Create, change, or delete a network interface

Learn how to create, change settings for, and delete a network interface. A network interface enables an Azure Virtual Machine to communicate with internet, Azure, and on-premises resources. A virtual machine created with the Azure portal, has one network interface with default settings. You may instead choose to create network interfaces with custom settings and add one or more network interfaces to a virtual machine when you create it. You may also want to change default network interface settings for an existing network interface.

This article explains how to create a network interface with custom settings and change the following existing settings:

If you need to add, change, or remove IP addresses for a network interface, see Manage IP addresses. If you need to add network interfaces to, or remove network interfaces from virtual machines, see Add or remove network interfaces.

Prerequisites

  • An Azure account with an active subscription. Create an account for free.

  • An existing Azure Virtual Network. For information about creating an Azure Virtual Network, see Quickstart: Create a virtual network using the Azure portal.

    • The example virtual network used in this article is named myVNet. Replace the example value with the name of your virtual network.

    • The example subnet used in this article is named myBackendSubnet. Replace the example value with the name of your subnet.

    • The example network interface name used in this article is myNIC. Replace the example value with the name of your network interface.

  • This how-to article requires version 2.31.0 or later of the Azure CLI. If using Azure Cloud Shell, the latest version is already installed.

  • Azure PowerShell installed locally or Azure Cloud Shell.

  • Sign in to Azure PowerShell and ensure you've selected the subscription with which you want to use this feature. For more information, see Sign in with Azure PowerShell.

  • Ensure your Az.Network module is 4.3.0 or later. To verify the installed module, use the command Get-InstalledModule -Name "Az.Network". If the module requires an update, use the command Update-Module -Name Az.Network if necessary.

If you choose to install and use PowerShell locally, this article requires the Azure PowerShell module version 5.4.1 or later. Run Get-Module -ListAvailable Az to find the installed version. If you need to upgrade, see Install Azure PowerShell module. If you're running PowerShell locally, you also need to run Connect-AzAccount to create a connection with Azure.

Your account must be assigned to the network contributor role or to a custom role that is assigned the appropriate actions listed in Permissions.

Create a network interface

A virtual machine created with the Azure portal is created with a network interface with default settings. To create a network interface with custom settings and attach to a virtual machine, use PowerShell or the Azure CLI. You can also create a network interface and add it to an existing virtual machine with PowerShell or the Azure CLI.

For more information on how to create a virtual machine with an existing network interface or how to add or remove from an existing virtual machine, see Add or remove network interfaces.

  1. Sign-in to the Azure portal.

  2. In the search box at the top of the portal, enter Network interface. Select Network interfaces in the search results.

  3. Select + Create.

  4. Enter or select the following information in Create network interface.

Setting Value Details
Project details
Subscription Select your subscription. You can only assign a network interface to a virtual network that exists in the same subscription and location as the network interface.
Resource group Select your resource group or create a new one. The example used in this article is myResourceGroup. A resource group is a logical container for grouping Azure resources. A network interface can exist in the same, or different resource group, than the virtual machine you attach it to, or the virtual network you connect it to.
Instance details
Name Enter myNIC. The name must be unique within the resource group you select. Over time, you'll likely have several network interfaces in your Azure subscription. For suggestions when creating a naming convention to make managing several network interfaces easier, see Naming conventions. The name can't be changed after the network interface is created.
Region Select your region. The example used in this article is East US 2. The Azure region where the network interface is created.
Virtual network Select myVNet or your virtual network. You can only assign a network interface to a virtual network that exists in the same subscription and location as the network interface. Once a network interface is created, you can't change the virtual network it's assigned to. The virtual machine you add the network interface to must also exist in the same location and subscription as the network interface.
Subnet Select myBackendSubnet. A subnet within the virtual network you selected. You can change the subnet the network interface is assigned to after it's created.
IP Version Select IPv4 or IPv4 and IPv6. You can choose to create the network interface with an IPv4 address or an IPv4 and IPv6 address. The network and subnet used for the virtual network must also have an IPv6 and IPv6 subnet for the IPv6 address to be assigned. An IPv6 configuration is assigned to a secondary IP configuration for the network interface. To learn more about IP configurations, see View network interface settings.
Private IP address assignment Select Dynamic or Static. Dynamic: If dynamic is selected, Azure automatically assigns the next available address from the address space of the subnet you selected.
Static: When selecting this option, you must manually assign an available IP address from within the address space of the subnet you selected. Static and dynamic addresses don't change until you change them or the network interface is deleted. You can change the assignment method after the network interface is created. The Azure DHCP server assigns this address to the network interface within the operating system of the virtual machine.

Screenshot of create network interface in Azure portal.

  1. Select Review + create.

  2. Select Create.

The portal doesn't provide the option to assign a public IP address to the network interface when you create it. The portal does create a public IP address and assign it to a network interface when you create a virtual machine in the portal. To learn how to add a public IP address to the network interface after creating it, see Manage IP addresses. If you want to create a network interface with a public IP address, you must use the Azure CLI, or PowerShell to create the network interface.

The portal doesn't provide the option to assign the network interface to application security groups when creating a network interface, but the Azure CLI and PowerShell do. You can assign an existing network interface to an application security group using the portal however, as long as the network interface is attached to a virtual machine. To learn how to assign a network interface to an application security group, see Add to or remove from application security groups.

Note

Azure assigns a MAC address to the network interface only after the network interface is attached to a virtual machine and the virtual machine is started the first time. You cannot specify the MAC address that Azure assigns to the network interface. The MAC address remains assigned to the network interface until the network interface is deleted or the private IP address assigned to the primary IP configuration of the primary network interface is changed. To learn more about IP addresses and IP configurations, see Manage IP addresses

Note

Azure provides a default outbound access IP for VMs that either aren't assigned a public IP address or are in the back-end pool of an internal basic Azure load balancer. The default outbound access IP mechanism provides an outbound IP address that isn't configurable.

The default outbound access IP is disabled when a public IP address is assigned to the VM, the VM is placed in the back-end pool of a standard load balancer, with or without outbound rules, or if an Azure Virtual Network NAT gateway resource is assigned to the subnet of the VM.

VMs that are created by virtual machine scale sets in flexible orchestration mode don't have default outbound access.

For more information about outbound connections in Azure, see Default outbound access in Azure and Use source network address translation (SNAT) for outbound connections.

View network interface settings

You can view and change most settings for a network interface after it's created. The portal doesn't display the DNS suffix or application security group membership for the network interface. You can use Azure PowerShell or Azure CLI to view the DNS suffix and application security group membership.

  1. Sign-in to the Azure portal.

  2. In the search box at the top of the portal, enter Network interface. Select Network interfaces in the search results.

  3. Select the network interface you want to view or change settings for from the list.

  4. The following items are listed for the network interface you selected:

    • Overview: The overview provides essential information about the network interface. IP addresses for IPv4 and IPv6 and network security group membership are displayed. The accelerated networking feature for network interfaces can be set in the overview. For more information about accelerated networking, see What is Accelerated Networking?

    The following screenshot displays the overview settings for a network interface named myNIC:

    Screenshot of network interface overview.

    Screenshot of network interface IP configurations.

    • DNS servers: You can specify which DNS server a network interface is assigned by the Azure DHCP servers. The network interface can inherit the setting from the virtual network or have a custom setting that overrides the setting for the virtual network it's assigned to. To modify what's displayed, see Change DNS servers.

    Screenshot of DNS server configuration.

    • Network security group (NSG): Displays which NSG is associated to the network interface. An NSG contains inbound and outbound rules to filter network traffic for the network interface. If an NSG is associated to the network interface, the name of the associated NSG is displayed. To modify what's displayed, see Associate or dissociate a network security group.

    Screenshot of network security group configuration.

    • Properties: Displays settings about the network interface, MAC address, and the subscription it exists in. The MAC address is blank if the network interface isn't attached to a virtual machine.

    Screenshot of network interface properties.

    • Effective security rules: Security rules are listed if the network interface is attached to a running virtual machine and associated with a network security group. The network security group can be assigned to the subnet the network interface is assigned to, or both. To learn more about what's displayed, see View effective security rules. To learn more about NSGs, see Network security groups.

    Screenshot of effective security rules.

    • Effective routes: Routes are listed if the network interface is attached to a running virtual machine. The routes are a combination of the Azure default routes, any user-defined routes, and any BGP routes that may exist for the subnet the network interface is assigned to. To learn more about what's displayed, see View effective routes. To learn more about Azure default routes and user-defined routes, see Routing overview.

    Screenshot of effective routes.

Change DNS servers

The DNS server is assigned by the Azure DHCP server to the network interface within the virtual machine operating system. To learn more about name resolution settings for a network interface, see Name resolution for virtual machines. The network interface can inherit the settings from the virtual network, or use its own unique settings that override the setting for the virtual network.

  1. Sign-in to the Azure portal.

  2. In the search box at the top of the portal, enter Network interface. Select Network interfaces in the search results.

  3. Select the network interface you want to view or change settings for from the list.

  4. In Settings, select DNS servers.

  5. Select either:

    • Inherit from virtual network: Choose this option to inherit the DNS server setting defined for the virtual network the network interface is assigned to. At the virtual network level, either a custom DNS server or the Azure-provided DNS server is defined. The Azure-provided DNS server can resolve hostnames for resources assigned to the same virtual network. FQDN must be used to resolve for resources assigned to different virtual networks.

    • Custom: You can configure your own DNS server to resolve names across multiple virtual networks. Enter the IP address of the server you want to use as a DNS server. The DNS server address you specify is assigned only to this network interface and overrides any DNS setting for the virtual network the network interface is assigned to.

    Note

    If the VM uses a NIC that's part of an availability set, all the DNS servers that are specified for each of the VMs from all NICs that are part of the availability set are inherited.

  6. Select Save.

Enable or disable IP forwarding

IP forwarding enables the virtual machine network interface to:

  • Receive network traffic not destined for one of the IP addresses assigned to any of the IP configurations assigned to the network interface.

  • Send network traffic with a different source IP address than the one assigned to one of a network interface's IP configurations.

The setting must be enabled for every network interface that is attached to the virtual machine that receives traffic that the virtual machine needs to forward. A virtual machine can forward traffic whether it has multiple network interfaces or a single network interface attached to it. While IP forwarding is an Azure setting, the virtual machine must also run an application able to forward the traffic, such as firewall, WAN optimization, and load balancing applications.

When a virtual machine is running network applications, the virtual machine is often referred to as a network virtual appliance. You can view a list of ready to deploy network virtual appliances in the Azure Marketplace. IP forwarding is typically used with user-defined routes. To learn more about user-defined routes, see User-defined routes.

  1. Sign-in to the Azure portal.

  2. In the search box at the top of the portal, enter Network interface. Select Network interfaces in the search results.

  3. Select the network interface you want to view or change settings for from the list.

  4. In Settings, select IP configurations.

  5. Select Enabled or Disabled (default setting) to change the setting.

  6. Select Save.

Change subnet assignment

You can change the subnet, but not the virtual network, that a network interface is assigned to.

  1. Sign-in to the Azure portal.

  2. In the search box at the top of the portal, enter Network interface. Select Network interfaces in the search results.

  3. Select the network interface you want to view or change settings for from the list.

  4. In Settings, select IP configurations.

  5. If any private IP addresses for any IP configurations listed have (Static) next to them, you must change the IP address assignment method to dynamic. All private IP addresses must be assigned with the dynamic assignment method to change the subnet assignment for the network interface. Skip to step 6 if your private IPs are set to dynamic.

    Complete the following steps to change the assignment method to dynamic:

    • Select the IP configuration you want to change the IPv4 address assignment method for from the list of IP configurations.

    • Select Dynamic for the private IP address in Assignment.

    • Select Save.

  6. Select the subnet you want to move the network interface to from the Subnet drop-down list.

  7. Select Save.

New dynamic addresses are assigned from the subnet address range for the new subnet. After assigning the network interface to a new subnet, you can assign a static IPv4 address from the new subnet address range if you choose. To learn more about adding, changing, and removing IP addresses for a network interface, see Manage IP addresses.

Add or remove from application security groups

You can only add a network interface, or remove a network interface from an application security group using the portal if the network interface is attached to a virtual machine.

You can use PowerShell or the Azure CLI to add a network interface to, or remove a network interface from an application security group regardless of virtual machine configuration. Learn more about Application security groups and how to create an application security group.

  1. Sign-in to the Azure portal.

  2. In the search box at the top of the portal, enter Virtual machine. Select Virtual machines in the search results.

  3. Select the virtual machine you want to view or change settings for from the list.

  4. In Settings, select Networking.

  5. Select the Application security groups tab.

  6. Select Configure the application security groups.

    Screenshot of application security group configuration.

  7. Select the application security groups that you want to add the network interface to, or unselect the application security groups that you want to remove the network interface from.

  8. Select Save.

Only network interfaces that exist in the same virtual network can be added to the same application security group. The application security group must exist in the same location as the network interface.

Associate or dissociate a network security group

  1. Sign-in to the Azure portal.

  2. In the search box at the top of the portal, enter Network interface. Select Network interfaces in the search results.

  3. Select the network interface you want to view or change settings for from the list.

  4. In Settings, select Network security group.

  5. Select the network security group in the pull-down box.

  6. Select Save.

Delete a network interface

You can delete a network interface if it't not attached to a virtual machine. If a network interface is attached to a virtual machine, you must first place the virtual machine in the stopped (deallocated) state, then detach the network interface from the virtual machine.

To detach a network interface from a virtual machine, complete the steps in Detach a network interface from a virtual machine. You can't detach a network interface from a virtual machine if it's the only network interface attached to the virtual machine however. A virtual machine must always have at least one network interface attached to it.

  1. Sign-in to the Azure portal.

  2. In the search box at the top of the portal, enter Network interface. Select Network interfaces in the search results.

  3. Select the network interface you want to view or change settings for from the list.

  4. In Overview, select Delete.

Resolve connectivity issues

If you're experiencing communication problems with a virtual machine, network security group rules or effective routes may be causing the problem. You have the following options to help resolve the issue:

View effective security rules

The effective security rules for each network interface attached to a virtual machine are a combination of the rules you've created in a network security group and default security rules. Understanding the effective security rules for a network interface may help you determine why you're unable to communicate to or from a virtual machine. You can view the effective rules for any network interface that is attached to a running virtual machine.

  1. Sign-in to the Azure portal.

  2. In the search box at the top of the portal, enter Virtual machine. Select Virtual machines in the search results.

  3. Select the virtual machine you want to view or change settings for from the list.

  4. In Settings, select Networking.

  5. Select the name of the network interface.

  6. Select Effective security rules.

  7. Review the list of effective security rules to determine if the correct rules exist for your required inbound and outbound communication. For more information about security rules, see Network security group overview.

View effective routes

The effective routes for the network interface or interfaces attached to a virtual machine are a combination of:

  • Default routes

  • User created routes

  • Routes propagated from on-premises networks via BGP through an Azure virtual network gateway.

Understanding the effective routes for a network interface may help you determine why you're unable to communicate to or from a virtual machine. You can view the effective routes for any network interface that is attached to a running virtual machine.

  1. Sign-in to the Azure portal.

  2. In the search box at the top of the portal, enter Network interface. Select Network interfaces in the search results.

  3. Select the network interface you want to view or change settings for from the list.

  4. In Help, select Effective routes.

  5. Review the list of effective routes to determine if the correct routes exist for your required inbound and outbound communication. For more information about routing, see Routing overview.

The next hop feature of Azure Network Watcher can also help you determine if routes are preventing communication between a virtual machine and an endpoint. To learn more, see Next hop.

Permissions

To perform tasks on network interfaces, your account must be assigned to the network contributor role or to a custom role that is assigned the appropriate permissions listed in the following table:

Action Name
Microsoft.Network/networkInterfaces/read Get network interface
Microsoft.Network/networkInterfaces/write Create or update network interface
Microsoft.Network/networkInterfaces/join/action Attach a network interface to a virtual machine
Microsoft.Network/networkInterfaces/delete Delete network interface
Microsoft.Network/networkInterfaces/joinViaPrivateIp/action Join a resource to a network interface via private ip
Microsoft.Network/networkInterfaces/effectiveRouteTable/action Get network interface effective route table
Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action Get network interface effective security groups
Microsoft.Network/networkInterfaces/loadBalancers/read Get network interface load balancers
Microsoft.Network/networkInterfaces/serviceAssociations/read Get service association
Microsoft.Network/networkInterfaces/serviceAssociations/write Create or update a service association
Microsoft.Network/networkInterfaces/serviceAssociations/delete Delete service association
Microsoft.Network/networkInterfaces/serviceAssociations/validate/action Validate service association
Microsoft.Network/networkInterfaces/ipconfigurations/read Get network interface IP configuration

Next steps