Found answer in documentation - https://learn.microsoft.com/en-us/azure/iot-edge/production-checklist#whitelist-connections
IoT Edge communication with IoT Hub from behind Firewall
I'm building an IoT platform that connects to medical devices behind very restrictive firewalls. We have to whitelist specific IP addresses for inbound communication. I've got two questions about this in relation to IoT Hub and Edge.
It says in IoT hub documentation that the IP address of IoT Hub will occasionally change. How often does that IP address change? Can I pay extra to have it stay the same? If not, how do customers get around this issue normally? We're deploying these to hundreds of sites and don't want our clients to have to switch around their firewall very ofter (if at all)
Also, one of the attractive features of IoT Hub and Edge for us is deploying modules after deployment. Will those modules be sent to our Edge Devices from the IP address of our IoT hub or from the private container registries where they're contained?