Create, change, or delete a network interface
A network interface (NIC) enables an Azure virtual machine (VM) to communicate with internet, Azure, and on-premises resources. This article explains how to create, view and change settings for, and delete a NIC.
A VM you create in the Azure portal has one NIC with default settings. You can create NICs with custom settings instead, and add one or more NICs to a VM when or after you create it. You can also change settings for an existing NIC.
You need the following prerequisites:
- An Azure account with an active subscription. Create an account for free.
- An existing Azure virtual network. To create one, see Quickstart: Create a virtual network by using the Azure portal.
To run the procedures in this article, sign in to the Azure portal with your Azure account. You can replace the placeholders in the examples with your own values.
To work with NICs, your account must be assigned to the network contributor role or to a custom role that's assigned the appropriate actions from the following list:
Action | Name |
---|---|
Microsoft.Network/networkInterfaces/read | Get network interface |
Microsoft.Network/networkInterfaces/write | Create or update network interface |
Microsoft.Network/networkInterfaces/join/action | Attach a network interface to a virtual machine |
Microsoft.Network/networkInterfaces/delete | Delete network interface |
Microsoft.Network/networkInterfaces/joinViaPrivateIp/action | Join a resource to a network interface via private ip |
Microsoft.Network/networkInterfaces/effectiveRouteTable/action | Get network interface effective route table |
Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action | Get network interface effective security groups |
Microsoft.Network/networkInterfaces/loadBalancers/read | Get network interface load balancers |
Microsoft.Network/networkInterfaces/serviceAssociations/read | Get service association |
Microsoft.Network/networkInterfaces/serviceAssociations/write | Create or update a service association |
Microsoft.Network/networkInterfaces/serviceAssociations/delete | Delete service association |
Microsoft.Network/networkInterfaces/serviceAssociations/validate/action | Validate service association |
Microsoft.Network/networkInterfaces/ipconfigurations/read | Get network interface IP configuration |
You can create a NIC in the Azure portal or by using Azure CLI or Azure PowerShell.
The portal doesn't provide the option to assign a public IP address to a NIC when you create it. If you want to create a NIC with a public IP address, use Azure CLI or PowerShell. To add a public IP address to a NIC after you create it, see Configure IP addresses for an Azure network interface.
The portal does create a NIC with default settings and a public IP address when you create a VM. To create a NIC with custom settings and attach it to a VM, or to add a NIC to an existing VM, use PowerShell or Azure CLI.
The portal doesn't provide the option to assign a NIC to application security groups when you create the NIC, but Azure CLI and PowerShell do. However, if an existing NIC is attached to a VM, you can use the portal to assign that NIC to an application security group. For more information, see Add to or remove from application security groups.
To create a NIC, use the following procedure.
In the Azure portal, search for and select network interfaces.
On the Network interfaces page, select Create.
On the Create network interface screen, enter or select values for the NIC settings.
Select Review + create, and when validation passes, select Create.
You can configure the following settings for a NIC:
Setting | Value | Details |
---|---|---|
Subscription | Select your subscription. | You can assign a NIC only to a virtual network in the same subscription and location. |
Resource group | Select your resource group or create a new one. | A resource group is a logical container for grouping Azure resources. A NIC can exist in the same or a different resource group from the VM you attach it to or the virtual network you connect it to. |
Name | Enter a name for the NIC. | The name must be unique within the resource group. For information about creating a naming convention to make managing several NICs easier, see Resource naming. You can't change the name after you create the NIC. |
Region | Select your region. | The Azure region where you create the NIC. |
Virtual network | Select your virtual network. | You can assign a NIC only to a virtual network in the same subscription and location as the NIC. Once you create a NIC, you can't change the virtual network it's assigned to. The VM you add the NIC to must also be in the same location and subscription as the NIC. |
Subnet | Select a subnet within the virtual network you selected. | You can change the subnet the NIC is assigned to after you create the NIC. |
IP version | Select IPv4 or IPv4 and IPv6. |
You can choose to create the NIC with an IPv4 address or IPv4 and IPv6 addresses. To assign an IPv6 address, the network and subnet you use for the NIC must also have an IPv6 address space. An IPv6 configuration is assigned to a secondary IP configuration for the NIC. |
Private IP address assignment | Select Dynamic or Static. | The Azure DHCP server assigns the private IP address to the NIC in the VM's operating system. - If you select Dynamic, Azure automatically assigns the next available address from the address space of the subnet you selected. - If you select Static, you must manually assign an available IP address from within the address space of the subnet you selected. Static and dynamic addresses don't change until you change them or delete the NIC. You can change the assignment method after the NIC is created. |
Note
Azure assigns a MAC address to the NIC only after the NIC is attached to a VM and the VM starts for the first time. You can't specify the MAC address that Azure assigns to the NIC.
The MAC address remains assigned to the NIC until the NIC is deleted or the private IP address assigned to the primary IP configuration of the primary NIC changes. For more information, see Configure IP addresses for an Azure network interface.
Note
Azure provides a default outbound access IP for VMs that either aren't assigned a public IP address or are in the backend pool of an internal basic Azure load balancer. The default outbound access IP mechanism provides an outbound IP address that isn't configurable.
The default outbound access IP is disabled when one of the following events happens:
- A public IP address is assigned to the VM.
- The VM is placed in the backend pool of a standard load balancer, with or without outbound rules.
- An Azure NAT Gateway resource is assigned to the subnet of the VM.
VMs that you create by using virtual machine scale sets in flexible orchestration mode don't have default outbound access.
For more information about outbound connections in Azure, see Default outbound access in Azure and Use Source Network Address Translation (SNAT) for outbound connections.
You can view most settings for a NIC after you create it. The portal doesn't display the DNS suffix or application security group membership for the NIC. You can use Azure PowerShell or Azure CLI to view the DNS suffix and application security group membership.
In the Azure portal, search for and select Network interfaces.
On the Network interfaces page, select the NIC you want to view.
On the Overview page for the NIC, view essential information such as IPv4 and IPv6 IP addresses and network security group (NSG) membership.
You can select Edit accelerated networking to set accelerated networking for NICs. For more information about accelerated networking, see What is Accelerated Networking?
Select IP configurations in the left navigation, and on the IP configurations page, view the IP forwarding, Subnet, and public and private IPv4 and IPv6 IP configurations. For more information about IP configurations and how to add and remove IP addresses, see Configure IP addresses for an Azure network interface.
Select DNS servers in the left navigation, and on the DNS servers page, view any DNS server that Azure DHCP assigns the NIC to. Also note whether the NIC inherits the setting from the virtual network or has a custom setting that overrides the virtual network setting.
Select Network security group from the left navigation, and on the Network security group page, see any NSG that's associated to the NIC. An NSG contains inbound and outbound rules to filter network traffic for the NIC.
Select Properties in the left navigation. On the Properties page, view settings for the NIC, such as the MAC address and subscription information. The MAC address is blank if the NIC isn't attached to a VM.
Select Effective security rules in the left navigation. The Effective security rules page lists security rules if the NIC is attached to a running VM and associated with an NSG. For more information about NSGs, see Network security groups.
Select Effective routes in the left navigation. The Effective routes page lists routes if the NIC is attached to a running VM.
The routes are a combination of the Azure default routes, any user-defined routes, and any Border Gateway Protocol (BGP) routes that exist for the subnet the NIC is assigned to. For more information about Azure default routes and user-defined routes, see Virtual network traffic routing.
You can change most settings for a NIC after you create it.
Azure DHCP assigns the DNS server to the NIC within the VM operating system. The NIC can inherit the settings from the virtual network, or use its own unique settings that override the setting for the virtual network. For more information about name resolution settings for a NIC, see Name resolution for virtual machines.
In the Azure portal, search for and select Network interfaces.
On the Network interfaces page, select the NIC you want to change from the list.
On the NIC's page, select DNS servers from the left navigation.
On the DNS servers page, select one of the following settings:
Inherit from virtual network: Choose this option to inherit the DNS server setting from the virtual network the NIC is assigned to. Either a custom DNS server or the Azure-provided DNS server is defined at the virtual network level.
The Azure-provided DNS server can resolve hostnames for resources assigned to the same virtual network. The fully qualified domain name (FQDN) must be used for resources assigned to different virtual networks.
Note
If a VM uses a NIC that's part of an availability set, the DNS servers for all NICs for all VMs that are part of the availability set are inherited.
Custom: You can configure your own DNS server to resolve names across multiple virtual networks. Enter the IP address of the server you want to use as a DNS server. The DNS server address you specify is assigned only to this NIC and overrides any DNS setting for the virtual network the NIC is assigned to.
Select Save.
IP forwarding enables a NIC attached to a VM to:
- Receive network traffic not destined for any of the IP addresses assigned in any of the NIC's IP configurations.
- Send network traffic with a different source IP address than is assigned in any of the NIC's IP configurations.
You must enable IP forwarding for every NIC attached to the VM that needs to forward traffic. A VM can forward traffic whether it has multiple NICs or a single NIC attached to it.
IP forwarding is typically used with user-defined routes. For more information, see User-defined routes.
While IP forwarding is an Azure setting, the VM must also run an application that's able to forward the traffic, such as a firewall, WAN optimization, or load balancing application. A VM that runs network applications is often called a network virtual appliance (NVA). You can view a list of ready-to-deploy NVAs in the Azure Marketplace.
- On the NIC's page, select IP configurations in the left navigation.
- On the IP configurations page, under IP forwarding settings, select Enabled or Disabled, the default, to change the setting.
- Select Save.
You can change the subnet, but not the virtual network, that a NIC is assigned to.
On the NIC's page, select IP configurations in the left navigation.
On the IP configurations page, under IP configurations, if any private IP addresses listed have (Static) next to them, change the IP address assignment method to dynamic. All private IP addresses must be assigned with the dynamic assignment method to change the subnet assignment for the NIC.
To change the assignment method to dynamic:
- Select the IP configuration you want to change from the list of IP configurations.
- On the IP configuration page, select Dynamic under Assignment.
- Select Save.
When all private IP addresses are set to Dynamic, under Subnet, select the subnet you want to move the NIC to.
Select Save. New dynamic addresses are assigned from the new subnet's address range.
After assigning the NIC to a new subnet, you can assign a static IPv4 address from the new subnet address range if you choose. For more information about adding, changing, and removing IP addresses for a NIC, see Configure IP addresses for an Azure network interface.
Warning
You can change the subnet of a primary network interface while the virtual machine is started. You can't change the subnet of a secondary network interface in the same manner. To change the subnet of a secondary network interface, you must first stop and de-allocate the virtual machine.
You can add NICs only to application security groups in the same virtual network and location as the NIC.
You can use the portal to add or remove a NIC for an application security group only if the NIC is attached to a VM. Otherwise, use PowerShell or Azure CLI. For more information, see Application security groups and How to create an application security group.
To add or remove a NIC for an application security group on a VM, follow this procedure:
In the Azure portal, search for and select virtual machines.
On the Virtual machines page, select the VM you want to configure from the list.
On the VM's page, select Networking from the left navigation.
On the Networking page, under the Application security groups tab, select Configure the application security groups.
Select the application security groups you want to add the NIC to, or deselect the application security groups you want to remove the NIC from.
Select Save.
- On the NIC's page, select Network security group in the left navigation.
- On the Network security group page, select the network security group you want to associate, or select None to dissociate the NSG.
- Select Save.
You can delete a NIC if it's not attached to a VM. If the NIC is attached to a VM, you must first stop and deallocate the VM, then detach the NIC.
To detach the NIC from the VM, complete the steps in Remove a network interface from a VM. A VM must always have at least one NIC attached to it, so you can't delete the only NIC from a VM.
To delete a NIC, on the Overview page for the NIC you want to delete, select Delete from the top menu bar, and then select Yes.
If you have communication problems with a VM, network security group rules or effective routes might be causing the problems. Use the following options to help resolve the issue.
The effective security rules for each NIC attached to a VM are a combination of the rules you created in an NSG and default security rules. Understanding the effective security rules for a NIC might help you determine why you're unable to communicate to or from a VM. You can view the effective rules for any NIC that's attached to a running VM.
- In the Azure portal, search for and select virtual machines.
- On the Virtual machines page, select the VM you want to view settings for.
- On the VM page, select Networking from the left navigation.
- On the Networking page, select the Network Interface.
- On the NIC's page, select Effective security rules under Help in the left navigation.
- Review the list of effective security rules to determine if the rules are correct for your required inbound and outbound communications. For more information about security rules, see Network security group overview.
The effective routes for the NIC or NICs attached to a VM are a combination of:
- Default routes
- User-defined routes
- Routes propagated from on-premises networks via BGP through an Azure virtual network gateway.
Understanding the effective routes for a NIC might help you determine why you can't communicate with a VM. You can view the effective routes for any NIC that's attached to a running VM.
- On the page for the NIC that's attached to the VM, select Effective routes under Help in the left navigation.
- Review the list of effective routes to see if the routes are correct for your required inbound and outbound communications. For more information about routing, see Routing overview.
The next hop feature of Azure Network Watcher can also help you determine if routes are preventing communication between a VM and an endpoint. For more information, see Tutorial: Diagnose a virtual machine network routing problem by using the Azure portal.
For other network interface tasks, see the following articles:
Task | Article |
---|---|
Add, change, or remove IP addresses for a network interface. | Configure IP addresses for an Azure network interface |
Add or remove network interfaces for VMs. | Add network interfaces to or remove network interfaces from virtual machines |
Create a VM with multiple NICs | - How to create a Linux virtual machine in Azure with multiple network interface cards - Create and manage a Windows virtual machine that has multiple NICs |
Create a single NIC VM with multiple IPv4 addresses. | - Assign multiple IP addresses to virtual machines by using the Azure CLI - Assign multiple IP addresses to virtual machines by using Azure PowerShell |
Create a single NIC VM with a private IPv6 address behind Azure Load Balancer. | - Create a public load balancer with IPv6 by using Azure CLI - Create an internet facing load balancer with IPv6 by using PowerShell - Deploy an internet-facing load-balancer solution with IPv6 by using a template |