Public IP Addresses
You need some form of publicly addressable location for any service in Azure that will be available on the Internet. In Azure, this comes in the form of a public IP address, a low-cost option where you consume an address from Microsoft huge repositories – typically based on IPv4.
Public IP addresses, often referred to just as PIPs, are normally allocated on demand. For example, you might deploy a load balancer to NAT a number of virtual machines, and Azure will assign an address to you. You have no idea what that address will be until you get it. By default, the address is dynamic, but with resources such as load balancers or virtual machines, it’s usually best to configure the address with:
- A static address at no extra cost, so that the address does not change when the associated resource(s) become deallocated.
- A DNS prefix for a Microsoft-managed domain name.
Some organizations, particularly those with bureaucracies or slow-moving change control processes, will struggle with services that are being deployed publicly on the Internet. For example, let’s pretend that we work for a such an organization that is setting up a service in Azure that will have multiple PIPs. The firewalls of the organization need to be updated to allow inbound or outbound traffic to these PIPs.
The typical experience is that we have to wait until the service is deployed before we can start to configure the on-premises firewall rules. I have visited in some organizations where a simple process such as setting up a user might take 2 weeks, a request to install Visio might take 6 weeks, or a getting a laptop for a new user might even take over 2 months! How long do you think it will take one of these organizations to allow outbound HTTPS access to a new service?
The process will be:
- Developers and cloud operations build a new service in Azure
- The record the PIPs and send a request to the network team and security officer
- The security officer hums and haws, and the Cisco people are grumpy because someone is able to do networking with a few mouse clicks
- A firewall rule is created to access the service weeks after the service was built and available
Pre-Determined IP Addresses
The idea of Public IP Address Prefix is that you can pre-request a range of sequential IP addresses from Azure in advance of their deployment. For example, I can request a /28, a /16, or a /8 (there are other ranges) of addresses. I will get a range of addresses from Azure. Note that until the prefix is assigned, there is no pre-determination what the address range will be – you find out what the actual addresses are when the prefix is created.
Once you have the addresses you can approach your network & security teams and pre-create rules to allow outbound (or inbound, if required) access.
Afterward, you can create PIPs from this address range; the PIP will get a pre-known address instead of a random address from the massive Microsoft IPv4 repository for that region. In my below screenshot, you can see that I have taken the first three addresses of 18.104.22.168/29 as public IP addresses that can be allocated to Azure resources:
Public IP Address Prefix launched in Preview at Microsoft Ignite in a limited number of regions:
- West Central US
- West US
- West US 2
- Central US
- North Europe
- West Europe
- Southeast Asia
More regions will be added over time. The preview currently requires that you use a special preview flight (version) of the Azure Portal – without it, you cannot create PIPS from the prefix allocation.