DEV Community

Owen Wong

Bite-sized Azure Networking – Public IP

Introduction

Unlike many other cloud service providers, Azure assigns a default outbound public IP address to virtual machines that reside in a virtual network without an explicit outbound connectivity setting. This IP address enables outbound connectivity from the VM to the Internet. This may beg the question: why do we still need additional configuration like what we are used to in AWS?

Benefits

From both a security and an operational standpoint, it is always suggested to have an explicit outbound connectivity setup, because of the following:

  1. Zero trust principle: Prohibit the virtual network from accessing the internet by default
  2. Better control of traffic: In combination with an NSG (Network Security Group), network administrators can explicitly allow/deny a certain resource access to the internet
  3. Persistent public IP: As the default outbound public IP is not owned by the subscription, the IP may change from time to time and can cause dependency issues (e.g., a third-party provider whitelisted your traffic by its public IP, and the connection breaks when the IP changes)
  4. The default outbound access IP does not support fragmented packets

Examples of explicit outbound connectivity:

  • Route traffic to the internet through a NAT Gateway (the suggested approach)
  • Use a load balancer with outbound rules
  • Attach a public IP to the NIC of the VM

Deployment

  1. Provision a NAT gateway
  2. Attach public IP/public IP prefix to the NAT gateway
  3. Associate it with a subnet (usually a public subnet)
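The three steps above as an Azure CLI script. This is an added example, not code from the original post; the resource group, location and resource names are constructed placeholders, and the `AZ` variable is an assumption of this script (set `AZ=echo` to print the commands instead of running them) rather than an Azure CLI feature.

```shell
#!/bin/sh
# Explicit outbound connectivity via NAT gateway: public IP prefix -> NAT gateway -> subnet.
# Added example; all names below are constructed placeholders, override them via the environment.
set -eu

AZ="${AZ:-az}"                       # assumption: command used to invoke the CLI (AZ=echo for a dry run)
RG="${RG:-rg-natgw-demo}"
LOCATION="${LOCATION:-eastus}"
VNET="${VNET:-vnet-demo}"
SUBNET="${SUBNET:-snet-public}"
PREFIX_NAME="${PREFIX_NAME:-pipp-natgw}"
NATGW="${NATGW:-natgw-demo}"

# Step 2 (prepared first): a Standard-SKU public IP prefix owned by the subscription,
# so the outbound addresses are persistent and can safely be allow-listed by third parties.
create_prefix() {
  "$AZ" network public-ip prefix create \
    --resource-group "$RG" --name "$PREFIX_NAME" \
    --location "$LOCATION" --length 31 --version IPv4
}

# Step 1 + 2: provision the NAT gateway and attach the prefix to it.
create_nat_gateway() {
  "$AZ" network nat gateway create \
    --resource-group "$RG" --name "$NATGW" \
    --location "$LOCATION" \
    --public-ip-prefixes "$PREFIX_NAME" \
    --idle-timeout 4
}

# Step 3: associate the gateway with the subnet; every VM in it now egresses via the prefix.
associate_subnet() {
  "$AZ" network vnet subnet update \
    --resource-group "$RG" --vnet-name "$VNET" --name "$SUBNET" \
    --nat-gateway "$NATGW"
}

# Check: the subnet should now reference the NAT gateway resource id.
verify_association() {
  "$AZ" network vnet subnet show \
    --resource-group "$RG" --vnet-name "$VNET" --name "$SUBNET" \
    --query natGateway.id -o tsv
}

# Run the whole sequence only when invoked as: sh natgw.sh deploy
if [ "${1:-}" = "deploy" ]; then
  create_prefix
  create_nat_gateway
  associate_subnet
  verify_association
fi
```

Run it with `AZ=echo sh natgw.sh deploy` first to review the exact commands, then without `AZ` against a subscription you are logged in to.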

Behind the scenes: how multiple VMs can share a single public IP

Source Network Address Translation (SNAT) is used to translate the source of a flow to originate from a different IP address and/or port. NAT gateway uses SNAT to translate the private IP address and port of a virtual machine to a static public IP address and port. Traffic is translated before leaving the virtual network for the Internet. Each new connection to the same destination endpoint uses a different SNAT port so that connections can be distinguished from one another.
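To make the SNAT behaviour concrete, here is a small toy model of the port allocation, added as an example and not part of the original post. The flows, addresses and the tiny port pool are constructed; a real NAT gateway has far more ports per public IP, but the rules modelled are the ones described above: a flow keeps its SNAT port, each new flow to the same destination endpoint gets a distinct port, a port can be reused toward a different destination, and a flow is dropped once the pool toward its destination is exhausted.

```shell
#!/bin/sh
# snat_translate PUBLIC_IP FIRST_PORT POOL_SIZE
# Reads flows as "src_ip src_port dst_ip dst_port" lines on stdin and prints the
# translated tuple. Constructed model of NAT gateway SNAT port allocation.
snat_translate() {
  awk -v pip="$1" -v base="$2" -v n="$3" '
    {
      src = $1 ":" $2; dst = $3 ":" $4; flow = src ">" dst
      if (!(flow in port)) {
        # new connection: pick the lowest pool port not yet used toward this destination
        p = -1
        for (i = 0; i < n; i++) {
          if (!((dst, base + i) in used)) { p = base + i; break }
        }
        if (p < 0) {
          # every port toward this endpoint is taken: SNAT port exhaustion
          printf "%s -> %s DROPPED: SNAT ports exhausted for this destination\n", src, dst
          next
        }
        port[flow] = p
        used[dst, p] = 1
      }
      printf "%s -> %s via %s:%d\n", src, dst, pip, port[flow]
    }'
}

# Constructed sample: two VMs talk to the same endpoint, one of them opens a second
# connection to a different endpoint, a third VM then hits the exhausted pool.
demo() {
  printf '%s\n' \
    '10.0.1.4 50000 203.0.113.10 443' \
    '10.0.1.5 50000 203.0.113.10 443' \
    '10.0.1.4 50001 203.0.113.20 443' \
    '10.0.1.6 50000 203.0.113.10 443' \
    '10.0.1.4 50000 203.0.113.10 443' \
    | snat_translate 198.51.100.7 1024 2
}

if [ "${1:-}" = "demo" ]; then
  demo
fi
```

With a pool of only two ports, the third VM's connection to 203.0.113.10:443 is dropped while the connection to 203.0.113.20:443 reuses port 1024; this is why attaching more public IPs (or a prefix) to the gateway raises the connection ceiling toward a single destination.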

Limitation

If multiple public IPs are attached to a NAT gateway, it is currently not possible to explicitly configure a private IP or IP range to be SNATed to a specific public IP.
