Edit

Custom IP address prefix (BYOIP)

  • Article
  • 3 minutes to read

A custom IP address prefix is a contiguous range of IP addresses owned by an external customer and provisioned into a subscription. Microsoft is permitted to advertise the range. Addresses from a custom IP address prefix can be used in the same way as Azure owned public IP address prefixes. Addresses from a custom IP address prefix can be associated to Azure resources, interact with internal/private IPs and virtual networks, and reach external destinations outbound from the Azure Wide Area Network.

Benefits

  • Customers can retain their IP ranges (BYOIP) to maintain established reputation and continue to pass through externally controlled allowlists.

  • Public IP address prefixes and standard SKU public IPs can be derived from custom IP address prefixes. These IPs can be used in the same way as Azure owned public IPs.

Bring an IP prefix to Azure

It's a three phase process to bring an IP prefix to Azure:

  • Validation

  • Provision

  • Commission

Illustration of the custom IP prefix onboarding process.

Validation

A public IP address range that's brought to Azure must be owned by you and registered with a Routing Internet Registry such as ARIN or RIPE. When you bring an IP range to Azure, it remains under your ownership. You must authorize Microsoft to advertise the range. Your ownership of the range and its association with your Azure subscription are also verified. Some of these steps will be done outside of Azure.

Provision

After the previous steps are completed, the public IP range can complete the Provisioning phase. The range will be created as a custom IP prefix resource in your subscription. Public IP prefixes and public IPs can be derived from your range and associated to any Azure resource that supports Standard SKU Public IPs (IPs derived from a custom IP prefix can also be safeguarded with DDoS Protection. The IPs won't be advertised at this point and not reachable.

Commission

When ready, you can issue the command to have your range advertised from Azure and enter the Commissioning phase. The range will be advertised first from the Azure region where the custom IP prefix is located, and then by Microsoft's Wide Area Network (WAN) to the Internet. The specific region where the range was provisioned will be posted publicly on Microsoft's IP Range GeoLocation page.

Limitations

  • A custom IPv4 prefix must be associated with a single Azure region.

  • A custom IPv4 Prefix must be between /21 and /24; an global (parent) custom IPv6 prefix must be /48.

  • Custom IP prefixes do not currently support derivation of IPs with Internet Routing Preference or that use Global Tier (for cross-region load-balancing).

  • In regions with availability zones, a custom IPv4 prefix (or a regional custom prefix) must be specified as either zone-redundant or assigned to a specific zone. It can't be created with no zone specified in these regions. All IPs from the prefix must have the same zonal properties.

  • The advertisements of IPs from a custom IP prefix over an Azure ExpressRoute Microsoft peering isn't currently supported.

  • Once provisioned, custom IP prefix ranges can't be moved to another subscription. Custom IP address prefix ranges can't be moved within resource groups in a single subscription. It is possible to derive a public IP prefix from a custom IP prefix in another subscription with the proper permissions as described here.

  • IPs brought to Azure may have a delay of up to a week before they can be used for Windows Server Activation.

Important

There are several differences between how custom IPv4 and IPv6 prefixes are onboarded and utilized. Please see Differences between using BYOIPv4 and BYOIPv6 for more details.

Pricing

  • There is no charge to provision or use custom IP prefixes. There is no charge for any public IP prefixes and public IP addresses that are derived from custom IP prefixes.

  • All traffic destined to a custom IP prefix range is charged the internet egress rate. Customers traffic to a custom IP prefix address from within Azure are charged internet egress for the source region of their traffic. Egress traffic from a custom IP address prefix range is charged the equivalent rate as an Azure public IP from the same region.

Next steps