual-stack Application Gateway, you can safely delete the original IPv4-only Application Gateway.





Learn More:



Stay Updated on Azure Products Supporting IPv6

Conceptual planning for IPv6 networking - Azure Architecture Center



What is IPv6 for Azure Virtual Network?

Overview of IPv6 for Azure Virtual Network
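
For steps 3a and 4a above, one way to confirm the DNS cutover before deleting the original gateway. This is an added example, not part of the original post or of any Azure tooling; the hostname and all addresses are constructed placeholders from documentation ranges, and the function names are hypothetical.

```python
import ipaddress
import socket

# Constructed placeholder values; substitute your own frontend IPs.
NEW_V4 = "203.0.113.10"        # new dual-stack gateway, IPv4 frontend
NEW_V6 = "2001:db8:0:100::10"  # new dual-stack gateway, IPv6 frontend
OLD_V4 = "198.51.100.20"       # original IPv4-only gateway

def resolve(host, family):
    """Addresses the local resolver returns for host (AF_INET = A, AF_INET6 = AAAA)."""
    try:
        infos = socket.getaddrinfo(host, 443, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def _parse(addrs):
    # Parse to address objects so compressed and expanded IPv6 forms compare equal.
    return {ipaddress.ip_address(a) for a in addrs}

def check_cutover(a_records, aaaa_records, new_v4, new_v6, old_v4):
    """Compare resolved records with the gateway frontends; return a list of problems."""
    a, aaaa = _parse(a_records), _parse(aaaa_records)
    new4, new6, old4 = (ipaddress.ip_address(x) for x in (new_v4, new_v6, old_v4))
    problems = []
    if old4 in a:
        problems.append("A record still returns the original gateway")
    if new4 not in a:
        problems.append("A record does not return the new IPv4 frontend")
    if new6 not in aaaa:
        problems.append("AAAA record does not return the new IPv6 frontend")
    extra = (a | aaaa) - {new4, new6, old4}
    if extra:
        problems.append("unexpected addresses: " + ", ".join(sorted(map(str, extra))))
    return problems

def frontend_reachable(address, port=443, timeout=5):
    """TCP connect straight to a frontend IP, bypassing DNS."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    host = "www.example.com"  # placeholder hostname
    issues = check_cutover(resolve(host, socket.AF_INET),
                           resolve(host, socket.AF_INET6), NEW_V4, NEW_V6, OLD_V4)
    issues += [f"{ip} not reachable on 443"
               for ip in (NEW_V4, NEW_V6) if not frontend_reachable(ip)]
    print("safe to decommission" if not issues else "\n".join(issues))
```

Run it from a host with IPv6 connectivity, and repeat after the old records' TTL has expired, since cached answers can still return the original address.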
