Add, change, or remove IP addresses for an Azure network interface

Learn how to add, change, and remove public and private IP addresses for a network interface. Private IP addresses assigned to a network interface enable a virtual machine to communicate with other resources in an Azure virtual network and connected networks. A private IP address also enables outbound communication to the Internet using an unpredictable IP address. A public IP address assigned to a network interface enables inbound communication to a virtual machine from the Internet. The address also enables outbound communication from the virtual machine to the Internet using a predictable IP address. For details, see Understanding outbound connections in Azure.

If you need to create, change, or delete a network interface, read the Manage a network interface article. If you need to add network interfaces to or remove network interfaces from a virtual machine, read the Add or remove network interfaces article.

Before you begin

Complete the following tasks before completing steps in any section of this article:

  • If you don't already have an Azure account, sign up for a free trial account.
  • If using the portal, open https://portal.azure.com, and log in with your Azure account.
  • If using PowerShell commands to complete tasks in this article, either run the commands in the Azure Cloud Shell, or run PowerShell from your computer. The Azure Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account. This tutorial requires the Azure PowerShell module version 5.7.0 or later. Run Get-Module -ListAvailable AzureRM to find the installed version. If you need to upgrade, see Install Azure PowerShell module. If you are running PowerShell locally, you also need to run Login-AzureRmAccount to create a connection with Azure.
  • If using Azure Command-line interface (CLI) commands to complete tasks in this article, either run the commands in the Azure Cloud Shell, or run the CLI from your computer. This tutorial requires the Azure CLI version 2.0.31 or later. Run az --version to find the installed version. If you need to install or upgrade, see Install Azure CLI 2.0. If you are running the Azure CLI locally, you also need to run az login to create a connection with Azure.

The account you log into, or connect to Azure with, must be assigned to the network contributor role or to a custom role that is assigned the appropriate actions listed in Network interface permissions.

Add IP addresses

You can add as many private and public IPv4 addresses as necessary to a network interface, within the limits listed in the Azure limits article. You cannot use the portal to add an IPv6 address to an existing network interface (though you can use the portal to add a private IPv6 address to a network interface when you create the network interface). You can use PowerShell or the CLI to add a private IPv6 address to one secondary IP configuration (as long as there are no existing secondary IP configurations) for an existing network interface that is not attached to a virtual machine. You cannot use any tool to add a public IPv6 address to a network interface. See IPv6 for details about using IPv6 addresses.

  1. In the box that contains the text Search resources at the top of the Azure portal, type network interfaces. When network interfaces appears in the search results, select it.
  2. Select the network interface you want to add an IPv4 address for from the list.
  3. Under SETTINGS, select IP configurations.
  4. Under IP configurations, select + Add.
  5. Specify the following, then select OK:

    Setting | Required? | Details
    Name | Yes | Must be unique for the network interface
    Type | Yes | Since you're adding an IP configuration to an existing network interface, and each network interface must have a primary IP configuration, your only option is Secondary.
    Private IP address assignment method | Yes | Dynamic: Azure assigns the next available address for the subnet address range the network interface is deployed in. Static: You assign an unused address for the subnet address range the network interface is deployed in.
    Public IP address | No | Disabled: No public IP address resource is currently associated to the IP configuration. Enabled: Select an existing IPv4 Public IP address, or create a new one. To learn how to create a public IP address, read the Public IP addresses article.
  6. Manually add secondary private IP addresses to the virtual machine operating system by completing the instructions in the Assign multiple IP addresses to virtual machine operating systems article. See private IP addresses for special considerations before manually adding IP addresses to a virtual machine operating system. Do not add any public IP addresses to the virtual machine operating system.

Commands

Tool | Command
CLI | az network nic ip-config create
PowerShell | Add-AzureRmNetworkInterfaceIpConfig

Change IP address settings

You may need to change the assignment method of an IPv4 address, change the static IPv4 address, or change the public IP address assigned to a network interface. If you're changing the private IPv4 address of a secondary IP configuration associated with a secondary network interface in a virtual machine (learn more about primary and secondary network interfaces), place the virtual machine into the stopped (deallocated) state before completing the following steps:

  1. In the box that contains the text Search resources at the top of the Azure portal, type network interfaces. When network interfaces appears in the search results, select it.
  2. Select the network interface that you want to view or change IP address settings for from the list.
  3. Under SETTINGS, select IP configurations.
  4. Select the IP configuration you want to modify from the list.
  5. Change the settings, as desired, using the information about the settings in step 5 of Add an IP configuration.
  6. Select Save.

Note

If the primary network interface has multiple IP configurations and you change the private IP address of the primary IP configuration, you must manually reassign the primary and secondary IP addresses to the network interface within Windows (not required for Linux). To manually assign IP addresses to a network interface within an operating system, see Assign multiple IP addresses to virtual machines. For special considerations before manually adding IP addresses to a virtual machine operating system, see private IP addresses. Do not add any public IP addresses to the virtual machine operating system.

Commands

Tool | Command
CLI | az network nic ip-config update
PowerShell | Set-AzureRMNetworkInterfaceIpConfig

Remove IP addresses

You can remove private and public IP addresses from a network interface, but a network interface must always have at least one private IPv4 address assigned to it.

  1. In the box that contains the text Search resources at the top of the Azure portal, type network interfaces. When network interfaces appears in the search results, select it.
  2. From the list, select the network interface that you want to remove IP addresses from.
  3. Under SETTINGS, select IP configurations.
  4. Right-select a secondary IP configuration (you cannot delete the primary configuration) that you want to delete, select Delete, then select Yes, to confirm the deletion. If the configuration had a public IP address resource associated to it, the resource is dissociated from the IP configuration, but the resource is not deleted.

Commands

Tool | Command
CLI | az network nic ip-config delete
PowerShell | Remove-AzureRmNetworkInterfaceIpConfig

IP configurations

Private and (optionally) public IP addresses are assigned to one or more IP configurations assigned to a network interface. There are two types of IP configurations:

Primary

Each network interface is assigned one primary IP configuration. A primary IP configuration:

  • Has a private IPv4 address assigned to it. You cannot assign a private IPv6 address to a primary IP configuration.
  • May also have a public IPv4 address assigned to it. You cannot assign a public IPv6 address to a primary or secondary IP configuration. You can however, assign a public IPv6 address to an Azure load balancer, which can load balance traffic to a virtual machine's private IPv6 address. For more information, see details and limitations for IPv6.

Secondary

In addition to a primary IP configuration, a network interface may have zero or more secondary IP configurations assigned to it. A secondary IP configuration:

  • Must have a private IPv4 or IPv6 address assigned to it. If the address is IPv6, the network interface can only have one secondary IP configuration. If the address is IPv4, the network interface may have multiple secondary IP configurations assigned to it. To learn more about how many private and public IPv4 addresses can be assigned to a network interface, see the Azure limits article.
  • May also have a public IPv4 address assigned to it, if the private IP address is IPv4. If the private IP address is IPv6, you cannot assign a public IPv4 or IPv6 address to the IP configuration.

Assigning multiple IP addresses to a network interface is helpful in scenarios such as:

  • Hosting multiple websites or services with different IP addresses and SSL certificates on a single server.
  • A virtual machine serving as a network virtual appliance, such as a firewall or load balancer.
  • The ability to add any of the private IPv4 addresses for any of the network interfaces to an Azure Load Balancer back-end pool. In the past, only the primary IPv4 address for the primary network interface could be added to a back-end pool. To learn more about how to load balance multiple IPv4 configurations, see the Load balancing multiple IP configurations article.
  • The ability to load balance one IPv6 address assigned to a network interface. To learn more about how to load balance to a private IPv6 address, see the Load balance IPv6 addresses article.

Address types

You can assign the following types of IP addresses to an IP configuration:

Private

Private IPv4 addresses enable a virtual machine to communicate with other resources in a virtual network or other connected networks. A virtual machine cannot receive inbound traffic on, or send outbound traffic from, a private IPv6 address, with one exception: a virtual machine can communicate with the Azure load balancer using an IPv6 address. For more information, see details and limitations for IPv6.

By default, the Azure DHCP servers assign the private IPv4 address for the primary IP configuration of the Azure network interface to the network interface within the virtual machine operating system. Unless necessary, you should never manually set the IP address of a network interface within the virtual machine's operating system.

Warning

If the IPv4 address set as the primary IP address of a network interface within a virtual machine's operating system is ever different than the private IPv4 address assigned to the primary IP configuration of the primary network interface attached to a virtual machine within Azure, you lose connectivity to the virtual machine.

There are scenarios where it's necessary to manually set the IP address of a network interface within the virtual machine's operating system. For example, you must manually set the primary and secondary IP addresses of a Windows operating system when adding multiple IP addresses to an Azure virtual machine. For a Linux virtual machine, you may only need to manually set the secondary IP addresses. See Add IP addresses to a VM operating system for details. If you ever need to change the address assigned to an IP configuration, it's recommended that you:

  1. Ensure that the virtual machine is receiving an address from the Azure DHCP servers. Once you have, change the assignment of the IP address back to DHCP within the operating system and restart the virtual machine.
  2. Stop (deallocate) the virtual machine.
  3. Change the IP address for the IP configuration within Azure.
  4. Start the virtual machine.
  5. Manually configure the secondary IP addresses within the operating system (and also the primary IP address within Windows) to match what you set within Azure.

By following the previous steps, the private IP address assigned to the network interface within Azure and the address set within the virtual machine's operating system remain the same. To keep track of the virtual machines within your subscription whose IP addresses you've set manually within the operating system, consider adding an Azure tag to those virtual machines. You might use "IP address assignment: Static", for example. This way, you can easily find the virtual machines within your subscription that you've manually set the IP address for within the operating system.

In addition to enabling a virtual machine to communicate with other resources within the same, or connected virtual networks, a private IP address also enables a virtual machine to communicate outbound to the Internet. Outbound connections are source network address translated by Azure to an unpredictable public IP address. To learn more about Azure outbound Internet connectivity, read the Azure outbound Internet connectivity article. You cannot communicate inbound to a virtual machine's private IP address from the Internet. If your outbound connections require a predictable public IP address, associate a public IP address resource to a network interface.

Public

Public IP addresses assigned through a public IP address resource enable inbound connectivity to a virtual machine from the Internet. Outbound connections to the Internet use a predictable IP address. See Understanding outbound connections in Azure for details. You may assign a public IP address to an IP configuration, but aren't required to. If you don't assign a public IP address to a virtual machine by associating a public IP address resource, the virtual machine can still communicate outbound to the Internet. In this case, the private IP address is source network address translated by Azure to an unpredictable public IP address. To learn more about public IP address resources, see Public IP address resource.

There are limits to the number of private and public IP addresses that you can assign to a network interface. For details, read the Azure limits article.

Note

Azure translates a virtual machine's private IP address to a public IP address. As a result, a virtual machine's operating system is unaware of any public IP address assigned to it, so there is no need to ever manually assign a public IP address within the operating system.

Assignment methods

Public and private IP addresses are assigned using one of the following assignment methods:

Dynamic

Dynamic private IPv4 and (optionally) IPv6 addresses are assigned by default.

  • Public only: Azure assigns the address from a range unique to each Azure region. To learn which ranges are assigned to each region, see Microsoft Azure Datacenter IP Ranges. The address can change when a virtual machine is stopped (deallocated), then started again. You cannot assign a public IPv6 address to an IP configuration using either assignment method.
  • Private only: Azure reserves the first four addresses in each subnet address range, and doesn't assign the addresses. Azure assigns the next available address to a resource from the subnet address range. For example, if the subnet's address range is 10.0.0.0/16, and addresses 10.0.0.4-10.0.0.14 are already assigned (.0-.3 are reserved), Azure assigns 10.0.0.15 to the resource. Dynamic is the default allocation method. Once assigned, dynamic IP addresses are only released if a network interface is deleted, assigned to a different subnet within the same virtual network, or the allocation method is changed to static, and a different IP address is specified. By default, Azure assigns the previous dynamically assigned address as the static address when you change the allocation method from dynamic to static. You can only assign a private IPv6 address using the dynamic assignment method.

Static

You can (optionally) assign a public or private static IPv4 address to an IP configuration. You cannot assign a static public or private IPv6 address to an IP configuration. To learn more about how Azure assigns static public IPv4 addresses, see the Public IP address article.

  • Public only: Azure assigns the address from a range unique to each Azure region. To learn which ranges are assigned to each region, see Microsoft Azure Datacenter IP Ranges. The address doesn't change until the public IP address resource it's assigned to is deleted, or the assignment method is changed to dynamic. If the public IP address resource is associated to an IP configuration, it must be dissociated from the IP configuration before changing its assignment method.
  • Private only: You select and assign an address from the subnet's address range. The address you assign can be any address within the subnet address range that is not one of the first four addresses in the subnet's address range and is not currently assigned to any other resource in the subnet. Static addresses are only released if a network interface is deleted. If you change the allocation method from static to dynamic, Azure dynamically assigns the previously assigned static IP address as the dynamic address, even if the address isn't the next available address in the subnet's address range. The address also changes if the network interface is assigned to a different subnet within the same virtual network, but to assign the network interface to a different subnet, you must first change the allocation method from static to dynamic. Once you've assigned the network interface to a different subnet, you can change the allocation method back to static, and assign an IP address from the new subnet's address range.
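The private address rules in the Dynamic and Static lists above can be checked before a change is submitted. The following Python sketch is an added example, not code from this article or from Azure: the function names are hypothetical, the sample addresses are constructed from the article's 10.0.0.0/16 example, and treating the subnet's last address as unusable is an assumption that goes beyond what this page states.

```python
import ipaddress

RESERVED_LEADING = 4  # from the page: the first four addresses of a subnet are never assigned


def _usable_range(net):
    # Assumption beyond this page: the subnet's last (broadcast) address is also unusable.
    return int(net.network_address) + RESERVED_LEADING, int(net.broadcast_address) - 1


def next_dynamic_address(subnet_cidr, assigned):
    """Lowest free address after the reserved ones, or None if the subnet is full."""
    net = ipaddress.ip_network(subnet_cidr)
    used = {int(ipaddress.ip_address(a)) for a in assigned}
    first, last = _usable_range(net)
    for n in range(first, last + 1):
        if n not in used:
            return str(ipaddress.ip_address(n))
    return None


def check_static_address(subnet_cidr, candidate, assigned):
    """Return the reasons a candidate cannot be used as a static private IPv4
    address in the subnet; an empty list means it passes the rules above."""
    net = ipaddress.ip_network(subnet_cidr)
    try:
        addr = ipaddress.ip_address(candidate)
    except ValueError:
        return ["not a valid IP address: %r" % candidate]
    if addr.version != 4:
        return ["static private addresses are IPv4 only"]
    if addr not in net:
        return ["outside the subnet address range %s" % net]
    problems = []
    first, last = _usable_range(net)
    if int(addr) < first:
        problems.append("one of the first four (reserved) addresses")
    elif int(addr) > last:
        problems.append("last address of the subnet (assumed unusable)")
    if int(addr) in {int(ipaddress.ip_address(a)) for a in assigned}:
        problems.append("already assigned to another resource in the subnet")
    return problems


if __name__ == "__main__":
    # Constructed sample: the article's example, 10.0.0.4-10.0.0.14 already in use.
    in_use = ["10.0.0.%d" % i for i in range(4, 15)]
    print("next dynamic:", next_dynamic_address("10.0.0.0/16", in_use))
    for cand in ("10.0.0.3", "10.0.0.10", "10.0.0.0.4", "10.0.0.15"):
        print(cand, check_static_address("10.0.0.0/16", cand, in_use) or "ok")
```

The list of currently assigned addresses has to come from the subnet itself; the check is only as current as that inventory.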

IP address versions

You can specify the following versions when assigning addresses:

IPv4

Each network interface must have one primary IP configuration with an assigned private IPv4 address. You can add one or more secondary IP configurations that each have an IPv4 private and (optionally) an IPv4 public IP address.

IPv6

You can assign zero or one private IPv6 address to one secondary IP configuration of a network interface. The network interface cannot have any existing secondary IP configurations. You cannot add an IP configuration with an IPv6 address using the portal. Use PowerShell or the CLI to add an IP configuration with a private IPv6 address to an existing network interface. The network interface cannot be attached to an existing VM.

Note

Though you can create a network interface with an IPv6 address using the portal, you can't add an existing network interface to a new, or existing virtual machine, using the portal. Use PowerShell or the Azure CLI 2.0 to create a network interface with a private IPv6 address, then attach the network interface when creating a virtual machine. You cannot attach a network interface with a private IPv6 address assigned to it to an existing virtual machine. You cannot add a private IPv6 address to an IP configuration for any network interface attached to a virtual machine using any tools (portal, CLI, or PowerShell).

You can't assign a public IPv6 address to a primary or secondary IP configuration.
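The IP configuration and IPv6 rules stated in this article can be expressed as a pre-deployment check over a planned set of IP configurations. The following Python sketch is an added example, not part of the original article or of any Azure tool: the IpConfig class, its field names, and lint_nic are hypothetical, and it checks only the constraints listed on this page.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class IpConfig:
    # Hypothetical model of one planned IP configuration (not an Azure SDK type).
    name: str
    primary: bool
    private_version: str = "IPv4"         # "IPv4" or "IPv6"
    private_method: str = "Dynamic"       # "Dynamic" or "Static"
    public_version: Optional[str] = None  # None: no public IP address resource associated


def lint_nic(configs: List[IpConfig]) -> List[str]:
    """Return the rules from this article that a planned NIC layout would break."""
    findings = []
    names = [c.name for c in configs]
    for dup in sorted({n for n in names if names.count(n) > 1}):
        findings.append("%s: name must be unique for the network interface" % dup)
    primaries = [c for c in configs if c.primary]
    secondaries = [c for c in configs if not c.primary]
    if len(primaries) != 1:
        findings.append("NIC: exactly one primary IP configuration is required, "
                        "found %d" % len(primaries))
    for c in configs:
        if c.public_version == "IPv6":
            findings.append("%s: a public IPv6 address cannot be assigned" % c.name)
        if c.private_version != "IPv6":
            continue
        if c.primary:
            findings.append("%s: a primary IP configuration needs a private IPv4 "
                            "address, not IPv6" % c.name)
        if c.private_method == "Static":
            findings.append("%s: a private IPv6 address can only be dynamic" % c.name)
        if c.public_version == "IPv4":
            findings.append("%s: no public address is allowed when the private "
                            "address is IPv6" % c.name)
    if len(secondaries) > 1 and any(c.private_version == "IPv6" for c in secondaries):
        findings.append("NIC: an IPv6 secondary must be the only secondary "
                        "IP configuration")
    return findings


if __name__ == "__main__":
    # Constructed sample: an IPv6 secondary added next to an existing IPv4 secondary.
    plan = [
        IpConfig("ipconfig1", primary=True, public_version="IPv4"),
        IpConfig("ipconfig2", primary=False, private_method="Static"),
        IpConfig("ipconfig-v6", primary=False, private_version="IPv6"),
    ]
    for finding in lint_nic(plan):
        print(finding)
```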

SKUs

A public IP address is created with the basic or standard SKU. For more information about SKU differences, see Manage public IP addresses.

Note

When you assign a standard SKU public IP address to a virtual machine’s network interface, you must explicitly allow the intended traffic with a network security group. Communication with the resource fails until you create and associate a network security group and explicitly allow the desired traffic.

Next steps

To create a virtual machine with different IP configurations, read the following articles:

Task | Tool
Create a VM with multiple network interfaces | CLI, PowerShell
Create a single NIC VM with multiple IPv4 addresses | CLI, PowerShell
Create a single NIC VM with a private IPv6 address (behind an Azure Load Balancer) | CLI, PowerShell, Azure Resource Manager template