
Building IPv6 Dual-Stack Azure Application Gateways: A Terraform Guide

Mark Smit Cloud consultant
Publish date: 22 October 2024

Introduction to Azure Application Gateway with IPv6 Support using Terraform

As businesses grow and the internet expands, the limitations of IPv4 have become evident, especially with the exhaustion of available addresses. IPv6 solves this by offering a nearly limitless address space, along with improved routing, better auto-configuration, enhanced security, and better performance for mobile devices.

Azure Application Gateway, a scalable Layer 7 load balancer, supports dual-stack deployment, allowing applications to handle both IPv4 and IPv6 traffic seamlessly. Adding IPv6 support does not require changes to the backend, so the impact on the organization is minimal. This feature is crucial for organizations transitioning to IPv6 or serving global users who rely on it. Supporting both protocols ensures future-proof infrastructure while maintaining smooth connectivity.


Terraform, as an infrastructure-as-code (IaC) tool, automates the deployment and management of Azure resources like Application Gateway. With Terraform, you can consistently and efficiently integrate IPv6 support into your existing setups.

Why is IPv6 Support Important?

  1. IPv4 Address Exhaustion: The limited number of public IPv4 addresses is running out. IPv6 provides a vast address space for future internet growth.
  2. Global Accessibility: IPv6 adoption is increasing as more regions face IPv4 scarcity. Supporting IPv6 ensures your application remains accessible globally.

    Figure 1: IPv6 uptake as a % of all Internet users – 2012 to the present. Source: APNIC Labs.

  3. Improved Efficiency: IPv6 enhances network performance with simplified routing, a higher payload and better auto-configuration, especially for mobile and IoT devices.
  4. Enhanced Security: IPv6 natively supports IPsec, making secure communication easier to implement across your network.
  5. Future-Proofing: Adopting IPv6 early ensures your infrastructure is ready for future growth and keeps your applications relevant.

Recently, a customer requested an Azure Application Gateway with IPv6 support to boost their website’s score on Internet.nl, a platform that evaluates compliance with modern internet standards. This is a practical example of how IPv6 can enhance your web presence and meet industry benchmarks.

In this blog, we will explore how to deploy an Azure Application Gateway with dual-stack IPv4 & IPv6 support using Terraform, ensuring your application is future-ready.

 

Key Caveats and Limitations

While dual-stack deployment enhances flexibility, there are several important limitations when using IPv6 with Azure Application Gateway:

  • v2 SKU Required: Only the v2 SKU supports dual-stack (IPv4 and IPv6). The v1 SKU does not support IPv6.
  • No IPv6 Backend Support: Backend pools only support IPv4, meaning IPv6 traffic to the gateway must be routed to IPv4 backends.
  • No IPv6 Private Link: Private Link connections are limited to IPv4, as IPv6 is not supported for Private Link on Application Gateway.
  • No IPv6-Only Gateway: The Application Gateway must be dual-stack, as IPv6-only configurations are not supported.
  • Ingress Controller Limitation: Application Gateway Ingress Controller (AGIC) for Kubernetes does not currently support IPv6 configurations.
  • No IPv4 to Dual-Stack Upgrades: You cannot upgrade an existing IPv4 gateway to dual-stack. Redeployment is required for dual-stack functionality.
  • No IPv6 WAF Custom Rules: Web Application Firewall (WAF) does not support custom rules with IPv6 match conditions. Standard rule sets must be used for IPv6 traffic.




Deploy a Dual-Stack Application Gateway using Terraform

Our main.tf file contains the CIDR ranges used in the subnet for IPv4 and IPv6 (make sure to edit the subscription_id to reflect your own). You also need to choose the address ranges to use. More information on how to conceptually plan these can be found in this link. It is important to note that IPv6 subnets in Azure need to have a size of /64.

The first step is to create a virtual network and/or add an IPv6 address range to your virtual network. This is a required step for the subnet to be able to support IPv4 and IPv6. For this demo I've picked an IPv6 range of 2001:0db8:abcd::/48 which includes 1,208,925,819,614,629,174,706,176 addresses.


Now we are ready to create the subnet, and/or add the IPv6 range to the subnet by adding the address prefixes for both IPv4 and IPv6 ranges. It is important to note that the application gateway subnet can contain only application gateways; no other resources are allowed.


The next step is to create public IP resources for the Application Gateway, one for IPv4 and one for IPv6. These will be linked to the Application Gateway in the next section. A dual-stack Application Gateway supports up to 4 frontend IP addresses: two IPv4 addresses (Public and Private) and two IPv6 addresses (Public and Private).
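The network prerequisites from the steps above, written out as an added example (not the post's own code). The resource names, region and IPv4 range are assumptions; the IPv6 /48 is the demo range from the text, and `cidrsubnet` carves the /64 that Azure requires for the gateway subnet.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
  }
}

provider "azurerm" {
  features {}
  subscription_id = "00000000-0000-0000-0000-000000000000" # placeholder: use your own
}

locals {
  ipv4_space = "10.0.0.0/16"         # assumed IPv4 range
  ipv6_space = "2001:0db8:abcd::/48" # demo range from the post
}

resource "azurerm_resource_group" "demo" {
  name     = "rg-appgw-dualstack" # assumed name and region
  location = "westeurope"
}

resource "azurerm_virtual_network" "demo" {
  name                = "vnet-dualstack"
  resource_group_name = azurerm_resource_group.demo.name
  location            = azurerm_resource_group.demo.location
  address_space       = [local.ipv4_space, local.ipv6_space]
}

# Dedicated subnet: only application gateways may be placed here.
resource "azurerm_subnet" "appgw" {
  name                 = "snet-appgw"
  resource_group_name  = azurerm_resource_group.demo.name
  virtual_network_name = azurerm_virtual_network.demo.name
  # IPv6 subnets must be exactly /64: /48 plus 16 new bits.
  address_prefixes = [cidrsubnet(local.ipv4_space, 8, 0), cidrsubnet(local.ipv6_space, 16, 0)]
}

resource "azurerm_public_ip" "appgw" {
  for_each            = { ipv4 = "IPv4", ipv6 = "IPv6" }
  name                = "pip-appgw-${each.key}"
  resource_group_name = azurerm_resource_group.demo.name
  location            = azurerm_resource_group.demo.location
  allocation_method   = "Static"
  sku                 = "Standard"
  ip_version          = each.value
}
```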

The supporting resources have been deployed and we can start to deploy the Application Gateway resource. First we use a locals block to define variables, which is convenient for keeping the code structured and following the DRY (Don’t Repeat Yourself) principle.

In this configuration we deploy a WAF V2 SKU application gateway with the gateway_ip_configuration linked to the subnet we created earlier. The frontend_ip_configuration blocks define the public and private IPs for IPv4 and IPv6.

Now we will create the public and private configuration for the website1.nl backend. We are using an HTTP configuration in this example, but in a non-testing environment you would use the more secure HTTPS protocol and link a certificate. In this example we will create a public frontend for IPv6. It is also possible to add a private IPv6 address and route that traffic to your IPv4 backend(s). When using a public and private IPv6 listener it is important to use a different frontend port. 
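An added example of the gateway described above, not the post's own configuration, narrowed to the two public frontends and a single HTTP listener on the IPv6 frontend. The `appgw` input variable, the resource names and the region are assumptions; a WAF policy is assumed to exist already and is passed in by ID.

```hcl
# Assumed input (hypothetical name): IDs of resources created beforehand; public_ip_ids has keys "ipv4" and "ipv6".
variable "appgw" { type = object({ subnet_id = string, waf_policy_id = string, public_ip_ids = map(string) }) }
resource "azurerm_application_gateway" "dualstack" {
  name                = "agw-dualstack"
  resource_group_name = "rg-appgw-dualstack"
  location            = "westeurope"
  firewall_policy_id  = var.appgw.waf_policy_id
  sku {
    name     = "WAF_v2" # only v2 SKUs support dual-stack
    tier     = "WAF_v2"
    capacity = 2
  }
  gateway_ip_configuration {
    name      = "gwipc"
    subnet_id = var.appgw.subnet_id # subnet carrying both an IPv4 prefix and an IPv6 /64
  }
  frontend_port {
    name = "port-80"
    port = 80
  }
  dynamic "frontend_ip_configuration" { # one public frontend per IP version; IPv6-only is not supported
    for_each = var.appgw.public_ip_ids
    content {
      name                 = "feip-public-${frontend_ip_configuration.key}"
      public_ip_address_id = frontend_ip_configuration.value
    }
  }
  backend_address_pool { name = "website1-pool" } # add IPv4 targets only; IPv6 backends are not supported
  backend_http_settings {
    name                  = "website1-http"
    cookie_based_affinity = "Disabled"
    port                  = 80
    protocol              = "Http" # demo only; use Https with a certificate outside testing
  }
  http_listener {
    name                           = "website1-public-ipv6"
    frontend_ip_configuration_name = "feip-public-ipv6"
    frontend_port_name             = "port-80"
    protocol                       = "Http"
  }
  request_routing_rule {
    name                       = "website1-public-ipv6"
    priority                   = 100
    rule_type                  = "Basic"
    http_listener_name         = "website1-public-ipv6"
    backend_address_pool_name  = "website1-pool"
    backend_http_settings_name = "website1-http"
  }
}
```

If a private IPv6 listener is added later, give it its own `frontend_port` block with a different port, as the text requires.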

 

Conclusion

In conclusion, we’ve successfully deployed an Azure Application Gateway with dual-stack IPv4 and IPv6 support using Terraform. This ensures your application is ready to handle both modern IPv6 traffic and existing IPv4 traffic without any backend changes. Supporting IPv6 is a practical step toward keeping your infrastructure future-ready, providing better network performance, and enhancing global accessibility for your users. By future-proofing your setup today, you’re not just enhancing your current capabilities; you're ensuring smooth sailing for the challenges of tomorrow.
