I have dual-stack ALBs in eu-west-1 (Dublin) and ap-southeast-2 (Sydney).
- port 80 redirects to https
- port 443 forwards to a target group (IPv4)
I can reach both target groups on IPv4 and IPv6 just fine by going directly to the ALBs (in each region).
Now I create a dual-stack GA with endpoints pointing at those two ALBs.
- endpoints are marked HEALTHY
- I can get a normal response from the GA IPv4 address. My traffic is sent to one of the ALBs.
- I get nothing when I try to connect via the GA IPv6 address (timeout on TCP connection).
- I can ping the IPv6 GA addresses
- I've checked ACLs, security groups etc.
- Failure seems like it should not be caused by the target group, security-group or VPC, because I can reach everything by going to ALB directly (IPv6).
Any hints? What am I missing?
Updated...
VPC flow logs often show a srcaddr of 0:0:0:0:0:0:0:0 (ACCEPT OK) followed by a reply to dstaddr 0:0:0:0:0:0:0:0 (REJECT OK).
- probably because 0:0:0:0:0:0:0:0 is not a valid address?
- I don't know why I would see a srcaddr 0:0:0:0:0:0:0:0
Sometimes, however, I see a correct IPv6 srcaddr (ACCEPT OK) followed by a reply to a correct dstaddr (ACCEPT OK); however, I still get 'Connection timed out' from curl, running on my home IPv6 address or an EC2 instance with a public IPv6 address.
- I verify that I have good IPv6 access by doing
curl -6 https://yahoo.com
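
The flow-log pattern described in the update can be checked mechanically. The following is an added example, not part of the original post: it parses default-format (version 2) VPC flow log records, pairs each inbound record with its reply, and labels the conversation. The sample records, the `eni-0example` interface ID, the documentation-range addresses and the listener port of 443 are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Field order of the default (version 2) VPC flow log format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records (placeholder ENI, documentation-range addresses).
SAMPLE = """\
2 123456789012 eni-0example 0:0:0:0:0:0:0:0 2001:db8:a::10 50000 443 6 3 240 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0example 2001:db8:a::10 0:0:0:0:0:0:0:0 443 50000 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0example 2001:db8:f::7 2001:db8:a::10 50022 443 6 5 400 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0example 2001:db8:a::10 2001:db8:f::7 443 50022 6 5 380 1700000060 1700000120 ACCEPT OK
"""

# (inbound action, reply action) -> label
LABELS = {("ACCEPT", "REJECT"): "reply-rejected",
          ("ACCEPT", "ACCEPT"): "both-directions-accepted"}

def parse(line):
    """Return a dict for a usable record, or None for anything else."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0] != "2":
        return None  # header line, custom format, or truncated record
    rec = dict(zip(FIELDS, parts))
    return rec if rec["log_status"] == "OK" else None  # skip NODATA/SKIPDATA

def is_unspecified(addr):
    """True for the all-zero address (:: or 0.0.0.0), in any spelling."""
    try:
        return ipaddress.ip_address(addr).is_unspecified
    except ValueError:
        return False

def triage(text, service_port=443):
    """Pair records by client (address, port) and label each conversation."""
    port, convs = str(service_port), defaultdict(dict)
    for rec in filter(None, map(parse, text.splitlines())):
        if rec["dstport"] == port:      # client -> listener
            convs[(rec["srcaddr"], rec["srcport"])]["in"] = rec["action"]
        elif rec["srcport"] == port:    # listener -> client (the reply)
            convs[(rec["dstaddr"], rec["dstport"])]["out"] = rec["action"]
    findings = []
    for (addr, cport), acts in sorted(convs.items()):
        seen = (acts.get("in"), acts.get("out"))
        label = ("unspecified-client-address" if is_unspecified(addr)
                 else LABELS.get(seen, "other"))
        findings.append((addr, int(cport), seen[0], seen[1], label))
    return findings
```

ACCEPT and REJECT in a flow log record reflect the security group and network ACL decision for that interface, so a `both-directions-accepted` conversation that still times out at the client was not dropped by those two controls on the logged interface.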