Azure VNet – IP Address Terms

Difficulty Level:    

The following terms/ definitions related to IP Address are very helpful for you to work with Azure Virtual Network.

No. Type Full Name Description
1 VIP Virtual IP Address A VIP is the public IP address associated with a VM. Every Azure VM has a VIP, with all the VMs in a cloud service having the same VIP.

The VIP is allocated at random from a pool of IP addresses managed by Microsoft. However, it is possible to reserve an IP address from the Microsoft pool and allocate that reserved IP address as a VIP. There is a limit of 5 reserved IPs for a subscription.

2 DIP Dynamic IP Address A DIP is an internal IP address associated with a VM. This IP address is associated automatically with the VM when it is created and remains associated with it while it is deployed. The DIP survives system reboots as well as service healing migration of the VM. If the VM is deleted or changed into a stopped/de-allocated state it loses its DIP, which may then be allocated to another VM.

Alternatively, the DIP can be a static IP address allocated to the VM on creation. This address comes from the range configured for the subnet the VM is deployed into. It is a good practice to use a distinct subnet for statically-allocated DIPs to avoid the possibility of collision between a dynamically and statically allocated DIP.

Azure supports the ability for a VM to have multiple virtual NICs, with each NIC being allocated a distinct DIP.

3 PIP Instance-level public IP Address A PIP is a public instance-level IP address associated with the VM in addition to the VIP.

Traffic to the PIP goes directly to the VM and is not routed through the Azure Load Balancer. Internet-bound traffic from a VM with a configured PIP is also sent over the PIP rather than going through the VIP.

Consequently, there is no need to configure an endpoint when using a PIP. The PIP must be appropriately firewalled to restrict traffic to only that desired.

A PIP is useful for workloads such as passive FTP that require a large number of ports to be opened, which is impractical when using the VIP which supports only a limited number of endpoints.

The following diagram represents 3 types of IP Address and the routings from networks to a given VM.

Azure VNet - How to connect to VM

Azure Load Balancer and IP Address

load-balancer-distribution

All inbound traffic to the VIP is routed through the Azure Load Balancer which firewalls and distributes it. The Azure Load Balancer only allows inbound traffic to reach a VM if there is a configured endpoint which maps some port on the VIP to a port on the DIP. The Azure Load Balancer supports only the TCP and UDP protocols, all other internet protocols are denied.

Internal Load Balancer and IP Address

ic744150

An Internal Load Balancer can be configured to port-forward or load-balance traffic inside a VNET or cloud service. The Internal Load Balancer supports only the TCP and UDP protocols, all other internet protocols are denied. The Internal Load Balancer associating a DIP/port combination on the load balancer with the DIP port/combination on a VM.


References

Son Nguyen

Son Nguyen

Son Nguyen is a Cloud Consultant working for FPT Software’s Cloud Innovation team. With deep knowledge in AWS and MS Azure, Son acts as a cloud consultant in various areas, ranging from assessment to architecture design, supporting customers from Japan, EU to US.

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *

*