
What is Azure Public IP Address Prefix?

Public IP Addresses

You need some form of publicly addressable location for any service in Azure that will be available on the Internet. In Azure, this comes in the form of a public IP address, a low-cost option where you consume an address from Microsoft's huge repositories – typically based on IPv4.

Public IP addresses, often referred to just as PIPs, are normally allocated on demand. For example, you might deploy a load balancer to NAT a number of virtual machines, and Azure will assign an address to you. You have no idea what that address will be until you get it. By default, the address is dynamic, but with resources such as load balancers or virtual machines, it’s usually best to configure the address with:

  • A static address at no extra cost, so that the address does not change when the associated resource(s) become deallocated.
  • A DNS prefix for a Microsoft-managed domain name.


Some organizations, particularly those with bureaucracies or slow-moving change control processes, will struggle with services that are being deployed publicly on the Internet. For example, let’s pretend that we work for such an organization that is setting up a service in Azure that will have multiple PIPs. The firewalls of the organization need to be updated to allow inbound or outbound traffic to these PIPs.

The typical experience is that we have to wait until the service is deployed before we can start to configure the on-premises firewall rules. I have visited some organizations where a simple process such as setting up a user might take 2 weeks, a request to install Visio might take 6 weeks, or getting a laptop for a new user might even take over 2 months! How long do you think it will take one of these organizations to allow outbound HTTPS access to a new service?

The process will be:

  1. Developers and cloud operations build a new service in Azure
  2. They record the PIPs and send a request to the network team and security officer
  3. The security officer hums and haws, and the Cisco people are grumpy because someone is able to do networking with a few mouse clicks
  4. A firewall rule is created to access the service weeks after the service was built and available

Cloud speed!

Pre-Determined IP Addresses

The idea of Public IP Address Prefix is that you can request a range of sequential IP addresses from Azure in advance of their deployment. For example, I can request a /28, a /16, or a /8 (there are other ranges) of addresses. I will get a range of addresses from Azure. Note that until the prefix is assigned, there is no pre-determination of what the address range will be – you find out what the actual addresses are when the prefix is created.

Once you have the addresses you can approach your network & security teams and pre-create rules to allow outbound (or inbound, if required) access.

A public IP address prefix in Azure [Image Credit: Aidan Finn]

Afterward, you can create PIPs from this address range; the PIP will get a pre-known address instead of a random address from the massive Microsoft IPv4 repository for that region. In my screenshot below, you can see that I have taken the first three addresses as public IP addresses that can be allocated to Azure resources:

A sequence of 3 pre-known public IP addresses in Azure [Image Credit: Aidan Finn]
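
As an added example (not from the original article), this Python sketch shows how the prefix's CIDR can feed a firewall change request before any PIP exists, and how deployed PIPs can be audited against that prefix afterwards. The prefix, PIP names, and addresses are constructed sample data, and the record field names assume the JSON shape of `az network public-ip list`.

```python
import ipaddress
import json

# Constructed sample data: documentation address ranges, hypothetical PIP names.
# Field names assume the JSON output shape of `az network public-ip list`.
APPROVED_PREFIX = "203.0.113.16/28"
SAMPLE_PIPS = json.loads("""[
  {"name": "pip-web-1", "ipAddress": "203.0.113.16", "publicIPAllocationMethod": "Static"},
  {"name": "pip-web-2", "ipAddress": "203.0.113.17", "publicIPAllocationMethod": "Static"},
  {"name": "pip-legacy", "ipAddress": "198.51.100.7", "publicIPAllocationMethod": "Dynamic"},
  {"name": "pip-unassigned", "ipAddress": null, "publicIPAllocationMethod": "Dynamic"}
]""")

def firewall_rules(prefix, port=443):
    """Build the rule to request up front: one CIDR entry covers every future PIP."""
    net = ipaddress.ip_network(prefix, strict=True)  # rejects a CIDR with host bits set
    return [{"action": "allow", "direction": "outbound", "dest": str(net), "port": port}]

def audit_pips(prefix, pips):
    """List PIPs that the pre-approved rule does not cover or whose address may change."""
    net = ipaddress.ip_network(prefix, strict=True)
    findings = []
    for pip in pips:
        addr = pip.get("ipAddress")
        if not addr:
            findings.append((pip["name"], "no address allocated yet"))
        elif ipaddress.ip_address(addr) not in net:
            findings.append((pip["name"], f"{addr} is outside {net}"))
        elif pip.get("publicIPAllocationMethod") != "Static":
            findings.append((pip["name"], f"{addr} is not static"))
    return findings

def remaining_capacity(prefix, pips):
    """Addresses in the prefix not yet consumed by a PIP (assumes every address is usable)."""
    net = ipaddress.ip_network(prefix, strict=True)
    used = sum(1 for p in pips
               if p.get("ipAddress") and ipaddress.ip_address(p["ipAddress"]) in net)
    return net.num_addresses - used

if __name__ == "__main__":
    print(firewall_rules(APPROVED_PREFIX))
    for name, reason in audit_pips(APPROVED_PREFIX, SAMPLE_PIPS):
        print(f"FINDING {name}: {reason}")
    print("free addresses:", remaining_capacity(APPROVED_PREFIX, SAMPLE_PIPS))
```

Running the audit on a schedule flags PIPs that were created outside the prefix and would therefore be blocked by, or need a new exception in, the on-premises firewall.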


Public IP Address Prefix launched in Preview at Microsoft Ignite in a limited number of regions:

  • West Central US
  • West US
  • West US 2
  • Central US
  • North Europe
  • West Europe
  • Southeast Asia

More regions will be added over time. The preview currently requires that you use a special preview flight (version) of the Azure Portal – without it, you cannot create PIPs from the prefix allocation.

Aidan Finn, Microsoft Most Valuable Professional (MVP), has been working in IT since 1996. He has worked as a consultant and administrator for the likes of Innofactor Norway, Amdahl DMR, Fujitsu, Barclays and Hypo Real Estate Bank International where he dealt with large and complex IT infrastructures and MicroWarehouse Ltd. where he worked with Microsoft partners in the small/medium business space.