Understanding IP Addressing in Microsoft Azure
Confused by DIPs, VIPs and PIPs? In today’s Ask the Admin, I’ll give you a rundown of the different kinds of IP addresses available in Microsoft Azure.
There are three different kinds of IP address that can be assigned to virtual machines (VMs) in Microsoft Azure:
- Dynamic IP address (DIP)
- Virtual IP address (VIP)
- Instance-level public IP address (PIP)
Internal IP addressing
Dynamic IP addresses are the internal addresses assigned to VMs. They either come from a private pool assigned by Azure or, if you configure an Azure virtual network (VNET), from private IP address ranges and subnets that you define yourself.
When a VM is provisioned for the first time, it is associated with a DIP, which stays with the VM until it is deleted or deallocated from the Azure fabric. DIPs survive OS reboots and service healing migration events, but if you stop (deallocate) a VM so you’re not charged for Azure compute resources, it might be assigned a different DIP when it is re-provisioned.
DIPs are assigned automatically by DHCP in order, so for example if you define a subnet 192.168.0.0/24, the first available DIP to be assigned to a VM will be 192.168.0.4, as the first three addresses are always reserved for system use.
Assigning DIPs to virtual machines
IP addresses in Azure are always assigned using DHCP, and setting static IP addresses in the network settings of a server’s network interface card (NIC) isn’t supported. Nevertheless, there are some applications, such as Active Directory domain controllers (DCs), that require static IP addresses, and Azure handles this by providing the ability to assign DIPs to VMs using the Set-AzureStaticVNetIP PowerShell cmdlet. For more information on assigning DIPs to VMs, see How to Easily Assign a Static IP Address in Microsoft Azure on the Petri IT Knowledgebase.
It’s important to remember that DIP assignments are not the same as DHCP reservations. While a DIP can be assigned to a VM, if that VM is deallocated from the Azure fabric, its DIP is released and can still be assigned to other VMs. So if it’s critical that one or more VMs in a subnet receive an assigned IP address when re-provisioned, you should set DIPs on all VMs in the subnet using the Set-AzureStaticVNetIP cmdlet, regardless of whether they need the same IP address when re-provisioned. You might therefore consider using one subnet for DCs, and another for member servers that don’t require assigned DIPs.
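As an added example (not code from the original article), the following classic Azure PowerShell snippet pins a DIP to a domain controller with Set-AzureStaticVNetIP, after confirming the address is free in the VNET. The service, VM, VNET and address names are assumed placeholders.

```powershell
# Added example: assign a static DIP to a DC in the DC subnet.
# Service, VM, VNET name and address below are assumed placeholders.
$serviceName = "contoso-dcs"
$vmName      = "CONTOSODC1"
$vnetName    = "ContosoVNet"
$dcAddress   = "192.168.0.4"   # first assignable address in 192.168.0.0/24

$vm = Get-AzureVM -ServiceName $serviceName -Name $vmName

# Test-AzureStaticVNetIP reports an address the VM already holds dynamically
# as "in use", so only run the availability check when the address changes.
if ($vm.IpAddress -ne $dcAddress) {
    $check = Test-AzureStaticVNetIP -VNetName $vnetName -IPAddress $dcAddress
    if (-not $check.IsAvailable) {
        throw "$dcAddress is taken. Free alternatives: $($check.AvailableAddresses -join ', ')"
    }
}

# Record the DIP on the VM object and push the new configuration to Azure.
# Expect the VM to be restarted when the update is applied.
$vm | Set-AzureStaticVNetIP -IPAddress $dcAddress | Update-AzureVM

# Confirm what Azure now holds for the VM.
$vm = Get-AzureVM -ServiceName $serviceName -Name $vmName
$static = Get-AzureStaticVNetIP -VM $vm
"Static DIP for {0}: {1}" -f $vmName, $static.IPAddress
```

Repeat the assignment for every VM in the DC subnet, as the article advises, so a deallocated DC cannot lose its address to a neighbour.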
Multi-NIC virtual machines
Azure VMs can have one or more NICs, and you can assign NICs DIPs in the same or different subnets, which is useful for separating network traffic. Only some VM sizes support multiple NICs, and you can see a list of instance types supporting multiple NICs here. Note that instance-level public IP addresses (PIPs) are not supported on VMs with multiple NICs, and virtual IP addresses (VIPs) are only supported on a VM’s default NIC.
External IP addressing
Azure randomly assigns each cloud service a virtual IP address (VIP) from a pool of public IP addresses owned by Microsoft, and the VIP is released when all VMs in the cloud service are deallocated (stopped). All VMs in a cloud service share the same VIP, so if each VM needs its own VIP, you’ll need to place only one VM in each cloud service. Network traffic headed for the Internet has the VIP as its source IP address, unless the VM has been assigned a PIP.
Internet traffic bound for a VIP is routed via the Azure Load Balancer, which controls what traffic is allowed to pass to the VNET, using endpoints configured to direct traffic to given DIPs and TCP/UDP ports. Endpoint Access Control Lists (ACLs) can optionally be configured to define IP address ranges that are allowed access.
For more sophisticated control, Network Security Groups (NSGs) can be associated with a subnet or VM NIC, and also allow for control of outbound traffic. Endpoint ACLs cannot be used with Network Security Groups. For more information on NSGs, see Configuring Network Security Groups in Microsoft Azure on the Petri IT Knowledgebase.
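The endpoint ACL described above, as an added example that is not part of the original article: the RDP endpoint of a VM is restricted so the Azure Load Balancer only passes traffic from a management range. The service and VM names, the endpoint name "RemoteDesktop" and the management range are assumed placeholders.

```powershell
# Added example: limit an endpoint to a known source range with an endpoint ACL.
# Service, VM, endpoint name and management range are assumed placeholders.
$serviceName  = "contoso-web"
$vmName       = "CONTOSOSRV1"
$endpointName = "RemoteDesktop"
$mgmtRange    = "203.0.113.0/24"   # documentation range standing in for the office NAT block

# Build the ACL. Rules are evaluated in -Order; a source that matches no
# Permit rule is denied, so a single Permit rule is enough to close the port.
$acl = New-AzureAclConfig
Set-AzureAclConfig -AddRule -ACL $acl -Action Permit -RemoteSubnet $mgmtRange `
    -Order 100 -Description "RDP from management network only"

# Re-apply the RDP endpoint (public 3389 -> DIP:3389) with the ACL attached.
Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Set-AzureEndpoint -Name $endpointName -Protocol tcp -LocalPort 3389 -PublicPort 3389 -ACL $acl |
    Update-AzureVM

# Verify: list the rules Azure now enforces in front of the endpoint.
$vm = Get-AzureVM -ServiceName $serviceName -Name $vmName
Get-AzureAclConfig -EndpointName $endpointName -VM $vm |
    Format-Table Order, Action, RemoteSubnet, Description -AutoSize
```

Because endpoint ACLs cannot be combined with NSGs, pick one model per deployment; an NSG is the better fit when outbound rules or subnet-wide policy are also needed.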
Microsoft allows you to reserve up to five VIPs in an Azure subscription, and a reserved VIP can be assigned using the New-AzureVM cmdlet’s -ReservedIPName parameter. The New-AzureReservedIP cmdlet allows you to give a VIP reservation a name and associate it with a location. But unlike assigning DIPs to VMs, you can’t choose the actual VIP that will be reserved.
Reserved VIPs are free as long as they are in use, and you can contact Microsoft directly if you need more than five reserved VIPs. For more information on reserving VIPs, see How to Reserve Public Virtual IP Addresses in Microsoft Azure on Petri.
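As an added example (not the article’s own code), this reserves a VIP and then creates a single-VM cloud service bound to it, so the public address survives a deallocation. The reservation name, location, service, VNET, subnet, image family and credentials are assumed placeholders.

```powershell
# Added example: reserve a VIP and bind it to a new cloud service at creation time.
# All names, the location and the subnet are assumed placeholders.
$reservedName = "ContosoWebVIP"
$location     = "West Europe"
$serviceName  = "contoso-web"
$vnetName     = "ContosoVNet"

# Reserve the VIP. Azure picks the address; you choose only the name and location.
New-AzureReservedIP -ReservedIPName $reservedName -Location $location -Label "Web front end"

# Pick the newest image of an assumed family and build the VM configuration.
$imageName = (Get-AzureVMImage |
    Where-Object { $_.ImageFamily -eq "Windows Server 2012 R2 Datacenter" } |
    Sort-Object PublishedDate -Descending | Select-Object -First 1).ImageName
$cred = Get-Credential -Message "Local administrator for the new VM"
$vmConfig = New-AzureVMConfig -Name "CONTOSOSRV1" -InstanceSize Small -ImageName $imageName |
    Add-AzureProvisioningConfig -Windows -AdminUsername $cred.UserName `
        -Password $cred.GetNetworkCredential().Password |
    Set-AzureSubnet -SubnetNames "FrontEnd"

# Create the cloud service and VM; -ReservedIPName makes the reservation the service VIP.
New-AzureVM -ServiceName $serviceName -Location $location -VNetName $vnetName `
    -ReservedIPName $reservedName -VMs $vmConfig

# Show which address was reserved and that it is now in use by the service.
Get-AzureReservedIP -ReservedIPName $reservedName |
    Format-List ReservedIPName, Address, Location, ServiceName, InUse
```

Deallocating every VM in the service releases a normal VIP, but the reserved address stays with the reservation and is reused when the VM is started again.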
Instance-level public IP addresses
VIPs are assigned to cloud services, and network traffic is directed to DIPs via the Azure Load Balancer. PIPs are assigned to a VM’s default NIC and are exposed directly to the Internet, so traffic should be controlled using the Windows Firewall.
The Set-AzurePublicIP cmdlet is used to assign PIPs to VMs, and, like VIPs, they require a reservation created using the New-AzureReservedIP cmdlet. The following code creates a reservation and assigns it as a PIP to a VM (CONTOSOSRV1):