IPv6 on the Default Network ("private")

Since April 2016, the shared internal network (called "private") has IPv6 configured. This means that all instances connected to this network get an IPv6 address in addition to the IPv4 address. While the IPv4 address is a "private" address according to RFC 1918, the IPv6 address will be a globally routable one.

What does this mean for my instances?

If you use the shared internal network ("private") and a suitable operating system, then your instances will be able to communicate with IPv6 in addition to IPv4. As with IPv4, outbound connectivity "just works". To accept inbound connections, you have to do something—but less than for IPv4.

In particular, Floating IP addresses are neither available nor necessary in IPv6. Instead, your instance's IPv6 address will be globally unique and routable.  However, as with IPv4, you need to allow inbound connections via Security Groups. Note that access rules in Security Groups refer to either IPv4 (default) or IPv6, and you need to specify two rules to allow something for both. To allow inbound access to a service from anywhere on the Internet, you need to specify a rule that allows ""—for IPv4—and another one that allows "::/0"—for IPv6.

If you only use IPv6 for your instance, i.e. without a Floating IP address, you'll save a public IPv4 address and costs that come with it. This also means the other end connecting to your instance (e.g. for SSH or RDP access) needs to be IPv6 enabled too.

What if I don't want IPv6?

You can disable IPv6 in your instance, or you can use your own private tenant network without IPv6.  But in general, we encourage you to use IPv6. By default it will only be used in outbound connections towards servers that already support IPv6. In order to accept inbound connections, you need to open up Security Groups explicitly for IPv6 (see above), and publish your instance's IPv6 address to clients, for example using DNS.

Are IPv6 addresses stable?

The global IPv6 addresses used on the default network are derived from the interface's MAC (more precisely, EUI-64) address.  This address is stable over the lifetime of the instance.  Unlike with Floating IPs in IPv4, we cannot move IPv6 addresses between instances.  If you want this flexibility, you could use DNS hostnames instead of addresses or a load balancer that hides the addresses of the underlying instances.