Compared: Public and Private IP Addresses in Azure

Azure VMs receive an internal and an external IP address by default.

By default, the internal IP address allows all inbound and outbound traffic on the local network.

The external IP address is allocated through Dynamic Host Configuration Protocol (DHCP). The external Azure VM IP address comes with firewall rules for Remote Desktop Protocol (RDP) or Secure Shell (SSH) that are configured to allow a connection from the outside world for management purposes.

Administrators must expose port 80 (HTTP) to connect a VM to external network traffic.

The Azure VM IP address can be retained across reboots with a static, reserved IP address. The administrator can also assign this IP address to alternate machines, which provides backup if the machine must be rebuilt.

Reserve a static IP address if you need a fixed IP address that won't change — for example, if you need to create a DNS 'A' record or add the IP address to a safe list.

You can also create a fully qualified domain name (FQDN) for the IP address. You can then register a CNAME record in DNS that points to the FQDN.

The VM must be in the same region as the reserved static IP address.

NSGs are best thought of as firewall rules that can be assigned to Azure VMs, load balancers and networks.
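The check below is an added example, not code from the original page: it audits NSG rules for the RDP and SSH management ports mentioned above and reports which ones the first matching rule leaves open to any Internet source. The property names follow the securityRules array returned by az network nsg show; the sample rules, their names and the sample_rule helper are constructed for illustration.

```python
MGMT_PORTS = {22: "SSH", 3389: "RDP"}      # management ports named in the text
WORLD = {"*", "internet", "0.0.0.0/0"}     # sources that mean "any Internet host"

def _values(r, single, plural):
    """Merge the singular and plural forms of an ARM rule property."""
    vals = list(r.get(plural) or [])
    if r.get(single):
        vals.append(r[single])
    return vals

def _covers_port(r, port):
    for rng in _values(r, "destinationPortRange", "destinationPortRanges"):
        lo, _, hi = rng.partition("-")
        if rng == "*" or int(lo) <= port <= int(hi or lo):
            return True
    return False

def _from_world(r):
    sources = _values(r, "sourceAddressPrefix", "sourceAddressPrefixes")
    return any(s.lower() in WORLD for s in sources)

def exposed_mgmt_ports(rules):
    """Return [(port, service, rule_name)] for ports open to any Internet source."""
    candidates = sorted(
        (r for r in rules if r["direction"] == "Inbound"
         and r["protocol"].lower() in ("tcp", "*") and _from_world(r)),
        key=lambda r: r["priority"])
    findings = []
    for port, service in MGMT_PORTS.items():
        # Lowest priority number is evaluated first, and the first match decides.
        first = next((r for r in candidates if _covers_port(r, port)), None)
        if first and first["access"] == "Allow":
            findings.append((port, service, first["name"]))
    return findings

def sample_rule(name, priority, access, source, ports):
    return {"name": name, "priority": priority, "access": access, "direction": "Inbound",
            "protocol": "Tcp", "sourceAddressPrefix": source, "destinationPortRanges": ports}

# Constructed sample rules (hypothetical names), not taken from a real NSG.
SAMPLE_RULES = [
    sample_rule("allow-rdp-any", 300, "Allow", "*", ["3389"]),
    sample_rule("allow-ssh-any", 200, "Allow", "*", ["22", "8000-8100"]),
    sample_rule("deny-ssh-internet", 100, "Deny", "Internet", ["22"]),
    sample_rule("allow-web", 400, "Allow", "*", ["80"]),
]

for port, service, name in exposed_mgmt_ports(SAMPLE_RULES):
    print(f"{service} ({port}/tcp) is open to the Internet via rule {name}")
```

Rules scoped to a specific source address are skipped on purpose, since they do not expose the port to arbitrary Internet hosts.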

The Azure internal load balancer accepts multiple front-end IP addresses.

Comparison of the two types of IP addresses you can use in Azure:

| | Public IP addresses | Private IP addresses |
|---|---|---|
| Purpose | Used for communication with the Internet, including Azure public-facing services such as Azure Redis Cache, Azure Event Hubs, SQL databases, and Azure storage. | Used for communication within an Azure virtual network (VNet), and your on-premises network when you use a VPN gateway or ExpressRoute circuit to extend your network to Azure, without using an Internet-reachable IP address. |
| Azure resources that can be associated through IP address | Virtual machines (VM); Internet-facing load balancers; VPN gateways; Application gateways | VMs; Internal load balancers (ILBs); Application gateways |
| Allocation method | You cannot specify the actual IP address assigned to the public IP resource. Instead, it gets allocated from a pool of available IP addresses in the Azure location the resource is created in. | A private IP address is allocated from the address range of the subnet to which the resource is attached. The address range of the subnet itself is a part of the VNet's address range. Azure reserves the first four addresses in each subnet address range. The addresses can't be assigned to resources. For example, if the subnet's address range is 10.0.0.0/16, addresses 10.0.0.0-10.0.0.3 and 10.0.255.255 are unavailable. |
| Default Limits (ARM) | Public IP addresses (dynamic) - 60; Public IP addresses (Static) - 20 | Private IP Addresses per virtual network - 4096 |
| Pricing | The first 5 “static” public IP addresses in a region are free. This is applicable irrespective of the type of resource (VM or Load-balancer) to which the IP address is associated. All others are charged at $0.004/hr. | |

| | Basic public IP address | Standard public IP address |
|---|---|---|
| Static or dynamic allocation | static or dynamic | static only |
| Inbound or outbound traffic restriction | open by default | secure by default and closed to inbound traffic |
| Assigned to | any Azure resource that can be assigned a public IP address, such as network interfaces, VPN Gateways, Application Gateways, and Internet-facing load balancers. | network interfaces or public standard load balancers |
| Zone redundant? | No | Zone redundant by default thereby providing zone resiliency & high availability |
