A network interface (NIC) enables an Azure virtual machine (VM) to communicate with internet, Azure, and on-premises resources. This article explains how to create, view and change settings for, and delete a NIC.
A VM you create in the Azure portal has one NIC with default settings. You can create NICs with custom settings instead, and add one or more NICs to a VM when or after you create it. You can also change settings for an existing NIC.
To run the procedures in this article, sign in to the Azure portal with your Azure account. You can replace the placeholders in the examples with your own values.
To run the commands in this article, you need the following prerequisites:
You can run the commands either in the Azure Cloud Shell or from Azure CLI on your computer.
Azure Cloud Shell is a free interactive shell that has common Azure tools preinstalled and configured to use with your account. To run the commands in the Cloud Shell, select Open Cloudshell at the upper-right corner of a code block. Select Copy to copy the code, and paste it into Cloud Shell to run it. You can also run the Cloud Shell from within the Azure portal.
You can run the commands either in the Azure Cloud Shell or from PowerShell on your computer.
Also make sure your Az.Network module is 4.3.0 or later. To verify the installed module, use Get-InstalledModule -Name "Az.Network". To update, use the command Update-Module -Name Az.Network.
In the following procedures, you can replace the example placeholder names with your own values.
Permissions
To work with NICs, your account must be assigned to the network contributor role or to a custom role that's assigned the appropriate actions from the following list:
You can create a NIC in the Azure portal or by using Azure CLI or Azure PowerShell.
The portal doesn't provide the option to assign a public IP address to a NIC when you create it. If you want to create a NIC with a public IP address, use Azure CLI or PowerShell. To add a public IP address to a NIC after you create it, see Configure IP addresses for an Azure network interface.
The portal does create a NIC with default settings and a public IP address when you create a VM. To create a NIC with custom settings and attach it to a VM, or to add a NIC to an existing VM, use PowerShell or Azure CLI.
The portal doesn't provide the option to assign a NIC to application security groups when you create the NIC, but Azure CLI and PowerShell do. However, if an existing NIC is attached to a VM, you can use the portal to assign that NIC to an application security group. For more information, see Add to or remove from application security groups.
Use az network nic create to create the NIC. To create a NIC without a public IP address, omit the --public-ip-address parameter for az network nic create.
```powershell
## Place the virtual network into a variable. ##
$net = @{
    Name = 'myVNet'
    ResourceGroupName = 'myResourceGroup'
}
$vnet = Get-AzVirtualNetwork @net

## Place the primary public IP address into a variable. ##
$pub = @{
    Name = 'myPublicIP'
    ResourceGroupName = 'myResourceGroup'
}
$pubIP = Get-AzPublicIPAddress @pub

## Create primary configuration for NIC. ##
$IP1 = @{
    Name = 'ipconfig1'
    Subnet = $vnet.Subnets[0]
    PrivateIpAddressVersion = 'IPv4'
    PublicIPAddress = $pubIP
}
$IP1Config = New-AzNetworkInterfaceIpConfig @IP1 -Primary

## Command to create network interface for VM ##
$nic = @{
    Name = 'myNIC'
    ResourceGroupName = 'myResourceGroup'
    Location = 'eastus2'
    IpConfiguration = $IP1Config
}
New-AzNetworkInterface @nic
```
You can configure the following settings for a NIC:
| Setting | Value | Details |
| --- | --- | --- |
| Subscription | Select your subscription. | You can assign a NIC only to a virtual network in the same subscription and location. |
| Resource group | Select your resource group or create a new one. | A resource group is a logical container for grouping Azure resources. A NIC can exist in the same or a different resource group from the VM you attach it to or the virtual network you connect it to. |
| Name | Enter a name for the NIC. | The name must be unique within the resource group. For information about creating a naming convention to make managing several NICs easier, see Resource naming. You can't change the name after you create the NIC. |
| Region | Select your region. | The Azure region where you create the NIC. |
| Virtual network | Select your virtual network. | You can assign a NIC only to a virtual network in the same subscription and location as the NIC. Once you create a NIC, you can't change the virtual network it's assigned to. The VM you add the NIC to must also be in the same location and subscription as the NIC. |
| Subnet | Select a subnet within the virtual network you selected. | You can change the subnet the NIC is assigned to after you create the NIC. |
| IP version | Select IPv4 or IPv4 and IPv6. | You can choose to create the NIC with an IPv4 address or IPv4 and IPv6 addresses. To assign an IPv6 address, the network and subnet you use for the NIC must also have an IPv6 address space. An IPv6 configuration is assigned to a secondary IP configuration for the NIC. |
| Private IP address assignment | Select Dynamic or Static. | The Azure DHCP server assigns the private IP address to the NIC in the VM's operating system. If you select Dynamic, Azure automatically assigns the next available address from the address space of the subnet you selected. If you select Static, you must manually assign an available IP address from within the address space of the subnet you selected. Static and dynamic addresses don't change until you change them or delete the NIC. You can change the assignment method after the NIC is created. |
Note
Azure assigns a MAC address to the NIC only after the NIC is attached to a VM and the VM starts for the first time. You can't specify the MAC address that Azure assigns to the NIC.
The MAC address remains assigned to the NIC until the NIC is deleted or the private IP address assigned to the primary IP configuration of the primary NIC changes. For more information, see Configure IP addresses for an Azure network interface.
Note
Azure provides a default outbound access IP for VMs that either aren't assigned a public IP address or are in the backend pool of an internal basic Azure load balancer. The default outbound access IP mechanism provides an outbound IP address that isn't configurable.
The default outbound access IP is disabled when one of the following events happens:
- A public IP address is assigned to the VM.
- The VM is placed in the backend pool of a standard load balancer, with or without outbound rules.
You can view most settings for a NIC after you create it. The portal doesn't display the DNS suffix or application security group membership for the NIC. You can use Azure PowerShell or Azure CLI to view the DNS suffix and application security group membership.
In the Azure portal, search for and select Network interfaces.
On the Network interfaces page, select the NIC you want to view.
On the Overview page for the NIC, view essential information such as IPv4 and IPv6 IP addresses and network security group (NSG) membership.
You can select Edit accelerated networking to set accelerated networking for NICs. For more information about accelerated networking, see What is Accelerated Networking?
Select IP configurations in the left navigation, and on the IP configurations page, view the IP forwarding, Subnet, and public and private IPv4 and IPv6 IP configurations. For more information about IP configurations and how to add and remove IP addresses, see Configure IP addresses for an Azure network interface.
Select DNS servers in the left navigation, and on the DNS servers page, view any DNS server that Azure DHCP assigns to the NIC. Also note whether the NIC inherits the setting from the virtual network or has a custom setting that overrides the virtual network setting.
Select Network security group from the left navigation, and on the Network security group page, see any NSG that's associated to the NIC. An NSG contains inbound and outbound rules to filter network traffic for the NIC.
Select Properties in the left navigation. On the Properties page, view settings for the NIC, such as the MAC address and subscription information. The MAC address is blank if the NIC isn't attached to a VM.
Select Effective security rules in the left navigation. The Effective security rules page lists security rules if the NIC is attached to a running VM and associated with an NSG. For more information about NSGs, see Network security groups.
Select Effective routes in the left navigation. The Effective routes page lists routes if the NIC is attached to a running VM.
The routes are a combination of the Azure default routes, any user-defined routes, and any Border Gateway Protocol (BGP) routes that exist for the subnet the NIC is assigned to. For more information about Azure default routes and user-defined routes, see Virtual network traffic routing.
You can change most settings for a NIC after you create it.
Add or change DNS servers
Azure DHCP assigns the DNS server to the NIC within the VM operating system. The NIC can inherit the settings from the virtual network, or use its own unique settings that override the setting for the virtual network. For more information about name resolution settings for a NIC, see Name resolution for virtual machines.
In the Azure portal, search for and select Network interfaces.
On the Network interfaces page, select the NIC you want to change from the list.
On the NIC's page, select DNS servers from the left navigation.
On the DNS servers page, select one of the following settings:
Inherit from virtual network: Choose this option to inherit the DNS server setting from the virtual network the NIC is assigned to. Either a custom DNS server or the Azure-provided DNS server is defined at the virtual network level.
The Azure-provided DNS server can resolve hostnames for resources assigned to the same virtual network. The fully qualified domain name (FQDN) must be used for resources assigned to different virtual networks.
Note
If a VM uses a NIC that's part of an availability set, the DNS servers for all NICs for all VMs that are part of the availability set are inherited.
Custom: You can configure your own DNS server to resolve names across multiple virtual networks. Enter the IP address of the server you want to use as a DNS server. The DNS server address you specify is assigned only to this NIC and overrides any DNS setting for the virtual network the NIC is assigned to.
Select Save.
Use az network nic update to change the DNS server setting from inherited to a custom setting. Replace the DNS server IP addresses with your custom IP addresses.
```azurecli
az network nic update \
    --name myNIC \
    --resource-group myResourceGroup \
    --dns-servers 192.168.1.100 192.168.1.101
```
To remove the DNS servers and change the setting to virtual network setting inheritance, use the following command:
```azurecli
az network nic update \
    --name myNIC \
    --resource-group myResourceGroup \
    --dns-servers null
```
Use Set-AzNetworkInterface to change the DNS server setting from inherited to a custom setting. Replace the DNS server IP addresses with your custom IP addresses.
```powershell
## Place the network interface configuration into a variable. ##
$nic = Get-AzNetworkInterface -Name myNIC -ResourceGroupName myResourceGroup

## Add the DNS servers to the configuration. ##
$nic.DnsSettings.DnsServers.Add("192.168.1.100")

## Add a secondary DNS server if needed, otherwise set the configuration. ##
$nic.DnsSettings.DnsServers.Add("192.168.1.101")

## Apply the new configuration to the network interface. ##
$nic | Set-AzNetworkInterface
```
To remove the DNS servers and change the setting to inherit from the virtual network, use the following command. Replace the DNS server IP addresses with your custom IP addresses.
```powershell
## Place the network interface configuration into a variable. ##
$nic = Get-AzNetworkInterface -Name myNIC -ResourceGroupName myResourceGroup

## Remove the DNS servers from the configuration. ##
$nic.DnsSettings.DnsServers.Remove("192.168.1.100")

## Remove the secondary DNS server if one was configured. ##
$nic.DnsSettings.DnsServers.Remove("192.168.1.101")

## Apply the new configuration to the network interface. ##
$nic | Set-AzNetworkInterface
```
Enable or disable IP forwarding
IP forwarding enables a NIC attached to a VM to:
- Receive network traffic not destined for any of the IP addresses assigned in any of the NIC's IP configurations.
- Send network traffic with a different source IP address than is assigned in any of the NIC's IP configurations.
You must enable IP forwarding for every NIC attached to the VM that needs to forward traffic. A VM can forward traffic whether it has multiple NICs or a single NIC attached to it.
IP forwarding is typically used with user-defined routes. For more information, see User-defined routes.
While IP forwarding is an Azure setting, the VM must also run an application that's able to forward the traffic, such as a firewall, WAN optimization, or load balancing application. A VM that runs network applications is often called a network virtual appliance (NVA). You can view a list of ready-to-deploy NVAs in the Azure Marketplace.
To enable IP forwarding, use the following command:
```powershell
## Place the network interface configuration into a variable. ##
$nic = Get-AzNetworkInterface -Name myNIC -ResourceGroupName myResourceGroup

## Set the IP forwarding setting to enabled. ##
$nic.EnableIPForwarding = 1

## Apply the new configuration to the network interface. ##
$nic | Set-AzNetworkInterface
```
To disable IP forwarding, use the following command:
```powershell
## Place the network interface configuration into a variable. ##
$nic = Get-AzNetworkInterface -Name myNIC -ResourceGroupName myResourceGroup

## Set the IP forwarding setting to disabled. ##
$nic.EnableIPForwarding = 0

## Apply the new configuration to the network interface. ##
$nic | Set-AzNetworkInterface
```
Change subnet assignment
You can change the subnet, but not the virtual network, that a NIC is assigned to.
On the NIC's page, select IP configurations in the left navigation.
On the IP configurations page, under IP configurations, if any private IP addresses listed have (Static) next to them, change the IP address assignment method to dynamic. All private IP addresses must be assigned with the dynamic assignment method to change the subnet assignment for the NIC.
To change the assignment method to dynamic:
Select the IP configuration you want to change from the list of IP configurations.
On the IP configuration page, select Dynamic under Assignment.
Select Save.
When all private IP addresses are set to Dynamic, under Subnet, select the subnet you want to move the NIC to.
Select Save. New dynamic addresses are assigned from the new subnet's address range.
After assigning the NIC to a new subnet, you can assign a static IPv4 address from the new subnet address range if you choose. For more information about adding, changing, and removing IP addresses for a NIC, see Configure IP addresses for an Azure network interface.
```powershell
## Place the virtual network into a variable. ##
$net = @{
    Name = 'myVNet'
    ResourceGroupName = 'myResourceGroup'
}
$vnet = Get-AzVirtualNetwork @net

## Place the network interface configuration into a variable. ##
$nic = Get-AzNetworkInterface -Name myNIC -ResourceGroupName myResourceGroup

## Change the subnet in the IP configuration. Replace the subnet number with ##
## the number of your subnet in your VNet. Your first listed subnet in your  ##
## VNet is 0, next is 1, and so on.                                          ##
$IP = @{
    Name = 'ipv4config'
    Subnet = $vnet.Subnets[1]
}
$nic | Set-AzNetworkInterfaceIpConfig @IP

## Apply the new configuration to the network interface. ##
$nic | Set-AzNetworkInterface
```
Warning
You can change the subnet of a primary network interface while the virtual machine is started. You can't change the subnet of a secondary network interface in the same manner. To change the subnet of a secondary network interface, you must first stop and de-allocate the virtual machine.
Add or remove from application security groups
You can add NICs only to application security groups in the same virtual network and location as the NIC.
```powershell
## Place the virtual network into a variable. ##
$net = @{
    Name = 'myVNet'
    ResourceGroupName = 'myResourceGroup'
}
$vnet = Get-AzVirtualNetwork @net

## Place the subnet configuration into a variable. ##
$subnet = Get-AzVirtualNetworkSubnetConfig -Name mySubnet -VirtualNetwork $vnet

## Place the network interface configuration into a variable. ##
$nic = Get-AzNetworkInterface -Name myNIC -ResourceGroupName myResourceGroup

## Place the application security group configuration into a variable. ##
$asg = Get-AzApplicationSecurityGroup -Name myASG -ResourceGroupName myResourceGroup

## Add the application security group to the IP configuration. ##
$IP = @{
    Name = 'ipv4config'
    Subnet = $subnet
    ApplicationSecurityGroup = $asg
}
$nic | Set-AzNetworkInterfaceIpConfig @IP

## Save the configuration to the network interface. ##
$nic | Set-AzNetworkInterface
```
```powershell
## Place the network interface configuration into a variable. ##
$nic = Get-AzNetworkInterface -Name myNIC -ResourceGroupName myResourceGroup

## Place the network security group configuration into a variable. ##
$nsg = Get-AzNetworkSecurityGroup -Name myNSG -ResourceGroupName myResourceGroup

## Add the NSG to the NIC configuration. ##
$nic.NetworkSecurityGroup = $nsg

## Save the configuration to the network interface. ##
$nic | Set-AzNetworkInterface
```
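The DNS server, IP forwarding, and network security group settings described above can be reviewed together. The following is an added example, not code from the original article: `Get-NicSecurityFinding` and its `-ApprovedForwarder` allow-list are hypothetical names, and the sample objects are constructed to mirror the property names of `Get-AzNetworkInterface` output so the function runs offline.

```powershell
# Added example (not from the original article). Flags NIC settings that this
# article describes and that a security review usually wants explained.
function Get-NicSecurityFinding {
    [CmdletBinding()]
    param(
        # NIC objects with the property names Get-AzNetworkInterface returns.
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Nic,
        # Hypothetical allow-list: NIC names that belong to approved NVAs.
        [string[]]$ApprovedForwarder = @()
    )
    process {
        $findings = [System.Collections.Generic.List[string]]::new()
        # IP forwarding lets the NIC receive traffic not addressed to it and
        # send with another source address; expect it only on NVAs.
        if ($Nic.EnableIPForwarding -and $Nic.Name -notin $ApprovedForwarder) {
            $findings.Add('IP forwarding enabled on a NIC that is not an approved NVA')
        }
        # Custom DNS servers on the NIC override the virtual network setting.
        $dns = @($Nic.DnsSettings.DnsServers | Where-Object { $_ })
        if ($dns.Count -gt 0) {
            $findings.Add("Custom DNS servers override the VNet setting: $($dns -join ', ')")
        }
        # Without a NIC-level NSG, filtering depends entirely on the subnet NSG.
        if (-not $Nic.NetworkSecurityGroup) {
            $findings.Add('No NSG associated with the NIC; confirm the subnet has one')
        }
        # A public IP on any IP configuration makes the NIC internet-facing.
        if ($Nic.IpConfigurations | Where-Object { $_.PublicIpAddress }) {
            $findings.Add('Public IP address attached')
        }
        foreach ($f in $findings) {
            [pscustomobject]@{ Nic = $Nic.Name; Finding = $f }
        }
    }
}

# Constructed sample objects (not real resources) so the function runs offline.
$sample = @(
    [pscustomobject]@{
        Name = 'fw-nic'; EnableIPForwarding = $true
        DnsSettings = [pscustomobject]@{ DnsServers = @() }
        NetworkSecurityGroup = [pscustomobject]@{ Id = 'constructed-nsg-id' }
        IpConfigurations = @([pscustomobject]@{ PublicIpAddress = $null })
    },
    [pscustomobject]@{
        Name = 'app-nic'; EnableIPForwarding = $true
        DnsSettings = [pscustomobject]@{ DnsServers = @('192.168.1.100') }
        NetworkSecurityGroup = $null
        IpConfigurations = @(
            [pscustomobject]@{ PublicIpAddress = [pscustomobject]@{ Id = 'constructed-pip-id' } }
        )
    }
)
$sample | Get-NicSecurityFinding -ApprovedForwarder 'fw-nic'

# Against a live subscription (requires Az.Network and a signed-in session):
# Get-AzNetworkInterface | Get-NicSecurityFinding -ApprovedForwarder 'fw-nic'
```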
Delete a network interface
You can delete a NIC if it's not attached to a VM. If the NIC is attached to a VM, you must first stop and deallocate the VM, then detach the NIC.
To detach the NIC from the VM, complete the steps in Remove a network interface from a VM. A VM must always have at least one NIC attached to it, so you can't delete the only NIC from a VM.
If you have communication problems with a VM, network security group rules or effective routes might be causing the problems. Use the following options to help resolve the issue.
View effective security rules
The effective security rules for each NIC attached to a VM are a combination of the rules you created in an NSG and default security rules. Understanding the effective security rules for a NIC might help you determine why you're unable to communicate to or from a VM. You can view the effective rules for any NIC that's attached to a running VM.
In the Azure portal, search for and select Virtual machines.
On the Virtual machines page, select the VM you want to view settings for.
On the VM page, select Networking from the left navigation.
On the Networking page, select the Network Interface.
On the NIC's page, select Effective security rules under Help in the left navigation.
Review the list of effective security rules to determine if the rules are correct for your required inbound and outbound communications. For more information about security rules, see Network security group overview.
The effective routes for the NIC or NICs attached to a VM are a combination of:
- Default routes
- User-defined routes
- Routes propagated from on-premises networks via BGP through an Azure virtual network gateway.
Understanding the effective routes for a NIC might help you determine why you can't communicate with a VM. You can view the effective routes for any NIC that's attached to a running VM.
On the page for the NIC that's attached to the VM, select Effective routes under Help in the left navigation.
Review the list of effective routes to see if the routes are correct for your required inbound and outbound communications. For more information about routing, see Routing overview.
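When the effective route list is long, it helps to resolve which route a specific destination actually matches, for example to confirm that internet-bound traffic goes through a firewall NVA. The following is an added example, not code from the original article: `Resolve-EffectiveRoute` and `ConvertTo-IPv4Number` are hypothetical helper names, the function handles IPv4 only, and the sample routes are constructed in the shape of `Get-AzEffectiveRouteTable` output.

```powershell
# Added example (not from the original article). Picks the effective route a
# destination matches, using longest-prefix match over Active IPv4 routes.
function ConvertTo-IPv4Number {
    param([Parameter(Mandatory)][string]$Address)
    [long]$n = 0
    foreach ($b in [System.Net.IPAddress]::Parse($Address).GetAddressBytes()) {
        $n = $n * 256 + $b
    }
    $n
}

function Resolve-EffectiveRoute {
    param(
        # Route objects with the property names Get-AzEffectiveRouteTable returns.
        [Parameter(Mandatory)][object[]]$Route,
        [Parameter(Mandatory)][string]$Destination
    )
    $dest = ConvertTo-IPv4Number $Destination
    $best = $null
    $bestLen = -1
    foreach ($r in ($Route | Where-Object { $_.State -eq 'Active' })) {
        foreach ($prefix in $r.AddressPrefix) {
            $net, $len = $prefix -split '/'
            if ($net -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { continue }  # IPv4 only
            # Two addresses share a prefix when they fall in the same block.
            $size = [math]::Pow(2, 32 - [int]$len)
            $destBlock = [math]::Floor($dest / $size)
            $netBlock = [math]::Floor((ConvertTo-IPv4Number $net) / $size)
            if ($destBlock -eq $netBlock -and [int]$len -gt $bestLen) {
                $best = $r
                $bestLen = [int]$len
            }
        }
    }
    $best
}

# Constructed sample routes (not real resources) so the function runs offline.
$routes = @(
    [pscustomobject]@{
        State = 'Active'; Source = 'Default'; AddressPrefix = @('10.0.0.0/16')
        NextHopType = 'VnetLocal'; NextHopIpAddress = @()
    },
    [pscustomobject]@{
        State = 'Invalid'; Source = 'Default'; AddressPrefix = @('0.0.0.0/0')
        NextHopType = 'Internet'; NextHopIpAddress = @()
    },
    [pscustomobject]@{
        State = 'Active'; Source = 'User'; AddressPrefix = @('0.0.0.0/0')
        NextHopType = 'VirtualAppliance'; NextHopIpAddress = @('10.0.2.4')
    }
)
Resolve-EffectiveRoute -Route $routes -Destination '203.0.113.10' |
    Select-Object Source, NextHopType, NextHopIpAddress

# Live data (requires Az.Network, a signed-in session, and a running VM):
# $routes = Get-AzEffectiveRouteTable -NetworkInterfaceName myNIC -ResourceGroupName myResourceGroup
```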