Public Ip
The presented resiliency recommendations in this guidance include Public Ip and associated Public Ip settings.
Summary of Recommendations
The below table shows the list of resiliency recommendations for Public Ip and associated resources.
| Recommendation | Category | Impact | State | ARG Query Available |
|---|---|---|---|---|
| PIP-1 - Use Zone-Redundant IPs when applicable | Availability | High | Preview | Yes |
| PIP-2 - Use NAT gateway for outbound connectivity to avoid SNAT Exhaustion | Availability | Medium | Preview | Yes |
| PIP-3 - Upgrade Basic SKU public IP addresses to Standard SKU | Availability | Medium | Preview | Yes |
Recommendations Details
PIP-1 - Use Standard SKU and Zone-Redundant IPs when applicable
Category: Availability
Impact: High
Guidance
Public IP addresses with a standard SKU can be created as non-zonal, zonal, or zone-redundant in regions that support availability zones. A zone-redundant IP is created in all zones for a region and can survive any single zone failure. A zonal IP is tied to a specific availability zone, and shares fate with the health of the zone. A “non-zonal” public IP address is placed into a zone for you by Azure and doesn’t give a guarantee of redundancy. When utilizing a Public IP with resources that support zone resiliency (such as an Azure Load Balancer or Azure Firewall), it is recommended to use zone-redundant IPs in most cases.
Resources
Resource Graph Query
// Azure Resource Graph query
// List public IP addresses that are not Zone-Redundant
Resources
| where type =~ "Microsoft.Network/publicIPAddresses" and sku.tier =~ "Regional"
| where isempty(zones) or array_length(zones) <= 1
| extend az = case(isempty(zones), "Non-zonal", array_length(zones) <= 1, strcat("Zonal (", strcat_array(zones, ","), ")"), zones)
| project recommendationId = "pip-1", name, id, tags, param1 = strcat("sku: ", sku.name), param2 = strcat("availabilityZone: ", az)
PIP-2 - Use NAT gateway for outbound connectivity to avoid SNAT Exhaustion
Category: Availability
Impact: Medium
Guidance
Prevent risk of connectivity failures due to SNAT port exhaustion by using NAT gateway for outbound traffic from your virtual networks. NAT gateway scales dynamically and provides secure connections for traffic headed to the internet.
Resources
Resource Graph Query
// Azure Resource Graph query
// Lists VMs with PIPs
resources
| where type =~ 'Microsoft.Network/publicIPAddresses'
| where tostring(properties.ipConfiguration.id) contains "microsoft.network/networkinterfaces"
| project recommendationid="pip-2", name, id, tags, param1=strcat("Migrate from instance IP to NAT Gateway")
PIP-3 - Upgrade Basic SKU public IP addresses to Standard SKU
Category: Availability
Impact: Medium
Guidance
On September 30, 2025, Basic SKU public IP addresses will be retired. If you are currently using Basic SKU public IP addresses, make sure to upgrade to Standard SKU public IP addresses prior to the retirement date.
Resources
- Upgrading a basic public IP address to Standard SKU - Guidance
- Upgrade to Standard SKU public IP addresses in Azure by 30 September 2025—Basic SKU will be retired
Resource Graph Query/Scripts
// Azure Resource Graph query
// List Basic SKU public IP addresses
Resources
| where type =~ "Microsoft.Network/publicIPAddresses"
| where sku.name =~ "Basic"
| project recommendationId = "pip-3", name, id, tags, param1 = strcat("sku: ", sku.name)