subnets: only enable DNS64 for IPv6-only subnets

tthvo · tthvo · commit 78cb9d450804 · 2025-10-20T14:02:13.000-07:00
NAT64/DNS64 is meant to be enabled for IPv6-only subnets, in which instances do not have IPv4 [0]. If we enable DNS64 for dualstack subnets, instances will receive both A/AAAA records for IPv4-only services. In most cases, OS-level settings will prefer IPv6, leading to traffic to flow via NAT gateway instead of using IPv4 directly. Reference [0] https://aws.amazon.com/blogs/networking-and-content-delivery/dual-stack-architectures-for-aws-and-hybrid-networks-part-2/
diff --git a/pkg/cloud/services/network/routetables.go b/pkg/cloud/services/network/routetables.go
@@ -422,7 +422,11 @@ func (s *Service) getRoutesToPrivateSubnet(sn *infrav1.SubnetSpec) (routes []*ec
 
 	routes = append(routes, s.getNatGatewayPrivateRoute(natGatewayID))
 	if sn.IsIPv6 {
-		routes = append(routes, s.getNat64PrivateRoute(natGatewayID))
+		// We add the NAT64 route only if DNS64 is enabled for the subnet
+		// That is when the subnet is private and IPv6-only.
+		if sn.CidrBlock == "" {
+			routes = append(routes, s.getNat64PrivateRoute(natGatewayID))
+		}
 		if !s.scope.VPC().IsIPv6Enabled() {
 			// Safety net because EgressOnlyInternetGateway needs the ID from the ipv6 block.
 			// if, for whatever reason by this point that is not available, we don't want to
diff --git a/pkg/cloud/services/network/subnets.go b/pkg/cloud/services/network/subnets.go
@@ -641,8 +641,8 @@ func (s *Service) createSubnet(sn *infrav1.SubnetSpec) (*infrav1.SubnetSpec, err
 		// Enable DNS64 so that the Route 53 Resolver returns DNS records for IPv4-only services
 		// containing a synthesized IPv6 address prefixed 64:ff9b::/96.
 		// This is needed alongside NAT64 to allow IPv6-only workloads to reach IPv4-only services.
-		// We only need to enable on private subnets.
-		if !sn.IsPublic {
+		// We only need to enable on IPv6-only private subnets as dualstack nodes can use communicate over IPv4.
+		if !sn.IsPublic && sn.CidrBlock == "" {
 			if err := wait.WaitForWithRetryable(wait.NewBackoff(), func() (bool, error) {
 				if _, err := s.EC2Client.ModifySubnetAttribute(context.TODO(), &ec2.ModifySubnetAttributeInput{
 					SubnetId: out.Subnet.SubnetId,
diff --git a/pkg/cloud/services/network/subnets_test.go b/pkg/cloud/services/network/subnets_test.go
@@ -1865,14 +1865,6 @@ func TestReconcileSubnets(t *testing.T) {
 				}).Return(&ec2.ModifySubnetAttributeOutput{}, nil).
 					After(secondSubnet)
 
-				m.ModifySubnetAttribute(context.TODO(), &ec2.ModifySubnetAttributeInput{
-					EnableDns64: &types.AttributeBooleanValue{
-						Value: aws.Bool(true),
-					},
-					SubnetId: aws.String("subnet-2"),
-				}).Return(&ec2.ModifySubnetAttributeOutput{}, nil).
-					After(secondSubnet)
-
 				m.DescribeAvailabilityZones(context.TODO(), gomock.Any()).
 					Return(&ec2.DescribeAvailabilityZonesOutput{
 						AvailabilityZones: []types.AvailabilityZone{
@@ -3748,14 +3740,6 @@ func TestReconcileSubnets(t *testing.T) {
 				}).Return(&ec2.ModifySubnetAttributeOutput{}, nil).
 					After(secondSubnet)
 
-				m.ModifySubnetAttribute(context.TODO(), &ec2.ModifySubnetAttributeInput{
-					EnableDns64: &types.AttributeBooleanValue{
-						Value: aws.Bool(true),
-					},
-					SubnetId: aws.String("subnet-2"),
-				}).Return(&ec2.ModifySubnetAttributeOutput{}, nil).
-					After(secondSubnet)
-
 				m.DescribeAvailabilityZones(context.TODO(), gomock.Any()).
 					Return(&ec2.DescribeAvailabilityZonesOutput{
 						AvailabilityZones: []types.AvailabilityZone{
@@ -4003,15 +3987,6 @@ func TestReconcileSubnets(t *testing.T) {
 					Return(&ec2.ModifySubnetAttributeOutput{}, nil).
 					After(zone1PrivateSubnet)
 
-				m.ModifySubnetAttribute(context.TODO(), &ec2.ModifySubnetAttributeInput{
-					EnableDns64: &types.AttributeBooleanValue{
-						Value: aws.Bool(true),
-					},
-					SubnetId: aws.String("subnet-2"),
-				}).
-					Return(&ec2.ModifySubnetAttributeOutput{}, nil).
-					After(zone1PrivateSubnet)
-
 				// zone 2
 				m.DescribeAvailabilityZones(context.TODO(), &ec2.DescribeAvailabilityZonesInput{
 					ZoneNames: []string{"us-east-1c"},
@@ -4185,15 +4160,6 @@ func TestReconcileSubnets(t *testing.T) {
 				}).
 					Return(&ec2.ModifySubnetAttributeOutput{}, nil).
 					After(zone2PrivateSubnet)
-
-				m.ModifySubnetAttribute(context.TODO(), &ec2.ModifySubnetAttributeInput{
-					EnableDns64: &types.AttributeBooleanValue{
-						Value: aws.Bool(true),
-					},
-					SubnetId: aws.String("subnet-2"),
-				}).
-					Return(&ec2.ModifySubnetAttributeOutput{}, nil).
-					After(zone2PrivateSubnet)
 			},
 		},
 	}
