Networking in Microsoft Azure: What is my public IP?

What is my public IP? To be clear, we are talking about IPv4; IPv6 would be a whole other conversation. It sounds easy, but when you think about it there are different possibilities depending on your configuration. On premises you would easily discover your public IP using any of these methods:

  • Open your browser and search for “What is my IP” in Google.
  • Open your terminal and run the following commands:
$ host myip.opendns.com resolver1.opendns.com
Using domain server:
Name: resolver1.opendns.com
Address: 208.67.222.222#53
Aliases:

myip.opendns.com has address 127.0.0.1

Or this one, which I found on the nixCraft website and which is easy to use in scripts:

$ dig +short myip.opendns.com @resolver1.opendns.com
127.0.0.1

Getting started

In Azure, most people start with a single server in a single VNET and subnet, and the Azure Marketplace conveniently suggests a new VNET, subnet and public IP for your server. By default it even applies a network security group that blocks all inbound ports unless you open them.

Don’t leave admin ports like SSH (TCP/22) and RDP (TCP/3389) open to the whole internet. Within seconds of deploying the server, these IPs will be scanned by possible intruders. A good security practice is to limit access based on time and/or source IP. You can use JIT access, network security groups (NSG), a client-to-site VPN or a third-party network firewall.
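One way to check an NSG for the exposure described above, as an added example that is not part of the original post. It assumes rule dictionaries with the security-rule field names printed by `az network nsg show`; the function names and the sample rules are constructed for illustration.

```python
# Added example, not from the original post. Rule dicts use the field names
# of NSG security rules as printed by `az network nsg show`.
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
ANY_SOURCE = {"*", "0.0.0.0/0", "internet"}  # wildcard, full range, service tag

def _values(rule, single, plural):
    """Merge the singular and plural forms of an NSG rule field."""
    vals = list(rule.get(plural) or [])
    if rule.get(single):
        vals.append(rule[single])
    return vals

def _covers_port(rule, port):
    for spec in _values(rule, "destinationPortRange", "destinationPortRanges"):
        lo, _, hi = spec.partition("-")
        if spec == "*" or int(lo) <= port <= int(hi or lo):
            return True
    return False

def _from_anywhere(rule):
    srcs = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
    return any(s.lower() in ANY_SOURCE for s in srcs)

def exposed_admin_ports(rules):
    """Return [(port, rule_name)] for admin ports open to any source."""
    inbound = sorted((r for r in rules if r["direction"].lower() == "inbound"),
                     key=lambda r: r["priority"])
    findings = []
    for port in ADMIN_PORTS:
        for r in inbound:  # lowest priority number is evaluated first
            if r["protocol"].lower() not in ("tcp", "*") or not (
                    _covers_port(r, port) and _from_anywhere(r)):
                continue
            if r["access"].lower() == "allow":
                findings.append((port, r["name"]))
            break  # the first broad Allow or Deny decides
    return findings

def _rule(name, priority, access, source, ports, protocol="Tcp"):
    return {"name": name, "priority": priority, "direction": "Inbound",
            "access": access, "protocol": protocol,
            "sourceAddressPrefix": source, "destinationPortRange": ports}

SAMPLE_RULES = [  # constructed sample, not a real NSG
    _rule("allow-ssh-office", 100, "Allow", "203.0.113.10/32", "22"),
    _rule("allow-rdp-any", 110, "Allow", "*", "3389"),
    _rule("deny-all-in", 4000, "Deny", "*", "*", protocol="*"),
    _rule("allow-mgmt-range", 4010, "Allow", "Internet", "20-25"),
]
```

On the sample, RDP is reported through `allow-rdp-any`, while SSH is not: the office-only rule is scoped to one source and the broad `20-25` allow sits behind the deny-all rule with the lower priority number.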

A public IP in Azure

No public IP configured?

What happens when you have no public IP configured? Can your server still access the internet? Yes, if you have a default ARM-based setup in Azure, a VM can still access the internet using a DHCP address given by Microsoft. Below is a screenshot of the console of a Linux VM that has no public IP; it is still able to reach the internet, and you can see that the dig command retrieves the public IP it uses.

Serial console where we retrieve the public ip used
No public IP assigned to the network interface.

There are some exceptions that could cause traffic to be blocked along the way outbound.

  • Network security group (NSG) that blocks outbound traffic
  • The VM should not have another standard public IP linked to a secondary NIC or secondary private IP. By default, standard IPs do not support dynamic IPs and require an NSG to be configured.
  • The default route 0.0.0.0/0 points towards ‘Internet’ as the next hop. If that is changed or overruled by a user-defined route, traffic might not find its way to the internet.

Basic Public IP

The basic public IP can be either dynamic or static. You also have extra options like IPv6 and a DNS name label. The Basic Public IP has existed since Microsoft started with the Azure Resource Manager environment. All ports and protocols are open and usable towards the VM it is attached to. It can also be attached to an Azure Basic Load Balancer. More information can be found here.

You attach the public IP to the private IP in the network interface of the VM in Azure. If you send out network packets to the internet, this public IP will be used for outbound requests when this

Standard Public IP

The standard public IP was launched around 2017 when Microsoft released the Azure Standard Load Balancer. This load balancer and its public IPs support Availability Zones, giving you a higher redundancy and SLA. These public IPs are only available as static IPs. By default these public IPs are closed off, and only by using an NSG can you open all or some ports.

Azure Basic Public IP configuration

More information can be found here. There are limitations and different pricing for standard and basic public IPs.

Azure Load Balancer

Recently I reviewed the Load Balancer documentation again. It is always good to review the Azure documentation once in a while, as things tend to change quickly in public cloud.

One of the new features I found was the outbound rules you can now define using the Standard Load Balancer. This will give us a lot more freedom in hosting services in the IaaS part of Microsoft Azure. We will go in-depth into this in part 2 of this post.

Written by: jvhoof
