Create a VM with a static public IP address using the Azure CLI 2.0

You can create virtual machines (VMs) in Azure and expose them to the public Internet by using a public IP address. By default, public IP addresses are dynamic, and the address associated with them may change when the VM is deleted. To guarantee that the VM always uses the same public IP address, you need to create a static public IP address.

Before you can implement static Public IPs in VMs, it is necessary to understand when you can use static Public IPs, and how they are used. Read the IP addressing overview to learn more about IP addressing in Azure.

Azure has two different deployment models for creating and working with resources: Resource Manager and classic. This article covers using the Resource Manager deployment model, which Microsoft recommends for most new deployments instead of the classic deployment model.


This document will walk through a deployment that uses a static public IP address allocated to a virtual machine (VM). In this scenario, you have a single VM with its own static public IP address. The VM is part of a subnet named FrontEnd and also has a static private IP address in that subnet.

You may need a static IP address for web servers that require SSL connections in which the SSL certificate is linked to an IP address.


You can follow the steps below to deploy the environment shown in the figure above.

Create the VM

You can complete this task using the Azure CLI 2.0 (this article) or the Azure CLI 1.0. The values in "" for the variables in the steps that follow create resources with settings from the scenario. Change the values, as appropriate, for your environment.

  1. Install the Azure CLI 2.0 if you don't already have it installed.
  2. Create an SSH public and private key pair for Linux VMs by completing the steps in the article Create an SSH public and private key pair for Linux VMs.
  3. From a command shell, log in with the command az login.
  4. Create the VM by executing the script that follows on a Linux or Mac computer. The Azure public IP address, virtual network, network interface, and VM resources must all exist in the same location. Though the resources don't all have to exist in the same resource group, in the following script they do.

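# Set the variables used by the network commands that follow. IaaSStory, PIPWEB1, and FrontEnd are the
# names this article uses; replace each <placeholder> with a value for your environment.

RgName="IaaSStory"
Location="<location>"
PipName="PIPWEB1"
DnsName="<unique-dns-label>"
VnetName="<vnet-name>"
VnetPrefix="<vnet-address-prefix>"
SubnetName="FrontEnd"
SubnetPrefix="<subnet-address-prefix>"
NicName="<nic-name>"
PrivateIpAddress="<static-private-ip-in-subnet>"

# Create a resource group.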

az group create \
--name $RgName \
--location $Location

# Create a public IP address resource with a static IP address using the --allocation-method Static option.
# If you do not specify this option, the address is allocated dynamically. The address is assigned to the
# resource from a pool of IP addresses unique to each Azure region. The DnsName must be unique within the
# Azure location it's created in. Download and view the file from
# that lists the ranges for each region.

az network public-ip create \
--name $PipName \
--resource-group $RgName \
--location $Location \
--allocation-method Static \
--dns-name $DnsName

# Create a virtual network with one subnet

az network vnet create \
--name $VnetName \
--resource-group $RgName \
--location $Location \
--address-prefix $VnetPrefix \
--subnet-name $SubnetName \
--subnet-prefix $SubnetPrefix

# Create a network interface connected to the VNet with a static private IP address and associate the public IP address
# resource to the NIC.

az network nic create \
--name $NicName \
--resource-group $RgName \
--location $Location \
--subnet $SubnetName \
--vnet-name $VnetName \
--private-ip-address $PrivateIpAddress \
--public-ip-address $PipName

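# Create a new VM with the NIC. Replace each <placeholder> with a value for your environment.

VmName="<vm-name>"

# Replace the value for the VmSize variable with a value from the
# article.
VmSize="<vm-size>"

# Replace the value for the OsImage variable with a value for *urn* from the output returned by entering
# the `az vm image list` command.
OsImage="<image-urn>"

Username="<admin-username>"

# Replace the following value with the path to your public key file.
SshKeyValue="<path-to-public-key-file>"
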
az vm create \
--name $VmName \
--resource-group $RgName \
--image $OsImage \
--location $Location \
--size $VmSize \
--nics $NicName \
--admin-username $Username \
--ssh-key-value $SshKeyValue
# If creating a Windows VM, remove the previous line and you'll be prompted for the password you want to configure for the VM.

In addition to creating a VM, the script creates:

  • A single premium managed disk by default, but you have other options for the disk type you can create. Read the Create a Linux VM using the Azure CLI 2.0 article for details.
  • Virtual network, subnet, NIC, and public IP address resources. Alternatively, you can use existing virtual network, subnet, NIC, or public IP address resources. To learn how to use existing network resources rather than creating additional resources, enter az vm create -h.

Validate VM creation and public IP address

  1. Enter the command az resource list --resource-group IaaSStory --output table to see a list of the resources created by the script. There should be five resources in the returned output: network interface, disk, public IP address, virtual network, and a virtual machine.
  2. Enter the command az network public-ip show --name PIPWEB1 --resource-group IaaSStory --output table. In the returned output, note the value of IpAddress and that the value of PublicIpAllocationMethod is Static.
  3. Before executing the following command, remove the <>, replace Username with the name you used for the Username variable in the script, and replace ipAddress with the ipAddress from the previous step. Run the following command to connect to the VM: ssh -i ~/.ssh/azure_id_rsa <Username>@<ipAddress>.

Remove the VM and associated resources

It's recommended that you delete the resources created in this exercise if you won't use them in production. VM, public IP address, and disk resources incur charges, as long as they're provisioned. To remove the resources created during this exercise, complete the following steps:

  1. To view the resources in the resource group, run the az resource list --resource-group IaaSStory command.
  2. Confirm there are no resources in the resource group, other than the resources created by the script in this article.
  3. To delete all resources created in this exercise, run the az group delete -n IaaSStory command. The command deletes the resource group and all the resources it contains.

Next steps

Any network traffic can flow to and from the VM created in this article. You can define inbound and outbound rules within an NSG that limit the traffic that can flow to and from the network interface, the subnet, or both. To learn more about NSGs, read the NSG overview article.
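
One way to apply the restriction described above, as an added example that is not part of the original article: the function refuses an any-source prefix, creates an NSG that allows SSH (TCP 22) from a single source prefix, and associates the NSG with the VM's network interface. The function names, the NSG and rule names, and the 203.0.113.0/24 documentation range are assumptions.

```shell
# Added example: limit inbound traffic to the NIC created in this article.
# Function, NSG and rule names are hypothetical, not taken from the article.

# Return 0 when the prefix would expose the port to every source.
is_open_source() {
  case "$1" in
    ''|'*'|*/0|[Ii]nternet) return 0 ;;
    *) return 1 ;;
  esac
}

# Args: resource group, location, NIC name, allowed source prefix (CIDR or IP).
restrict_ssh_to_source() {
  rg=$1; location=$2; nic=$3; source_prefix=$4
  nsg="${nic}-nsg"   # assumed naming convention

  if is_open_source "$source_prefix"; then
    echo "refusing to allow SSH from '$source_prefix'" >&2
    return 1
  fi

  az network nsg create \
    --resource-group "$rg" --name "$nsg" --location "$location" || return 1

  # A new NSG's default rules already deny inbound traffic from the Internet,
  # so the only rule to add is the narrow allow for SSH.
  az network nsg rule create \
    --resource-group "$rg" \
    --nsg-name "$nsg" \
    --name AllowSshFromAdmin \
    --priority 100 \
    --direction Inbound \
    --access Allow \
    --protocol Tcp \
    --source-address-prefixes "$source_prefix" \
    --destination-port-ranges 22 || return 1

  # Associate the NSG with the NIC so the rules apply to the VM's traffic.
  az network nic update \
    --resource-group "$rg" --name "$nic" --network-security-group "$nsg"
}

# Usage (203.0.113.0/24 is a documentation range standing in for your admin network):
# restrict_ssh_to_source "$RgName" "$Location" "$NicName" 203.0.113.0/24
```

Run az network nic show --name with your NIC name and --resource-group IaaSStory afterward and confirm that networkSecurityGroup is populated before relying on the rule.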