subnets: configure default subnets to use NAT64/DNS64

tthvo · tthvo · commit d51af0e0aeb3 · 2025-07-29T14:38:42.000-07:00
This allows IPv6-only workloads to reach IPv4-only services. AWS supports this via NAT64/DNS64. More details: https://docs.aws.amazon.com/vpc/latest/userguide/nat-gateway-nat64-dns64.html
diff --git a/pkg/cloud/services/interfaces.go b/pkg/cloud/services/interfaces.go
@@ -35,6 +35,8 @@ const (
 	AnyIPv4CidrBlock = "0.0.0.0/0"
 	// AnyIPv6CidrBlock is the CIDR block to match all IPv6 addresses.
 	AnyIPv6CidrBlock = "::/0"
+	// NAT64CidrBlock is the well-known CIDR block defined in RFC6052 for NAT64.
+	NAT64CidrBlock = "64:ff9b::/96"
 )
 
 // ASGInterface encapsulates the methods exposed to the machinepool
diff --git a/pkg/cloud/services/network/routetables.go b/pkg/cloud/services/network/routetables.go
@@ -362,6 +362,13 @@ func (s *Service) getNatGatewayPrivateRoute(natGatewayID string) *ec2.CreateRout
 	}
 }
 
+func (s *Service) getNat64PrivateRoute(natGatewayID string) *ec2.CreateRouteInput {
+	return &ec2.CreateRouteInput{
+		NatGatewayId:             aws.String(natGatewayID),
+		DestinationIpv6CidrBlock: aws.String(services.NAT64CidrBlock),
+	}
+}
+
 func (s *Service) getEgressOnlyInternetGateway() *ec2.CreateRouteInput {
 	return &ec2.CreateRouteInput{
 		DestinationIpv6CidrBlock:    aws.String(services.AnyIPv6CidrBlock),
@@ -456,6 +463,7 @@ func (s *Service) getRoutesToPrivateSubnet(sn *infrav1.SubnetSpec) (routes []*ec
 
 	routes = append(routes, s.getNatGatewayPrivateRoute(natGatewayID))
 	if sn.IsIPv6 {
+		routes = append(routes, s.getNat64PrivateRoute(natGatewayID))
 		if !s.scope.VPC().IsIPv6Enabled() {
 			// Safety net because EgressOnlyInternetGateway needs the ID from the ipv6 block.
 			// if, for whatever reason by this point that is not available, we don't want to
diff --git a/pkg/cloud/services/network/routetables_test.go b/pkg/cloud/services/network/routetables_test.go
@@ -161,6 +161,13 @@ func TestReconcileRouteTables(t *testing.T) {
 				})).
 					After(privateRouteTable)
 
+				m.CreateRoute(context.TODO(), gomock.Eq(&ec2.CreateRouteInput{
+					DestinationIpv6CidrBlock: aws.String("64:ff9b::/96"),
+					NatGatewayId:             aws.String("nat-01"),
+					RouteTableId:             aws.String("rt-1"),
+				})).
+					After(privateRouteTable)
+
 				m.CreateRoute(context.TODO(), gomock.Eq(&ec2.CreateRouteInput{
 					DestinationIpv6CidrBlock:    aws.String("::/0"),
 					EgressOnlyInternetGatewayId: aws.String("eigw-01"),
@@ -247,6 +254,13 @@ func TestReconcileRouteTables(t *testing.T) {
 				})).
 					After(privateRouteTable)
 
+				m.CreateRoute(context.TODO(), gomock.Eq(&ec2.CreateRouteInput{
+					DestinationIpv6CidrBlock: aws.String("64:ff9b::/96"),
+					NatGatewayId:             aws.String("nat-01"),
+					RouteTableId:             aws.String("rt-1"),
+				})).
+					After(privateRouteTable)
+
 				m.CreateRoute(context.TODO(), gomock.Eq(&ec2.CreateRouteInput{
 					DestinationIpv6CidrBlock:    aws.String("::/0"),
 					EgressOnlyInternetGatewayId: aws.String("eigw-01"),
@@ -1199,6 +1213,10 @@ func TestService_getRoutesForSubnet(t *testing.T) {
 					DestinationCidrBlock: aws.String("0.0.0.0/0"),
 					NatGatewayId:         aws.String("nat-gw-fromZone-us-east-1a"),
 				},
+				{
+					DestinationIpv6CidrBlock: aws.String("64:ff9b::/96"),
+					NatGatewayId:             aws.String("nat-gw-fromZone-us-east-1a"),
+				},
 				{
 					DestinationIpv6CidrBlock:    aws.String("::/0"),
 					EgressOnlyInternetGatewayId: aws.String("vpc-eigw"),
diff --git a/pkg/cloud/services/network/subnets.go b/pkg/cloud/services/network/subnets.go
@@ -545,6 +545,28 @@ func (s *Service) createSubnet(sn *infrav1.SubnetSpec) (*infrav1.SubnetSpec, err
 			return nil, errors.Wrapf(err, "failed to set subnet %q attribute assign ipv6 address on creation", *out.Subnet.SubnetId)
 		}
 		record.Eventf(s.scope.InfraCluster(), "SuccessfulModifySubnetAttributes", "Modified managed Subnet %q attributes", *out.Subnet.SubnetId)
+
+		// Enable DNS64 so that the Route 53 Resolver returns DNS records for IPv4-only services
+		// containing a synthesized IPv6 address prefixed 64:ff9b::/96.
+		// This is needed alongside NAT64 to allow IPv6-only workloads to reach IPv4-only services.
+		// We only need to enable on private subnets.
+		if !sn.IsPublic {
+			if err := wait.WaitForWithRetryable(wait.NewBackoff(), func() (bool, error) {
+				if _, err := s.EC2Client.ModifySubnetAttribute(context.TODO(), &ec2.ModifySubnetAttributeInput{
+					SubnetId: out.Subnet.SubnetId,
+					EnableDns64: &types.AttributeBooleanValue{
+						Value: aws.Bool(true),
+					},
+				}); err != nil {
+					return false, err
+				}
+				return true, nil
+			}, awserrors.SubnetNotFound); err != nil {
+				record.Warnf(s.scope.InfraCluster(), "FailedModifySubnetAttributes", "Failed modifying managed Subnet %q attributes: %v", *out.Subnet.SubnetId, err)
+				return nil, errors.Wrapf(err, "failed to set subnet %q attribute enable dns64", *out.Subnet.SubnetId)
+			}
+			record.Eventf(s.scope.InfraCluster(), "SuccessfulModifySubnetAttributes", "Modified managed Subnet %q attributes", *out.Subnet.SubnetId)
+		}
 	}
 
 	// AWS Wavelength Zone's public subnets does not support to map Carrier IP address on launch, and
diff --git a/pkg/cloud/services/network/subnets_test.go b/pkg/cloud/services/network/subnets_test.go
@@ -1781,14 +1781,6 @@ func TestReconcileSubnets(t *testing.T) {
 				}).Return(&ec2.ModifySubnetAttributeOutput{}, nil).
 					After(firstSubnet)
 
-				m.ModifySubnetAttribute(context.TODO(), &ec2.ModifySubnetAttributeInput{
-					AssignIpv6AddressOnCreation: &types.AttributeBooleanValue{
-						Value: aws.Bool(true),
-					},
-					SubnetId: aws.String("subnet-2"),
-				}).Return(&ec2.ModifySubnetAttributeOutput{}, nil).
-					After(firstSubnet)
-
 				m.ModifySubnetAttribute(context.TODO(), &ec2.ModifySubnetAttributeInput{
 					MapPublicIpOnLaunch: &types.AttributeBooleanValue{
 						Value: aws.Bool(true),
@@ -1865,6 +1857,22 @@ func TestReconcileSubnets(t *testing.T) {
 				}, nil).
 					After(secondSubnet)
 
+				m.ModifySubnetAttribute(context.TODO(), &ec2.ModifySubnetAttributeInput{
+					AssignIpv6AddressOnCreation: &types.AttributeBooleanValue{
+						Value: aws.Bool(true),
+					},
+					SubnetId: aws.String("subnet-2"),
+				}).Return(&ec2.ModifySubnetAttributeOutput{}, nil).
+					After(secondSubnet)
+
+				m.ModifySubnetAttribute(context.TODO(), &ec2.ModifySubnetAttributeInput{
+					EnableDns64: &types.AttributeBooleanValue{
+						Value: aws.Bool(true),
+					},
+					SubnetId: aws.String("subnet-2"),
+				}).Return(&ec2.ModifySubnetAttributeOutput{}, nil).
+					After(secondSubnet)
+
 				m.DescribeAvailabilityZones(context.TODO(), gomock.Any()).
 					Return(&ec2.DescribeAvailabilityZonesOutput{
 						AvailabilityZones: []types.AvailabilityZone{
@@ -3656,15 +3664,6 @@ func TestReconcileSubnets(t *testing.T) {
 					Return(&ec2.ModifySubnetAttributeOutput{}, nil).
 					After(firstSubnet)
 
-				m.ModifySubnetAttribute(context.TODO(), &ec2.ModifySubnetAttributeInput{
-					AssignIpv6AddressOnCreation: &types.AttributeBooleanValue{
-						Value: aws.Bool(true),
-					},
-					SubnetId: aws.String("subnet-2"),
-				}).
-					Return(&ec2.ModifySubnetAttributeOutput{}, nil).
-					After(firstSubnet)
-
 				m.ModifySubnetAttribute(context.TODO(), &ec2.ModifySubnetAttributeInput{
 					MapPublicIpOnLaunch: &types.AttributeBooleanValue{
 						Value: aws.Bool(true),
@@ -3741,6 +3740,22 @@ func TestReconcileSubnets(t *testing.T) {
 				}, nil).
 					After(secondSubnet)
 
+				m.ModifySubnetAttribute(context.TODO(), &ec2.ModifySubnetAttributeInput{
+					AssignIpv6AddressOnCreation: &types.AttributeBooleanValue{
+						Value: aws.Bool(true),
+					},
+					SubnetId: aws.String("subnet-2"),
+				}).Return(&ec2.ModifySubnetAttributeOutput{}, nil).
+					After(secondSubnet)
+
+				m.ModifySubnetAttribute(context.TODO(), &ec2.ModifySubnetAttributeInput{
+					EnableDns64: &types.AttributeBooleanValue{
+						Value: aws.Bool(true),
+					},
+					SubnetId: aws.String("subnet-2"),
+				}).Return(&ec2.ModifySubnetAttributeOutput{}, nil).
+					After(secondSubnet)
+
 				m.DescribeAvailabilityZones(context.TODO(), gomock.Any()).
 					Return(&ec2.DescribeAvailabilityZonesOutput{
 						AvailabilityZones: []types.AvailabilityZone{
@@ -3903,15 +3918,6 @@ func TestReconcileSubnets(t *testing.T) {
 					Return(&ec2.ModifySubnetAttributeOutput{}, nil).
 					After(zone1PublicSubnet)
 
-				m.ModifySubnetAttribute(context.TODO(), &ec2.ModifySubnetAttributeInput{
-					AssignIpv6AddressOnCreation: &types.AttributeBooleanValue{
-						Value: aws.Bool(true),
-					},
-					SubnetId: aws.String("subnet-2"),
-				}).
-					Return(&ec2.ModifySubnetAttributeOutput{}, nil).
-					After(zone1PublicSubnet)
-
 				m.ModifySubnetAttribute(context.TODO(), &ec2.ModifySubnetAttributeInput{
 					MapPublicIpOnLaunch: &types.AttributeBooleanValue{
 						Value: aws.Bool(true),
@@ -3988,6 +3994,24 @@ func TestReconcileSubnets(t *testing.T) {
 				}, nil).
 					After(zone1PrivateSubnet)
 
+				m.ModifySubnetAttribute(context.TODO(), &ec2.ModifySubnetAttributeInput{
+					AssignIpv6AddressOnCreation: &types.AttributeBooleanValue{
+						Value: aws.Bool(true),
+					},
+					SubnetId: aws.String("subnet-2"),
+				}).
+					Return(&ec2.ModifySubnetAttributeOutput{}, nil).
+					After(zone1PrivateSubnet)
+
+				m.ModifySubnetAttribute(context.TODO(), &ec2.ModifySubnetAttributeInput{
+					EnableDns64: &types.AttributeBooleanValue{
+						Value: aws.Bool(true),
+					},
+					SubnetId: aws.String("subnet-2"),
+				}).
+					Return(&ec2.ModifySubnetAttributeOutput{}, nil).
+					After(zone1PrivateSubnet)
+
 				// zone 2
 				m.DescribeAvailabilityZones(context.TODO(), &ec2.DescribeAvailabilityZonesInput{
 					ZoneNames: []string{"us-east-1c"},
@@ -4077,14 +4101,6 @@ func TestReconcileSubnets(t *testing.T) {
 					Return(&ec2.ModifySubnetAttributeOutput{}, nil).
 					After(zone2PublicSubnet)
 
-				m.ModifySubnetAttribute(context.TODO(), &ec2.ModifySubnetAttributeInput{
-					AssignIpv6AddressOnCreation: &types.AttributeBooleanValue{
-						Value: aws.Bool(true),
-					},
-					SubnetId: aws.String("subnet-2"),
-				}).
-					Return(&ec2.ModifySubnetAttributeOutput{}, nil).
-					After(zone2PublicSubnet)
 				m.ModifySubnetAttribute(context.TODO(), &ec2.ModifySubnetAttributeInput{
 					MapPublicIpOnLaunch: &types.AttributeBooleanValue{
 						Value: aws.Bool(true),
@@ -4160,6 +4176,24 @@ func TestReconcileSubnets(t *testing.T) {
 					},
 				}, nil).
 					After(zone2PrivateSubnet)
+
+				m.ModifySubnetAttribute(context.TODO(), &ec2.ModifySubnetAttributeInput{
+					AssignIpv6AddressOnCreation: &types.AttributeBooleanValue{
+						Value: aws.Bool(true),
+					},
+					SubnetId: aws.String("subnet-2"),
+				}).
+					Return(&ec2.ModifySubnetAttributeOutput{}, nil).
+					After(zone2PrivateSubnet)
+
+				m.ModifySubnetAttribute(context.TODO(), &ec2.ModifySubnetAttributeInput{
+					EnableDns64: &types.AttributeBooleanValue{
+						Value: aws.Bool(true),
+					},
+					SubnetId: aws.String("subnet-2"),
+				}).
+					Return(&ec2.ModifySubnetAttributeOutput{}, nil).
+					After(zone2PrivateSubnet)
 			},
 		},
 	}

Original file line number	Diff line number	Diff line change
`@@ -35,6 +35,8 @@ const (`
`35`	`35`	`AnyIPv4CidrBlock = "0.0.0.0/0"`
`36`	`36`	`// AnyIPv6CidrBlock is the CIDR block to match all IPv6 addresses.`
`37`	`37`	`AnyIPv6CidrBlock = "::/0"`
	`38`	`+ // NAT64CidrBlock is the well-known CIDR block defined in RFC6052 for NAT64.`
	`39`	`+ NAT64CidrBlock = "64:ff9b::/96"`
`38`	`40`	`)`
`39`	`41`
`40`	`42`	`// ASGInterface encapsulates the methods exposed to the machinepool`