
Public IP addresses should use availability zones

Reliability · Public IP address · Rule · 2021_12 · Important

Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability.

Description

Public IP addresses using availability zones improve reliability and ensure availability during failure scenarios affecting a data center within a region. A zone-redundant Public IP address can spread across multiple availability zones, which ensures the Public IP address remains available even if a zone goes down. This also ensures that public Standard Load Balancer frontend IPs using a zone-redundant Public IP address can survive a zone failure.

Recommendation

Consider using zone-redundant Public IP addresses deployed with Standard SKU.

Examples

Configure with Azure template

To configure zone-redundancy for a Public IP address:

  • Set sku.name to Standard.
  • Set zones to ["1", "2", "3"].

For example:

Azure Template snippet
{
  "type": "Microsoft.Network/publicIPAddresses",
  "apiVersion": "2023-05-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "Standard",
    "tier": "Regional"
  },
  "properties": {
    "publicIPAddressVersion": "IPv4",
    "publicIPAllocationMethod": "Static",
    "idleTimeoutInMinutes": 4
  },
  "zones": [
    "1",
    "2",
    "3"
  ]
}

Configure with Bicep

To configure zone-redundancy for a Public IP address:

  • Set sku.name to Standard.
  • Set zones to ['1', '2', '3'].

For example:

Azure Bicep snippet
resource pip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: name
  location: location
  sku: {
    name: 'Standard'
    tier: 'Regional'
  }
  properties: {
    publicIPAddressVersion: 'IPv4'
    publicIPAllocationMethod: 'Static'
    idleTimeoutInMinutes: 4
  }
  zones: [
    '1'
    '2'
    '3'
  ]
}

Notes

This rule is not applicable for public IP addresses used for Azure Bastion. Azure Bastion does not currently support Availability Zones. Public IP addresses with the following tags are automatically excluded from this rule:

  • resource-usage tag set to azure-bastion.

This rule fails when "zones" is constrained to a single (zonal) zone, or is set to null or [], when there are supported availability zones for the given region.

This rule passes if no zones exist for a given region or "zones" is set to ["1", "2", "3"].
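The pass, fail and exclusion conditions above can be sketched as a standalone check over expanded template resources. This is an added example, not PSRule for Azure's own implementation; the region-to-zone map, the helper names and the sample resources are constructed for illustration.

```python
# Added illustration of the pass/fail conditions in the Notes; not PSRule code.

# Constructed sample data: zones supported per region (illustrative values).
REGION_ZONES = {"eastus": ["1", "2", "3"], "exampleregion": []}
ZONE_REDUNDANT = {"1", "2", "3"}

def normalize(location):
    """Treat 'East US' and 'eastus' as the same region."""
    return location.replace(" ", "").lower()

def check_public_ip(resource, region_zones=REGION_ZONES):
    """Return 'skip', 'pass' or 'fail' for one expanded template resource."""
    if resource.get("type", "").lower() != "microsoft.network/publicipaddresses":
        return "skip"
    # The rule targets Standard SKU addresses only.
    if (resource.get("sku") or {}).get("name", "").lower() != "standard":
        return "skip"
    # Addresses tagged for Azure Bastion are excluded.
    if (resource.get("tags") or {}).get("resource-usage") == "azure-bastion":
        return "skip"
    # No availability zones known for the region: nothing to require.
    if not region_zones.get(normalize(resource.get("location", "")), []):
        return "pass"
    # null, [] or a single zone fails; only the full zone list passes.
    # A partial list such as two zones is also failed here (an assumption).
    zones = resource.get("zones") or []
    return "pass" if set(zones) == ZONE_REDUNDANT else "fail"

def evaluate(resources):
    """Map each resource name to its result."""
    return {r["name"]: check_public_ip(r) for r in resources}

def make_pip(name, location="eastus", sku="Standard", **extra):
    """Build a constructed sample Public IP resource."""
    return {"type": "Microsoft.Network/publicIPAddresses", "name": name,
            "location": location, "sku": {"name": sku}, **extra}

# Constructed sample resources (names are hypothetical).
SAMPLES = [
    make_pip("pip-redundant", zones=["1", "2", "3"]),
    make_pip("pip-zonal", zones=["1"]),
    make_pip("pip-nozones", zones=None),
    make_pip("pip-bastion", tags={"resource-usage": "azure-bastion"}),
    make_pip("pip-unzoned-region", location="Example Region"),
    make_pip("pip-basic", sku="Basic"),
]
```

Calling `evaluate(SAMPLES)` returns one result per resource name, which makes the zonal and unset cases easy to tell apart from the excluded ones.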

Configure AZURE_PUBLICIP_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST to set additional availability zones that need to be supported but are not in the existing providers for namespace Microsoft.Network and resource type publicIpAddresses.

# YAML: The default AZURE_PUBLICIP_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST configuration option
configuration:
  AZURE_PUBLICIP_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST: []
