Private IP addresses

Private IPs allow communication between resources in Azure.

Resources can be:

  • Azure services such as:

    • Virtual machine network interfaces

    • Internal load balancers (ILBs)

    • Application gateways

  • In a virtual network.

  • On-premises network through a VPN gateway or ExpressRoute circuit.

Private IPs allow communication to these resources without the use of a public IP address.

Allocation method

Azure assigns private IP addresses to resources from the address range of the virtual network subnet where the resource is.

Azure reserves the first four addresses in each subnet address range. The addresses can't be assigned to resources. For example, if the subnet's address range is 10.0.0.0/16, addresses 10.0.0.0-10.0.0.3 and 10.0.255.255 are unavailable. IP addresses within the subnet's address range can only be assigned to one resource at a time.

There are two methods in which a private IP address is given:

Dynamic allocation

Azure assigns the next available unassigned or unreserved IP address in the subnet's address range. While this is normally the next sequentially available address, there's no guarantee that the address will be the next one in the range. For example, if addresses 10.0.0.4-10.0.0.9 are already assigned to other resources, the next IP address assigned is most likely 10.0.0.10. However, it could be any address between 10.0.0.10 and 10.0.0.254. If a specific Private IP address is required for a resource, you should use a static private IP address.

Dynamic is the default allocation method. Once assigned, dynamic IP addresses are released if a network interface is:

  • Deleted

  • Reassigned to a different subnet within the same virtual network.

  • The allocation method is changed to static, and a different IP address is specified.

By default, Azure assigns the previous dynamically assigned address as the static address when you change the allocation method from dynamic to static.

Static allocation

With static allocation, you select and assign any unassigned or unreserved IP address in the subnet's address range.

For example, a subnet's address range is 10.0.0.0/16 and addresses 10.0.0.4-10.0.0.9 are assigned to other resources. You can assign any address between 10.0.0.10 - 10.0.255.254. Static addresses are only released if a network interface is deleted.

Azure assigns the static IP as the dynamic IP when the allocation method is changed. The reassignment occurs even if the address isn't the next available in the subnet. The address changes when the network interface is assigned to a different subnet.

To assign the network interface to a different subnet, you change the allocation method from static to dynamic. Assign the network interface to a different subnet, then change the allocation method back to static. Assign an IP address from the new subnet's address range.

Note

When requesting a private IP address, the allocation is not deterministic or sequential. There are no guarantees the next allocated IP address will utilize the next sequential IP address or use previously deallocated addresses. If a specific Private IP address is required for a resource, you should consider using a static private IP address.

Virtual machines

One or more private IP addresses are assigned to one or more network interfaces. The network interfaces are assigned to a Windows or Linux virtual machine. You can specify the allocation method as either dynamic or static for each private IP address.

Internal DNS hostname resolution (for virtual machines)

Azure virtual machines are configured with Azure-managed DNS servers by default. You can explicitly configure custom DNS servers. These DNS servers provide internal name resolution for virtual machines that are within the same virtual network.

A mapping for the hostname to a virtual machine's private IP address is added to the Azure-managed DNS servers.

A hostname is mapped to the primary IP of the main network interface when a VM has:

  • Multiple network interfaces

  • Multiple IP addresses

  • Both

VMs configured with Azure-managed DNS resolve the hostnames within the same virtual network. Use a custom DNS server to resolve host names of VMs in connected virtual networks.

Internal load balancers (ILB) & Application gateways

You can assign a private IP address to the front-end configuration of an:

This private IP address serves as an internal endpoint. The internal endpoint is accessible only to the resources within its virtual network and the remote networks connected to it. A dynamic or static IP can be assigned.

At-a-glance

The following table shows the property through which a private IP can be associated to a resource.

The possible allocation methods that can be used are also displayed:

  • Dynamic

  • Static

Top-level resource IP address association Dynamic Static
Virtual machine Network interface Yes Yes
Load balancer Front-end configuration Yes Yes
Application gateway Front-end configuration Yes Yes

Limits

The limits on IP addressing are found in the full set of limits for networking in Azure. The limits are per region and per subscription. Contact support to increase the default limits up to the maximum limits based on your business needs.

Next steps