What is my public IP? And to be clear we are talking about IPv4. IPv6 would be a whole other conversation to have. It sounds very easy but when you think about it there are different possibilities based on your configuration. On premise you would easily discover your public IP using any of these methods:
- Open your browser and search for “What is my IP” in google.
- Open your terminal and run the following commands:
$ host myip.opendns.com resolver1.opendns.com Using domain server: Name: resolver1.opendns.com Address: 126.96.36.199#53 Aliases: myip.opendns.com has address 127.0.0.1
Or this one I found on the nixCraft website easy for scripting:
$ dig +short myip.opendns.com @resolver1.opendns.com 127.0.0.1
In Azure, most start with a single server in a single vnet and subnet and the Azure Marketplace conveniently suggest a new VNET, subnet and public IP for your server. It even will apply, by default, a network security group and blocks all inbound ports by default unless you open them.
Don’t leave admin ports, like SSH (TCP/22), RDP (TCP/3389) open to the whole internet. After deploying this server within seconds these IP’s will be scanned by possible intruders. A good security practice is to limit the access based on time and/or source ip. You can use JIT access, NSG network security groups, Client 2 Site VPN or a third party network firewall.
A public IP in Azure
No public IP configured?
What happens when you have nu public IP configured? Can your server still access the internet? Yes, if you have a default ARM based setup in Azure a vm can still access the internet using a DHCP address given by Microsoft. Below is a screenshot of console of a Linux VM that has not public IP and still it is able to reach the internet and you can see the dig command retrieves it’s public IP used.
There are some exceptions that could cause traffic to be blocked along the way outbound.
- Network security group (NSG) that blocks outbound traffic
- The VM should not have another standard public IP linked to a secondary NIC or secondary private IP. By default standard IP’s do not support dynamic IP’s and require a NSG to be configured
- The default route 0.0.0.0/0 points towards ‘Internet’ as a next hop. If that is adapted, overruled with a user defined route traffic might not find it’s way to the internet.
Basic Public IP
The basic public IP can be either a dynamic or static public IP. You also have extra options like IPv6 and a DNS name label. A Basic Public IP is the one that exists since Microsoft started with the Azure Resource Manager environment. All ports and protocols are open and useable towards the VM it is attached to. It can also be attached to a Azure Basic Load Balancer. More information can be found here.
You attach the public IP to the private IP in the network interface of the VM in Azure. If you send out a network packets for the internet this public IP will be used for outbound requests when this
Standard Public IP
The standard public IP was launched around 2017 when Microsoft released the Azure Standard Load Balancer. This load balancer and it’s public IP’s supports Availability Zones giving you a higher redundancy and SLA. These public IP’s are only available as static IP’s. By default these public IP’s are closed of and only using an NSG you can open all or some ports.
Azure Load Balancer
Recently I reviewed the Load Balancer documentation again. It is always good to review azure documentation once in a while as things tend to change quickly in public cloud.
One of the new features I found where the outbound rules you can now define using the Standard Load Balancer. This will give use a lot more freedom to hosting services in the IAAS part of Microsoft Azure. We will go in-depth into this in part 2 of this post.