Azure Virtual Network IP Addressing
Understanding IP addressing is fundamental to configuring and managing Azure Virtual Networks (VNets). This document provides an in-depth guide to how IP addresses are allocated and used within Azure VNets.
Core Concepts
Azure VNets utilize private IP address spaces, similar to on-premises networks. When you create a VNet, you define an address space, which is a contiguous range of IP addresses in CIDR notation. For example, 10.0.0.0/16.
Public vs. Private IP Addresses
- Private IP Addresses: These are non-routable on the internet and are used for communication within your VNet, between VNets, and to on-premises networks via VPN or ExpressRoute. Azure reserves specific IP address ranges for private use (RFC 1918):
  - 10.0.0.0/8
  - 172.16.0.0/12
  - 192.168.0.0/16
- Public IP Addresses: These are routable on the internet and are assigned to resources like Virtual Machines, Load Balancers, and VPN Gateways to allow them to communicate with the internet or be accessed from the internet.
VNet Address Space and Subnets
The VNet address space is divided into subnets. Each subnet is a smaller range of IP addresses within the VNet's address space. Resources like Virtual Machines are deployed into subnets.
Important Note on Address Space Size
When defining a VNet address space, Azure reserves the first four and the last IP address in the CIDR block for protocol configuration. Therefore, if you have a /24 address space (256 addresses), you will have 251 usable IP addresses. Always plan your address spaces accordingly.
Subnet Allocation
When you create a subnet, you must specify an address range that is a subset of the VNet's address space. Azure reserves the first four IP addresses in each subnet:
- x.x.x.0: Network address
- x.x.x.1: Azure gateway for default route
- x.x.x.2, x.x.x.3: Reserved for future use.
The last IP address in each subnet is also reserved for the subnet's broadcast address.
IP Address Assignment
Azure provides two types of IP address assignments for resources within a VNet:
1. Dynamic IP Addressing
- This is the default assignment method for resources like Virtual Machines when they are created.
- When a VM is started, Azure dynamically assigns an available IP address from the subnet's range.
- The IP address is released back to the pool when the VM is stopped (deallocated). If the VM is restarted without being deallocated, it will retain its IP address.
- Dynamic private IP addresses are suitable for non-critical workloads where IP address persistence is not a requirement.
2. Static IP Addressing
- You can configure a static private IP address for a resource.
- When you select static assignment, you specify the exact IP address from the subnet's range that you want to assign.
- The IP address remains assigned to the resource until it is explicitly changed or the resource is deleted.
- Static IP addresses are crucial for resources that need a consistent IP address, such as domain controllers, SQL servers, or other critical services.
Tip for Static IP Allocation
When assigning a static IP address to a resource in a subnet, ensure that the chosen IP address is not one of the first four or the last IP address in the subnet's range to avoid conflicts.
Public IP Addresses
Public IP addresses in Azure allow resources to communicate with the internet and be accessed from the internet. They can also be assigned dynamically or statically.
Public IP Address SKUs
- Basic SKU: Offers basic functionality; a dynamic IP address is assigned automatically upon creation and can be changed to static.
- Standard SKU: Offers enhanced features such as Availability Zones support and security features (for example, a Network Security Group must be associated to allow inbound traffic), and can be configured as static or dynamic.
Assignment of Public IPs
Public IP addresses can be associated with various Azure resources:
- Virtual Machines (directly or via Load Balancer)
- Load Balancers
- Application Gateways
- VPN Gateways
- Firewalls
Best Practices
| Aspect | Recommendation |
|---|---|
| Address Space Planning | Plan your VNet and subnet address spaces carefully to accommodate future growth and avoid overlaps. Use RFC 1918 ranges. |
| Subnet Granularity | Create subnets to segment your network logically (e.g., by application tier, environment). This improves organization and security. |
| IP Assignment | Use dynamic IP addressing for non-critical workloads and resources that don't require a fixed IP. Use static IP addressing for critical services and resources that need to be consistently reachable. |
| Public IP Usage | Minimize the use of public IP addresses directly on VMs. Instead, use services like Load Balancers or Application Gateways for internet-facing applications. Use Standard SKU for production workloads. |
| Overlapping Addresses | Ensure that VNet address spaces and on-premises network address spaces do not overlap if you plan to establish connectivity between them. |
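The reserved-address rules above (first four and last address of every subnet, hence 251 usable in a /24), the static IP allocation tip, and the overlap check from the best practices table, worked through as an added example in Python; this is illustration code written for this page, not Azure's own tooling, and the subnet and candidate addresses are constructed sample values.

```python
"""Address-planning helpers for Azure VNet subnets (added example)."""
import ipaddress

# Per the page: x.x.x.0 network, x.x.x.1 default gateway, x.x.x.2-3 reserved,
# and the last address reserved as broadcast: four low + one high per subnet.
RESERVED_LOW = 4
RESERVED_TOTAL = RESERVED_LOW + 1


def _subnet(cidr: str) -> ipaddress.IPv4Network:
    net = ipaddress.ip_network(cidr, strict=True)
    # Azure's smallest supported subnet is a /29 (8 addresses, 3 usable).
    if net.num_addresses < 8:
        raise ValueError(f"{cidr}: Azure subnets must be /29 or larger")
    return net


def reserved_addresses(cidr: str) -> list[str]:
    """Return the five addresses Azure reserves in the given subnet."""
    net = _subnet(cidr)
    base = int(net.network_address)
    low = [str(ipaddress.ip_address(base + i)) for i in range(RESERVED_LOW)]
    return low + [str(net.broadcast_address)]


def usable_count(cidr: str) -> int:
    """Number of addresses Azure will actually hand out in this subnet."""
    return _subnet(cidr).num_addresses - RESERVED_TOTAL


def check_static_ip(cidr: str, candidate: str) -> str:
    """Validate a static private IP request against the allocation tip."""
    net = _subnet(cidr)
    ip = ipaddress.ip_address(candidate)
    if ip not in net:
        return "rejected: outside subnet"
    if str(ip) in reserved_addresses(cidr):
        return "rejected: reserved by Azure"
    return "ok"


def overlaps(space_a: str, space_b: str) -> bool:
    """True if two address spaces overlap (e.g. VNet vs. on-premises range)."""
    return ipaddress.ip_network(space_a).overlaps(ipaddress.ip_network(space_b))


if __name__ == "__main__":
    subnet = "10.0.1.0/24"  # constructed sample subnet
    print(reserved_addresses(subnet))             # five reserved addresses
    print(usable_count(subnet))                   # 251
    print(check_static_ip(subnet, "10.0.1.4"))    # ok
    print(check_static_ip(subnet, "10.0.1.255"))  # rejected: reserved by Azure
    print(overlaps("10.0.0.0/16", "10.0.5.0/24"))  # True: would collide
```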
Security Alert
Directly exposing resources to the internet using public IP addresses without proper security controls (like Network Security Groups or Azure Firewall) can expose your environment to significant risks.
By understanding and applying these principles of Azure Virtual Network IP addressing, you can build robust, secure, and scalable cloud infrastructures.
Next Steps: Learn about configuring Subnets.