8/28/2021

Public IP addresses allow Internet resources to communicate inbound to Azure resources. Public IP addresses enable Azure resources to communicate to Internet and public-facing Azure services. The address is dedicated to the resource, until it's unassigned by you. A resource without a public IP assigned can communicate outbound. Azure dynamically assigns an available IP address that isn't dedicated to the resource. For more information about outbound connections in Azure, see Understand outbound connections.

A public Internet Protocol address is globally unique, and only assigned to a unique device. There are two types of Internet Protocol (IP) addresses: public and private. A public IP address is defined above; to clarify, a private IP address is assigned to devices within your private space without letting them be directly exposed to the. You can find the public IP address of your network from any device or computer connected to it. First, be sure the device is connected to the network you want to check: for example, if you are using a smartphone that is not connected to your Wi-Fi network, you will find the public IP address of your mobile data connection.

There are several ways to find your public IP address: use an IP address finding website, find it from the command line, or locate it on your router or modem. The easiest way to find your external IP address is to use a website dedicated to doing just that. A web server, email server and any server device directly accessible from the Internet are candidates for a public Internet Protocol address.

In Azure Resource Manager, a public IP address is a resource that has its own properties. Some of the resources you can associate a public IP address resource with:

  • Virtual machine network interfaces
  • Internet-facing load balancers
  • VPN gateways
  • Application gateways
  • Azure Firewall

IP address version

Public IP addresses are created with an IPv4 or IPv6 address.

SKU

To learn about SKU upgrade, refer to Public IP upgrade.

Public IP addresses are created with one of the following SKUs:

Important

Matching SKUs are required for load balancer and public IP resources. You can't have a mixture of basic SKU resources and standard SKU resources. You can't attach standalone virtual machines, virtual machines in an availability set resource, or a virtual machine scale set resources to both SKUs simultaneously. New designs should consider using Standard SKU resources. Please review Standard Load Balancer for details.

Standard

Standard SKU public IP addresses:

  • Always use static allocation method.
  • Have an adjustable inbound originated flow idle timeout of 4-30 minutes, with a default of 4 minutes, and fixed outbound originated flow idle timeout of 4 minutes.
  • Secure by default and closed to inbound traffic. Allow list inbound traffic with a network security group.
  • Assigned to network interfaces, standard public load balancers, or Application Gateways. For more information about Standard load balancer, see Azure Standard Load Balancer.
  • Can be zone-redundant (advertised from all 3 zones), zonal (guaranteed in a specific pre-selected availability zone), or no-zone (not associated with a specific pre-selected availability zone). To learn more about availability zones, see Availability zones overview and Standard Load Balancer and Availability Zones. Zone redundant IPs can only be created in regions where 3 availability zones are live. IPs created before zones are live will not be zone redundant.
  • Can be used as anycast frontend IPs for cross-region load balancers (preview functionality).

Note

Inbound communication with a Standard SKU resource fails until you create and associate a network security group and explicitly allow the desired inbound traffic.

Note

Only public IP addresses with Basic SKU are available when using the instance metadata service (IMDS). Standard SKU is not supported.

Note

Diagnostic settings do not appear under the resource blade when using a Standard SKU public IP address. To enable logging on your Standard public IP address resource, navigate to diagnostic settings under the Azure Monitor blade and select your IP address resource.

Basic

All public IP addresses created before the introduction of SKUs are Basic SKU public IP addresses.

With the introduction of SKUs, specify which SKU you would like the public IP address to be.

Basic SKU addresses:

  • Assigned with the static or dynamic allocation method.
  • Have an adjustable inbound originated flow idle timeout of 4-30 minutes, with a default of 4 minutes, and fixed outbound originated flow idle timeout of 4 minutes.
  • Are open by default. Network security groups are recommended but optional for restricting inbound or outbound traffic.
  • Assigned to any Azure resource that can be assigned a public IP address, such as:
    • Network interfaces
    • VPN Gateways
    • Application Gateways
    • Public load balancers
  • Don't support Availability Zone scenarios. Use Standard SKU public IP for Availability Zone scenarios. To learn more about availability zones, see Availability zones overview and Standard Load Balancer and Availability Zones.

Allocation method

Basic and standard public IPs support static assignment. The resource is assigned an IP address at the time it's created. The IP address is released when the resource is deleted.

Basic SKU public IP addresses support a dynamic assignment. Dynamic is the default assignment method. The IP address isn't given to the resource at the time of creation when selecting dynamic.

The IP is assigned when you associate the public IP address resource with a:

  • Virtual machine
  • The first virtual machine is associated with the backend pool of a load balancer.

The IP address is released when you stop (or delete) the resource.

For example, a public IP resource is released from a resource named Resource A. Resource A receives a different IP on start-up if the public IP resource is reassigned.

The IP address is released when the allocation method is changed from static to dynamic. To ensure the IP address for the associated resource remains the same, set the allocation method explicitly to static. A static IP address is assigned immediately.

Note

Even when you set the allocation method to static, you cannot specify the actual IP address assigned to the public IP address resource. Azure assigns the IP address from a pool of available IP addresses in the Azure location the resource is created in.

Static public IP addresses are commonly used in the following scenarios:

  • When you must update firewall rules to communicate with your Azure resources.
  • DNS name resolution, where a change in IP address would require updating A records.
  • Your Azure resources communicate with other apps or services that use an IP address-based security model.
  • You use TLS/SSL certificates linked to an IP address.
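The SKU and allocation rules above lend themselves to an inventory check. The following Python is an added example, not part of the original documentation: it reads a JSON list of public IP resources and flags attached Basic SKU addresses (open by default) and dynamic addresses. The sample data is constructed, and the field names (`sku.name`, `publicIPAllocationMethod`, `ipConfiguration`, `dnsSettings.fqdn`) are assumed to match the output of `az network public-ip list -o json`.

```python
import json

# Constructed sample shaped like `az network public-ip list -o json` output.
# Names and IDs are invented; addresses come from RFC 5737 documentation ranges.
SAMPLE = json.loads("""[
 {"name": "pip-legacy-vm", "sku": {"name": "Basic"},
  "publicIPAllocationMethod": "Dynamic", "ipAddress": "203.0.113.10",
  "dnsSettings": null,
  "ipConfiguration": {"id": "/subscriptions/EXAMPLE/nic-legacy/ipconfig1"}},
 {"name": "pip-legacy-gw", "sku": {"name": "Basic"},
  "publicIPAllocationMethod": "Dynamic", "ipAddress": "203.0.113.20",
  "dnsSettings": {"fqdn": "contoso.westus.cloudapp.azure.com"},
  "ipConfiguration": {"id": "/subscriptions/EXAMPLE/gw-legacy/ipconfig1"}},
 {"name": "pip-web", "sku": {"name": "Standard"},
  "publicIPAllocationMethod": "Static", "ipAddress": "198.51.100.7",
  "dnsSettings": null,
  "ipConfiguration": {"id": "/subscriptions/EXAMPLE/lb-web/frontend1"}},
 {"name": "pip-spare", "sku": {"name": "Basic"},
  "publicIPAllocationMethod": "Static", "ipAddress": "198.51.100.9",
  "dnsSettings": null, "ipConfiguration": null}
]""")


def audit_public_ip(res):
    """Return a list of (code, advice) findings for one public IP resource."""
    # Addresses created before SKUs existed are Basic, so default to Basic.
    sku = ((res.get("sku") or {}).get("name") or "Basic").lower()
    method = (res.get("publicIPAllocationMethod") or "").lower()
    attached = bool(res.get("ipConfiguration"))
    fqdn = (res.get("dnsSettings") or {}).get("fqdn")
    findings = []
    if sku == "basic" and attached:
        # Basic is open by default and an NSG is optional, so verify one exists.
        findings.append(("BASIC_OPEN_BY_DEFAULT",
                         "confirm a network security group restricts inbound traffic"))
    if method == "dynamic":
        if fqdn:
            findings.append(("DYNAMIC_USE_FQDN",
                             f"reference {fqdn} via CNAME, never the raw IP"))
        else:
            findings.append(("DYNAMIC_NO_STABLE_NAME",
                             "IP changes after stop/start; set static before "
                             "using it in firewall rules or A records"))
    return findings


def audit(resources):
    """Map resource name -> finding codes, omitting resources with no findings."""
    out = {}
    for res in resources:
        codes = [code for code, _ in audit_public_ip(res)]
        if codes:
            out[res["name"]] = codes
    return out
```

Run `audit()` over an export of each subscription; Standard SKU static addresses and unattached addresses produce no findings here.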

Note

Azure allocates public IP addresses from a range unique to each region in each Azure cloud. You can download the list of ranges (prefixes) for the Azure Public, US government, China, and Germany clouds.

DNS hostname resolution

Select the option to specify a DNS domain name label for a public IP resource.

This selection creates a mapping for domainnamelabel.location.cloudapp.azure.com to the public IP in the Azure-managed DNS.

For instance, creation of a public IP with:

  • contoso as a domainnamelabel
  • West US Azure location

The fully qualified domain name (FQDN) contoso.westus.cloudapp.azure.com resolves to the public IP address of the resource.

Important

Each domain name label created must be unique within its Azure location.

DNS Recommendations

If a region move is needed, you can't migrate the FQDN of your public IP. Use the FQDN to create a custom CNAME record pointing to the public IP address.

If a move to a different public IP is required, update the CNAME record instead of updating the FQDN.

You can use Azure DNS or an external DNS provider for your DNS Record.

Virtual machines

You can associate a public IP address with a Windows or Linux virtual machine by assigning it to its network interface.

Choose dynamic or static for the public IP address. Learn more about assigning IP addresses to network interfaces.

Note

Azure provides an ephemeral IP for Azure Virtual Machines which aren't assigned a public IP address, or are in the backend pool of an internal Basic Azure Load Balancer. The ephemeral IP mechanism provides an outbound IP address that isn't configurable.

The ephemeral IP is disabled when a public IP address is assigned to the virtual machine or the virtual machine is placed in the backend pool of a Standard Load Balancer with or without outbound rules. If an Azure Virtual Network NAT gateway resource is assigned to the subnet of the virtual machine, the ephemeral IP is disabled.

For more information on outbound connections in Azure, see Using Source Network Address Translation (SNAT) for outbound connections.

Internet-facing load balancers

You can associate a public IP address of either SKU with an Azure Load Balancer, by assigning it to the load balancer frontend configuration. The public IP serves as a load-balanced IP.

You can assign either a dynamic or a static public IP address to a load balancer front end. You can assign multiple public IP addresses to a load balancer front end. This configuration enables multi-VIP scenarios like a multi-tenant environment with TLS-based websites.

For more information about Azure load balancer SKUs, see Azure load balancer standard SKU.

Note

Azure provides an ephemeral IP for Azure Virtual Machines which aren't assigned a public IP address, or are in the backend pool of an internal Basic Azure Load Balancer. The ephemeral IP mechanism provides an outbound IP address that isn't configurable.

The ephemeral IP is disabled when a public IP address is assigned to the virtual machine or the virtual machine is placed in the backend pool of a Standard Load Balancer with or without outbound rules. If an Azure Virtual Network NAT gateway resource is assigned to the subnet of the virtual machine, the ephemeral IP is disabled.

For more information on outbound connections in Azure, see Using Source Network Address Translation (SNAT) for outbound connections.

VPN gateways

Azure VPN Gateway connects an Azure virtual network to:

  • Azure virtual networks
  • On-premises network(s).

A public IP address is assigned to the VPN Gateway to enable communication with the remote network.

  • Assign a dynamic basic public IP to a VPNGw 1-5 SKU front-end configuration.
  • Assign a static standard public IP address to a VPNGwAZ 1-5 SKU front-end configuration.

Application gateways

You can associate a public IP address with an Azure Application Gateway, by assigning it to the gateway's frontend configuration.

  • Assign a dynamic basic public IP to an application gateway V1 front-end configuration.
  • Assign a static standard public IP address to a V2 front-end configuration.

Azure Firewall

Azure Firewall allows you to create, enforce, and log application and network connectivity policies across subscriptions and virtual networks.

You can only associate static standard public IP addresses with a firewall. This allows outside firewalls to identify traffic originating from your virtual network.

At-a-glance

The following table shows the property through which a public IP can be associated to a top-level resource and the possible allocation methods.

| Top-level resource | IP address association | Dynamic | Static |
| --- | --- | --- | --- |
| Virtual machine | Network interface | Yes | Yes |
| Internet-facing load balancer | Front-end configuration | Yes | Yes |
| VPN gateway | Gateway IP configuration | Yes | Yes (VPNGwAZ only) |
| Application gateway | Front-end configuration | Yes (V1 only) | Yes (V2 only) |
| Azure Firewall | Front-end configuration | No | Yes |

Limits

The limits for IP addressing are listed in the full set of limits for networking in Azure.

The limits are per region and per subscription. Contact support to increase the default limits up to the maximum limits based on your business needs.

Pricing

Public IP addresses may have a nominal charge. To learn more about IP address pricing in Azure, review the IP address pricing page.

Next steps

  • Learn about Private IP Addresses in Azure

This type of information is especially useful when you’re auditing a company’s network, or when you’re involved in some sort of cybersecurity investigation. Even if you aren’t researching a cybersecurity incident, sometimes you’ll need this information to configure whitelisting rules in your own firewall.

A few weeks ago we wrote about using IP scanner tools to find active hosts within corporate and remote networks. We also published an article about the best port scanners available, which included network discovery information.

While the utilities we mentioned are indeed useful for IP mapping and network discovery, they can fall short when you need to find the complete IP ranges a company owns. That’s the topic we’re exploring today.

How to identify a company’s public network address range

One of the most traditional ways to get the IP address of a company is to use the ping command, which gives you the main IP address of the web server behind the webpage. But that doesn’t give you the company’s full public network address range. It’s only a single isolated IP.

When you need the full IP address ranges owned by a company, there are other terminal-based commands and web-based solutions that can help you. Let’s explore them.

Using WHOIS information

We’ve mentioned the powerful WHOIS command in a lot of our articles. It’s one of the oldest terminal-based commands available, and can help retrieve information from domain names and IP addresses. It’s also of great use when it comes to finding the public network IP ranges of any company.

When the company doesn’t own any network subnets, it may be using collocated hardware, dedicated servers or virtual instances on popular cloud providers. In this case, WHOIS commands might not be as effective as one might hope, and other types of network explorations are needed.

These types of companies are often digital agencies, development teams, or software developers that rely on 3rd party networks.

For these kinds of small companies, one way to detect their public network IP addresses is by using Nmap with popular NSE scripts like dns-brute, or by using any other subdomain scanner tool.

However, a faster and simpler solution is to use the SecurityTrails IP Explorer feature, which allows you to visualize all DNS-dependent records:

  • Go to https://securitytrails.com
  • Type the domain name of the company you need to investigate
  • Explore the results, as shown below:

Here, we found the main IP addresses used by greynoise.com, which belong to network infrastructure provided by Squarespace, Inc. If you click on subdomains, you’ll find other subdomains used, along with each of their IP addresses:

In another scenario, if a company owns complete subnets (often seen in big companies), this IP range information may be stored in WHOIS records, letting you use a simple WHOIS client to retrieve the needed information.

For this purpose, we can use the following syntax:

This will show you all the registered IP ranges on the Asia Pacific RIR that belong to Microsoft. Here’s an output example:

You’ll see a lot of results, including company information, organizational details, country, etc.

Only in Asia, we found around 23 IP ranges owned by Microsoft. Imagine how much you can find in the rest of the world!

This is one of the most classic methods. However, it’s a manual one and not particularly friendly for non-technical users.
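WHOIS output lists each block as a start-end range, while firewall allow-lists and asset inventories usually want CIDR notation. The following Python is an added example, not code from the original article: it parses `inetnum` objects out of saved WHOIS output for your organization, converts each range to CIDR and merges nested ranges. The sample text, netnames and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample in the attribute/value style RIR WHOIS servers return;
# the ranges are RFC 5737 documentation blocks, not real allocations.
SAMPLE_WHOIS = """\
% constructed sample output

inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET-1
country:        AU

inetnum:        198.51.100.0 - 198.51.100.95
netname:        EXAMPLE-NET-2

person:         Example Admin

inetnum:        192.0.2.128 - 192.0.2.255
netname:        EXAMPLE-NET-1-SUB
"""


def parse_objects(text):
    """Split WHOIS output into objects, each a list of (attribute, value)."""
    objects, current = [], []
    for line in text.splitlines() + [""]:  # trailing "" flushes the last object
        if line.startswith(("%", "#")):
            continue  # server comments
        if not line.strip():  # a blank line ends the current object
            if current:
                objects.append(current)
            current = []
            continue
        key, sep, value = line.partition(":")
        if sep:
            current.append((key.strip().lower(), value.strip()))
    return objects


def inetnum_blocks(text):
    """Return [(netname, [ip_network, ...])] for each inetnum object."""
    blocks = []
    for obj in parse_objects(text):
        kind, value = obj[0]
        if kind != "inetnum":
            continue  # skip person, role, route and other object types
        first, sep, last = value.partition("-")
        if sep:  # "a.b.c.d - w.x.y.z" range: convert to an exact CIDR cover
            cidrs = list(ipaddress.summarize_address_range(
                ipaddress.ip_address(first.strip()),
                ipaddress.ip_address(last.strip())))
        else:  # value already in CIDR notation
            cidrs = [ipaddress.ip_network(value, strict=False)]
        blocks.append((dict(obj).get("netname", ""), cidrs))
    return blocks


def footprint(text):
    """Merge nested or duplicate ranges into a minimal CIDR list."""
    nets = [n for _, cidrs in inetnum_blocks(text) for n in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]
```

A range that is not aligned to a power of two, such as the second sample block, becomes more than one CIDR entry.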

Using a RIR API

If you don’t like using manual commands, and you do have some programming skills, you could interact directly with any of the RIRs’ APIs and run your queries from there.

The five RIRs allow access to their API so you can launch simple queries against any of the global WHOIS databases, letting you access data from specific IP ranges, or by searching strings such as company names.

For example, if you’re using RIPE¹ as one of the major RIRs and you want to explore an IP range, you can launch a simple HTTP request like this:

If you need to explore a company’s data, you can do so by using its name, in the following way:

In both cases, the response will be returned in XML format by default.

You can do the same thing by checking the official API docs for each of the five RIRs. Remember these are free APIs, and there are limits in place for avoiding abuse. Keep that in mind.

Using SurfaceBrowser™

What if you could avoid querying RIRs altogether, or query another WHOIS server to get the full IP blocks of any company in the world in just one second?

Brace yourself—such a tool really exists. It’s called SurfaceBrowser™.

SurfaceBrowser™ is our enterprise-grade product built as an attack surface analysis tool. And when it comes to network mapping, it can help you quickly retrieve the total IP blocks for any company in the world.

You can manually type the name of any company in the world, or choose to explore the full intelligence data we have ourselves (including total IP blocks) — from any of the Fortune 500 companies and Top 500 websites according to Alexa:

Here, we launched our test using Amazon as an example. Then, we clicked the IP Blocks option in the left menu, which can yield valuable results in less than a second.

Once you arrive at the results page, you’ll be able to obtain the total IP blocks, summarized by the Regional Registrar. You’ll be given the choice to show records between popular RIRs such as ARIN, RIPE, APNIC², AFRINIC and more. You’ll also be able to visualize IP blocks by subnet size including ranges such as /29, /30, /28, /18, /16, and others.

The results will be displayed showing the IP Block number, IP Count, Unique User Agents, assigned RIR, as well as hostnames and number of hosted domains for each IP range.

From this interface, you’ll be able to jump into specific IP ranges, to fetch real-time information regarding that block, which includes IP Count, Bitmask, Base IP, Broadcast IP, Network Mask, Host Mask, Service Provider, ASN lookup, and Organization.

If you’re also interested in discovering the IP neighbors for this IP range, it’s automatically displayed right below the IP Block information, showing complete stats of Unique User Agents and Hosted sites (a perfect DNS enumeration) for each neighbor range:

Today we learned new ways to get the full IP blocks of any company in the world. Some of them involve manual queries against the top RIRs, while others are fully automated, secure and give you access to all the public network blocks within a second.

Jump to the next level of cybersecurity intelligence data: book a demo with our sales team to test SurfaceBrowser™, our enterprise-grade product that will reveal not only the total IP blocks of any company, but also critical information about DNS records, domain names, open ports and SSL certificates.

¹ https://www.ripe.net/
² https://whois.apnic.net

Esteban is a seasoned security researcher and cybersecurity specialist with over 15 years of experience. Since joining SecurityTrails in 2017 he’s been our go-to for technical server security and source intelligence info.