Determine firewall settings for Azure Lab Services

This article covers how to find the specific public IP address used by a lab in Azure Lab Services. You can use these IP addresses to configure your firewall settings and specify inbound and outbound rules to enable lab users to connect to their lab virtual machines.

Each organization or school configures their own network in a way that best fits their needs. Sometimes that includes setting firewall rules that block Remote Desktop Protocol (RDP) or Secure Shell (SSH) connections to machines outside their own network. Because Azure Lab Services runs in the public cloud, some extra configuration maybe needed to allow lab users to access their VM when connecting from the local network.

Each lab uses a single public IP address and multiple ports. The public IP address for each lab is different. All VMs, both the template VM and lab VMs, use this public IP address. The public IP address doesn't change for a lab. Each VM is assigned a different port number. The port ranges for SSH connections are 4980-4989 and 5000-6999. The port ranges for RDP connections are 4990-4999 and 7000-8999. The combination of public IP address and port number is used to connect lab creators and lab users to the correct VM.

If you're using lab accounts, see Firewall settings for labs when using lab accounts.


If your organization needs to perform content filtering, such as for compliance with the Children's Internet Protection Act (CIPA), you need to use 3rd party software. For more information, read guidance on content filtering with Lab Services.

Find public IP for a lab

If you're using a customizable lab, then you can get the public IP address anytime after the lab is created. If you're using a non-customizable lab, the lab must be published and have capacity of at least 1 to be able to get the public IP address for the lab.

You can use the Az.LabServices PowerShell module to get the public IP address for a lab.

$ResourceGroupName = "MyResourceGroup"
$LabName = "MyLab"
$LabPublicIP = $null

$lab =  Get-AzLabServicesLab -Name $LabName -ResourceGroupName $ResourceGroupName
if (-not $lab){
    Write-Error "Could find lab $($LabName) in resource group $($ResourceGroupName)."

    #Lab is using advance networking
    # Get public IP from networking properties
    $LabPublicIP = Get-AzResource -ResourceId $lab.NetworkProfilePublicIPId | Get-AzPublicIpAddress | Select-Object -expand IpAddress
    #Get first VM from lab
    # If customizable lab, this is the template VM
    # If non-customizable lab, this is the first VM published.
    $vm =  $lab | Get-AzLabServicesVM | Select -First 1

    if ($vm){
            $connectionAuthority = $vm.ConnectionProfileSshAuthority.Split(":")[0]
            $connectionAuthority = $vm.ConnectionProfileRdpAuthority.Split(":")[0]
        $LabPublicIP = [System.Net.DNS]::GetHostByName($connectionAuthority).AddressList.IPAddressToString | Where-Object {$_} | Select -First 1


if ($LabPublicIP){
    Write-Output "Public IP for $($lab.Name) is $LabPublicIP."
    Write-Error "Lab must be published to get public IP address."

For more examples of using the Az.LabServices PowerShell module and how to use it, see Quickstart: Create a lab plan using PowerShell and the Azure modules and Quickstart: Create a lab using PowerShell and the Azure module. For more information about cmdlets available in the Az.LabServices PowerShell module, see Az.LabServices reference.


You can now determine the public IP address for a lab. You can create inbound and outbound rules for the organization's firewall for the public IP address and the port ranges 4980-4989, 5000-6999, and 7000-8999. Once the rules are updated, lab users can then access their VMs without the network firewall blocking access.