Public IP Addresses in Azure
This document provides a comprehensive overview of public IP addresses in Azure, including their purpose, types, and management.
What are Azure Public IP Addresses?
A public IP address is an IPv4 or IPv6 address that is configurable, routable over the internet, and assigned to a supported Azure resource. Azure provides public IP addresses to enable communication between an Azure resource and the internet, or between Azure resources and other internet-facing resources.
Key Features and Concepts
- Internet Connectivity: Allows resources to be accessible from the internet.
- Static vs. Dynamic: Public IPs can be static (remain assigned to a resource until explicitly unassigned) or dynamic (can change when the resource is stopped/started). For critical resources, static IPs are recommended.
- SKUs: Azure offers two SKUs for public IP addresses: Basic and Standard. Standard SKU offers additional features and a defined service level agreement (SLA).
- Zones: Public IP addresses can be zonal or global. Zonal IPs are tied to a specific availability zone, while global IPs can span multiple zones.
- Association: Public IP addresses can be associated with various Azure resources, including Virtual Machines (VMs), Load Balancers, Application Gateways, VPN Gateways, and Azure Firewall.
Types of Public IP Addresses
Basic SKU Public IP Addresses
The Basic SKU is the default SKU for public IP addresses. It offers core functionality for internet connectivity but lacks some advanced features and a direct SLA. Resources with Basic SKU public IPs are not protected by Network Security Groups (NSGs) by default, which can pose a security risk.
Standard SKU Public IP Addresses
The Standard SKU provides enhanced features, including better security through mandatory NSG association, zone redundancy options, and a dedicated SLA. Standard SKU public IPs are the recommended choice for production workloads.
Managing Public IP Addresses
Creating a Public IP Address
You can create a public IP address using the Azure portal, Azure CLI, Azure PowerShell, or ARM templates. When creating one, you specify:
- SKU (Basic or Standard)
- IP address version (IPv4 or IPv6)
- Assignment (Dynamic or Static)
- Name and Resource Group
- Region
- Zone redundancy (for Standard SKU)
Associating with Resources
Public IP addresses are associated with specific Azure resources. For example, when creating a VM, you can choose to create and associate a new public IP address or use an existing one.
Disassociating and Deleting
You can disassociate a public IP address from a resource, making it unassigned. This can be useful for troubleshooting or reassigning the IP. Deleting a public IP address releases the IP address back to Azure's pool of available addresses.
Use Cases
- Virtual Machines: Providing direct internet access to VMs.
- Load Balancers: Acting as the front-end IP address for inbound traffic.
- Application Gateways: Serving as the entry point for web applications.
- VPN Gateways: Establishing secure connections to on-premises networks.
- Azure Firewall: Providing a centralized network security appliance.
Best Practices
- Always use the Standard SKU for production workloads.
- Associate Network Security Groups (NSGs) with all public IP addresses to control inbound and outbound traffic.
- Use static IP assignments for resources that require a consistent public IP address.
- Consider zone-redundant public IPs for high availability scenarios.
- Regularly review and audit your public IP address assignments.
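One way to run the audit the list above recommends, as an added example that is not part of the original page or of Azure's tooling: it checks each public IP record for the Standard SKU, static assignment, zone redundancy, and an existing association. It assumes input in the shape of `az network public-ip list -o json`; the sample records, the function names, and the "more than one zone means zone-redundant" rule are assumptions made here, and NSG coverage is not checked because that data lives on the NIC or subnet rather than on the public IP.

```python
import json

# Constructed sample in the shape of `az network public-ip list -o json`;
# names and values are made up for illustration.
SAMPLE = json.loads("""[
 {"name": "pip-web", "resourceGroup": "rg-prod", "sku": {"name": "Standard"},
  "publicIPAllocationMethod": "Static", "zones": ["1", "2", "3"],
  "ipConfiguration": {"id": "constructed-nic-ipconfig-id"}},
 {"name": "pip-legacy", "resourceGroup": "rg-prod", "sku": {"name": "Basic"},
  "publicIPAllocationMethod": "Dynamic", "zones": null,
  "ipConfiguration": {"id": "constructed-nic-ipconfig-id"}},
 {"name": "pip-orphan", "resourceGroup": "rg-test", "sku": {"name": "Standard"},
  "publicIPAllocationMethod": "Static", "zones": ["1"],
  "ipConfiguration": null}
]""")


def audit_public_ip(pip):
    """Return the best-practice findings for one public IP record."""
    findings = []
    sku = ((pip.get("sku") or {}).get("name") or "").lower()
    if sku != "standard":
        findings.append("not Standard SKU")
    if (pip.get("publicIPAllocationMethod") or "").lower() != "static":
        findings.append("dynamic allocation")
    # Assumption: more than one listed zone means zone-redundant.
    # Only checked for Standard, since the page ties zone redundancy to that SKU.
    if sku == "standard" and len(pip.get("zones") or []) < 2:
        findings.append("not zone-redundant")
    # No ipConfiguration means the address is not attached to a NIC or front end.
    if not pip.get("ipConfiguration"):
        findings.append("unassociated")
    return findings


def audit(pips):
    """Map 'resourceGroup/name' to findings, omitting clean addresses."""
    report = {}
    for pip in pips:
        findings = audit_public_ip(pip)
        if findings:
            report[f"{pip.get('resourceGroup')}/{pip.get('name')}"] = findings
    return report


if __name__ == "__main__":
    for resource, findings in audit(SAMPLE).items():
        print(f"{resource}: {', '.join(findings)}")
```

To audit a real subscription, replace `SAMPLE` with the parsed JSON output of `az network public-ip list -o json`.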
For detailed steps and advanced configurations, please refer to the official Azure documentation for creating and managing public IP addresses.