This repository has been archived by the owner on Nov 1, 2023. It is now read-only.

Unable to deploy using existing VPC with IPv6 Support #196

Open
challgren opened this issue Apr 4, 2023 · 0 comments

Comments


challgren commented Apr 4, 2023

When using the template linux-bastion-entrypoint-existing-vpc.template.yaml and deploying into a VPC that has IPv6 enabled, the deployment fails. The reason is that the AWS DNS servers resolve s3.{region}.amazonaws.com and cloudformation.{region}.amazonaws.com to IPv6 addresses that are not even running an HTTPS server on the address.

Contents of /etc/resolv.conf

; generated by /usr/sbin/dhclient-script
search ec2.internal
options timeout:2 attempts:5
nameserver 10.1.0.2

Cloudformation resolving to an IPv6 address

[root@ip-10-1-1-124 systemd]# host cloudformation.us-east-1.amazonaws.com
cloudformation.us-east-1.amazonaws.com has address 54.239.29.24
cloudformation.us-east-1.amazonaws.com has IPv6 address 64:ff9b::36ef:1cf7

Cloudformation resolving to only an IPv4 address

[root@ip-10-1-1-124 systemd]# host cloudformation.us-east-1.amazonaws.com 1.1.1.1
Using domain server:
Name: 1.1.1.1
Address: 1.1.1.1#53
Aliases: 

cloudformation.us-east-1.amazonaws.com has address 54.239.29.24

S3 resolving to an IPv6 address

[root@ip-10-1-1-124 systemd]# host s3.us-east-1.amazonaws.com
s3.us-east-1.amazonaws.com has address 54.231.235.152
s3.us-east-1.amazonaws.com has address 52.216.36.88
s3.us-east-1.amazonaws.com has address 52.217.82.246
s3.us-east-1.amazonaws.com has address 54.231.193.8
s3.us-east-1.amazonaws.com has address 52.217.74.14
s3.us-east-1.amazonaws.com has address 54.231.171.224
s3.us-east-1.amazonaws.com has address 52.217.86.94
s3.us-east-1.amazonaws.com has address 52.217.230.88
s3.us-east-1.amazonaws.com has IPv6 address 64:ff9b::36e7:ac60
s3.us-east-1.amazonaws.com has IPv6 address 64:ff9b::34d9:a5f0
s3.us-east-1.amazonaws.com has IPv6 address 64:ff9b::36e7:c400
s3.us-east-1.amazonaws.com has IPv6 address 64:ff9b::34d8:fb66
s3.us-east-1.amazonaws.com has IPv6 address 64:ff9b::36e7:e748
s3.us-east-1.amazonaws.com has IPv6 address 64:ff9b::34d8:24e0
s3.us-east-1.amazonaws.com has IPv6 address 64:ff9b::34d8:1bbe
s3.us-east-1.amazonaws.com has IPv6 address 64:ff9b::34d8:2bd0

S3 resolving to only IPv4 when using 1.1.1.1

[root@ip-10-1-1-124 systemd]# host s3.us-east-1.amazonaws.com 1.1.1.1
Using domain server:
Name: 1.1.1.1
Address: 1.1.1.1#53
Aliases: 

s3.us-east-1.amazonaws.com has address 52.216.106.5
s3.us-east-1.amazonaws.com has address 54.231.167.96
s3.us-east-1.amazonaws.com has address 52.217.132.160
s3.us-east-1.amazonaws.com has address 52.217.123.128
s3.us-east-1.amazonaws.com has address 52.217.40.22
s3.us-east-1.amazonaws.com has address 52.217.199.160
s3.us-east-1.amazonaws.com has address 52.217.228.72
s3.us-east-1.amazonaws.com has address 52.217.226.88

curl -6 -v https://cloudformation.us-east-1.amazonaws.com output

[root@ip-10-1-1-124 systemd]# curl -6 -v https://cloudformation.us-east-1.amazonaws.com
*   Trying [64:ff9b::36ef:1cf7]:443...
* connect to 64:ff9b::36ef:1cf7 port 443 failed: Connection timed out
* Failed to connect to cloudformation.us-east-1.amazonaws.com port 443 after 129400 ms: Couldn't connect to server
* Closing connection 0
curl: (28) Failed to connect to cloudformation.us-east-1.amazonaws.com port 443 after 129400 ms: Couldn't connect to server

curl -4 -v https://cloudformation.us-east-1.amazonaws.com output

[root@ip-10-1-1-124 systemd]# curl -4 -v https://cloudformation.us-east-1.amazonaws.com
*   Trying 54.239.28.223:443...
* Connected to cloudformation.us-east-1.amazonaws.com (54.239.28.223) port 443 (#0)
* ALPN: offers h2,http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: CN=cloudformation.us-east-1.amazonaws.com
*  start date: Mar 16 00:00:00 2023 GMT
*  expire date: Dec 24 23:59:59 2023 GMT
*  subjectAltName: host "cloudformation.us-east-1.amazonaws.com" matched cert's "cloudformation.us-east-1.amazonaws.com"
*  issuer: C=US; O=Amazon; CN=Amazon RSA 2048 M01
*  SSL certificate verify ok.
* using HTTP/1.1
> GET / HTTP/1.1
> Host: cloudformation.us-east-1.amazonaws.com
> User-Agent: curl/7.88.1
> Accept: */*
> 
< HTTP/1.1 200 OK
< x-amzn-RequestId: 69733f3d-b4b7-4b55-ad1b-bc5b2001ed27
< Date: Tue, 04 Apr 2023 05:15:10 GMT
< Content-Type: text/plain
< Content-Length: 7
< 
* Connection #0 to host cloudformation.us-east-1.amazonaws.com left intact
*

Security Group and Network ACL is allowing all IPv4 and IPv6 traffic.

My only solution to get the Bastion box to trigger success was to overwrite resolv.conf with "nameserver 1.1.1.1" and then execute "systemctl restart network". My guess is this is really related to CloudFormation not supporting IPv6 and AWS resolving AWS services to addresses that don't have a server running on IPv6.
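Added example, not code from the issue or from the quickstart project it reports against. Every AAAA answer in the captures above sits inside 64:ff9b::/96, the RFC 6052 well-known NAT64 prefix: that is what a DNS64 resolver hands back for a name that only has A records, with the IPv4 address embedded in the low 32 bits. Such an address is reachable only when 64:ff9b::/96 is routed to a NAT64 gateway; otherwise a connection to it hangs exactly as the curl -6 run shows. Before rewriting resolv.conf, the check a practitioner would want is therefore whether the subnet has DNS64 enabled and whether its route table sends 64:ff9b::/96 to a NAT gateway. The script below parses host output (sample lines constructed from the ones quoted in the issue), flags synthesized AAAA records, decodes the embedded IPv4, and selects the addresses worth trying; the function names and the nat64_route_present flag are assumptions for illustration.

```python
import ipaddress
import re
import socket

# RFC 6052 well-known prefix that DNS64 resolvers (RFC 6147) use to synthesize
# AAAA records for IPv4-only names; NAT64 gateways (RFC 6146) translate it back.
NAT64_WKP = ipaddress.ip_network("64:ff9b::/96")

# Constructed sample: lines copied from the `host` output quoted in the issue.
SAMPLE_HOST_OUTPUT = """\
cloudformation.us-east-1.amazonaws.com has address 54.239.29.24
cloudformation.us-east-1.amazonaws.com has IPv6 address 64:ff9b::36ef:1cf7
s3.us-east-1.amazonaws.com has address 54.231.235.152
s3.us-east-1.amazonaws.com has address 52.216.36.88
s3.us-east-1.amazonaws.com has IPv6 address 64:ff9b::36e7:ac60
s3.us-east-1.amazonaws.com has IPv6 address 64:ff9b::34d9:a5f0
"""

# "<name> has address <v4>" or "<name> has IPv6 address <v6>"
HOST_LINE = re.compile(r"^(\S+) has (IPv6 )?address (\S+)$")


def parse_host_output(text):
    """Turn `host` output into (name, rrtype, address_string) tuples."""
    records = []
    for line in text.splitlines():
        m = HOST_LINE.match(line.strip())
        if m:
            name, is_v6, addr = m.groups()
            records.append((name, "AAAA" if is_v6 else "A", addr))
    return records


def embedded_ipv4(addr):
    """If addr lies in 64:ff9b::/96, return the IPv4 address carried in its
    low 32 bits (RFC 6052 /96 layout); otherwise return None."""
    ip = ipaddress.ip_address(str(addr))
    if ip.version != 6 or ip not in NAT64_WKP:
        return None
    return ipaddress.IPv4Address(int(ip) & 0xFFFFFFFF)


def diagnose(records):
    """Per name: A answers, AAAA answers, which AAAA answers are DNS64-synthesized,
    and a 'dns64' verdict that is True when every AAAA answer is synthesized."""
    report = {}
    for name, rrtype, addr in records:
        entry = report.setdefault(name, {"a": [], "aaaa": [], "synthesized": []})
        if rrtype == "A":
            entry["a"].append(addr)
            continue
        entry["aaaa"].append(addr)
        v4 = embedded_ipv4(addr)
        if v4 is not None:
            entry["synthesized"].append((addr, str(v4)))
    for entry in report.values():
        entry["dns64"] = bool(entry["aaaa"]) and len(entry["synthesized"]) == len(entry["aaaa"])
    return report


def usable_addresses(records, nat64_route_present=False):
    """Addresses worth connecting to. Synthesized AAAA answers are dropped unless
    the caller confirms a 64:ff9b::/96 route to a NAT64 gateway exists (assumed
    flag; in a VPC that means a route table entry pointing at a NAT gateway)."""
    keep = []
    for name, rrtype, addr in records:
        if rrtype == "AAAA" and embedded_ipv4(addr) is not None and not nat64_route_present:
            continue
        keep.append((name, rrtype, addr))
    return keep


def live_check(hostname, port=443):
    """Same classification against the system resolver, as the bastion saw it.
    Needs network access; not exercised by the offline sample."""
    records = []
    for family, _, _, _, sockaddr in socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP):
        rrtype = "AAAA" if family == socket.AF_INET6 else "A"
        records.append((hostname, rrtype, sockaddr[0]))
    return diagnose(records)


if __name__ == "__main__":
    recs = parse_host_output(SAMPLE_HOST_OUTPUT)
    for name, entry in diagnose(recs).items():
        kind = "all AAAA answers DNS64-synthesized" if entry["dns64"] else "native AAAA answers"
        print(f"{name}: {kind}")
        for v6, v4 in entry["synthesized"]:
            print(f"  {v6} -> embedded IPv4 {v4}")
    print("would try:", [a for _, _, a in usable_addresses(recs)])
```

Run it on a bastion with `python3 nat64check.py`; to test the live resolver instead, call live_check("cloudformation.us-east-1.amazonaws.com") from a shell. A name whose AAAA answers are all synthesized while curl -6 times out points at the subnet's DNS64 setting without a matching NAT64 route, rather than at the service's own IPv6 support.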
