IP address types and allocation methods in Azure

You can assign IP addresses to Azure resources to communicate with other Azure resources, your on-premises network, and the Internet. There are two types of IP addresses you can use in Azure:

  • Public IP addresses: Used for communication with the Internet, including Azure public-facing services.
  • Private IP addresses: Used for communication within an Azure virtual network (VNet), and your on-premises network when you use a VPN gateway or ExpressRoute circuit to extend your network to Azure.

Note

Azure has two different deployment models for creating and working with resources: Resource Manager and classic. This article covers using the Resource Manager deployment model, which Microsoft recommends for most new deployments instead of the classic deployment model.

If you are familiar with the classic deployment model, check the differences in IP addressing between classic and Resource Manager.

Public IP addresses

Public IP addresses allow Azure resources to communicate with the Internet and with Azure public-facing services such as Azure Redis Cache, Azure Event Hubs, SQL databases, and Azure storage.

In Azure Resource Manager, a public IP address is a resource that has its own properties. Some of the resources you can associate a public IP address resource with are:

  • Virtual machine network interfaces
  • Internet-facing load balancers
  • VPN gateways
  • Application gateways

IP address version

Public IP addresses are created with an IPv4 or IPv6 address. Public IPv6 addresses can only be assigned to Internet-facing load balancers.

SKU

Public IP addresses are created with one of the following SKUs:

Basic

All public IP addresses created before the introduction of SKUs are Basic SKU public IP addresses. With the introduction of SKUs, you have the option to specify which SKU you would like the public IP address to be. Basic SKU addresses are:

  • Assigned with the static or dynamic allocation method.
  • Assigned to any Azure resource that can be assigned a public IP address, such as network interfaces, VPN Gateways, Application Gateways, and Internet-facing load balancers.
  • Assignable to a specific zone.
  • Not zone redundant. To learn more about availability zones, see Availability zones overview.

Standard

Standard SKU public IP addresses are:

  • Assigned with the static allocation method only.
  • Assigned to network interfaces or Standard Internet-facing load balancers. For more information about Azure load balancer SKUs, see Azure load balancer standard SKU.
  • Zone redundant by default. They can also be created as zonal addresses, guaranteed in a specific availability zone. To learn more about availability zones, see Availability zones overview.

Note

When you assign a standard SKU public IP address to a virtual machine’s network interface, you must explicitly allow the intended traffic with a network security group. Communication with the resource fails until you create and associate a network security group and explicitly allow the desired traffic.

The Standard SKU is in preview release. Before creating a Standard SKU public IP address, you must first register for the preview, and create the address in a supported location. To register for the preview, see register for the standard SKU preview. For a list of supported locations (regions), see Region availability, and monitor the Azure Virtual Network updates page for additional region support.

Allocation method

A public IP address resource receives its IP address by one of two allocation methods: dynamic or static. The default allocation method is dynamic, where no IP address is allocated when the public IP address resource is created. Instead, the public IP address is allocated when you start (or create) the associated resource (like a VM or load balancer). The IP address is released when you stop (or delete) the resource. After being released from resource A, for example, the IP address can be assigned to a different resource. If the IP address is assigned to a different resource while resource A is stopped, a different IP address is assigned to resource A when you restart it.

To ensure the IP address for the associated resource remains the same, you can set the allocation method explicitly to static. A static IP address is assigned immediately. The address is released only when you delete the resource or change its allocation method to dynamic.

Note

Even when you set the allocation method to static, you cannot specify the actual IP address assigned to the public IP address resource. Azure assigns the IP address from a pool of available IP addresses in the Azure location the resource is created in.

Static public IP addresses are commonly used in the following scenarios:

  • When you must update firewall rules to communicate with your Azure resources.
  • DNS name resolution, where a change in IP address would require updating A records.
  • Your Azure resources communicate with other apps or services that use an IP address-based security model.
  • You use SSL certificates linked to an IP address.

Note

Azure allocates public IP addresses from a range unique to each Azure region. For details, see Azure Datacenter IP ranges.
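
Because a dynamic address is released on stop and can then be assigned to a different resource, an IP-based allowlist should only ever contain addresses held by static public IP resources. The following audit is an added example, not code from the original article; the inventory and allowlist are constructed sample data, with the inventory shaped like the Resource Manager representation of public IP address resources.

```python
import ipaddress

# Constructed inventory, shaped like the ARM representation of public IP address
# resources (sku.name, properties.publicIPAllocationMethod, properties.ipAddress).
INVENTORY = [
    {"name": "pip-web", "sku": {"name": "Basic"},
     "properties": {"publicIPAllocationMethod": "Static", "ipAddress": "203.0.113.10"}},
    {"name": "pip-jump", "sku": {"name": "Basic"},
     "properties": {"publicIPAllocationMethod": "Dynamic", "ipAddress": "203.0.113.25"}},
    # Dynamic and stopped: no address is currently allocated.
    {"name": "pip-batch", "properties": {"publicIPAllocationMethod": "Dynamic"}},
    # Invalid plan: the Standard SKU supports static allocation only.
    {"name": "pip-api", "sku": {"name": "Standard"},
     "properties": {"publicIPAllocationMethod": "Dynamic"}},
]
# Constructed allowlist from a firewall that trusts these source addresses.
ALLOWLIST = ["203.0.113.10/32", "203.0.113.24/29", "198.51.100.7/32"]


def audit(inventory, allowlist):
    """Return (subject, finding) pairs for allocation problems behind an allowlist."""
    nets = [ipaddress.ip_network(entry) for entry in allowlist]
    findings, matched = [], set()
    for pip in inventory:
        props = pip["properties"]
        method = props["publicIPAllocationMethod"]
        # Addresses created without a SKU are Basic.
        sku = pip.get("sku", {}).get("name", "Basic")
        if sku == "Standard" and method != "Static":
            findings.append((pip["name"], "standard-sku-requires-static"))
        if "ipAddress" not in props:
            continue
        addr = ipaddress.ip_address(props["ipAddress"])
        hits = [n for n in nets if addr in n]
        matched.update(hits)
        if hits and method == "Dynamic":
            # The address is released on stop and may go to another resource.
            findings.append((pip["name"], "allowlisted-but-dynamic"))
    for n in nets:
        if n not in matched:
            # Nothing in the inventory holds an address in this entry any more.
            findings.append((str(n), "allowlist-entry-matches-no-resource"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit(INVENTORY, ALLOWLIST):
        print(f"{subject}: {finding}")
```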

DNS hostname resolution

You can specify a DNS domain name label for a public IP resource, which creates a mapping for domainnamelabel.location.cloudapp.azure.com to the public IP address in the Azure-managed DNS servers. For instance, if you create a public IP resource with contoso as a domainnamelabel in the West US Azure location, the fully-qualified domain name (FQDN) contoso.westus.cloudapp.azure.com resolves to the public IP address of the resource. You can use the FQDN to create a custom domain CNAME record pointing to the public IP address in Azure.

Important

Each domain name label created must be unique within its Azure location.
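
A custom-domain CNAME continues to point at the cloudapp.azure.com name whether or not one of your public IP resources still holds that label, so the records are worth reconciling against the inventory. The following check is an added example, not code from the original article; the zone records, the contoso.example domain and the inventory are constructed, and the inventory layout (location, properties.dnsSettings.domainNameLabel) follows the Resource Manager representation.

```python
import re

# Name format from the text: <domainnamelabel>.<location>.cloudapp.azure.com
AZURE_FQDN = re.compile(r"^[^.]+\.[^.]+\.cloudapp\.azure\.com$")


def azure_fqdn(label, location):
    """Build the FQDN Azure maps to a public IP ("West US" -> "westus")."""
    return f"{label}.{location.replace(' ', '')}.cloudapp.azure.com".lower()


def reconcile(cname_records, public_ips):
    """Sort CNAME records by whether their Azure target is held in the inventory."""
    held = set()
    for pip in public_ips:
        label = pip["properties"].get("dnsSettings", {}).get("domainNameLabel")
        if label:
            held.add(azure_fqdn(label, pip["location"]))
    report = {"ok": [], "stale": [], "not_azure": []}
    for name, target in cname_records:
        target = target.rstrip(".").lower()
        if not AZURE_FQDN.match(target):
            report["not_azure"].append(name)   # target is outside this name format
        elif target in held:
            report["ok"].append(name)          # label is held by a listed resource
        else:
            report["stale"].append(name)       # no listed resource holds this label
    return report


# Constructed zone data: (record name, CNAME target).
CNAMES = [
    ("www.contoso.example", "contoso.westus.cloudapp.azure.com."),
    ("shop.contoso.example", "contoso-shop.westus.cloudapp.azure.com."),
    ("cdn.contoso.example", "assets.example.net."),
]
# Constructed inventory: one public IP with a label, one without.
PUBLIC_IPS = [
    {"name": "pip-web", "location": "West US",
     "properties": {"dnsSettings": {"domainNameLabel": "contoso"}}},
    {"name": "pip-batch", "location": "westus", "properties": {}},
]

if __name__ == "__main__":
    print(reconcile(CNAMES, PUBLIC_IPS))
```

Records reported as stale should be removed or repointed before the label is reused, since labels only have to be unique within a location.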

Virtual machines

You can associate a public IP address with a Windows or Linux virtual machine by assigning it to its network interface. You can assign either a dynamic or a static public IP address to a virtual machine. Learn more about assigning IP addresses to network interfaces.

Internet-facing load balancers

You can associate a public IP address created with either SKU with an Azure Load Balancer, by assigning it to the load balancer frontend configuration. The public IP address serves as a load-balanced virtual IP address (VIP). You can assign either a dynamic or a static public IP address to a load balancer front end. You can also assign multiple public IP addresses to a load balancer front end, which enables multi-VIP scenarios like a multi-tenant environment with SSL-based websites. For more information about Azure load balancer SKUs, see Azure load balancer standard SKU.

VPN gateways

An Azure VPN Gateway connects an Azure virtual network to other Azure virtual networks, or to an on-premises network. A public IP address is assigned to the VPN Gateway to enable it to communicate with the remote network. You can only assign a dynamic public IP address to a VPN gateway.

Application gateways

You can associate a public IP address with an Azure Application Gateway, by assigning it to the gateway's frontend configuration. This public IP address serves as a load-balanced VIP. You can only assign a dynamic public IP address to an application gateway frontend configuration.

At-a-glance

The following table shows the specific property through which a public IP address can be associated to a top-level resource, and the possible allocation methods (dynamic or static) that can be used.

| Top-level resource | IP address association | Dynamic | Static |
| --- | --- | --- | --- |
| Virtual machine | Network interface | Yes | Yes |
| Internet-facing load balancer | Front-end configuration | Yes | Yes |
| VPN gateway | Gateway IP configuration | Yes | No |
| Application gateway | Front-end configuration | Yes | No |

Private IP addresses

Private IP addresses allow Azure resources to communicate with other resources in a virtual network or an on-premises network through a VPN gateway or ExpressRoute circuit, without using an Internet-reachable IP address.

In the Azure Resource Manager deployment model, a private IP address is associated to the following types of Azure resources:

  • Virtual machine network interfaces
  • Internal load balancers (ILBs)
  • Application gateways

IP address version

Private IP addresses are created with an IPv4 or IPv6 address. Private IPv6 addresses can only be assigned with the dynamic allocation method. You cannot communicate between private IPv6 addresses on a virtual network. You can communicate inbound to a private IPv6 address from the Internet, through an Internet-facing load balancer. See Create an Internet-facing load balancer with IPv6 for details.

Allocation method

A private IP address is allocated from the address range of the subnet to which the resource is attached. The address range of the subnet itself is a part of the virtual network's address range.

A private IP address is allocated by one of two methods: dynamic or static. The default allocation method is dynamic, where the IP address is automatically allocated from the resource's subnet (using DHCP). This IP address can change when you stop and start the resource.

You can set the allocation method to static to ensure the IP address remains the same. When you specify static, you specify a valid IP address that is part of the resource's subnet.

Static private IP addresses are commonly used for:

  • Virtual machines that act as domain controllers or DNS servers.
  • Resources that require firewall rules using IP addresses.
  • Resources accessed by other apps/resources through an IP address.
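
A static private address has to sit inside the resource's subnet, which in turn sits inside the virtual network's address range. The following pre-deployment check is an added example, not code from the original article; the function name and return strings are hypothetical, the sample prefixes are constructed, and the reserved-address rule (first four and last address of each subnet) is Azure behaviour that this article does not state.

```python
import ipaddress


def check_static_private_ip(vnet_prefixes, subnet_prefix, requested, in_use=()):
    """Validate a static private IP request; returns "ok" or a reason string."""
    subnet = ipaddress.ip_network(subnet_prefix)
    ip = ipaddress.ip_address(requested)
    if ip.version == 6:
        # Per the article, private IPv6 addresses are dynamic only.
        return "ipv6-must-be-dynamic"
    vnets = [ipaddress.ip_network(p) for p in vnet_prefixes]
    # The subnet range must be part of the virtual network's address range.
    if not any(v.version == subnet.version and subnet.subnet_of(v) for v in vnets):
        return "subnet-outside-vnet-range"
    if ip not in subnet:
        return "address-outside-subnet"
    # Not from the article: Azure keeps the first four addresses and the last
    # address of every subnet for its own use.
    reserved = {subnet.network_address + i for i in range(4)}
    reserved.add(subnet.broadcast_address)
    if ip in reserved:
        return "address-reserved-by-azure"
    if ip in {ipaddress.ip_address(a) for a in in_use}:
        return "address-already-assigned"
    return "ok"


if __name__ == "__main__":
    # Constructed address plan for a domain controller subnet.
    vnet, subnet = ["10.0.0.0/16"], "10.0.1.0/24"
    for candidate in ["10.0.1.4", "10.0.1.1", "10.0.1.255", "10.0.2.4", "fd00::4"]:
        print(candidate, check_static_private_ip(vnet, subnet, candidate))
```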

Virtual machines

A private IP address is assigned to the network interface of a Windows or Linux virtual machine. If the virtual machine has multiple network interfaces, a private IP address is assigned to each network interface. You can specify the allocation method as either dynamic or static for a network interface.

Internal DNS hostname resolution (for virtual machines)

All Azure virtual machines are configured with Azure-managed DNS servers by default, unless you explicitly configure custom DNS servers. These DNS servers provide internal name resolution for virtual machines that reside within the same virtual network.

When you create a virtual machine, a mapping for the hostname to its private IP address is added to the Azure-managed DNS servers. If a virtual machine has multiple network interfaces, the hostname is mapped to the private IP address of the primary network interface.

Virtual machines configured with Azure-managed DNS servers are able to resolve the hostnames of all virtual machines within the same virtual network to their private IP addresses.

Internal load balancers (ILB) & Application gateways

You can assign a private IP address to the front end configuration of an Azure Internal Load Balancer (ILB) or an Azure Application Gateway. This private IP address serves as an internal endpoint, accessible only to the resources within its virtual network and the remote networks connected to the virtual network. You can assign either a dynamic or static private IP address to the front-end configuration.

At-a-glance

The following table shows the specific property through which a private IP address can be associated to a top-level resource, and the possible allocation methods (dynamic or static) that can be used.

| Top-level resource | IP address association | Dynamic | Static |
| --- | --- | --- | --- |
| Virtual machine | Network interface | Yes | Yes |
| Load balancer | Front-end configuration | Yes | Yes |
| Application gateway | Front-end configuration | Yes | Yes |

Limits

The limits imposed on IP addressing are indicated in the full set of limits for networking in Azure. The limits are per region and per subscription. You can contact support to increase the default limits up to the maximum limits based on your business needs.

Pricing

Public IP addresses may have a nominal charge. To learn more about IP address pricing in Azure, review the IP address pricing page.
