Azure BYOIP: A Comprehensive Guide to Custom IP Prefixes

Azure BYOIP allows you to bring your own IP prefix, which is a range of IP addresses that you can use to connect to Azure services.

You can choose from various IPv4 and IPv6 prefix lengths, ranging from /28 to /12, as mentioned in the article section.

This flexibility is especially useful for organizations with existing IP infrastructure, such as those with a large number of servers or applications.

BYOIP is a great option for these organizations, as it allows them to maintain control over their IP addresses and avoid the need for complex routing configurations.

Azure BYOIP offers several benefits, including the ability to retain your existing IP ranges to maintain your reputation and skip through externally controlled allowlists. This is especially useful for businesses that have built up a strong reputation over time.

You can also derive public IP address prefixes and standard SKU public IPs from your custom IP address prefixes, which can be used just like Azure-owned public IPs. This provides a lot of flexibility and makes it easy to integrate your own IP addresses with Azure's services.

Here are some key benefits of Azure BYOIP:

It's worth noting that there are some limitations to Azure BYOIP, including a maximum of five custom IP prefixes per region, which can be increased upon request. Additionally, custom IP prefixes don't currently support derivation of IPs with Internet Routing Preference or that use Global Tier.

By bringing your own IP (BYOIP) to the table, customers can retain their established reputation and continue to pass through externally controlled allowlists. This is a huge advantage, especially for businesses that have built up a strong reputation online.

You can also derive public IP address prefixes and standard SKU public IPs from custom IP address prefixes. These IPs can be used just like Azure-owned public IPs.

Here are the benefits of BYOIP in more detail:

When creating custom IP prefixes in Azure, there are some limitations to be aware of.

You can bring a maximum of five custom IP prefixes per region to Azure by default, but this limit can be increased upon request.

Custom IP prefixes don't support derivation of IPs with Internet Routing Preference or that use Global Tier for cross-region load-balancing.

In regions with availability zones, a custom IPv4 prefix or a regional custom prefix must be specified as either zone-redundant or assigned to a specific zone.

Custom IP prefixes don't currently support Reverse DNS lookup using Azure-owned zones; customers must onboard their own Reverse Zones to Azure DNS.

Here are the key limitations to keep in mind:

To onboard a custom IP range to Azure, you must own and have registered the range with a Routing Internet Registry such as ARIN or RIPE.

The range must be no smaller than a /24 (256 IP addresses) so that it will be accepted by Internet service providers.

You can onboard your ranges to Azure through the Azure portal, Azure PowerShell, Azure CLI, or by using Azure Resource Manager (ARM) templates.

Once onboarded, you can assign public IP addresses from the range to resources immediately or begin advertising the range before assigning, depending on your specific use case.

To assign the BYOIPs, create public IP prefixes (contiguous blocks of Standard SKU public IP addresses) from which you can allocate specific individual public IP addresses.

Onboarded IPs can be associated with any resource that supports Standard SKU public IPs, such as virtual machines, Standard Public Load Balancers, Azure Firewalls, and more.

You are not charged for maintenance and hosting of your onboarded Public IPs Prefix, but you are charged only for egress bandwidth from the IPs and any attached resources.

Here are the validation steps Microsoft performs to verify your ownership of the range and its association with your Azure subscription:

After you've completed the previous steps, your public IP range can move on to the Provisioning phase. In this phase, the range is created as a custom IP prefix resource in your Azure subscription.

The public IP range is now ready to be advertised from Azure and enter the Commissioning phase. This is where the range is advertised first from the Azure region where the custom IP prefix is located, and then by Microsoft's Wide Area Network (WAN) to the Internet.

The specific region where the range was provisioned is posted publicly on Microsoft's IP Range GeoLocation page. This is a crucial step, as it makes the range reachable and usable for your Azure resources.

You can assign public IP addresses from the range to resources immediately or begin advertising the range before assigning, depending on your specific use case. After issuing the command to commission a range, Microsoft will advertise it both regionally (within Azure) and globally (to the Internet).

The specific region where the range was onboarded will also be posted publicly for geolocation providers. You're not charged for maintenance and hosting of your onboarded Public IPs Prefix; you're charged only for egress bandwidth from the IPs and any attached resources.

Custom IPv4 and IPv6 prefixes have some differences in how they're onboarded and utilized, so be sure to check out the documentation for more information on these differences.