Manage public IP addresses

Learn about a public IP address and how to create, change, and delete one. A public IP address is a resource with its own configurable settings. Assigning a public IP address to an Azure resource that supports public IP addresses enables:

  • Inbound communication from the Internet to the resource, such as Azure Virtual Machines (VM), Azure Application Gateways, Azure Load Balancers, Azure VPN Gateways, and others. You can still communicate with some resources, such as VMs, from the Internet, if a VM doesn't have a public IP address assigned to it, as long as the VM is part of a load balancer back-end pool, and the load balancer is assigned a public IP address. To determine whether a resource for a specific Azure service can be assigned a public IP address, or whether it can be communicated with through the public IP address of a different Azure resource, see the documentation for the service.
  • Outbound connectivity to the Internet using a predictable IP address. For example, a virtual machine can communicate outbound to the Internet without a public IP address assigned to it, but its address is network address translated by Azure to an unpredictable public address, by default. Assigning a public IP address to a resource enables you to know which IP address is used for the outbound connection. Though predictable, the address can change, depending on the assignment method chosen. For more information, see Create a public IP address. To learn more about outbound connections from Azure resources, see Understand outbound connections.

Before you begin

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Complete the following tasks before completing steps in any section of this article:

  • If you don't already have an Azure account, sign up for a free trial account.
  • If using the portal, open https://portal.azure.com, and log in with your Azure account.
  • If using PowerShell commands to complete tasks in this article, either run the commands in the Azure Cloud Shell, or by running PowerShell from your computer. The Azure Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account. This tutorial requires the Azure PowerShell module version 1.0.0 or later. Run Get-Module -ListAvailable Az to find the installed version. If you need to upgrade, see Install Azure PowerShell module. If you are running PowerShell locally, you also need to run Connect-AzAccount to create a connection with Azure.
  • If using Azure Command-line interface (CLI) commands to complete tasks in this article, either run the commands in the Azure Cloud Shell, or by running the CLI from your computer. This tutorial requires the Azure CLI version 2.0.31 or later. Run az --version to find the installed version. If you need to install or upgrade, see Install Azure CLI. If you are running the Azure CLI locally, you also need to run az login to create a connection with Azure.

The account you log into, or connect to Azure with, must be assigned to the network contributor role or to a custom role that is assigned the appropriate actions listed in Permissions.

Public IP addresses have a nominal charge. To view the pricing, read the IP address pricing page.

Create a public IP address

For instructions on how to Create Public IP addresses using the Portal, PowerShell, or CLI -- please refer to the following pages:

Note

Though the portal provides the option to create two public IP address resources (one IPv4 and one IPv6), the PowerShell and CLI commands create one resource with an address for one IP version or the other. If you want two public IP address resources, one for each IP version, you must run the command twice, specifying different names and IP versions for the public IP address resources.

For additional detail on the specific attributes of a Public IP address during creation, see the table below.

Setting Required? Details
IP Version Yes Select IPv4 or IPv6 or Both. Selecting Both will result in 2 Public IP addresses being create- 1 IPv4 address and 1 IPv6 address. Learn more about IPv6 in Azure VNETs.
SKU Yes All public IP addresses created before the introduction of SKUs are Basic SKU public IP addresses. You cannot change the SKU after the public IP address is created. A standalone virtual machine, virtual machines within an availability set, or virtual machine scale sets can use Basic or Standard SKUs. Mixing SKUs between virtual machines within availability sets or scale sets or standalone VMs is not allowed. Basic SKU: If you are creating a public IP address in a region that supports availability zones, the Availability zone setting is set to None by default. Basic Public IPs do not support Availability zones. Standard SKU: A Standard SKU public IP can be associated to a virtual machine or a load balancer front end. If you're creating a public IP address in a region that supports availability zones, the Availability zone setting is set to Zone-redundant by default. For more information about availability zones, see the Availability zone setting. The standard SKU is required if you associate the address to a Standard load balancer. To learn more about standard load balancers, see Azure load balancer standard SKU. When you assign a standard SKU public IP address to a virtual machine’s network interface, you must explicitly allow the intended traffic with a network security group. Communication with the resource fails until you create and associate a network security group and explicitly allow the desired traffic.
Name Yes The name must be unique within the resource group you select.
IP address assignment Yes Dynamic: Dynamic addresses are assigned only after a public IP address is associated to an Azure resource, and the resource is started for the first time. Dynamic addresses can change if they're assigned to a resource, such as a virtual machine, and the virtual machine is stopped (deallocated), and then restarted. The address remains the same if a virtual machine is rebooted or stopped (but not deallocated). Dynamic addresses are released when a public IP address resource is dissociated from a resource it is associated to. Static: Static addresses are assigned when a public IP address is created. Static addresses are not released until a public IP address resource is deleted. If the address is not associated to a resource, you can change the assignment method after the address is created. If the address is associated to a resource, you may not be able to change the assignment method. If you select IPv6 for the IP version, the assignment method must be Dynamic for Basic SKU. Standard SKU addresses are Static for both IPv4 and IPv6.
Idle timeout (minutes) No How many minutes to keep a TCP or HTTP connection open without relying on clients to send keep-alive messages. If you select IPv6 for IP Version, this value can't be changed.
DNS name label No Must be unique within the Azure location you create the name in (across all subscriptions and all customers). Azure automatically registers the name and IP address in its DNS so you can connect to a resource with the name. Azure appends a default subnet such as location.cloudapp.azure.com (where location is the location you select) to the name you provide, to create the fully qualified DNS name. If you choose to create both address versions, the same DNS name is assigned to both the IPv4 and IPv6 addresses. Azure's default DNS contains both IPv4 A and IPv6 AAAA name records and responds with both records when the DNS name is looked up. The client chooses which address (IPv4 or IPv6) to communicate with. Instead of, or in addition to, using the DNS name label with the default suffix, you can use the Azure DNS service to configure a DNS name with a custom suffix that resolves to the public IP address. For more information, see Use Azure DNS with an Azure public IP address.
Name (Only visible if you select IP Version of Both) Yes, if you select IP Version of Both The name must be different than the name you enter for the first Name in this list. If you choose to create both an IPv4 and an IPv6 address, the portal creates two separate public IP address resources, one with each IP address version assigned to it.
IP address assignment (Only visible if you select IP Version of Both) Yes, if you select IP Version of Both Same restrictions as IP Address Assignment above
Subscription Yes Must exist in the same subscription as the resource to which you'll associate the Public IP's.
Resource group Yes Can exist in the same, or different, resource group as the resource to which you'll associate the Public IP's.
Location Yes Must exist in the same location, also referred to as region, as the resource to which you'll associate the Public IP's.
Availability zone No This setting only appears if you select a supported location. For a list of supported locations, see Availability zones overview. If you selected the Basic SKU, None is automatically selected for you. If you prefer to guarantee a specific zone, you may select a specific zone. Either choice is not zone-redundant. If you selected the Standard SKU: Zone-redundant is automatically selected for you and makes your data path resilient to zone failure. If you prefer to guarantee a specific zone, which is not resilient to zone failure, you may select a specific zone.

View, modify settings for, or delete a public IP address

  • View/List: To review settings for a Public IP, including the SKU, address, any applicable association (e.g. Virtual Machine NIC, Load Balancer Frontend).
  • Modify: To modify settings using the information in step 4 of create a public IP address, such as the idle timeout, DNS name label, or assignment method. (For the full process of upgrading a Public IP SKU from Basic to Standard, see Upgrade Azure public IP addresses.)

Warning

To change the assignment for a Public IP address from static to dynamic, you must first dissociate the address from any applicable IP configurations (see Delete section). Also note, when you change the assignment method from static to dynamic, you lose the IP address that was assigned to the public IP address. While the Azure public DNS servers maintain a mapping between static or dynamic addresses and any DNS name label (if you defined one), a dynamic IP address can change when the virtual machine is started after being in the stopped (deallocated) state. To prevent the address from changing, assign a static IP address.

Operation Azure portal Azure PowerShell Azure CLI
View In the Overview section of a Public IP Get-AzPublicIpAddress to retrieve a public IP address object and view its settings az network public-ip show to show settings
List Under the Public IP addresses category Get-AzPublicIpAddress to retrieve one or more public IP address objects and view its settings az network public-ip list to list public IP addresses
Modify For an IP that is dissociated, select Configuration to modify idle timeout, DNS name label, or change assignment of Basic IP from Static to Dynamic Set-AzPublicIpAddress to update settings az network public-ip update to update
  • Delete: Deletion of Public IPs requires that the Public IP object not be associated to any IP configuration or Virtual Machine NIC. See the table below for more details.
Resource Azure portal Azure PowerShell Azure CLI
Virtual Machine Select Dissociate to dissociate the IP address from the NIC configuration, then select Delete. Set-AzPublicIpAddress to dissociate the IP address from the NIC configuration; Remove-AzPublicIpAddress to delete az network public-ip update --remove to dissociate the IP address from the NIC configuration; az network public-ip delete to delete
Load Balancer Frontend Navigate to an unused Public IP address and select Associate and pick the Load Balancer with the relevant Front End IP Configuration to replace it (then the old IP can be deleted using same method as for VM) Set-AzLoadBalancerFrontendIpConfig to associate new Frontend IP config with Public Load Balancer; Remove-AzPublicIpAddress to delete; can also use Remove-AzLoadBalancerFrontendIpConfig to remove Frontend IP Config if there are more than one az network lb frontend-ip update to associate new Frontend IP config with Public Load Balancer; Remove-AzPublicIpAddress to delete; can also use az network lb frontend-ip delete to remove Frontend IP Config if there are more than one
Firewall N/A Deallocate() to deallocate firewall and remove all IP configurations az network firewall ip-config delete to remove IP (but must use PowerShell to deallocate first)

Virtual Machine Scale Sets

When using a virtual machine scale set with Public IPs, there are not separate Public IP objects associated with the individual virtual machine instances. However, a Public IP Prefix object can be used to generate the instance IPs.

To list the Public IPs on a virtual machine scale set, you can use PowerShell (Get-AzPublicIpAddress -VirtualMachineScaleSetName) or CLI (az vmss list-instance-public-ips).

For more information, see Networking for Azure virtual machine scale sets.

Assign a public IP address

Learn how to assign a public IP address to the following resources:

Permissions

To perform tasks on public IP addresses, your account must be assigned to the network contributor role or to a custom role that is assigned the appropriate actions listed in the following table:

Action Name
Microsoft.Network/publicIPAddresses/read Read a public IP address
Microsoft.Network/publicIPAddresses/write Create or update a public IP address
Microsoft.Network/publicIPAddresses/delete Delete a public IP address
Microsoft.Network/publicIPAddresses/join/action Associate a public IP address to a resource

Next steps