Azure Proactive Resiliency Library v2

publicIPAddresses

Summary

| Recommendation | Impact | Category | Automation Available | PG Verified |
|---|---|---|---|---|
| Use Standard SKU and Zone-Redundant IPs when applicable | High | High Availability | Yes | Verified |
| Use NAT gateway for outbound connectivity to avoid SNAT Exhaustion | Medium | High Availability | Yes | Verified |
| Upgrade Basic SKU public IP addresses to Standard SKU | Medium | High Availability | Yes | Verified |
| Public IP addresses should have DDoS protection enabled | Medium | Security | Yes | Verified |

Details


Use Standard SKU and Zone-Redundant IPs when applicable

Impact: High | Category: High Availability | PG Verified: Verified

APRL GUID: c63b81fb-7afc-894c-a840-91bb8a8dcfaf

Description:

Public IP addresses in Azure can be of standard SKU, available as non-zonal, zonal, or zone-redundant. Zone-redundant IPs are accessible across all zones, resisting any single zone failure, thereby providing higher resilience.

Potential Benefits:

Enhanced resilience with zone redundancy

Learn More:

Public IP addresses - Availability Zones
Upgrading a basic public IP address to Standard SKU

ARG Query:

// Azure Resource Graph query
// List public IP addresses that are not Zone-Redundant
Resources
| where type =~ "Microsoft.Network/publicIPAddresses" and sku.tier =~ "Regional"
| where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3")
| where isempty(zones) or array_length(zones) <= 1
| extend az = case(isempty(zones), "Non-zonal", array_length(zones) <= 1, strcat("Zonal (", strcat_array(zones, ","), ")"), zones)
| project recommendationId = "c63b81fb-7afc-894c-a840-91bb8a8dcfaf", name, id, tags, param1 = strcat("sku: ", sku.name), param2 = strcat("availabilityZone: ", az)



Use NAT gateway for outbound connectivity to avoid SNAT Exhaustion

Impact: Medium | Category: High Availability | PG Verified: Verified

APRL GUID: 1adba190-5c4c-e646-8527-dd1b2a6d8b15

Description:

Prevent connectivity failures due to SNAT port exhaustion by employing NAT gateway for outbound traffic from virtual networks, ensuring dynamic scaling and secure internet connections.

Potential Benefits:

Avoids SNAT port exhaustion risks

Learn More:

Use NAT GW for outbound connectivity
TCP and SNAT Ports

ARG Query:

// Azure Resource Graph query
// List public IP addresses attached directly to network interfaces (VM instance-level public IPs)
resources
| where type =~ 'Microsoft.Network/publicIPAddresses'
| where tostring(properties.ipConfiguration.id) contains "microsoft.network/networkinterfaces"
| project recommendationId="1adba190-5c4c-e646-8527-dd1b2a6d8b15", name, id, tags, param1=strcat("Migrate from instance IP to NAT Gateway")



Upgrade Basic SKU public IP addresses to Standard SKU

Impact: Medium | Category: High Availability | PG Verified: Verified

APRL GUID: 5cea1501-6fe4-4ec4-ac8f-f72320eb18d3

Description:

Basic SKU public IP addresses will be retired on September 30, 2025. Users are advised to upgrade to Standard SKU public IP addresses before this date to avoid service disruptions.

Potential Benefits:

Avoids service disruption

Learn More:

Upgrading a basic public IP address to Standard SKU - Guidance
Upgrade to Standard SKU public IP addresses in Azure by 30 September 2025 as Basic SKU will be retired

ARG Query:

// Azure Resource Graph query
// List Basic SKU public IP addresses
Resources
| where type =~ "Microsoft.Network/publicIPAddresses"
| where sku.name =~ "Basic"
| project recommendationId = "5cea1501-6fe4-4ec4-ac8f-f72320eb18d3", name, id, tags, param1 = strcat("sku: ", sku.name)



Public IP addresses should have DDoS protection enabled

Impact: Medium | Category: Security | PG Verified: Verified

APRL GUID: c4254c66-b8a5-47aa-82f6-e7d7fb418f47

Description:

DDoS attacks can be targeted at any endpoint that is publicly reachable through the internet.

Potential Benefits:

Avoids service disruption

Learn More:

Azure DDoS Protection

ARG Query:

// Azure Resource Graph query
// Public IP addresses should have DDoS protection enabled
resources
| where type =~ 'Microsoft.Network/publicIPAddresses'
| where properties.ddosSettings.protectionMode !in~ ("Enabled", "VirtualNetworkInherited")
| project recommendationId="c4254c66-b8a5-47aa-82f6-e7d7fb418f47", name, id, tags, param1=strcat("Apply either DDoS Network protection or DDoS IP Protection to the public IP address.")
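
The four checks above can also be applied offline to an exported inventory, for example in a review pipeline. The Python below is an added example, not APRL's own code: the function and finding names are hypothetical, the sample rows are constructed, and it assumes rows shaped like Azure Resource Graph results, a caller-supplied subset of the page's zone-capable region list, and that a row with no `ddosSettings` counts as unprotected.

```python
# Added example, not APRL code; names are hypothetical, rows mimic ARG output.
AZ_REGIONS = {"eastus", "westeurope", "uksouth"}  # subset of the page's list
DDOS_OK = {"enabled", "virtualnetworkinherited"}

def _get(obj, *path):
    """Walk nested dicts; None if any level is missing."""
    for key in path:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj

def _lower(value):
    return str(value or "").lower()

def findings(pip, az_regions=AZ_REGIONS):
    """Return the sorted check names that one public IP row fails."""
    out = []
    zones = pip.get("zones") or []
    if (_lower(_get(pip, "sku", "tier")) == "regional"
            and _lower(pip.get("location")) in az_regions and len(zones) <= 1):
        out.append("not-zone-redundant")
    nic = _lower(_get(pip, "properties", "ipConfiguration", "id"))
    if "microsoft.network/networkinterfaces" in nic:
        out.append("instance-level-ip")
    if _lower(_get(pip, "sku", "name")) == "basic":
        out.append("basic-sku")
    # Assumption: a row with no ddosSettings at all counts as unprotected.
    mode = _lower(_get(pip, "properties", "ddosSettings", "protectionMode"))
    if mode not in DDOS_OK:
        out.append("no-ddos-protection")
    return sorted(out)

NIC_ID = ("/subscriptions/sub-placeholder/resourceGroups/rg/providers/"
          "Microsoft.Network/networkInterfaces/nic1/ipConfigurations/ipconfig1")
SAMPLE = [  # constructed rows, not real resources
    {"name": "pip-zr", "location": "eastus", "zones": ["1", "2", "3"],
     "sku": {"name": "Standard", "tier": "Regional"},
     "properties": {"ddosSettings": {"protectionMode": "VirtualNetworkInherited"}}},
    {"name": "pip-vm", "location": "WestEurope", "zones": ["1"],
     "sku": {"name": "Standard", "tier": "Regional"},
     "properties": {"ipConfiguration": {"id": NIC_ID},
                    "ddosSettings": {"protectionMode": "Disabled"}}},
    {"name": "pip-old", "location": "uksouth", "properties": {},
     "sku": {"name": "Basic", "tier": "Regional"}},
]

def report(rows=SAMPLE):
    return {r["name"]: findings(r) for r in rows}
```

`report()` maps each sample name to the checks it fails; the zone-redundant, DDoS-inheriting address comes back with an empty list.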