by roboben 862 days ago
I can just imagine that moving to IPv6 is as messy on Azure as it is on AWS.

Don’t get me wrong, actually using it is simpler, you can just have your range and then be free to do whatever you want. But the fact that it was added later to a stack never made for it shows everywhere, which makes UX tough.

Currently struggling with metadata service weirdness and slowness in IPv6 land on AWS :’)


It's almost certainly worse in Azure than AWS.

Random examples:

Azure hands out contiguous blocks of 16 IPv6 addresses. No, not a /56 or anything useful like that. Sixteen addresses.

If you enable IPv6 in some virtual network, other peered virtual networks will have unrelated services just break. Like Postgres, Azure VPNs, and more.

There are no IPv6 to IPv4 gateways, and you can't even build such a thing yourself without enabling IPv6 in the whole virtual network... which breaks other networks!

Azure NATs IPv6, defeating the entire purpose of the thing. It's basically IPv4 with extra steps.

Azure doesn't support IPv6 for any of their PaaS offerings, especially not in their firewall rules.

Etc...

If you think there are excuses for any of this, consider this: IPv6 has been a standard for two decades and Windows has supported IPv6 since 2000.

I like to swap IPv4 and IPv6 in any sentence to gauge the insanity of it. E.g.: "Enabling IPv4 breaks unrelated services in other networks" would have you running for the hills, would it not?

>you think there are excuses for any of this, consider this: IPv6 has been a standard for two decades and Windows has supported IPv6 since 2000.

That's like complaining that Linux came out in the 1990s yet Photoshop doesn't support Linux. Like how it doesn't make economic sense for Adobe to support Linux, it doesn't make sense for a lot of organizations to additionally support IPv6 when they can just support IPv4.

Microsoft was an early IPv6 adopter, they even experimentally "forced" it onto their customers by making their DirectAccess VPN tech IPv6 only! They control both Azure, and the OS it runs on (Windows). Sure, bits of it run on Linux, but they have their own distro of that too that they control (Mariner).

This would be more like complaining that Linus Torvalds prefers not to use open source software.

That should be 16 IPv6 /64 networks, right? Which means Azure gives you a /60 prefix, I guess?

No, he’s right. Sixteen singular addresses. And those are quite expensive for what they are.

Very prudent of them to not hand those addresses out like candy. They don’t want to wake up one morning and realize that they’ve run out!
It’s easy to guess what happened: they developed an IPv4-only network stack and baked the limitations and constraints of IPv4 into it: private addresses are mandatory, public addresses are scarce, and NAT is required.

Then they got told to “do the needful” and make IPv6 happen, so they did… by weaving IPv6 support through the tangled briar patch of their codebase. They wove it through the NAT, the tiny public address blocks, and the mandatory private address spaces on virtual networks.

The result is IPv4 with a sticker on it with a hand-written label that says “IPv6”.

“Job done boss!”

With how weirdly complicated Azure was about IPv6 last time I looked into it, I wouldn't be surprised if it'd be more complicated than on AWS.

I'm not convinced it ever improved. Looking up a quick guide brings up https://learn.microsoft.com/en-us/azure/virtual-network/ip-s... which tells you to just... assign a random network from 2404:f800::? What even is this network? Are they using a routable IPv6 address as a substitute for a ULA for their NAT'ing load balancers? Why 2404:f800:8000:122::/64 specifically?

Microsoft owns 2404:f800::/30.

I just did the tutorial and I noticed that in the Azure portal it shows a public IPv6 address and a private IPv6 address. From my machine I connect to the public one and magically end up on the private one.

Curling "what is my ip6" from the machine yields the public IPv6 address.

I suppose all of this is needed to ensure LB can be done? And it's easier to do with a range like this than a ULA which by default isn't routable.

They do, but they tell you to use a specific /64, which confuses me. I would've expected them to say something like "the address starting with 2404:f800 in your dashboard".

The "private" IPv6 address can be a ULA without any issues if the network is designed to be fully NAT'ed (i.e. for load balancing, maybe failover I guess). If you're not using the global address on your local machine and translate the public address into a private one, your local network doesn't need to have a routable IP address.

I suppose it works just as well, but it makes using IPv6 more confusing for no reason. It's as if Microsoft decided to use 20.64.0.0/10 for private networking on Azure, which they can do (they own that space after all, they can decide not to use it), but it just doesn't make much sense.

I'm curious what issues you're having with the metadata service on IPv6?