Public IP addresses
Public IP addresses allow Internet resources to communicate inbound to Azure resources. Public IP addresses enable Azure resources to communicate to Internet and public-facing Azure services. The address is dedicated to the resource, until it's unassigned by you. A resource without a public IP assigned can communicate outbound. Azure dynamically assigns an available IP address that isn't dedicated to the resource. For more information about outbound connections in Azure, see Understand outbound connections.
In Azure Resource Manager, a public IP address is a resource that has its own properties.
The following resources can be associated with a public IP address:
Virtual machine network interfaces
Virtual Machine Scale Sets
Public Load Balancers
Virtual Network Gateways (VPN/ER)
For Virtual Machine Scale Sets, use Public IP Prefixes.
The following table shows the property a public IP can be associated to a resource and the allocation methods. Public IPv6 support isn't available for all resource types at this time.
|Top-level resource||IP Address association||Dynamic IPv4||Static IPv4||Dynamic IPv6||Static IPv6|
|Virtual machine||Network interface||Yes||Yes||Yes||Yes|
|Public Load balancer||Front-end configuration||Yes||Yes||Yes||Yes|
|Virtual Network gateway (VPN)||Gateway IP configuration||Yes (non-AZ only)||Yes||No||No|
|Virtual Network gateway (ER)||Gateway IP configuration||Yes||Yes||Yes (preview)||No|
|NAT gateway||Gateway IP configuration||No||Yes||No||No|
|Application Gateway||Front-end configuration||Yes (V1 only)||Yes (V2 only)||No||No|
|Azure Firewall||Front-end configuration||No||Yes||No||No|
|Bastion Host||Public IP configuration||No||Yes||No||No|
IP address version
Public IP addresses can be created with an IPv4 or IPv6 address. You may be given the option to create a dual-stack deployment with a IPv4 and IPv6 address.
Public IP addresses are created with one of the following SKUs:
|Public IP address||Standard||Basic|
|Allocation method||Static||For IPv4: Dynamic or Static; For IPv6: Dynamic.|
|Idle Timeout||Have an adjustable inbound originated flow idle timeout of 4-30 minutes, with a default of 4 minutes, and fixed outbound originated flow idle timeout of 4 minutes.||Have an adjustable inbound originated flow idle timeout of 4-30 minutes, with a default of 4 minutes, and fixed outbound originated flow idle timeout of 4 minutes.|
|Security||Secure by default model and be closed to inbound traffic when used as a frontend. Allow traffic with network security group (NSG) is required (for example, on the NIC of a virtual machine with a Standard SKU Public IP attached).||Open by default. Network security groups are recommended but optional for restricting inbound or outbound traffic.|
|Availability zones||Supported. Standard IPs can be non-zonal, zonal, or zone-redundant. Zone redundant IPs can only be created in regions where 3 availability zones are live. IPs created before zones are live won't be zone redundant.||Not supported.|
Basic SKU IPv4 addresses can be upgraded after creation to Standard SKU. To learn about SKU upgrade, refer to Public IP upgrade.
Matching SKUs are required for load balancer and public IP resources. You can't have a mixture of basic SKU resources and standard SKU resources. You can't attach standalone virtual machines, virtual machines in an availability set resource, or a virtual machine scale set resources to both SKUs simultaneously. New designs should consider using Standard SKU resources. For more information about a standard load balancer, see Standard Load Balancer.
IP address assignment
Public IPs have two types of assignments:
Static - The resource is assigned an IP address at the time it's created. The IP address is released when the resource is deleted.
Dynamic - The IP address isn't given to the resource at the time of creation when selecting dynamic. The IP is assigned when you associate the public IP address with a resource. The IP address is released when you stop, or delete the resource.
Static public IP addresses are commonly used in the following scenarios:
When you must update firewall rules to communicate with your Azure resources.
DNS name resolution, where a change in IP address would require updating A records.
Your Azure resources communicate with other apps or services that use an IP address-based security model.
You use TLS/SSL certificates linked to an IP address.
Even when you set the allocation method to static, you cannot specify the actual IP address assigned to the public IP address resource. Azure assigns the IP address from a pool of available IP addresses in the Azure location the resource is created in.
Basic public IP addresses are commonly used for when there's no dependency on the IP address.
For example, a public IP resource is released from a resource named Resource A. Resource A receives a different IP on start-up if the public IP resource is reassigned. Any associated IP address is released if the allocation method is changed from static to dynamic. Any associated IP address is unchanged if the allocation method is changed from dynamic to static. Set the allocation method to static to ensure the IP address remains the same.
|Standard public IPv4||✅||x|
|Standard public IPv6||✅||x|
|Basic public IPv4||✅||✅|
|Basic public IPv6||x||✅|
DNS Name Label
Select this option to specify a DNS label for a public IP resource. This functionality works for both IPv4 addresses (32-bit A records) and IPv6 addresses (128-bit AAAA records). This selection creates a mapping for domainnamelabel.location.cloudapp.chinacloudapi.cn to the public IP in the Azure-managed DNS.
For instance, creation of a public IP with the following settings:
contoso as a domainnamelabel
China North 3 Azure location
The fully qualified domain name (FQDN) contoso.chinanorth3.cloudapp.chinacloudapi.cn resolves to the public IP address of the resource.
Each domain name label created must be unique within its Azure location.
If a custom domain is desired for services that use a public IP, you can use Azure DNS or an external DNS provider for your DNS Record.
Public IP addresses with a standard SKU can be created as non-zonal, zonal, or zone-redundant in regions that support availability zones.
A zone-redundant IP is created in all zones for a region and can survive any single zone failure. A zonal IP is tied to a specific availability zone, and shares fate with the health of the zone. A "non-zonal" public IP addresses are placed into a zone for you by Azure and doesn't give a guarantee of redundancy.
In regions without availability zones, all public IP addresses are created as non-zonal. Public IP addresses created in a region that is later upgraded to have availability zones remain non-zonal. A public IP's availability zone can't be changed after the public IP's creation.
All basic SKU public IP addresses are created as non-zonal. Any IP that is upgraded from a basic SKU to standard SKU remains non-zonal.
Other public IP address features
Azure provides a default outbound access IP for VMs that either aren't assigned a public IP address or are in the back-end pool of an internal basic Azure load balancer. The default outbound access IP mechanism provides an outbound IP address that isn't configurable.
The default outbound access IP is disabled when a public IP address is assigned to the VM, the VM is placed in the back-end pool of a standard load balancer, with or without outbound rules, or if an Azure Virtual Network NAT gateway resource is assigned to the subnet of the VM.
For more information about outbound connections in Azure, see Default outbound access in Azure and Use source network address translation (SNAT) for outbound connections.
The limits for IP addressing are listed in the full set of limits for networking in Azure. The limits are per region and per subscription.
Contact support to increase above the default limits based on your business needs.
Public IPv4 addresses have a nominal charge; Public IPv6 addresses have no charge.
To learn more about IP address pricing in Azure, review the IP address pricing page.
Limitations for IPv6
VPN gateways can't be used in a virtual network with IPv6 enabled, either directly or peered with "UseRemoteGateway".
Public IPv6 addresses are locked at an idle timeout of 4 minutes.
Azure doesn't support IPv6 communication for containers.
Use of IPv6-only virtual machines or virtual machines scale sets aren't supported. Each NIC must include at least one IPv4 IP configuration (dual-stack).
IPv6 ranges can't be added to a virtual network with existing resource navigation links when adding IPv6 to existing IPv4 deployments.
Forward DNS for IPv6 is supported for Azure public DNS. Reverse DNS isn't supported.
For more information on IPv6 in Azure, see here.