Create, change, or delete an Azure public IP address
Learn about a public IP address and how to create, change, and delete one. A public IP address is a resource with configurable settings.
When you assign a public IP address to an Azure resource, you enable the following operations:
- Inbound communication from the Internet to the resource, such as Azure Virtual Machines (VM), Azure Application Gateways, Azure Load Balancers, Azure VPN Gateways, and others.
- Outbound connectivity to the Internet using a predictable IP address.
Azure provides a default outbound access IP for VMs that either aren't assigned a public IP address or are in the back-end pool of an internal basic Azure load balancer. The default outbound access IP mechanism provides an outbound IP address that isn't configurable.
The default outbound access IP is disabled when a public IP address is assigned to the VM, the VM is placed in the back-end pool of a standard load balancer, with or without outbound rules, or if an Azure Virtual Network NAT gateway resource is assigned to the subnet of the VM.
VMs that are created by virtual machine scale sets in flexible orchestration mode don't have default outbound access.
For more information about outbound connections in Azure, see Default outbound access in Azure and Use source network address translation (SNAT) for outbound connections.
Create a public IP address
For instructions on how to create public IP addresses using the Azure portal, PowerShell, CLI, or Resource Manager templates, refer to the following pages:
The portal provides the option to create an IPv4 and IPv6 address concurrently during resource deployment. The PowerShell and Azure CLI commands create one resource, either IPv4 or IPv6. If you want an IPv4 and an IPv6 address, execute the PowerShell or CLI command twice. Specify different names and IP versions for the public IP address resources.
For more detail on the specific attributes of a public IP address during creation, see the following table:
|Setting||Required?||Details|
|IP Version||Yes||Select IPv4 or IPv6 or Both. Selection of Both results in two public IP addresses created, one IPv4 and one IPv6. For more information, see Overview of IPv6 for Azure Virtual Network.|
|SKU||Yes||All public IP addresses created before the introduction of SKUs are Basic SKU public IP addresses. You can't change the SKU after the public IP address is created. A standalone virtual machine, virtual machines within an availability set, or Virtual Machine Scale Sets can use Basic or Standard SKUs. Mixing SKUs between virtual machines within availability sets or scale sets or standalone VMs isn't allowed. Basic: Basic public IP addresses don't support Availability zones. The Availability zone setting is set to None by default if the public IP address is created in a region that supports availability zones. Standard: Standard public IP addresses can be associated to Azure resources that support public IPs, such as virtual machines, load balancers, and Azure Firewall. The Availability zone setting is set to Zone-redundant by default if the IP address is created in a region that supports availability zones. For more information about availability zones, see the Availability zone setting. The standard SKU is required if you associate the address to a standard load balancer. For more information about standard load balancers, see Azure load balancer standard SKU. When you assign a standard SKU public IP address to a virtual machine's network interface, you must explicitly allow the intended traffic with a network security group. Communication with the resource fails until you create and associate a network security group and explicitly allow the desired traffic.|
|Tier||Yes||Indicates if the IP address is associated with a region (Regional) or is "anycast" from multiple regions (Global). A Global tier IP is preview functionality for Standard SKU IP addresses, and currently only utilized for the Cross-region Azure Load Balancer.|
|Name||Yes||The name must be unique within the resource group you select.|
|IP address assignment||Yes||Dynamic: Dynamic addresses are assigned after a public IP address is associated to an Azure resource and is started for the first time. Dynamic addresses can change if a resource such as a virtual machine is stopped (deallocated) and then restarted through Azure. The address remains the same if a virtual machine is rebooted or stopped from within the guest OS. When a public IP address resource is removed from a resource, the dynamic address is released. Static: Static addresses are assigned when a public IP address is created. Static addresses aren't released until a public IP address resource is deleted. If you select IPv6 for the IP version, the assignment method must be Dynamic for Basic SKU. Standard SKU addresses are Static for both IPv4 and IPv6.|
|Routing preference||Yes||By default, the routing preference for public IP addresses is set to Microsoft network. The Microsoft network setting delivers traffic over Microsoft's global wide area network to the user. The selection of Internet minimizes travel on Microsoft's network. The Internet setting uses the transit ISP network to deliver traffic at a cost-optimized rate. A public IP address's routing preference can't be changed once created. For more information on routing preference, see What is routing preference (preview)?.|
|Idle timeout (minutes)||No||The number of minutes to keep a TCP or HTTP connection open without relying on clients to send keep-alive messages. If you select IPv6 for IP Version, this value is set to 4 minutes, and can't be changed.|
|DNS name label||No||Must be unique within the Azure location you create the name in across all subscriptions and all customers. Azure automatically registers the name and IP address in its DNS so you can connect to a resource with the name. Azure appends a default suffix such as location.cloudapp.azure.com to the name you provide to create the fully qualified DNS name. If you choose to create both address versions, the same DNS name is assigned to both the IPv4 and IPv6 addresses. Azure's default DNS contains both IPv4 A and IPv6 AAAA name records. The default DNS responds with both records during DNS lookup. The client chooses which address (IPv4 or IPv6) to communicate with. You can use the Azure DNS service to configure a DNS name with a custom suffix that resolves to the public IP address. For more information, see Use Azure DNS with an Azure public IP address.|
|Name (Only visible if you select IP Version of Both)||Yes, if you select IP Version of Both||The name must be different than the name you entered previously for Name in this list. If you create both an IPv4 and an IPv6 address, the portal creates two separate public IP address resources. The deployment creates one IPv4 address and one IPv6 address.|
|IP address assignment (Only visible if you select IP Version of Both)||Yes, if you select IP Version of Both||Same restrictions as IP address assignment above.|
|Subscription||Yes||Must exist in the same subscription as the resource to which you'll associate the public IPs.|
|Resource group||Yes||Can exist in the same, or different, resource group as the resource to which you'll associate the public IPs.|
|Location||Yes||Must exist in the same location, also referred to as region, as the resource to which you'll associate the public IPs.|
|Availability zone||No||This setting only appears if you select a supported location and IP address type. Basic SKU public IPs and Global Tier public IPs don't support Availability Zones. You can select no-zone (default option), a specific zone, or zone-redundant. The choice will depend on your specific domain failure requirements. For a list of supported locations and more information about Availability Zones, see Availability zones overview.|
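The constraints in the table above can be checked before deployment. The following is an added example, not code from the original page; the spec keys (`sku`, `tier`, `ip_version`, `assignment`, `zones`, `attach_to`, `nsg`, `group`) and the sample values are hypothetical.

```python
# Added example: checks a planned public IP against the constraints in the
# table above. The spec keys (sku, tier, ip_version, ...) are hypothetical.

def check_public_ip(spec):
    """Return the list of constraint findings for one planned public IP."""
    sku, tier = spec["sku"], spec.get("tier", "Regional")
    version, method = spec["ip_version"], spec["assignment"]
    findings = []
    if sku == "Standard" and method != "Static":
        findings.append("Standard SKU addresses are Static for IPv4 and IPv6")
    if sku == "Basic" and version == "IPv6" and method != "Dynamic":
        findings.append("Basic SKU IPv6 addresses must be Dynamic")
    if spec.get("zones") and (sku == "Basic" or tier == "Global"):
        findings.append("Basic SKU and Global tier don't support availability zones")
    if tier == "Global" and sku != "Standard":
        findings.append("Global tier is only for Standard SKU addresses")
    if version == "IPv6" and spec.get("idle_timeout_minutes", 4) != 4:
        findings.append("IPv6 idle timeout is fixed at 4 minutes")
    if sku == "Standard" and spec.get("attach_to") == "vm_nic" and not spec.get("nsg"):
        findings.append("Standard SKU on a VM NIC needs a network security group "
                        "that allows the intended traffic")
    return findings


def mixed_sku_groups(specs):
    """Return availability set / scale set names whose public IPs mix SKUs."""
    skus_by_group = {}
    for spec in specs:
        if spec.get("group"):
            skus_by_group.setdefault(spec["group"], set()).add(spec["sku"])
    return sorted(g for g, skus in skus_by_group.items() if len(skus) > 1)


# Constructed sample specs.
PLANNED = [
    {"name": "pip-web", "sku": "Standard", "ip_version": "IPv4",
     "assignment": "Static", "attach_to": "vm_nic", "group": "avset-web"},
    {"name": "pip-web6", "sku": "Basic", "ip_version": "IPv6",
     "assignment": "Static", "zones": ["1"], "idle_timeout_minutes": 10,
     "group": "avset-web"},
]

if __name__ == "__main__":
    for spec in PLANNED:
        for finding in check_public_ip(spec):
            print(f"{spec['name']}: {finding}")
    print("mixed SKUs in:", mixed_sku_groups(PLANNED))
```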
View, modify settings for, or delete a public IP address
- View/List: Review settings for a public IP, including the SKU, address, and any association. Associations can be load balancer front-ends, virtual machines, and other Azure resources.
- Modify: Modify settings such as the idle timeout, DNS name label, or assignment method, using the information in Create a public IP address. For the full process of upgrading a public IP SKU from basic to standard, see Upgrade Azure public IP addresses.
Remove the address from any applicable IP configurations (see Delete section) to change assignment for a public IP from static to dynamic. When you change the assignment method from static to dynamic, you lose the IP address that was assigned to the public IP resource. While the Azure public DNS servers maintain a mapping between static or dynamic addresses and any DNS name label (if you defined one), a dynamic IP address can change when the virtual machine is started after being in the stopped (deallocated) state. To prevent the address from changing, assign a static IP address.
|Operation||Azure portal||Azure PowerShell||Azure CLI|
|View||In the Overview section of a Public IP||Get-AzPublicIpAddress to retrieve a public IP address object and view its settings||az network public-ip show to show settings|
|List||Under the Public IP addresses category||Get-AzPublicIpAddress to retrieve one or more public IP address objects and view their settings||az network public-ip list to list public IP addresses|
|Modify||For a disassociated IP, select Configuration to modify the idle timeout or DNS name label, change assignment of an IP from static to dynamic, or upgrade a basic IP to standard.||Set-AzPublicIpAddress to update settings||az network public-ip update to update|
- Delete: Deletion of public IPs requires that the public IP object isn't associated to any IP configuration or virtual machine network interface. For more information, see the following table.
|Resource||Azure portal||Azure PowerShell||Azure CLI|
|Virtual machine||Select Dissociate to dissociate the IP address from the NIC configuration, then select Delete.||Set-AzNetworkInterface to dissociate the IP address from the NIC configuration; Remove-AzPublicIpAddress to delete||az network public-ip update with the "--remove" parameter to remove the IP address from the NIC configuration. Use az network public-ip delete to delete the public IP.|
|Load balancer frontend||Browse to an unused public IP address and select Associate. Pick the load balancer with the relevant front-end IP configuration to replace the IP. The old IP can be deleted using the same method as a virtual machine.||Use Set-AzLoadBalancerFrontendIpConfig to associate a new front-end IP config with a public load balancer. Use Remove-AzPublicIpAddress to delete a public IP. You can also use Remove-AzLoadBalancerFrontendIpConfig to remove a frontend IP config if there is more than one.||Use az network lb frontend-ip update to associate a new frontend IP config with a public load balancer. Use Remove-AzPublicIpAddress to delete a public IP. You can also use az network lb frontend-ip delete to remove a frontend IP config if there is more than one.|
|Firewall||N/A||Deallocate to deallocate firewall and remove all IP configurations||Use az network firewall ip-config delete to remove IP. Use PowerShell to deallocate first.|
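Because deletion fails while a public IP is still associated, an inventory can be sorted by what has to happen first. The following is an added example, not code from the original page; it assumes JSON shaped like the output of `az network public-ip list`, with an `ipConfiguration` object holding the ID of the associated resource, and all names and IDs in the sample are constructed.

```python
# Added example: maps each public IP to the dissociation step from the table
# above. SAMPLE is constructed; it assumes `az network public-ip list` JSON
# with an "ipConfiguration" object holding the associated resource ID.
NET = ("/subscriptions/00000000-0000-0000-0000-000000000000"
       "/resourceGroups/rg-demo/providers/Microsoft.Network")
SAMPLE = [
    {"name": "pip-web", "ipConfiguration":
        {"id": NET + "/networkInterfaces/nic-web/ipConfigurations/ipconfig1"}},
    {"name": "pip-lb", "ipConfiguration":
        {"id": NET + "/loadBalancers/lb-front/frontendIPConfigurations/fe1"}},
    {"name": "pip-fw", "ipConfiguration":
        {"id": NET + "/azureFirewalls/fw-hub/azureFirewallIpConfigurations/cfg1"}},
    {"name": "pip-old", "ipConfiguration": None},
]

READY = "unassociated: can be deleted"
STEPS = {  # resource type in the ID -> step required before deletion
    "networkinterfaces": "dissociate from the NIC configuration first",
    "loadbalancers": "associate a replacement front-end IP first",
    "azurefirewalls": "deallocate the firewall and remove its IP configuration first",
}


def owner_type(resource_id):
    """Return the lower-cased resource type that owns an IP configuration."""
    lowered = [p.lower() for p in resource_id.split("/") if p]
    if "providers" not in lowered:
        return None
    idx = lowered.index("providers")
    # Layout: providers/<namespace>/<type>/<name>/...
    return lowered[idx + 2] if len(lowered) > idx + 2 else None


def deletion_plan(public_ips):
    """Map each public IP name to what must happen before it can be deleted."""
    plan = {}
    for pip in public_ips:
        config = pip.get("ipConfiguration") or {}
        if not config.get("id"):
            plan[pip["name"]] = READY
            continue
        rtype = owner_type(config["id"])
        plan[pip["name"]] = STEPS.get(rtype, f"associated ({rtype}): dissociate first")
    return plan


if __name__ == "__main__":
    for name, step in deletion_plan(SAMPLE).items():
        print(f"{name}: {step}")
```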
Virtual Machine Scale Sets
There aren't separate public IP objects associated with the individual virtual machine instances for a Virtual Machine Scale Set with public IPs. A public IP prefix object can be used to generate the instance IPs.
To list the Public IPs on a Virtual Machine Scale Set, you can use PowerShell (Get-AzPublicIpAddress -VirtualMachineScaleSetName) or CLI (az vmss list-instance-public-ips).
For more information, see Networking for Azure Virtual Machine Scale Sets.
Assign a public IP address
Learn how to assign a public IP address to the following resources:
- A Windows or Linux Virtual Machine on creation. Add IP to an existing virtual machine.
- Virtual Machine Scale Set
- Public load balancer
- Cross-region load balancer
- Application Gateway
- Site-to-site connection using a VPN gateway
- NAT gateway
- Azure Bastion
- Azure Firewall
Azure Public IP is available in all regions for both Public and US Gov clouds. Azure Public IP doesn't move or store customer data out of the region it's deployed in.
To manage public IP addresses, your account must be assigned to the network contributor role. A custom role is also supported. The custom role must be assigned the appropriate actions listed in the following table:
|Action||Name|
|Microsoft.Network/publicIPAddresses/read||Read a public IP address|
|Microsoft.Network/publicIPAddresses/write||Create or update a public IP address|
|Microsoft.Network/publicIPAddresses/delete||Delete a public IP address|
|Microsoft.Network/publicIPAddresses/join/action||Associate a public IP address to a resource|
Public IP addresses have a nominal charge. To view the pricing, read the IP address pricing page.