Associate a public IP address to a virtual machine

In this article, you learn how to associate a public IP address to an existing virtual machine (VM). To do so, you associate the public IP address to an IP configuration of a network interface attached to a VM. You can use the Azure portal, the Azure CLI, or Azure PowerShell by selecting the tab for the method you want to use.

If you want to instead create a new VM with a public IP address, you can use the Azure portal, the Azure CLI, or Azure PowerShell.

Public IP addresses have a nominal fee. For details, see pricing. There's a limit to the number of public IP addresses that you can use per subscription. For details, see limits.

Note

Azure provides a default outbound access IP for VMs that either aren't assigned a public IP address or are in the backend pool of an internal basic Azure load balancer. The default outbound access IP mechanism provides an outbound IP address that isn't configurable.

The default outbound access IP is disabled when one of the following events happens:

  • A public IP address is assigned to the VM.
  • The VM is placed in the backend pool of a standard load balancer, with or without outbound rules.
  • An Azure NAT Gateway resource is assigned to the subnet of the VM.

VMs that you create by using virtual machine scale sets in flexible orchestration mode don't have default outbound access.

For more information about outbound connections in Azure, see Default outbound access in Azure and Use Source Network Address Translation (SNAT) for outbound connections.

Prerequisites

  1. Sign in to the Azure portal.

  2. In the portal, search for and select the VM that you want to add the public IP address to.

  3. Under Settings in the left pane, select Networking, and then select the network interface you want to add the public IP address to.

    Screenshot showing how to select the network interface of a VM.

    Note

    Public IP addresses are associated to the network interfaces that are attached to a VM. In this screenshot, the VM has only one network interface. If the VM had multiple network interfaces, they would all appear, and you'd select the network interface you want to associate the public IP address to.

  4. From the Network interface window, under Settings, select IP configurations*, and then select an IP configuration from the list.

    Screenshot showing how to select the I P configuration of a network interface.

    Note

    Public IP addresses are associated to the IP configurations for a network interface. In this screenshot, the network interface has only one IP configuration. If the network interface had multiple IP configurations, they would all appear in the list, and you'd select the IP configuration that you want to associate the public IP address to.

  5. In the Edit IP configuration window, select Associate public IP address, then select Public IP address to choose an existing public IP address from the drop-down list. If no public IP addresses are listed, you need to create one. To learn how, see Create a public IP address.

    Screenshot showing how to select, create, and associate a new public IP address.

    Note

    The public IP addresses that appear in the drop-down list are those that exist in the same region as the VM. If you have multiple public IP addresses created in the region, all will appear here. Any address that's already associated to a different resource is grayed out.

  6. Select Save.

  7. In the IP Configurations window, view the public IP address assigned to the IP configuration. It might take a few seconds for a newly associated IP address to appear.

    Screenshot showing the newly assigned public I P.

    Note

    An IP address is assigned from the pool of public IP addresses reserved for an Azure region. For a list of the address pools used in each region, see Azure IP ranges and service tags. If you need the address to be assigned from a specific prefix, use a Public IP address prefix.

  8. Open the necessary ports in your security groups by adjusting the security rules in the network security groups. For information, see Allow network traffic to the VM.

Note

To share a VM with an external user, you must add a public IP address to the VM. Alternatively, external users can connect to VM's private IP address through Azure Bastion.

Allow network traffic to the VM

Before you can connect to a public IP address from the internet, you must open the necessary ports in your security groups. These ports must be open in any network security group that you might have associated to the network interface, the subnet of the network interface, or both. Although security groups filter traffic to the private IP address of the network interface, after inbound internet traffic arrives at the public IP address, Azure translates the public address to the private IP address. Therefore, if a network security group prevents the traffic flow, the communication with the public IP address fails.

You can view the effective security rules for a network interface and its subnet for the Azure portal, the Azure CLI, or Azure PowerShell.

Next steps

In this article, you learned how to associate a public IP address to a VM using the Azure portal, Azure CLI, or Azure PowerShell.