publicIPAddresses
Summary
Details
Use Standard SKU and Zone-Redundant IPs when applicable
Impact: High Category: High Availability PG Verified: Verified
APRL GUID: c63b81fb-7afc-894c-a840-91bb8a8dcfaf
Description:
Public IP addresses in Azure can be of standard SKU, available as non-zonal, zonal, or zone-redundant. Zone-redundant IPs are accessible across all zones, resisting any single zone failure, thereby providing higher resilience.
Potential Benefits:
Enhanced resilience with zone redundancy
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// Azure Resource Graph query
// List public IP addresses that are not Zone-Redundant
Resources
| where type =~ "Microsoft.Network/publicIPAddresses" and sku.tier =~ "Regional"
| where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3")
| where isempty(zones) or array_length(zones) <= 1
| extend az = case(isempty(zones), "Non-zonal", array_length(zones) <= 1, strcat("Zonal (", strcat_array(zones, ","), ")"), zones)
| project recommendationId = "c63b81fb-7afc-894c-a840-91bb8a8dcfaf", name, id, tags, param1 = strcat("sku: ", sku.name), param2 = strcat("availabilityZone: ", az)
Use NAT gateway for outbound connectivity to avoid SNAT Exhaustion
Impact: Medium Category: High Availability PG Verified: Verified
APRL GUID: 1adba190-5c4c-e646-8527-dd1b2a6d8b15
Description:
Prevent connectivity failures due to SNAT port exhaustion by employing NAT gateway for outbound traffic from virtual networks, ensuring dynamic scaling and secure internet connections.
Potential Benefits:
Avoids SNAT port exhaustion risks
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// Azure Resource Graph query
// Lists VMs with PIPs
resources
| where type =~ 'Microsoft.Network/publicIPAddresses'
| where tostring(properties.ipConfiguration.id) contains "microsoft.network/networkinterfaces"
| project recommendationId="1adba190-5c4c-e646-8527-dd1b2a6d8b15", name, id, tags, param1=strcat("Migrate from instance IP to NAT Gateway")
Upgrade Basic SKU public IP addresses to Standard SKU
Impact: Medium Category: High Availability PG Verified: Verified
APRL GUID: 5cea1501-6fe4-4ec4-ac8f-f72320eb18d3
Description:
Basic SKU public IP addresses will be retired on September 30, 2025. Users are advised to upgrade to Standard SKU public IP addresses before this date to avoid service disruptions.
Potential Benefits:
Avoids service disruption
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// Azure Resource Graph query
// List Basic SKU public IP addresses
Resources
| where type =~ "Microsoft.Network/publicIPAddresses"
| where sku.name =~ "Basic"
| project recommendationId = "5cea1501-6fe4-4ec4-ac8f-f72320eb18d3", name, id, tags, param1 = strcat("sku: ", sku.name)
Public IP addresses should have DDoS protection enabled
Impact: Medium Category: Security PG Verified: Verified
APRL GUID: c4254c66-b8a5-47aa-82f6-e7d7fb418f47
Description:
DDoS attacks can be targeted at any endpoint that is publicly reachable through the internet.
Potential Benefits:
Avoids service disruption
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// Azure Resource Graph query
// Public IP addresses should have DDoS protection enabled
resources
| where type =~ 'Microsoft.Network/publicIPAddresses'
| where properties.ddosSettings.protectionMode !in~ ("Enabled", "VirtualNetworkInherited")
| project recommendationId="c4254c66-b8a5-47aa-82f6-e7d7fb418f47", name, id, tags, param1=strcat("Apply either DDoS Network protection or DDoS IP Protrection to the public IP address.")