CONCEPT Cited by 1 source
IPv6 service mesh
IPv6 service mesh is the architectural stance of giving every workload (Pod, VM, function, micro-VM) a unique IPv6 address on an encrypted private overlay, then addressing services directly by those IPv6 addresses rather than by VPC-routable IPv4 + kube-proxy DNAT tricks. The mesh itself is the CNI replacement.
Mechanics
- Every workload comes up with an address on a provider-owned IPv6 prefix (Fly uses fdaa:…, inside their IPv6 + WireGuard peering fabric).
- Point-to-point links are WireGuard tunnels; all cross-host traffic is encrypted by default.
- Service records (ClusterIPs, DNS, private-network endpoints) return IPv6 addresses directly — there's no kube-proxy iptables / IPVS / eBPF rewrite layer in the dataplane.
- The K8s IP Family Policy is SingleStack, IP Families: IPv6 (observed in FKS Service objects).
Fly.io example under FKS
Per the FKS beta post:
Networking/CNI → Our internal WireGuard mesh connects your pods together
Service resolution evidence from the post:
IP Family Policy: SingleStack
IP Families: IPv6
IP: fdaa:0:48c8:0:1::1a
Endpoints: [fdaa:0:48c8:a7b:228:4b6d:6e20:2]:8080
Three access paths all terminate on IPv6 addresses:
- Direct: http://[fdaa:0:48c8:0:1::1a]:8080.
- flycast: http://<svc>.svc.<app>.flycast:8080.
- CoreDNS: <svc>.<ns>.svc.cluster.local → fdaa:….
Trade-offs
- ✅ Eliminates the CNI plugin graph and the kube-proxy iptables layer — smaller dataplane surface area.
- ✅ Encryption-in-transit is the default, not an opt-in mesh sidecar.
- ✅ Simplified multi-region routing — the mesh spans regions natively.
- ❌ Clients, libraries, and observability tools have to handle IPv6 addresses everywhere (many legacy stacks don't, or default to IPv4 first).
- ❌ IPv4-only ingress has to be bridged at the edge (Fly handles this with its proxy + anycast surface).
- ❌ NetworkPolicy semantics are not a 1:1 fit with a WireGuard-mesh underlay; FKS ships no NetworkPolicy support at beta.
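The first ❌ item is where tooling usually breaks: bracketed `[addr]:port` endpoints and address-family assumptions. The following is an added example, not code from the FKS post or from Fly.io, that audits the Service fields quoted above: it checks the family policy and confirms that the ClusterIP and every endpoint are unique-local IPv6 addresses inside an expected overlay prefix. The `/48` prefix and all function names are assumptions made for illustration; the prefix is simply the leading 48 bits shared by the page's two sample addresses.

```python
import ipaddress
import re

ULA = ipaddress.ip_network("fc00::/7")  # RFC 4193 unique local range
# Assumed overlay prefix: the leading 48 bits shared by the page's sample addresses.
OVERLAY = "fdaa:0:48c8::/48"

# Constructed input: the four Service fields quoted on this page.
SAMPLE = """\
IP Family Policy: SingleStack
IP Families: IPv6
IP: fdaa:0:48c8:0:1::1a
Endpoints: [fdaa:0:48c8:a7b:228:4b6d:6e20:2]:8080
"""

def split_hostport(ep):
    """Split '[v6]:port' or 'v4:port'; an unbracketed IPv6 literal has no port."""
    m = re.fullmatch(r"\[([^\]]+)\]:(\d+)", ep)
    if m:
        return m.group(1), int(m.group(2))
    if ep.count(":") == 1:
        return ep.split(":")[0], int(ep.split(":")[1])
    return ep, None

def check_addr(text, overlay):
    """Findings for one address: must be IPv6, unique-local, inside the overlay."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return [f"{text!r}: not an IP literal"]
    if addr.version != 6:
        return [f"{text}: IPv4 address on a single-stack IPv6 Service"]
    if addr not in ULA:
        return [f"{text}: outside fc00::/7, not a private overlay address"]
    if addr not in overlay:
        return [f"{text}: outside expected overlay {overlay}"]
    return []

def audit_service(describe_text, overlay_prefix=OVERLAY):
    overlay = ipaddress.ip_network(overlay_prefix)
    fields = {k.strip(): v.strip() for k, _, v in
              (line.partition(":") for line in describe_text.splitlines())}
    findings = []
    for key, want in (("IP Family Policy", "SingleStack"), ("IP Families", "IPv6")):
        if fields.get(key) != want:
            findings.append(f"{key} is {fields.get(key)!r}, expected {want}")
    findings += check_addr(fields.get("IP", ""), overlay)
    for ep in filter(None, fields.get("Endpoints", "").split(",")):
        findings += check_addr(split_hostport(ep.strip())[0], overlay)
    return findings
```

An empty list from `audit_service(SAMPLE)` means the Service matches the single-stack IPv6 shape described on this page; each returned string names one field or address that does not.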
Seen in
- sources/2024-03-07-flyio-fly-kubernetes-does-more-now — FKS's pod network is the Fly IPv6 WireGuard mesh; ClusterIPs and endpoint addresses are all IPv6.