Understanding AWS – Egress Only Internet Gateways (EIGWs)

IPv6 is designed with the goal of being an end-to-end protocol, and as such AWS does not support NAT or prefix translation of IPv6 addresses. When you create a resource within an IPv6-enabled VPC, it is assigned one or more IPv6 addresses from Amazon's GUA (Global Unicast Address) allocation. A GUA is globally unique and routable on the public internet.

The concept of a private VPC as such does not exist when using IPv6. However, there is certainly a need to ensure that certain IPv6-addressed resources are not reachable from the internet, in the same way as we do with IPv4-addressed resources by putting them in a private VPC and providing internet access via a NAT gateway. To give IPv6 hosts similar functionality, AWS created the Egress Only Internet Gateway (EIGW). As with any AWS-managed component, an EIGW is a scalable and highly redundant VPC component that gives IPv6-addressed resources access to the internet but blocks connections initiated from the internet to those resources. The EIGW does not translate the IPv6 address of the resource: the resource's assigned GUA is the address that is visible on the public internet.
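Because the EIGW performs no translation, the only thing that makes an IPv6 host "private" is which gateway its subnet's `::/0` route points at: an `eigw-` route gives outbound-only access, while an `igw-` route makes the host's GUA reachable from the internet. The following audit script is an added example (not code from the original article or from AWS); it classifies the IPv6 default route of each route table and flags subnets that are meant to be private but route `::/0` through an Internet Gateway. The route-table JSON is constructed to mirror the shape returned by `aws ec2 describe-route-tables`, and all VPC, subnet, gateway and route-table identifiers in it are made-up placeholders.

```python
"""Audit VPC route tables for how IPv6 traffic reaches the internet.

Added example. The sample below is CONSTRUCTED to follow the shape of
`aws ec2 describe-route-tables` output; every identifier is a placeholder
and 2001:db8::/32 is the IPv6 documentation prefix. To run against a real
account, replace SAMPLE_DESCRIBE_ROUTE_TABLES with
json.load(open("route-tables.json")) produced by that CLI command.
"""
import json

SAMPLE_DESCRIBE_ROUTE_TABLES = {
    "RouteTables": [
        {   # public subnet: IPv4 and IPv6 default routes both via the IGW
            "RouteTableId": "rtb-public0001",
            "VpcId": "vpc-example01",
            "Associations": [{"SubnetId": "subnet-public01", "Main": False}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationIpv6CidrBlock": "2001:db8:1234::/56", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example01", "State": "active"},
                {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-example01", "State": "active"},
            ],
        },
        {   # private subnet done correctly: IPv4 via NAT gateway, IPv6 via EIGW
            "RouteTableId": "rtb-private0001",
            "VpcId": "vpc-example01",
            "Associations": [{"SubnetId": "subnet-private01", "Main": False}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationIpv6CidrBlock": "2001:db8:1234::/56", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example01", "State": "active"},
                {"DestinationIpv6CidrBlock": "::/0", "EgressOnlyInternetGatewayId": "eigw-example01", "State": "active"},
            ],
        },
        {   # private subnet misconfigured: IPv6 ::/0 points at the IGW, so hosts are reachable inbound
            "RouteTableId": "rtb-private0002",
            "VpcId": "vpc-example01",
            "Associations": [{"SubnetId": "subnet-private02", "Main": False}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationIpv6CidrBlock": "2001:db8:1234::/56", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example01", "State": "active"},
                {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-example01", "State": "active"},
            ],
        },
    ]
}

# Subnets the operator intends to be private (constructed placeholder IDs).
PRIVATE_SUBNETS = {"subnet-private01", "subnet-private02"}


def classify_ipv6_default_route(route_table):
    """Return 'eigw', 'igw' or None depending on where the active ::/0 route points."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationIpv6CidrBlock") != "::/0":
            continue
        if route.get("State") != "active":
            continue  # blackholed routes carry no traffic either way
        if route.get("EgressOnlyInternetGatewayId"):
            return "eigw"
        if route.get("GatewayId", "").startswith("igw-"):
            return "igw"
    return None


def audit_private_ipv6_egress(describe_output, private_subnets):
    """Flag private subnets whose IPv6 default route bypasses the EIGW.

    Returns a list of findings; an empty list means every private subnet
    sends ::/0 through an EIGW (outbound-only) or has no IPv6 internet route.
    """
    findings = []
    for rt in describe_output["RouteTables"]:
        kind = classify_ipv6_default_route(rt)
        for assoc in rt.get("Associations", []):
            subnet = assoc.get("SubnetId")
            if subnet in private_subnets and kind == "igw":
                findings.append({
                    "subnet": subnet,
                    "route_table": rt["RouteTableId"],
                    "issue": "::/0 routed via Internet Gateway: GUA hosts are reachable inbound from the internet",
                })
    return findings


if __name__ == "__main__":
    print(json.dumps(audit_private_ipv6_egress(SAMPLE_DESCRIBE_ROUTE_TABLES, PRIVATE_SUBNETS), indent=2))
```

The check deliberately treats only an active `::/0` route as an internet path; a `blackhole` route (for example after the gateway was detached) is ignored. Remember that the route table decides reachability at the network layer only; security groups and network ACLs on the instance still apply in both designs.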