Private and Public IP addresses in Azure – Features and Use-cases

In Azure, IP addresses play a crucial role in the configuration and communication of resources within the cloud.

Azure provides two types of IP addresses — private IP addresses and public IP addresses — each serving different functions.

Understanding their features, use cases, and best practices is essential for designing and managing an efficient network infrastructure in Azure.

Private IP Addresses in Azure

Features of Private IP Addresses

1. Internal Communication:

Private IP addresses are used for communication between Azure resources within the same Virtual Network (VNet) or across peered VNets.

These IPs are not exposed to the public internet and are used for internal traffic within Azure.

2. Range of IPs:

Azure private IP addresses are assigned from reserved address ranges defined by RFC 1918.

These ranges are:

• 10.0.0.0/8 (10.0.0.0 to 10.255.255.255)

• 172.16.0.0/12 (172.16.0.0 to 172.31.255.255)

• 192.168.0.0/16 (192.168.0.0 to 192.168.255.255)

Private IP addresses can be either dynamic (assigned automatically) or static (manually assigned and fixed).

3. Virtual Network:

Private IPs are essential for Virtual Networks (VNets) in Azure.

Resources like Virtual Machines (VMs), Azure Kubernetes Service (AKS) nodes, databases, and services can all use private IP addresses for internal communication.

4. No Internet Access:

Private IP addresses cannot be used to access the public internet directly.

For internet connectivity, resources with private IPs need a NAT Gateway or Azure Load Balancer to route outbound traffic.

5. Subnet Level Configuration:

Each subnet within an Azure VNet has its own IP address range.

Resources within a subnet are assigned private IPs from the defined range.

These IPs can be either static or dynamic depending on how the resources are configured.

6. Private DNS Resolution:

Private IPs can be used with Private DNS Zones to provide name resolution for Azure services and applications that are accessed privately within a VNet, enhancing security by keeping the traffic internal.

Use Cases for Private IP Addresses

1. Internal Resource Communication:

Private IPs are used to allow Azure resources (e.g., VMs, containers, databases) within a VNet to communicate securely without exposing their traffic to the public internet.

For example:

VMs that form part of a multi-tier application (front-end, back-end, database) can use private IPs for communication between tiers.

2. Service Integration:

Private IPs are used to integrate Azure services like Azure Storage, Azure SQL Database, or Azure Kubernetes Service (AKS) with internal resources through Private Link or Service Endpoints.

This ensures that traffic stays within Azure's backbone network, reducing exposure to the public internet.

3. Hybrid Connectivity:

When connecting your on-premises network to Azure via a VPN Gateway or ExpressRoute, private IPs are used to ensure secure and private communication between on-premises and cloud resources.

4. Network Segmentation and Isolation:

Private IPs are used in scenarios where network isolation is required, such as in backend services (e.g., databases or app servers) that should not be exposed to external access.

These resources can be placed in private subnets, while public-facing services (e.g., web servers) can reside in public subnets.

5. Internal Load Balancing:

Internal Load Balancer (ILB) uses private IP addresses to distribute traffic between backend services within a VNet.

The traffic is kept within the VNet, and there is no exposure to the internet.

Public IP Addresses in Azure

Features of Public IP Addresses

1. Internet Connectivity:

Public IP addresses are used to allow Azure resources to communicate over the internet.

Public IPs are required for any Azure resource that needs to be exposed to external traffic, such as web servers, load balancers, VPN Gateways, etc.

2. Dynamic or Static:

• Dynamic Public IP Address:

The address is assigned when a resource is created and can change when the resource is stopped and started.

• Static Public IP Address:

The address is fixed and does not change, even if the resource is stopped and restarted.

Static IPs are typically used for critical applications where a fixed address is required, such as DNS records for web servers.

3. Public IP Assignment:

Public IPs are assigned to resources such as:

• Azure Load Balancer (for distributing inbound internet traffic).

• Virtual Machines (for directly exposing services to the internet).

• Azure Application Gateway (for web application traffic management).

• VPN Gateway (for site-to-site or point-to-site connectivity).

• Azure Firewall (for controlling traffic between subnets and internet).

4. IP Allocation Types:

Public IPs in Azure can be IPv4 or IPv6 addresses.

IPv6 support is available in most regions, and you can assign both IPv4 and IPv6 public IPs to resources depending on your network architecture.

5. Global or Regional Availability:

Regional Public IPs are tied to the region in which they are deployed.

Global Public IPs are available for services like Azure Front Door, where global reachability is needed for applications.

6. DNS Resolution:

You can assign a DNS name to a Public IP in Azure, making it easier to reference and access your resources via a domain name (e.g., myapp.eastus.cloudapp.azure.com).

Use Cases for Public IP Addresses

1. Web Applications:

Public IPs are assigned to web servers, API servers, or load balancers to allow external users to access applications over the internet.

For example:

• A web server hosting a public-facing website needs a public IP to allow visitors to access the site.

• Azure Application Gateway requires a public IP to route internet traffic to the backend servers.

2. Load Balancing for Internet Traffic:

Azure Load Balancer (Public) uses public IP addresses to distribute incoming internet traffic across multiple backend services.

This ensures high availability and reliable traffic distribution for internet-facing applications.

A Public Load Balancer can be used for highly available and scalable applications that require external traffic distribution.

3. VPN Gateway:

A VPN Gateway is used to establish secure connections between on-premises networks and Azure VNets.

A public IP address is required for the VPN gateway to provide internet-based connections for site-to-site or point-to-site VPNs.

4. Azure Firewall:

Azure Firewall uses public IP addresses to control outbound traffic from private subnets to the internet, ensuring that traffic is inspected and filtered before being allowed to pass through to the internet.

A public IP address is used for services requiring outbound connectivity to the internet.

5. Domain Name Services (DNS):

Public IPs are used in DNS setups where services need to be accessed via user-friendly domain names rather than raw IP addresses.

This is essential for websites, email servers, or public APIs.

6. Azure Bastion:

Azure Bastion is a fully managed service that provides secure and seamless RDP and SSH connectivity to VMs over TLS (instead of exposing VMs directly to the internet).

It requires a public IP to establish the connection and ensure security.

7. Azure Front Door:

Azure Front Door is a global, scalable entry point that provides fast and secure access to your applications.

A global public IP is assigned to route traffic to the nearest available backend based on the user's location, providing high performance and low latency.

8. IoT and External Services:

Public IPs are often needed for IoT devices that require direct access to cloud-based services over the internet or for integrating with external APIs and services.

Best Practices for Private and Public IP Addresses

Private IP Addresses:

1. Use for Internal Communication:

Always use private IPs for communication between resources within the same VNet or between peered VNets.

2. Leverage Subnet Isolation:

Use private IPs to isolate sensitive resources (e.g., databases or back-end services) in private subnets.

3. DNS Resolution:

Use Private DNS Zones for resources that need to be accessed by private IP addresses for name resolution.

4. Avoid Public Exposure:

Never assign private IPs to publicly accessible services, unless you use a load balancer or gateway to manage traffic securely.

Public IP Addresses:

1. Assign to Public-Facing Resources:

Use public IPs only for resources that require direct exposure to the internet (e.g., web servers, load balancers).

2. Use Static IPs for Critical Services:

When a fixed address is required (e.g., DNS records, critical applications), assign a static public IP.

3. Implement Security Best Practices:

Ensure that public-facing resources are properly protected using NSGs, Azure Firewall, and other security mechanisms to reduce exposure to threats.

4. Optimize IP Allocation:

Use Azure IP Prefixes or Global IPs to manage large-scale deployments that require multiple public IPs.

Conclusion

In Azure, the decision to use private or public IP addresses depends on the required level of accessibility, security, and the type of resource being deployed.

Private IP addresses are best suited for internal communications and security, while public IP addresses enable external access to applications and services over the internet.

By understanding the features, use cases, and best practices for each type of IP address, you can design a secure, scalable, and efficient network infrastructure in Azure.