AZ-104 | Chapter 122 of 168 | Objective 4.1

IPv6 in Azure Virtual Networks

This chapter covers IPv6 in Azure Virtual Networks, a key topic for the AZ-104 exam under Objective 4.1 (Configure and manage virtual networking). While IPv6 questions typically comprise less than 5% of the exam, they often appear as tricky scenario-based items that test your understanding of addressing, routing, and coexistence with IPv4. You will learn how to enable IPv6, assign addresses, configure routing, and troubleshoot common issues. Mastery of this topic can differentiate you from other candidates and is increasingly relevant as organizations adopt dual-stack networking.

Updated May 31, 2026

IPv6 as a City Street Address System

Imagine a city where every building has a unique, global address like '123 Main Street, Springfield, IL, USA, Earth, Solar System, Milky Way.' This is IPv6. The city council (Azure) assigns each building a /64 block of addresses — enough for every apartment, office, and even every light bulb to have its own public address. No more sharing addresses via a receptionist (NAT). When a package arrives for 'Apartment 456, 123 Main Street,' the postal service (router) looks at the street number (prefix) and delivers it directly to the building. The building's internal mailroom (switch) then uses the apartment number (interface ID) to hand the package to the exact apartment. Because every device has a globally unique address, there's no need for address translation. The post office (ISP) can route packages directly from sender to receiver without modifying the address. However, if the city wants to keep certain buildings private, they can use unique local addresses (like using a private courier service) that only work within the city and not on the global postal network. The postal service uses a routing table (like a map) that aggregates addresses by neighborhood (prefix aggregation) to keep the map small and efficient.

How It Actually Works

What is IPv6 and Why Does Azure Support It?

IPv6 (Internet Protocol version 6) is the successor to IPv4, defined in RFC 2460. It uses 128-bit addresses, providing approximately 340 undecillion (3.4×10^38) addresses, compared to IPv4's 4.3 billion. Azure supports IPv6 to allow customers to overcome IPv4 address exhaustion, meet regulatory requirements (e.g., US federal agencies must support IPv6), and enable end-to-end connectivity without NAT. On the AZ-104 exam, IPv6 appears primarily in the context of dual-stack configurations (IPv4+IPv6) for Azure VMs, load balancers, and virtual network gateways.

IPv6 Address Structure in Azure

An IPv6 address is written as eight groups of four hexadecimal digits, e.g., 2001:db8:85a3::8a2e:370:7334 (shown here with leading zeros dropped and one run of all-zero groups compressed to `::`). The address is divided into two parts:

- Prefix (first 64 bits): Identifies the network. In Azure, the prefix is typically a /64 block assigned to the virtual network subnet.
- Interface ID (last 64 bits): Identifies the specific network interface. Azure automatically generates this using the EUI-64 format (based on the MAC address) or a random identifier for privacy (RFC 4941).

Azure assigns public IPv6 addresses from the range 2603:1020::/48 for global regions. For private IPv6 communication within a virtual network, Azure uses Unique Local Addresses (ULAs) from the fd00::/8 block for internal use. However, Azure does not currently support private IPv6 addressing for VMs; all IPv6 addresses assigned to Azure VMs are public by default.

IPv6 Configuration in Azure Virtual Networks

To use IPv6 in Azure, you must create a dual-stack virtual network and subnet. Here are the key steps:

1. Create a dual-stack virtual network: When creating a VNet, specify both IPv4 and IPv6 address spaces. For example:
   - IPv4: 10.1.0.0/16
   - IPv6: 2603:1020:1::/48 (Azure assigns a /48 block per region)

2. Create a dual-stack subnet: Within the VNet, create a subnet with both IPv4 and IPv6 prefixes. The IPv6 subnet must be /64.

3. Assign IPv6 addresses to NICs: When creating a VM, select the dual-stack subnet and assign an IPv6 address. You can choose dynamic or static assignment. For static, you must specify the IPv6 address from the subnet range.

4. Configure network security groups (NSGs): NSGs support rules for IPv6 traffic. You can create rules using the IPv6 protocol or specifying source/destination prefixes.

5. Use a load balancer: Azure Load Balancer supports IPv6 frontends. You can create a public load balancer with an IPv6 public IP address to distribute traffic to backend VMs.

6. Routing: Azure automatically creates system routes for IPv6 traffic within the VNet. You can add custom routes (UDRs) for IPv6 prefixes, but note that forced tunneling (default route 0.0.0.0/0) does not apply to IPv6 traffic. IPv6 traffic cannot be forced through a VPN gateway or Azure Firewall using a default route.

Key Components and Defaults

- IPv6 address types in Azure:
  - Public IPv6 addresses: Assigned from Azure's public pool. They are globally routable.
  - Private IPv6 addresses: Not supported for VMs. Azure does not assign private IPv6 addresses from ULA space to NICs. However, you can use IPv6 for internal communication within a VNet using public addresses (since the VNet is isolated, traffic stays internal).
- DNS: Azure DNS supports AAAA records for IPv6 addresses. You can create DNS zones and records for IPv6 names.
- VM sizes: Not all VM sizes support IPv6. For example, basic tier VMs may not support IPv6. Always check the VM documentation.
- Number of IPv6 addresses per NIC: You can assign multiple IPv6 addresses to a single NIC (up to 256 per NIC).
- IPv6 and Azure services:
  - Azure Load Balancer: Supports IPv6 frontends (public only). Internal load balancers do not support IPv6.
  - Application Gateway: Does not support IPv6 frontends.
  - VPN Gateway: Supports IPv6 for site-to-site VPN (IKEv2 only) and ExpressRoute.
  - Azure Firewall: Supports IPv6 filtering.
  - Azure DNS: Supports AAAA records.

How IPv6 Works Internally in Azure

When a VM with an IPv6 address sends a packet, the following occurs:

1. The source VM uses Neighbor Discovery Protocol (NDP, RFC 4861) to resolve the destination IPv6 address to a MAC address. NDP replaces ARP in IPv6.
2. The packet is forwarded by the Azure virtual switch to the destination VM within the same subnet, or to the gateway for inter-subnet routing.
3. Azure's routing fabric uses the IPv6 prefix to determine the next hop. For public IPv6 traffic, the packet is routed to the Azure edge router and then to the internet.
4. For inbound traffic, Azure's load balancer (if configured) distributes packets to backend VMs based on the load balancing rules.

Interaction with Related Technologies

NAT: IPv6 eliminates the need for NAT because every device can have a globally unique address. However, Azure does not support IPv6 NAT (no IPv6-to-IPv6 NAT). If you need to translate between IPv4 and IPv6, you must use a proxy or application-layer gateway.

Azure Firewall: Can filter IPv6 traffic. You can create rules based on IPv6 addresses and ports.

Network Watcher: Supports IPv6 connectivity troubleshooting. You can use IP Flow Verify and Next Hop to diagnose IPv6 traffic.

Azure Site Recovery: Does not support IPv6 replication.

Verification Commands

To verify IPv6 configuration in Azure, use the Azure CLI or PowerShell.

Azure CLI:

```bash
# List IPv6 addresses on a NIC
az network nic ip-config list --nic-name <nic-name> --resource-group <rg>

# Show public IPv6 address
az network public-ip show --name <pip-name> --resource-group <rg>

# Check effective routes for IPv6
az network nic show-effective-route-table --name <nic-name> --resource-group <rg>
```

PowerShell:

```powershell
Get-AzNetworkInterface -Name <nic-name> -ResourceGroupName <rg> | Select-Object -ExpandProperty IpConfigurations
```

Exam Tips

Remember that Azure does not support private IPv6 addresses for VMs. All assigned IPv6 addresses are public.

IPv6 cannot be forced through a VPN gateway using a default route. You must use explicit routes.

Internal load balancers do not support IPv6; only public load balancers do.

Application Gateway does not support IPv6 frontends.

Azure DNS supports AAAA records for IPv6.

NSG rules can be applied to IPv6 traffic; use the IPv6 protocol in rules.

Walk-Through

1. Plan IPv6 Addressing

Before enabling IPv6, determine the IPv6 address space. Azure provides a /48 block per region (e.g., `2603:1020::/48`). You must allocate a /64 subnet for each subnet that needs IPv6. Ensure that the IPv6 address space does not overlap with any on-premises IPv6 ranges if you plan to use VPN or ExpressRoute. Also, consider that Azure does not support private IPv6 addresses for VMs, so all VM IPv6 addresses will be public (but traffic stays within Azure unless routed to the internet).

2. Create Dual-Stack VNet and Subnet

In the Azure portal, during VNet creation, add both an IPv4 address space (e.g., `10.1.0.0/16`) and an IPv6 address space (e.g., `2603:1020:1::/48`). Then, create a subnet with both prefixes: IPv4 (e.g., `10.1.0.0/24`) and IPv6 (e.g., `2603:1020:1:0::/64`). The IPv6 subnet must be exactly /64. You can also add IPv6 to an existing VNet by adding an IPv6 address space and creating a dual-stack subnet.

3. Create Public IPv6 Address Resource

For internet-facing scenarios, create a public IPv6 address resource. In the portal, navigate to 'Public IP addresses' and create a new one with IP version set to IPv6. You can choose dynamic or static assignment. Dynamic addresses change when the resource is stopped/deallocated; static addresses persist. Note that Azure assigns IPv6 addresses from its public pool, which are globally routable.

4. Configure VM with IPv6

When creating a VM, select the dual-stack subnet. In the networking tab, you can assign an IPv6 address to the primary NIC. By default, Azure assigns a dynamic IPv6 address from the subnet range. You can also assign a static IPv6 address by specifying the exact address. After creation, the VM will have both an IPv4 and an IPv6 address. Verify by logging into the VM and running `ipconfig` (Windows) or `ip addr` (Linux).

5. Configure NSG Rules for IPv6

Network Security Groups (NSGs) support IPv6. You can create inbound and outbound rules with source/destination prefixes as IPv6 addresses or CIDR blocks. For example, to allow SSH from a specific IPv6 range, create a rule with source `2001:db8::/32`, destination `*`, port 22, protocol TCP. Remember that NSG rules are stateful, so return traffic is automatically allowed. Also, Azure default rules allow IPv6 traffic within the VNet and deny inbound from the internet.

6. Verify Connectivity

After configuration, test IPv6 connectivity. From a VM, ping another VM's IPv6 address within the same VNet. For internet connectivity, ping an external IPv6 host like `ipv6.google.com`. Use `tracert` (Windows) or `traceroute6` (Linux) to see the path. If connectivity fails, check NSG rules, route tables, and ensure the VM's OS has IPv6 enabled. Also, verify that the Azure VM size supports IPv6 (e.g., not all Basic tier VMs do).
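
The addressing rules in this walk-through (every IPv6 subnet exactly /64 and inside the VNet space, no overlap with on-premises ranges, static NIC addresses inside their subnet) can be checked before anything is deployed. The following is an added example, not part of the original chapter or any Azure tooling; `check_ipv6_plan` and the sample plan are hypothetical, and the on-premises range is a constructed documentation prefix.

```python
import ipaddress

# Constructed sample plan; the Azure-side prefixes reuse this chapter's examples.
SAMPLE_VNET = "2603:1020:1::/48"
SAMPLE_SUBNETS = {
    "web": "2603:1020:1:0::/64",
    "app": "2603:1020:1:100::/56",   # wrong size
    "db": "2001:db8:aa:1::/64",      # outside the VNet, collides with on-premises
}
SAMPLE_ON_PREM = ["2001:db8:aa::/48"]
SAMPLE_STATIC = {
    "vm1-nic": ("web", "2603:1020:1:1::a"),   # not in the web /64
    "vm2-nic": ("web", "2603:1020:1:0::a"),
}


def check_ipv6_plan(vnet_prefix, subnets, on_prem=(), static_addrs=None):
    """Return findings for a dual-stack IPv6 plan; an empty list means clean."""
    findings = []
    vnet = ipaddress.IPv6Network(vnet_prefix)
    on_prem_nets = [ipaddress.IPv6Network(p) for p in on_prem]
    parsed = {}
    for name, prefix in subnets.items():
        try:
            net = ipaddress.IPv6Network(prefix)  # strict: rejects host bits
        except ValueError as exc:
            findings.append(f"{name}: invalid prefix {prefix!r}: {exc}")
            continue
        if net.prefixlen != 64:
            findings.append(f"{name}: {net} must be exactly /64")
        if not net.subnet_of(vnet):
            findings.append(f"{name}: {net} is outside VNet space {vnet}")
        for other_name, other in parsed.items():
            if net.overlaps(other):
                findings.append(f"{name}: {net} overlaps subnet {other_name}")
        for remote in on_prem_nets:
            if net.overlaps(remote):
                findings.append(f"{name}: {net} overlaps on-premises {remote}")
        parsed[name] = net
    for nic, (subnet_name, addr) in (static_addrs or {}).items():
        net = parsed.get(subnet_name)
        if net is None:
            findings.append(f"{nic}: subnet {subnet_name!r} is not in the plan")
        elif ipaddress.IPv6Address(addr) not in net:
            findings.append(f"{nic}: static address {addr} is not inside {net}")
    return findings


if __name__ == "__main__":
    for finding in check_ipv6_plan(SAMPLE_VNET, SAMPLE_SUBNETS,
                                   SAMPLE_ON_PREM, SAMPLE_STATIC):
        print(finding)
```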

What This Looks Like on the Job

Enterprise Scenario 1: Dual-Stack Web Application

A global e-commerce company needs to serve customers from countries where IPv6 adoption is high (e.g., India, Germany). They deploy a dual-stack web application in Azure. The frontend uses Azure Load Balancer with both IPv4 and IPv6 public IPs. Backend VMs are placed in a dual-stack subnet. The load balancer distributes incoming traffic to VMs based on the client's IP version. The company also uses Azure DNS with A and AAAA records. Performance: The load balancer handles up to 10,000 concurrent connections per frontend IP. Misconfiguration example: If the NSG rule for the backend subnet only allows IPv4 traffic, IPv6 requests from the load balancer will be dropped, causing intermittent failures.

Enterprise Scenario 2: IPv6-Only IoT Backend

A manufacturing company deploys an IoT solution where devices use IPv6. The backend services run in Azure. They create a dual-stack VNet, but the IoT devices only send IPv6 traffic. The backend VMs receive IPv6 traffic from the internet via a public IPv6 address. The company uses Azure Firewall to filter IPv6 traffic. They also use VPN Gateway with IPv6 support for communication with on-premises systems. Scale: They handle 100,000 devices sending telemetry every minute. Common issue: Forgetting to configure the firewall rules for IPv6, causing all traffic to be blocked. Also, they discovered that Azure Site Recovery does not support IPv6, so they had to use a separate recovery mechanism.

Enterprise Scenario 3: Hybrid Cloud with IPv6

A financial institution has an on-premises network with IPv6 deployed. They extend their IPv6 network to Azure using ExpressRoute with IPv6 support. They create a dual-stack VNet and configure a virtual network gateway with IPv6. They use custom routes to direct IPv6 traffic between on-premises and Azure. They also use Network Watcher to troubleshoot connectivity. Performance: ExpressRoute supports up to 10 Gbps for IPv6 traffic. Misconfiguration: If the on-premises router advertises a default route (::/0) via BGP, Azure will not accept it because Azure does not support default routes for IPv6. They had to use specific prefixes for routing.

How AZ-104 Actually Tests This

What AZ-104 Tests on IPv6

The AZ-104 exam includes IPv6 under Objective 4.1 (Configure and manage virtual networking). Expect 1-2 questions that typically involve:

Identifying which Azure services support IPv6 (e.g., Load Balancer [public only], VPN Gateway, Azure Firewall, DNS).

Understanding that Azure does not support private IPv6 addresses for VMs.

Knowing that internal load balancers do not support IPv6.

Recognizing that forced tunneling (default route) does not apply to IPv6.

Configuring dual-stack VNets and subnets.

Common Wrong Answers

1. 'You can assign private IPv6 addresses from the ULA range fd00::/8 to VMs.' This is wrong because Azure does not support private IPv6 for VMs. All VM IPv6 addresses are public.

2. 'IPv6 traffic can be forced through a VPN gateway using a default route (::/0).' This is incorrect. Azure does not accept default routes for IPv6. You must use explicit routes.

3. 'Internal load balancers support IPv6 frontends.' False. Only public load balancers support IPv6.

4. 'Application Gateway supports IPv6 frontends.' False. Application Gateway does not support IPv6.

Specific Numbers and Terms to Memorize

/64 subnet size for IPv6 in Azure.

Azure's public IPv6 range: 2603:1020::/48.

Number of IPv6 addresses per NIC: up to 256.

IPv6 support: VPN Gateway (IKEv2), ExpressRoute, Load Balancer (public), Firewall, DNS.

No support: Internal Load Balancer, Application Gateway, Site Recovery, forced tunneling.

Edge Cases

If you assign a static IPv6 address to a VM, ensure it is within the subnet range. Azure does not validate this at creation but the VM will not be reachable if the address is outside the subnet.

IPv6 addresses assigned to VMs are public but traffic remains within the VNet unless the VM is exposed to the internet. This can cause confusion about security.

When using dual-stack, NSGs must have rules for both IPv4 and IPv6 separately. A rule for IPv4 does not apply to IPv6.
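
Because an IPv4 rule never matches IPv6 traffic, a dual-stack NSG can silently admit a port for one address family only, which is the backend misconfiguration described in Enterprise Scenario 1. The following is an added example, not part of the original chapter: a hypothetical `family_gaps` check over a constructed rule set that uses the `securityRules` field names printed by `az network nsg show`. It assumes `*` and service tags cover both families, compares port strings literally, and ignores Deny rules and priorities.

```python
import ipaddress

# Constructed sample rules; all addresses are documentation ranges.
SAMPLE_NSG = {"securityRules": [
    {"name": "ssh-v4", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "198.51.100.0/24", "destinationPortRange": "22"},
    {"name": "ssh-v6", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "2001:db8::/32", "destinationPortRange": "22"},
    {"name": "web-v4", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "203.0.113.0/24",
     "destinationPortRanges": ["80", "443"]},
    {"name": "web-v6", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "2001:db8::/32", "destinationPortRange": "443"},
    {"name": "probe", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "AzureLoadBalancer", "destinationPortRange": "8080"},
    {"name": "egress-v4", "direction": "Outbound", "access": "Allow",
     "sourceAddressPrefix": "10.1.0.0/24", "destinationPortRange": "53"},
]}


def source_families(rule):
    """Return the IP versions ({4}, {6} or {4, 6}) a rule's sources cover."""
    prefixes = list(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        prefixes.append(rule["sourceAddressPrefix"])
    families = set()
    for prefix in prefixes:
        try:
            families.add(ipaddress.ip_network(prefix, strict=False).version)
        except ValueError:
            families |= {4, 6}  # assumption: "*" and service tags match both
    return families


def rule_ports(rule):
    """Collect the destination port strings from both singular and plural fields."""
    ports = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        ports.append(rule["destinationPortRange"])
    return set(ports)


def family_gaps(nsg):
    """Return {port: missing family} for inbound ports allowed for one family only."""
    allowed = {}
    for rule in nsg["securityRules"]:
        if rule["direction"] != "Inbound" or rule["access"] != "Allow":
            continue
        for port in rule_ports(rule):
            allowed.setdefault(port, set()).update(source_families(rule))
    return {port: ("IPv6" if fams == {4} else "IPv4")
            for port, fams in sorted(allowed.items()) if len(fams) == 1}


if __name__ == "__main__":
    for port, missing in family_gaps(SAMPLE_NSG).items():
        print(f"port {port}: no inbound Allow rule for {missing} sources")
```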

How to Eliminate Wrong Answers

If an option mentions 'private IPv6 address' for a VM, eliminate it immediately.

If an option suggests using Application Gateway or Internal Load Balancer for IPv6, eliminate it.

If an option says 'default route for IPv6', eliminate it.

Focus on services explicitly listed as supporting IPv6 in the Azure documentation.

Key Takeaways

Azure assigns public IPv6 addresses from the 2603:1020::/48 range.

All IPv6 subnets must be /64 in size.

Azure does not support private IPv6 addresses for VMs.

Internal load balancers and Application Gateway do not support IPv6.

Forced tunneling (default route) does not apply to IPv6 traffic.

NSG rules for IPv6 are separate from IPv4 rules.

Azure DNS supports AAAA records for IPv6.

VPN Gateway supports IPv6 for site-to-site VPN using IKEv2.

You can assign up to 256 IPv6 addresses per NIC.

Azure Firewall can filter IPv6 traffic.

Network Watcher supports IPv6 for troubleshooting.

Azure Site Recovery does not support IPv6 replication.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

IPv4 in Azure

32-bit address, e.g., 10.1.0.4

Supports private addresses (RFC 1918)

Default route (0.0.0.0/0) supported for forced tunneling

All Azure services support IPv4

NAT is commonly used for internet access

IPv6 in Azure

128-bit address, e.g., 2603:1020:1:0::a

No private addresses for VMs; all are public

No default route (::/0) accepted; forced tunneling not available

Limited service support (e.g., no Internal LB, no App Gateway)

No NAT needed; end-to-end global addressing

Watch Out for These

Mistake

You can assign private IPv6 addresses (ULA) to Azure VMs.

Correct

Azure does not support private IPv6 addresses for VMs. All IPv6 addresses assigned to VMs are public from Azure's public pool (e.g., 2603:1020::/48). Internal VNet communication over IPv6 still uses these public addresses, but the traffic stays within Azure unless it is routed to the internet.

Mistake

IPv6 traffic can be forced through a VPN gateway using a default route (::/0).

Correct

Azure does not accept a default route for IPv6. Forced tunneling only applies to IPv4. To route IPv6 traffic through a VPN gateway, you must add explicit routes for specific IPv6 prefixes.

Mistake

Internal load balancers support IPv6 frontends.

Correct

Internal load balancers do not support IPv6. Only public load balancers can have an IPv6 frontend IP configuration.

Mistake

Application Gateway supports IPv6 frontends.

Correct

Application Gateway does not support IPv6 frontends. It only supports IPv4.

Mistake

IPv6 addresses in Azure are always dynamic.

Correct

You can assign both dynamic and static IPv6 addresses to VMs and public IPs. Static addresses persist even when the resource is stopped/deallocated.

Frequently Asked Questions

Can I assign a private IPv6 address to an Azure VM?

No. Azure does not support assigning private IPv6 addresses (from ULA range fd00::/8) to VMs. All IPv6 addresses assigned to VMs are public IPs from Azure's public pool. However, traffic between VMs within the same VNet stays internal and does not go over the internet.

Does Azure Load Balancer support IPv6?

Yes, but only the public load balancer supports IPv6 frontends. Internal load balancers do not support IPv6. You can create a public load balancer with an IPv6 public IP address to distribute traffic to backend VMs.

Can I use forced tunneling with IPv6 in Azure?

No. Forced tunneling (using a default route of 0.0.0.0/0) only applies to IPv4 traffic. Azure does not accept a default route (::/0) for IPv6. To route IPv6 traffic through a VPN gateway or firewall, you must add explicit routes for specific IPv6 prefixes.

What Azure services support IPv6?

Azure services that support IPv6 include: Virtual Networks (dual-stack), Public Load Balancer, VPN Gateway (IKEv2), ExpressRoute, Azure Firewall, Azure DNS (AAAA records), and Network Watcher. Services that do NOT support IPv6 include: Internal Load Balancer, Application Gateway, and Azure Site Recovery.

How do I configure an NSG rule for IPv6 traffic?

In the NSG rule, set the Protocol to 'IPv6' or specify IPv6 addresses in the Source/Destination fields. For example, to allow SSH from a specific IPv6 range, create a rule with source '2001:db8::/32', destination '*', port 22, protocol TCP. Remember that NSG rules for IPv4 and IPv6 are independent.

Can I assign multiple IPv6 addresses to a single NIC?

Yes, you can assign up to 256 IPv6 addresses to a single NIC. This is useful for hosting multiple websites or services on a single VM.

What is the default IPv6 subnet size in Azure?

The default and only supported IPv6 subnet size in Azure is /64. You cannot create an IPv6 subnet with a different prefix length.
