Reserved IP Address Options in Microsoft Azure

by [Published on 25 Nov. 2014 / Last Updated on 25 Nov. 2014]

This article looks at the reserved IP Address options in Microsoft Azure.

Introduction

When building out an infrastructure in the Microsoft Azure public cloud, often there are times that assigning a static IP address to a resource is necessary. This is quite commonplace with on-premises infrastructure, but it presents some unique challenges in the cloud. You might ask “if it’s a Windows or Linux virtual machine running in Azure, why can’t I just assign a static IP address the way I do for on-premises machines?” The reason is that IP addressing is handled somewhat differently in Azure. IP addresses allocated to virtual machines are assigned dynamically. Although they have a long lease duration and will persist as long as the virtual machine is running or stopped, the IP address can and often will be reassigned to other machines if the original VM is stopped and deallocated. This can be potentially problematic for a variety of reasons. For example, you may want to assign a static IP address to a machine so that you can restrict access to the host using firewall ACLs. Azure also uses dynamic public IP address assignment and in those cases where you need to refer to your application or service by a unique name hosted in your own DNS (as opposed to the default name used in Azure) then having a static IP address can be very helpful.

Static IP Addresses for Virtual Machines

One of the more common instances where static IP addresses are required is at the virtual machine level. For example, if you have an SQL server virtual machine running in an Azure virtual network and want to restrict access to the SQL service only to administrators and the application that utilizes it, creating firewall access rules to control this access will be necessary. Obviously if the IP address of the SQL server changes at some point in the future, the service will be unavailable until the firewall rules are updated. As this is less than an ideal situation, we’ll assign a static IP address to the virtual machine.

Static IP address assignments in Azure are configured exclusively using PowerShell. For details on using PowerShell with Microsoft Azure, click here. Before assigning the IP address, it’s a good idea to test to see if the address we want to assign is actually available and not in use. To do this, execute the following PowerShell command.

Test-AzureStaticVNetIP -VNetName <azure_vnet_name> -IPAddress <proposed_ip_address>

Image
Figure 1

If the property of IsAvailable is True, then the IP address is not currently in use and is available to assign to our virtual machine. To assign a static IP address to an Azure virtual machine, execute the following PowerShell command.

Get-AzureVM -ServiceName <cloud_service_name> -Name <azure_vm_name> | Set-AzureStaticVNetIP -IPAddress <ip_address> | Update-AzureVM

Image
Figure 2

Once the task is finished and the virtual machine has been updated, you’ll see the new static IP address in the Azure management portal.

Image
Figure 3

It’s important to note that when you look at the network interface configuration in Windows in the virtual machine, you’ll see that it is still set to Obtain an IP address automatically.

Image
Figure 4

This is by design and you should not, under any circumstance, change this setting. Static IP address assignments in Azure work essentially like DHCP address reservations. When you configure a static IP address for a virtual machine in Azure, the IP address you choose is reserved for this VM for its lifetime. The IP address will not change if the virtual machine is restarted, turned off, or even deallocated.

Static IP Addresses for Cloud Services

In some cases it may be desirable to assign a static IP address at the cloud service level. Each cloud service you create in Azure is assigned, dynamically, a public IP address that is resolved from the FQDN of the cloud service name, such as example.cloudapp.net. All virtual machines in the cloud service are accessible from the public Internet via endpoints (for more information on Azure endpoints, click here.). The IP address assigned to the cloud service comes from Microsoft’s pool of public IP address space, so unlike in the previous example, you can only reserve an IP address instead of specifying one. However, this does solve problems where using a CNAME DNS record won’t work or, again, where you need consistent IP addressing to support firewall access control.

Unlike assigning a static IP address to an Azure virtual machine, you must reserve a public IP address before creating the cloud service. This means that you cannot reserve a static public IP address for an existing cloud service. To reserve a public static IP address, execute the following PowerShell command.

New-AzureReservedIP -ReservedIPName <name> -Label <label> -Location <region>

Image
Figure 5

Once you've successfully reserved a public IP address, create a new virtual machine and cloud service and then associate the IP address reservation with the cloud service using the following PowerShell command.

New-AzureVMConfig -Name <azure_vm_name> -InstanceSize <size> -ImageName <vm_image_name> | Add-AzureProvisioningConfig -Windows -AdminUsername <username> -Password <password> | New-AzureVM -ServiceName <cloud_service_name> –ReservedIPName <reserved_ip_name> -Location <region>

Image
Figure 6

Once complete, you can shut down and deallocate all virtual machines in this cloud service without the public IP address being released.

Summary

Assigning static IP addresses has long been a standard practice for administrators deploying network hosts and devices on premises. Assigning static IP addresses in the Microsoft Azure public cloud is a little different, with Azure technically using “reserved” addresses as opposed to truly static addresses, but the end result is the same. A virtual machine or cloud service will not receive a new IP address dynamically at some point in the future, which makes connecting to Azure VMs and cloud services by IP address or controlling access with firewalls to Azure services much less problematic. As you can see, at the time of this writing the only way to assign static IP addresses in Azure is to use PowerShell. Often this is cumbersome and time consuming, so hopefully in the future Microsoft will include these configuration options as settings exposed in the Azure management portal GUI. Don’t get me wrong, I’m not opposed to PowerShell in the least. PowerShell enables powerful scripting and automation scenarios that are necessary for large scale cloud deployments, but sometimes we need the basic simplicity of point and click. Regardless, if you have a requirement for static IP addresses for your virtual machines or cloud services hosted in Azure, I’m sure you’ll find the details above helpful.

See Also


The Author — Richard Hicks

Richard Hicks avatar

Richard M. Hicks (MCP, MCSE, MCTS, MCITP:EA, MCSA, MVP) is a network and information security expert specializing in Microsoft technologies. He is the founder and principal consultant of Richard M. Hicks Consulting and is focused on helping organizations large and small implement DirectAccess, VPN, and cloud networking solutions on Microsoft Platforms.

Advertisement

Featured Links