Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
A custom IP address prefix is a contiguous range of IP addresses owned by an external customer and provisioned into a subscription. Microsoft is permitted to advertise the range. Addresses from a custom IP address prefix can be used in the same way as Azure owned public IP address prefixes. Addresses from a custom IP address prefix can be associated to Azure resources, interact with internal/private IPs and virtual networks, and reach external destinations outbound from the Azure Wide Area Network.
Benefits
Customers can retain their IP ranges (BYOIP) to maintain established reputation and continue to pass through externally controlled allowlists.
Public IP address prefixes and standard SKU public IPs can be derived from custom IP address prefixes. These IPs can be used in the same way as Azure owned public IPs.
Bring an IP prefix to Azure
It's a three phase process to bring an IP prefix to Azure:
Validation
Provision
Commission
Validation
You must own and register a public IP address range that you bring to Azure with a Routing Internet Registry such as ARIN or RIPE. When you bring an IP range to Azure, it remains under your ownership. You must authorize Microsoft to advertise the range. Your ownership of the range and its association with your Azure subscription are also verified. Some of these steps are done outside of Azure.
Provision
After the previous steps are completed, the public IP range can complete the Provisioning phase. The range is created as a custom IP prefix resource in your subscription. Public IP prefixes and public IPs can be derived from your range and associated to any Azure resource that supports Standard SKU Public IPs (IPs derived from a custom IP prefix can also be safeguarded with DDoS Protection. The IPs aren't advertised at this point and aren't reachable.
Commission
When ready, you can issue the command to have your range advertised from Azure and enter the Commissioning phase. The range is advertised first from the Azure region where the custom IP prefix is located, and then by Microsoft's Wide Area Network (WAN) to the Internet. The specific region where the range was provisioned is posted publicly on Microsoft's IP Range GeoLocation page.
Limitations
By default, you can bring a maximum of five custom IP prefixes per region to Azure. This limit can be increased upon request.
By default:
- A unified custom IPv4 Prefix must be between /21 and /24.
- A global (parent) custom IPv4 prefix must be between /21 and /24, a regional (child) custom IPv4 prefix must be between /22 and /26 (dependent on the size of their respective parent range, which they must be at least one level smaller than)
- A global (parent) custom IPv6 prefix must be /48, a regional (child) custom IPv6 prefix must be /64
Custom IP prefixes don't currently support derivation of IPs with Internet Routing Preference or that use Global Tier (for cross-region load-balancing).
In regions with availability zones, a custom IPv4 prefix (or a regional custom prefix) must be specified as either zone-redundant or assigned to a specific zone. It can't be created with no zone specified in these regions. All IPs from the prefix must have the same zonal properties.
The advertisements of IPs from a custom IP prefix over an Azure ExpressRoute Microsoft peering isn't currently supported.
Custom IP prefixes don't support Reverse DNS lookup using Azure-owned zones; customers must onboard their own Reverse Zones to Azure DNS.
Once provisioned, custom IP prefix ranges can't be moved to another subscription. Custom IP address prefix ranges can't be moved within resource groups in a single subscription. It's possible to derive a public IP prefix from a custom IP prefix in another subscription with the proper permissions as described here.
IPs brought to Azure may have a delay of up to a week before they can be used for Windows Server Activation.
Important
There are several differences between how custom IPv4 and IPv6 prefixes are onboarded and utilized. For more information, see Differences between using BYOIPv4 and BYOIPv6.
Pricing
There's no charge to provision or use custom IP prefixes. There's no charge for any public IP prefixes and public IP addresses that are derived from custom IP prefixes.
All traffic destined to a custom IP prefix range is charged the internet egress rate. Customers traffic to a custom IP prefix address from within Azure are charged internet egress for the source region of their traffic. The system charges egress traffic from a custom IP address prefix range at the same rate as an Azure public IP from the same region.
Next steps
To create a custom IPv4 address prefix using the Azure portal, see Create custom IPv4 address prefix using the Azure portal.
To create a custom IPv4 address prefix using PowerShell, see Create a custom IPv4 address prefix using Azure PowerShell.
For more information about the management of a custom IP address prefix, see Manage a custom IP address prefix.