Azure Basic Public IP will be retired

Question

I've noticed this warning message in the Azure user interface while attempting to provision a new Basic Public IP address.

This is alarming. Today we use Basic Public IP addresses and the "Associate public IP address" mechanism to support connectivity to our entire Azure datacenter footprint. The IP association pipes our Basic public IP into the private vnet IP of the WAN interface of an Azure based FortiGate firewall.

When attempting to use a Standard Public IP for this purpose I am getting the following error. So it appears that Microsoft is deprecating Basic public IP addresses and has disabled Standard addresses for our purposes. Effectively removing our ability to use our tenant as of September 2025.

Is this error indicating that ALL Public addresses need to be Standard or Basic? Like you can't mix and match? If so, what is the process for upgrading a Basic IP without losing your static and access to our FortiGate appliance? I did find an upgrade button in the Basic public IP interface and got this message.

Last but not least, when creating a Standard Public IP, you get this new option. For our purposes this WAN IP will be associated with our perimeter firewall handling outbound WAN NAT for internal Azure VMs as well as site-to-site VPNs to other offices and client VPN. which option is recommended in this case?

Answer 1

@AdamTyler-3590

Thank you for reaching out.

Yes On 30 September 2025, Basic SKU public IP addresses will be retired in Azure. This is official announcement

Based on your questions above.

Is this error indicating that ALL Public addresses need to be Standard or Basic? Like you can't mix and match? If so, what is the process for upgrading a Basic IP without losing your static and access to our FortiGate appliance?

As the NIC already contains a basic Public IP address a Standard Public IP address cannot be associated with it.

Yes, the process to upgrade a Basic IP address to Standard IP is documented here but there will be a downtime here as you will to have dissassociate the Public IP from the NIC.

You can implement this script to upgrade IP address. Please make sure the Public IP Address allocation method is set to static before being disassociated from the VM.

Because the Public IP allocation is set to 'Static' before detaching from the VM, the IP address won't change during the upgrade process, even in the event of a script failure. The module double-checks that the Public IP allocation method is 'Static' prior to detaching the Public IP from the VM.

Last but not least, when creating a Standard Public IP, you get this new option. For our purposes this WAN IP will be associated with our perimeter firewall handling outbound WAN NAT for internal Azure VMs as well as site-to-site VPNs to other offices and client VPN. which option is recommended in this case?

Azure routing preference enables you to choose how your traffic routes between Azure and the Internet. You can choose to route traffic either via the Microsoft network, or, via the ISP network (public internet). These options are also referred to as cold potato routing and hot potato routing respectively.

Basically, it will not affect your connectivity above but just the path it takes over the internet. You can make an informed decision by following the documentation here.

Hope this helps! Please let me know if you have any additional questions. Thank you!

---

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.