From 26e836ef11090568fde9ef1fdc21abd08f0178f5 Mon Sep 17 00:00:00 2001
From: John Gardiner Myers
Date: Fri, 26 Nov 2021 16:06:32 -0800
Subject: [PATCH] Route NAT64 to NAT Gateway in IPv6 private topology
---
 pkg/model/awsmodel/network.go | 11 +++++++++++
 .../minimal-ipv6-private/kubernetes.tf | 12 ++++++++++++
 2 files changed, 23 insertions(+)
diff --git a/pkg/model/awsmodel/network.go b/pkg/model/awsmodel/network.go
index b58155a4cf..b63e140f53 100644
--- a/pkg/model/awsmodel/network.go
+++ b/pkg/model/awsmodel/network.go
@@ -498,6 +498,17 @@ func (b *NetworkModelBuilder) Build(c *fi.ModelBuilderContext) error {
 c.AddTask(r)
 if b.IsIPv6Only() {
+ // Route NAT64 well-known prefix to the NAT gateway
+ c.AddTask(&awstasks.Route{
+ Name: fi.String("private-" + zone + "-64:ff9b::/96"),
+ Lifecycle: b.Lifecycle,
+ IPv6CIDR: fi.String("64:ff9b::/96"),
+ RouteTable: rt,
+ // Only one of these will be not nil
+ NatGateway: ngw,
+ TransitGatewayID: tgwID,
+ })
+
 // Route IPv6 to the Egress-only Internet Gateway.
 c.AddTask(&awstasks.Route{
 Name: fi.String("private-" + zone + "-::/0"),
diff --git a/tests/integration/update_cluster/minimal-ipv6-private/kubernetes.tf b/tests/integration/update_cluster/minimal-ipv6-private/kubernetes.tf
index 77a03c6ec1..d46aaae1df 100644
--- a/tests/integration/update_cluster/minimal-ipv6-private/kubernetes.tf
+++ b/tests/integration/update_cluster/minimal-ipv6-private/kubernetes.tf
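Review bot: Nothing in the visible lines of the network.go hunk guarantees that the new NAT64 route gets a next hop: the struct literal passes both `NatGateway: ngw` and `TransitGatewayID: tgwID` and relies on the comment `// Only one of these will be not nil`, so if a zone's egress is neither a NAT gateway nor a transit gateway (how `ngw` and `tgwID` are assigned is outside this hunk, so this is inferred) the task would describe a route for `64:ff9b::/96` with no target. I would guard the `c.AddTask` call with `if ngw != nil || tgwID != nil {`, or return an explicit error, so an unsupported egress surfaces during model building rather than as a private subnet whose IPv4-only destinations silently fail. The leading comment should read `// Route the NAT64 well-known prefix (RFC 6052) to the NAT gateway or transit gateway`, since a transit gateway is also a possible target and the NAT64 translation then has to happen downstream of it. `Build` starts and ends outside the hunk.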
@@ -596,6 +596,12 @@ resource "aws_route" "route-private-us-test-1a-0-0-0-0--0" {
 route_table_id = aws_route_table.private-us-test-1a-minimal-ipv6-example-com.id
 }
+resource "aws_route" "route-private-us-test-1a-64_ff9b__--96" {
+ destination_ipv6_cidr_block = "64:ff9b::/96"
+ nat_gateway_id = aws_nat_gateway.us-test-1a-minimal-ipv6-example-com.id
+ route_table_id = aws_route_table.private-us-test-1a-minimal-ipv6-example-com.id
+}
+
 resource "aws_route" "route-private-us-test-1a-__--0" {
 destination_ipv6_cidr_block = "::/0"
 egress_only_gateway_id = aws_egress_only_internet_gateway.minimal-ipv6-example-com.id
@@ -608,6 +614,12 @@ resource "aws_route" "route-private-us-test-1b-0-0-0-0--0" {
 route_table_id = aws_route_table.private-us-test-1b-minimal-ipv6-example-com.id
 }
+resource "aws_route" "route-private-us-test-1b-64_ff9b__--96" {
+ destination_ipv6_cidr_block = "64:ff9b::/96"
+ nat_gateway_id = aws_nat_gateway.us-test-1b-minimal-ipv6-example-com.id
+ route_table_id = aws_route_table.private-us-test-1b-minimal-ipv6-example-com.id
+}
+
 resource "aws_route" "route-private-us-test-1b-__--0" {
 destination_ipv6_cidr_block = "::/0"
 egress_only_gateway_id = aws_egress_only_internet_gateway.minimal-ipv6-example-com.id