Multiple Public IP Support for VM-Series on Microsoft Azure

by mkeil a week ago - edited Tuesday by (221 Views)

 

Details

Multiple public IP support in Microsoft Azure is currently in public preview, the last step towards general availability. Any Microsoft Azure customer can sign up directly for access to this upcoming feature by following the steps provided at this link: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-multiple-ip-addresses-powersh...

 

As a reminder, multiple public IP support allows you to assign one or more public IPs to any interface (NIC) of the VM-Series instance in Azure, eliminating the current need for a NAT VM in some deployment scenarios.

 

Note:

  • To sign up for public preview access, you will need to use Azure PowerShell, which is different from the PowerShell found on Windows.
  • The steps in the link above also provide access to Azure Load Balancer enhancements that allow traffic to be distributed across any IP address of any interface of the VM-Series (i.e. Azure Load Balancer no longer targets only eth0). For more details on how to scale out security to protect web applications using VM-Series and Application Gateway, see: https://github.com/PaloAltoNetworks/azure-applicationgateway

  • Multiple public IP and Azure Load Balancer enhancements are currently being rolled out as a generally available (GA) feature from Azure. For details on availability by Azure region see here: https://azure.microsoft.com/en-us/updates/public-preview-multiple-ips-per-nic/
  • For each public IP assigned to an interface, Azure also assigns a private IP to the VM-Series interface. When the first public IP (i.e. primary public IP) is configured on the interface, the firewall gets the equivalent private IP via DHCP. Any additional, i.e. secondary, public IP (or private IP) assigned to a VM-Series interface must be manually configured inside VM-Series on the corresponding interface.
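
The split described in the last note (primary address delivered by DHCP, secondary addresses configured by hand) can be checked per NIC. The following is an added example, not part of the original article or of Palo Alto Networks' tooling: the function name, resource names and sample NIC are constructed, and the sample's property names mirror the object returned by `Get-AzNetworkInterface`.

```powershell
# Added example: list every IP configuration on a VM-Series NIC and state
# whether the firewall receives the address via DHCP (primary) or needs it
# configured manually on the matching interface (secondary).
function Get-VmSeriesIpPlan {
    param([Parameter(Mandatory)] $Nic)
    foreach ($cfg in $Nic.IpConfigurations) {
        # The NIC only holds a reference (resource ID) to its public IP;
        # the last path segment of that ID is the public IP resource name.
        $publicIpName = if ($cfg.PublicIpAddress) {
            ($cfg.PublicIpAddress.Id -split '/')[-1]
        } else { $null }
        [pscustomobject]@{
            Nic          = $Nic.Name
            IpConfig     = $cfg.Name
            Primary      = [bool]$cfg.Primary
            PrivateIp    = $cfg.PrivateIpAddress
            PublicIpName = $publicIpName
            OnFirewall   = if ($cfg.Primary) { 'received via DHCP' }
                           else { 'configure manually on the interface' }
        }
    }
}

# Constructed sample: one primary and two secondary IP configurations.
$pipPrefix = '/subscriptions/<sub-id>/resourceGroups/example-rg' +
             '/providers/Microsoft.Network/publicIPAddresses/'
$sampleNic = [pscustomobject]@{
    Name             = 'vmseries-eth1'
    IpConfigurations = @(
        [pscustomobject]@{ Name = 'ipconfig1'; Primary = $true
            PrivateIpAddress = '10.0.1.4'
            PublicIpAddress  = [pscustomobject]@{ Id = $pipPrefix + 'app1-pip' } }
        [pscustomobject]@{ Name = 'ipconfig2'; Primary = $false
            PrivateIpAddress = '10.0.1.5'
            PublicIpAddress  = [pscustomobject]@{ Id = $pipPrefix + 'app2-pip' } }
        [pscustomobject]@{ Name = 'ipconfig3'; Primary = $false
            PrivateIpAddress = '10.0.1.6'
            PublicIpAddress  = $null }   # private-only secondary address
    )
}
Get-VmSeriesIpPlan -Nic $sampleNic | Format-Table -AutoSize

# Against a live NIC (needs the Az module and a signed-in session):
# Get-VmSeriesIpPlan -Nic (Get-AzNetworkInterface -ResourceGroupName 'example-rg' -Name 'vmseries-eth1')
```

Every row with a `PublicIpName` is an Internet-reachable address on the firewall, so the output also serves as an exposure inventory to compare against the security and NAT policy configured for that interface.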

Once you start using the multiple public IP feature, a NAT VM is no longer required in front of Internet-facing deployments, as it was previously. If you are using a NAT VM, you can reassign the NAT VM’s public IP directly to the VM-Series firewall's public-facing interface in the Azure Portal. For example, one or more public IPs can be assigned to the untrust interface (eth1) in the diagram below.

 

[Image: resource group.png]

 

Now multiple services or applications can be hosted from the same interface, or from separate interfaces. For example, application 1 can be served from the VM-Series eth1 interface, and application 2 from the eth2 interface. For highly available designs and scalability, it is recommended to use Azure-native load balancers like Azure Application Gateway or Azure Load Balancer, as discussed here.
