As a follow up to the GA announcement
, I wanted to write a post about scenarios, usage and other frequently asked questions about Instance-Level Public IP Address. A virtual machine running in Azure can now be associated with a direct and publicly accessible IP address that sticks to the VM for its lifetime. This ability is available for both IaaS Virtual machines and traditional Web/Worker (PaaS) role instances.
Use Case Scenarios
An Instance-Level Public IP Address (PIP) unlike the Virtual IP Address (VIP) is not load balanced. While the VIP is assigned to the cloud service and shared by all virtual machines and role instances in it, the PIP is associated only with a single instance. The PIP is particularly useful in multi instance deployments where each instance can be reachable independently from the Internet. The picture below illustrates the value of PIP and differentiates it from the VIP.
*Traffic sent on VIP can land on either DIP1 or DIP2. But traffic sent to PIP1 will always go to DIP1 and traffic sent to PIP2 will always go to DIP2.
*DIP (Data center IP) is the private IP address of the VM.
Typically, to be able to send traffic to an Azure VM from an external source, the destination port must be declared as an Endpoint in the VM, but with Instance-Level Public IPs this restriction is removed. An external source can send traffic to any port on the Instance-Level Public IP Address as long the firewall in the VM allows it. This is particularly useful when the VM needs to receive traffic on dynamic ports, a good use case being FTP servers implementing passive mode.
Instance-Level Public IP Addresses are also useful in scenarios where the individual VM participating in a load balanced set needs to be monitored from an external source. When connecting through the VIP, the traffic is always load balanced and could be directed to either of the VMs behind the load balancer, but when using the PIP, the traffic is guaranteed to reach the particular VM that is associated with.
Unique Outbound IP Address
Another benefit of Instance-Level Public IP Address is that it is used as the Outgoing IP address of the VM when connecting to external endpoints. Since a PIP uniquely identifies a VM the receiver can easily whitelist or identify the source of the traffic. For scenarios requiring large number of outbound connections such as Web crawler, it is recommended that the VMs uses Instance-Level public IPs so that it has dedicated outbound IP for Source Network Address Translation (SNAT)
As mentioned earlier, Instance-Level public IP address is available for both Virtual Machines (IaaS) as well as Web/Worker roles (PaaS). In the case of IaaS, the PIP is requested as part of the VM configuration, and in the case of PaaS it is requested as part of the role configuration and every instance of the role gets an Instance-Level public IP Address. The sections below provide the sample power shell cmd lets and/or service configuration files for either case.
*In the sample below I use a VirtualNetwork ‘VnetUSEast’ in my subscription that contains FrontEnd and Backend subnets
#Assign Public IP Address for a Virtual Machine during create
$images = Get-AzureVMImage
$ftp1 = New-AzureVMConfig -Name "instance1" -InstanceSize Small -ImageName $images.ImageName | Add-AzureProvisioningConfig -Windows -AdminUsername narayan -Password pass@word1 | Set-AzureSubnet FrontEndSubnet | Set-AzurePublicIP -PublicIPName "pip1"
New-AzureVM -ServiceName "MyFTPService" -VMs $ftp1 -Location "East US" -VNetName VNetUSEast
#Assign Public IP Address for a Virtual Machine through update
Get-AzureVM -ServiceName "MyFtpService" -Name "instance1" | Set-AzurePublicIP -PublicIPName "pip1" | Update-AzureVM
Get-AzureVM -ServiceName "MyFtpService" -Name "instance2" | Set-AzurePublicIP -PublicIPName "pip2" | Update-AzureVM
#Get the associated Public IP Name for a virtual machine
Get-AzureVM -ServiceName "MyFtpService" -Name "instance1" | Get-AzurePublicIP
#Get the assigned Public IP Address for a virtual machine
$instance1 = Get-AzureVM -ServiceName "MyFtpService" -Name "instance1"
#Remove Public IP Address from the Virtual machine
Get-AzureVM -ServiceName "MyFtpService" -Name "instance1" | Remove-AzurePublicIP | Update-AzureVM
To obtain a public IP address for a PaaS role instance, the definition should be in the service configuration file (cscfg)
#cscfg snippet (not the entire file)
<VirtualNetworkSite name="VNetUSEast" />
<Subnet name="BackEndSubnet" />
<PublicIP name="FtpIP" />
<Subnet name="FrontEndSubnet" />
#Get the Public Ips per role instance
$roles = Get-AzureRole -ServiceName PaaSFTPService -Slot Production -RoleName WorkerRole1 -InstanceDetails
#To disassociate public IP from the role instance, edit the public IP section from the role using a configuration update.
Limits and Billing
While Instance level public IP Address was in preview, the limit was restricted to 2 IP addresses, with the GA announcement the limits have been raised to 5 IP Addresses per subscription. There is also a nominal fee associated with Instance level public IP address, please refer to the pricing page
for more details
FAQ 1. Can I use both Virtual IP Address (load balanced) and Instance level public IP Address in my deployment?
Yes, the VIP is allocated by default to every cloud service. Instance level Public IP Address can be allocated on demand, to a specific virtual machine or role instance. 2. Why would I need a VIP and Instance level Public IP Address in my single instance Virtual machine?
Likely not, since the VIP is already exclusive to the single instance virtual machine, you would not need another public IP to point to the VM, however with Instance level public IP address all ports in the VM are reachable without having to declare endpoints. So this will be handy if your application needs to expose dynamic public ports. 3. Is the Instance level Public IP Address shown in the portal?
No, at this point it is not supported through the portal. It is exclusively available only through powershell cmd let and REST API. 4. Can I use Instance level Public Address on any deployment?
Instance level Public IP address is available to use on deployments: 5. Is the Instance-Level public IP shown in the IP configuration on the VM?
No, the public IP (PIP) is not shown inside the VM. The IP Address can be obtained by making a REST API or powershell cmd lets as shown above. 6. Is there a DNS name for the Instance-Level Public IP?
No, there is no DNS name at this point. This will be enabled in the future.