When should you use a static IP address in Azure? A static IP address is permanently tied to a particular device. A dynamic IP address, by contrast, is used for a limited time and then returned to the address pool so that other devices can use it.
In Azure, static IP addresses are released whenever the network interface they belong to is deleted.
In my current project, we have a requirement that all Private Endpoint (PE) connections must use static IP addresses. All Private Endpoint IP addresses must be pre-allocated so that we can streamline the process of raising firewall requests to integrate with the customer's on-premises network. This post will show you how to create Private Endpoints with static IP addresses using Azure Bicep.
Static IP assignment for Private Endpoints has been supported by the Azure Microsoft.Network resource provider since API version 2021-03-01. You can define the static IP in the ipConfigurations property of the Private Endpoint resource. Most resources require only one IP address per Private Endpoint (for example, Key Vault or Azure SQL); some require multiple IP addresses per Private Endpoint (for example, Azure Cosmos DB). Because the ipConfigurations property is an array, you can define one or more static IP addresses in it.
I have created a sample Bicep template to create an Azure Storage Account, a Private Endpoint for the blob service, and another Private Endpoint for the Azure Data Lake (ADLS) Gen2 service. The Private Endpoints are configured with static IP addresses. The Bicep template can be found in my GitHub repo.
In this template, I have defined 2 separate Private Endpoint resources for the same Storage Account. The static IP addresses for each PE are passed in as parameters (as shown in the code sample below).
By using this approach, I was able to satisfy the requirement for most of the resources that I need to deploy. The only exception I have encountered so far is the Azure Recovery Services Vault (RSV). When creating Private Endpoints for RSVs, the RSV dynamically allocates IP addresses for the PE. In this case, I had to create a dedicated subnet for RSV Private Endpoints, so that I can pre-allocate the IP addresses for the RSVs.
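The approach described above, written out in Bicep as an added example (this is not the author's template from the GitHub repo). The parameter names, sample addresses and API versions are assumptions, and the storage account is assumed to exist already rather than being created here.

```bicep
// Added example, not the author's template. Names, addresses and API versions are assumptions.
param location string = resourceGroup().location
param storageAccountName string // existing account with hierarchical namespace (ADLS Gen2)
param subnetId string // resource ID of the subnet reserved for Private Endpoints
param endpoints array = [
  { groupId: 'blob', privateIp: '10.0.1.10' } // constructed sample address
  { groupId: 'dfs', privateIp: '10.0.1.11' } // constructed sample address
]

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
  name: storageAccountName
}

@batchSize(1) // create the endpoints one at a time
resource pe 'Microsoft.Network/privateEndpoints@2023-04-01' = [for ep in endpoints: {
  name: 'pe-${storageAccountName}-${ep.groupId}'
  location: location
  properties: {
    subnet: { id: subnetId }
    // The pre-allocated address: one ipConfigurations entry per required IP.
    ipConfigurations: [
      {
        name: 'ipconfig-${ep.groupId}'
        properties: {
          groupId: ep.groupId
          memberName: ep.groupId // for blob and dfs the member name equals the group ID
          privateIPAddress: ep.privateIp
        }
      }
    ]
    privateLinkServiceConnections: [
      {
        name: 'plsc-${ep.groupId}'
        properties: {
          privateLinkServiceId: storage.id
          groupIds: [ ep.groupId ]
        }
      }
    ]
  }
}]

// Endpoint-to-address mapping, usable as input for the firewall request.
output endpointIps array = [for (ep, i) in endpoints: { name: pe[i].name, ip: ep.privateIp }]
```

Private DNS zone registration for the endpoints is left out; the deployment fails if a requested address is outside the subnet or already in use.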
What are webspaces?
In general, a webspace can be seen as a virtual grouping of App Service plans (ASPs). An ASP, in turn, is basically a group of virtual machines running one or more websites, which is why ASPs are internally called serverFarms. App Services, on the other hand, are internally called sites.
When a scale-out event happens (as opposed to a scale-up), additional virtual machines are added to the ASP.
These webspaces, or deployment units, cannot be created by the user. They are managed for us by Azure Resource Manager under the hood. The following diagram provides an overview.
What's important to note here is that all plans created with the same resource group / region combination end up in the same webspace. Furthermore, all public IP addresses are bound to this webspace. Let's dive a little deeper.
Here I am making a low-level call to Azure Resource Manager, requesting details about my ASPs which are inside the resource group rg-app-services.
As you can see from the output below, I got two ASPs, one in region North Europe and one in region West Europe. Both belong to different webspaces, which are called rg-app-services-NorthEuropewebspace and rg-app-services-WestEuropewebspace.
This fact explains the table provided above. If you delete and recreate an app service in a different resource group, it ends up in a different webspace with different public IP addresses attached to it!
Below I am querying Azure Resource Manager again, but this time for site details. It also carries a property called properties.webSpace, and some more details about possible inbound and outbound IP addresses.
Please note that there are simpler methods to get the IPs; I made this low-level call only to provide details about the underlying webspace.
Using a static outbound IP
Use Azure NAT Gateway
One way is to leverage a NAT Gateway for this purpose and you will end up with an architecture as depicted in the diagram.
1. Configure regional virtual network integration from within your app service.
2. Force all outbound traffic originating from that app to travel through the virtual network. This is done by setting the WEBSITE_VNET_ROUTE_ALL=1 property in your web app configuration.
3. Create a public IP address.
4. Add a NAT gateway, attach it to the subnet that contains the app service and make use of the public IP created in step 3.
There are a couple of restrictions worth mentioning. First, this approach requires an App Service Plan that supports virtual network integration (Standard or Premium). And second, the inbound IP could still change.
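The four steps above expressed as one Bicep deployment, as an added example that is not from the original post. The resource names, the subnet range and the API versions are assumptions; the virtual network and the App Service plan are assumed to exist.

```bicep
// Added example, not from the original post. Names, ranges and API versions are assumptions.
param location string = resourceGroup().location
param appName string
param planId string // resource ID of an existing Standard or Premium App Service plan
param vnetName string // name of an existing virtual network in this resource group

// Step 3: the static public IP that outbound traffic will appear to come from.
resource pip 'Microsoft.Network/publicIPAddresses@2023-04-01' = {
  name: 'pip-${appName}-outbound'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

// Step 4: NAT gateway that uses the public IP.
resource nat 'Microsoft.Network/natGateways@2023-04-01' = {
  name: 'nat-${appName}'
  location: location
  sku: { name: 'Standard' }
  properties: {
    publicIpAddresses: [ { id: pip.id } ]
  }
}

// Integration subnet: delegated to App Service and attached to the NAT gateway.
resource subnet 'Microsoft.Network/virtualNetworks/subnets@2023-04-01' = {
  name: '${vnetName}/snet-appsvc-integration'
  properties: {
    addressPrefix: '10.0.2.0/26' // constructed sample range
    natGateway: { id: nat.id }
    delegations: [
      {
        name: 'appsvc'
        properties: { serviceName: 'Microsoft.Web/serverFarms' }
      }
    ]
  }
}

// Steps 1 and 2: regional VNet integration plus routing of all outbound traffic.
resource app 'Microsoft.Web/sites@2022-09-01' = {
  name: appName
  location: location
  properties: {
    serverFarmId: planId
    virtualNetworkSubnetId: subnet.id
    siteConfig: {
      appSettings: [
        { name: 'WEBSITE_VNET_ROUTE_ALL', value: '1' }
      ]
    }
  }
}
```

Declaring `appSettings` this way replaces the app's full settings list, so merge it with the existing settings when the app already has some.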
How to Assign Static local IP Addresses to Windows Azure Virtual Machines
With the advent of Microsoft Azure (formerly Windows Azure) in 2010, engineers and developers were given the ability to build virtual environments to suit their many needs, in a Microsoft hosted solution. Azure offered a dynamic environment for development and testing, while at the same time allowing for the effective management of costs.
In order to further contain the expense of working in Azure, developers will often stop or “de-allocate” a virtual machine when they have no more tasks involving it. Only when the virtual machine is required, will it be started again. This practice works well in applications that only require a single virtual machine, but what if you have the need to use several?
Multiple virtual machine environments are often created within an Azure Virtual Network and given their own subnet of IP addresses. The IP addresses are allocated dynamically, and as you well know, dynamic IP addresses in a development environment can, and most certainly will, wreak havoc. To circumvent this problem, Azure developers are forced to start each virtual machine in a specific order to ensure that IP addresses are allocated properly for the functionality of their projects.
Recently, the Windows Azure team has included the ability to assign static IP addresses for Azure virtual machines. Below, I detail the basic method to accomplish this, but there is a caveat. If an IP address you wish to assign as “static” has already been allocated or is currently in use, this method will fail. You must ensure that all static IP addresses are freely available.