BYOIP on AWS: a PDS case study

@lizthegrey.com

This is a document detailing how I acquired an IPv6 block from APNIC, and then began hosting pds.lizthegrey.com off it. (Chances are a relay pulled this very essay via IPv6!)

I elected not to acquire an IPv4 block just for the purposes of my PDS, after an offer to purchase an IPv4 block at a discounted price fell through. At list rates of up to 20k AUD per /24, it's mostly not worth it to procure IPv4 blocks for hobby use, and you can only get them in units of 256 IPs (a /24), which is the minimum routable size.

Becoming a RIR member

In order to obtain internet resources of any kind, regardless of whether it's an IPv4 address, IPv6 address, or an autonomous system number (ASN) required to participate in BGP, you need to be a member in good standing of the pertinent Regional Internet Registry (RIR). In my case, because I live both in Australia and Canada, I had the choice of signing up for APNIC or ARIN. It happens that APNIC still has IPv4 blocks to assign, whereas ARIN is out and has a waitlist, so to preserve my options for the future in case I do want to request a new IPv4 allocation, I chose to sign up with APNIC as an associate member.

In order to become a member, you need to have proof that you are actively trading or carrying on a business, which I fortunately had as a result of registering for an Australian Business Number (ABN) in order to do IT consulting and advisory work. So I simply submitted my sole trader registration and some biographical details and it was off to the races.

Acquiring the IPv6 block

As a dues-paying associate member of APNIC, I was entitled to (upon presentation of proof of a realistic usage plan) a free IPv6 /48 for use within the APNIC service area included in my membership. So I submitted a bit more paperwork showing that I have an AWS account in good standing (paid for with AWS Hero service credits for experimentation & demoing), and said that I'd be hosting an ATProto PDS on the IP range, and potentially in future migrating my email servers, web hosting for lizthegrey.com, and so forth to it. I didn't have to articulate demand for use by anyone other than myself for a /48, because /48s are plentiful. If I'd requested a fresh /24, they'd have (hopefully?) vetted my use case a bit more carefully to make sure I'd actually use at least half of the 256 IPs within a short time window.

Within a few days, I had a response to my ticket allocating me a fresh /48 prefix from APNIC's available blocks.

Porting the block to AWS

Since I didn't have an ASN of my own to announce the blocks with, I turned to AWS to announce the blocks for me. The BYOIP feature is pretty well-documented, so I just had to add the requisite RPKI entries and a signed attestation to my RDAP directory entry corresponding to a secret I previously shared with AWS. At that point, I could see the IP blocks inside of AWS as available to assign. Shortly afterwards, bgp.tools and IRR explorer lit up with the announcements as well.
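The RPKI side of this is worth checking before (and after) AWS starts announcing: a Route Origin Authorization names the prefix, the origin ASN allowed to announce it, and a maxLength that bounds how specific the announcement may be. The check below is an added example, not code from the post or from AWS. It implements the RFC 6811 route-origin validation states against a constructed ROA list for the /48 that the address later in the post belongs to (2001:df5:fd40::/48, derived from that address), authorising the two Amazon origin ASNs that AWS's BYOIP documentation asks you to cover (16509 and 14618; those numbers come from AWS docs, not from this post). A real check would load ROAs from a validator's export instead of the inline list.

```python
"""RPKI route-origin validation (RFC 6811) as a defender's sanity check.

Added example, not from the original post. ROAS below is constructed to mirror
what a BYOIP onboarding would create; the Amazon ASNs are taken from AWS's
BYOIP documentation (assumption, not from the post).
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    prefix: str       # authorised prefix, e.g. "2001:df5:fd40::/48"
    max_length: int   # longest (most specific) announcement the ROA permits
    origin_asn: int   # AS authorised to originate the prefix


# Constructed ROAs for this example: the /48, origin AWS, no more-specifics.
ROAS = [
    ROA("2001:df5:fd40::/48", 48, 16509),
    ROA("2001:df5:fd40::/48", 48, 14618),
]


def validate_route(prefix: str, origin_asn: int, roas=ROAS) -> str:
    """Return 'valid', 'invalid' or 'not-found' for an announced route.

    A ROA covers the route if the ROA prefix contains the announced prefix.
    No covering ROA -> not-found. Among covering ROAs, one whose origin AS
    matches and whose maxLength is at least the announced length -> valid.
    Covering ROAs exist but none matches -> invalid (a hijack, a leak, or a
    more-specific you forgot to authorise).
    """
    route = ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ip_network(roa.prefix, strict=False)
        if roa_net.version == route.version and route.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.origin_asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


if __name__ == "__main__":
    checks = [
        ("2001:df5:fd40::/48", 16509),      # AWS announcing the /48 as intended
        ("2001:df5:fd40::/48", 64512),      # some other AS originating the block
        ("2001:df5:fd40:100::/56", 16509),  # more specific than maxLength allows
        ("2001:db8::/32", 16509),           # nothing covers this prefix at all
    ]
    for p, asn in checks:
        print(f"{p} from AS{asn}: {validate_route(p, asn)}")
```

The third case is the one that bites people in practice: a ROA with maxLength 48 makes any /56 announcement of the same block RPKI-invalid even from the right origin, so if you ever want AWS (or anyone) to announce a more-specific, the ROA has to say so.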

It took a couple more steps to subdivide the /48 into smaller units, for use as the public-facing address ranges for each subnet. I assigned :0100, :0200, and so forth to each subnet, a /56 apiece. There were, of course, plenty left over because IPv6 address space is extremely sparse, so I have room to assign Tailscale IPs in future for anything not within one of the AWS per-AZ subnets.

Assigning an IP to my instance

First, I had to think of a memorable IP address; it is legal to just use :: to elide a run of 0s in the middle of an address, but it's no fun to do that! I went looking for the longest words or phrases expressible with hexadecimal digits only, and found that allocatables (a110ca7ab1e5) was on point given this was a demo of IPv6 allocation, so I picked it!
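To tie the two previous steps together, here is an added example (my code, not the author's) that carves the /48 into its 256 /56 subnets, spells a word in hex look-alike digits, and places it in the interface identifier of an address inside the :0100 subnet. The /48 (2001:df5:fd40::/48) is derived from the address the post assigns; the letter-to-digit table (l→1, o→0, t→7, s→5) is my assumption about how "allocatables" became a110ca7ab1e5. The word list is constructed for the example.

```python
"""Carve a /48 into /56s and compose a hex-spelled interface identifier.

Added example, not code from the post. PREFIX is derived from the address in
the post; HEX_LOOKALIKES is an assumed leet-style mapping.
"""
from __future__ import annotations

from ipaddress import IPv6Address, IPv6Network
from typing import List, Optional

PREFIX = IPv6Network("2001:df5:fd40::/48")

# a-f are hex already; the rest are digit look-alikes the post's word relies on.
HEX_LOOKALIKES = {**{c: c for c in "abcdef"}, "l": "1", "o": "0", "t": "7", "s": "5"}

# Constructed word list for the search; "allocatables" is the one from the post.
CANDIDATE_WORDS = ["allocatables", "deadbeef", "facade", "network", "cattle", "access", "ipv6"]


def hex_spell(word: str) -> Optional[str]:
    """Spell a word with hex digits, or None if some letter has no hex form."""
    out = []
    for ch in word.lower():
        if ch not in HEX_LOOKALIKES:
            return None
        out.append(HEX_LOOKALIKES[ch])
    return "".join(out)


def longest_hex_words(words: List[str], max_digits: int = 12) -> List[str]:
    """Words that fit in max_digits hex digits, longest first (stable for ties)."""
    spellable = [w for w in words if hex_spell(w) is not None and len(w) <= max_digits]
    return sorted(spellable, key=len, reverse=True)


def subnets(prefix: IPv6Network = PREFIX, new_prefixlen: int = 56) -> List[IPv6Network]:
    """Every /56 inside the /48 (256 of them); index 1 is the :0100 subnet."""
    return list(prefix.subnets(new_prefix=new_prefixlen))


def compose_address(subnet: IPv6Network, word: str, host: int = 1) -> IPv6Address:
    """Put the hex-spelled word in the interface identifier, then a 16-bit host number.

    The word may use at most 12 hex digits (three hextets) so the last hextet
    is left for the host. It is left-padded with zeros if shorter.
    """
    digits = hex_spell(word)
    if digits is None or len(digits) > 12:
        raise ValueError(f"{word!r} cannot be spelled in 12 hex digits")
    if not 0 <= host <= 0xFFFF:
        raise ValueError("host must fit in one hextet")
    iid = (int(digits.rjust(12, "0"), 16) << 16) | host  # 64-bit interface id
    addr = IPv6Address(int(subnet.network_address) | iid)
    if addr not in subnet:  # cannot happen for a /56, but guards other prefix lengths
        raise ValueError("interface id spilled outside the subnet")
    return addr


def post_address() -> str:
    """The address the post assigns, rebuilt from its parts."""
    return str(compose_address(subnets()[1], "allocatables", host=1))


if __name__ == "__main__":
    print(longest_hex_words(CANDIDATE_WORDS))
    print(subnets()[1], "->", post_address())
```

Running it prints the :0100 subnet as 2001:df5:fd40:100::/56 and the composed address as 2001:df5:fd40:100:a110:ca7a:b1e5:1, matching the assign-ipv6-addresses call below.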

I'd previously migrated my VM with my PDS from AWS's us-east-1 to the ap-southeast-2 (Sydney) region by using EBS snapshots and regional replication. So I didn't have to touch the VM itself, only run:

$ aws ec2 assign-ipv6-addresses \
    --network-interface-id eni-1234567890abcdef0 \
    --ipv6-addresses 2001:df5:fd40:100:a110:ca7a:b1e5:1

And just like that, because my VM was listening on all assigned IPv4 and IPv6 addresses, it was reachable over HTTPS and SSH, and I could traceroute6 it natively from both my Canadian and Australian residential connections which also support native IPv6.

Updating DNS records

The final step was going to my domain registrar & DNS provider to update the AAAA record for pds.lizthegrey.com with that IP address. Once that was done, traffic could flow to my PDS over my own IPv6 addresses!

lizthegrey.com
Liz Fong-Jones (方禮真)
