How to set up a dual-stack IPv4/IPv6 Azure VM without a load balancer

I wanted to document my Microsoft Azure saga in getting a public IPv6 address to work in a virtual machine without a load balancer in front of it. My needs were pretty simple and straightforward: I wanted a virtual server that had static public IPv4 and IPv6 addresses so that I can monitor my home network and other websites.

You would think this would be pretty easy, a few clicks and done? That wasn’t my experience on Azure, and setting this up is neither easy nor straightforward. Below is how to get it done. If this helps you, you can buy me a coffee or beer.

What Microsoft documentation said

You can use a public IPv6 address on a load balancer, which needs to be a separate paid server/product in front of your servers. This isn’t what I was looking for – I complained about it on GitHub, with screenshots, in issue #69167.

Disclaimer: I have no expertise on Microsoft Azure prior to this (I currently work at Google and GCP is what we do). I chose to use Azure for my hobby/playground primarily because I get $50 a month free credit with my MSDN subscription.

My hacky (undocumented) way of getting it set up

  1. Create a new Virtual Machine

Use portal.azure.com – I am not going to go in depth here but I will call out the items you need to make sure to enable or change at setup.

Do pay attention to these when creating VM:

  • Use "create a resource" and select "Ubuntu Server 18.04 LTS"; it should default to virtual server.
  • Make sure to select ‘create new resource group’ to bundle everything for this server together.
  • Disable default ‘scheduled shutdown’

Deploy it. Go back to the newly created resource group.

  2. Edit Virtual Network to add IPv6 (address space)

You should see only an IPv4 range listed here, such as 10.0.0.0/24. Add an IPv6 range.

Input: ace:cab:deca::/48

Hit save.

  3. Edit Virtual Network to add IPv6 (subnets)

You should see default; click it. In the dialog that opens on the right, click Add IPv6 address space.

Input: ace:cab:deca::/64

Make sure to select a network security group (whatever name you gave it). Save.

  4. Create a dual-stack IPv4 and IPv6 public address

Search Azure for Public IP addresses and create one.

Pay attention at creation:

  • Select IP version both
  • Select SKU standard
  • Ensure you associate it to your VM resource group and zone, otherwise it won’t work

  5. Stop virtual machine.

Self-explanatory. Alternatively, during step 1, make sure it won’t be auto-started.

  6. Associate the new NIC and delete the old NIC from the VM

With the VM shut down, go to networking settings > "Attach network interface" menu. Select create and attach network interface.

At NIC create:

  • NIC security group select NONE.
  • Select Private IPv6 address and give it a name ("v6" for me).

Detach the old NIC and delete it from the resource group (self-explanatory).

  7. Associate the public IPv4 and IPv6 to the network interface

Go to the new NIC we created and associated, and open the "IP configuration" menu.

You should see ‘ipconfig1’ is IPv4 and "v6" is secondary with our local IPv6 we gave on step 2.

Associate the IPv4 public address by clicking ipconfig1; a new menu opens with a drop-down box in which the new IPv4 (dual-stack) address shows up. Select and save.

Associate IPv6 public address same as above. You should end up with something like this

  8. Incoming firewall rules

Make sure to add the necessary firewall rules. If you created the security group with the default settings, you probably already have SSH (port 22) and that’s it.

You probably want to add a rule for ICMP traffic (ping).

If you like to have no security at all (or implement your own firewall on the virtual server) you can add a blanket incoming rule for all ports 0-65535 and this should open everything.

Note: Microsoft's IPv6 implementation sucks and ICMP ping on IPv6 incoming/outgoing WILL NOT WORK! This is what tripped me out and I spent several hours trying to troubleshoot something that Microsoft could have easily documented… but here we are… I spent hours frustrated but hopefully with this guide I wrote for you it saved you all this time. If you appreciated it – remember you can buy me a coffee 🙂

Go ahead and start your virtual server, and you should be able to use nmap on its IPv6 address or SSH remotely and see it work. See above re: ping on IPv6.
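To see what the incoming firewall rules step actually leaves open, the following added example (not part of the original post) audits a security group's rules for inbound allows reachable from any source, including the blanket 0-65535 rule. The rule list is a constructed sample, and the field names are assumed to match the JSON printed by `az network nsg rule list -o json`.

```python
import json

# Constructed sample, assumed to match the JSON printed by
# `az network nsg rule list -o json`; names and values are made up.
SAMPLE_RULES = json.loads("""[
 {"name": "SSH", "priority": 300, "direction": "Inbound", "access": "Allow",
  "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
 {"name": "AllowEverything", "priority": 310, "direction": "Inbound", "access": "Allow",
  "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "0-65535"},
 {"name": "MonitorHTTPS", "priority": 320, "direction": "Inbound", "access": "Allow",
  "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "443"},
 {"name": "OutboundAll", "priority": 100, "direction": "Outbound", "access": "Allow",
  "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"}
]""")

ANY_SOURCE = {"*", "internet", "0.0.0.0/0", "::/0"}  # IPv4 and IPv6 "anywhere"
MGMT_PORTS = {22: "SSH", 3389: "RDP"}

def port_ranges(rule):
    """Yield (low, high) tuples for every destination port range in a rule."""
    specs = rule.get("destinationPortRanges") or [rule.get("destinationPortRange") or ""]
    for spec in specs:
        if spec == "*":
            yield 0, 65535
        elif spec:
            low, _, high = spec.partition("-")
            yield int(low), int(high or low)

def audit(rules, max_ports=100):
    """Return (rule name, finding) pairs; a Deny shadowing an Allow is not modelled."""
    findings = []
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if (rule["direction"], rule["access"]) != ("Inbound", "Allow"):
            continue
        sources = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix") or ""]
        if not any(s.lower() in ANY_SOURCE for s in sources):
            continue
        ranges = list(port_ranges(rule))
        width = sum(high - low + 1 for low, high in ranges)
        if width > max_ports:
            findings.append((rule["name"], f"{width} ports open to any source"))
            continue
        for port, label in MGMT_PORTS.items():
            if any(low <= port <= high for low, high in ranges):
                findings.append((rule["name"], f"{label} ({port}) open to any source"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

Because the sources checked include `::/0` as well as `0.0.0.0/0`, a rule that is restricted on IPv4 but open on IPv6 is still reported.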

Updates

June 2021: Reader “Ben R” contacted me about this article and shared some noteworthy information for folks using older VM images or installations. DHCPv6 may be disabled and must be manually enabled. See this article for enabling DHCPv6 on Azure.
