Assigning multiple IPs to Windows VM in Azure

There are times when VM in Azure needs to have more than one IP address. It can be just secondary IP for specific service running on VM, or IP-address of load balancer that is attached to.

There are couple of (well documented) ways this can be configured on Azure end, and several ways to configure OS end.

When multiple IP addresses configured in Azure, the primary can be assigned via DHCP, however, that's a challenging task part to assign 2nd and subsequent IPs to VM.

Here I am exploring the new way that can be simple enough and effective at the same time.

Azure configuration.

Nothing new here, just repeating what is already was described a lot of times. 

On Azure end, there are 2 ways to get this done:
  1. assign 2nd (and all the subsequent, up to 200) IP address as a secondary IP
  2. use Attach Load Balancer to VM, and enable Floating IP (otherwise Load Balancer will use NIC IP, instead of LB IP)
This is important to understand that this if IP is not configured on Azure level, it does not matter if this is configured on OS level: Azure will just ignore them, and the minimum effect can be achieved - is that additional IP will not work. Maximum - connectivity to VM will be lost.

Windows configuration.

Loopback Interface

In Windows, there is a special NIC driver, called "KM - Loopback Test" that allows having virtual NIC.
This NIC can have the IPs statically configured in Azure.

Advantages:
  • Very well known way of configuring IPs on Windows VMs
Disadvantages:
  • Requires manual installation of Loopback Adapter (automatic installation is also possible, but requires downloading/installing external Microsoft tool, that does not have any persistent link)
  • Requires configuring relaxed routing configuration on NICs, that allows traffic destined to one nic, be received on another one.

Static NIC configuration

Just put the Ethernet NIC into static IP configuration mode, and configure all the required IPs as necessary.

Advandages:
  • Another widely used and accepted option.
  • Easy to automate without any external tools (powershell / netsh)
Disadvantages:
  • Easy to lose access to the VM, in case of misconfiguration or sudden IP address change.

DHCP + Static configuration coexistence on the same NIC:

Very few mentions of this approach in the Internet at all, and I haven't seen or faced anybody used that approach in Azure at all. 

This option, available since "Windows Server 2019/20 / Windows 10 2xHx" seems to change the game: It allows VM to have Primary IP of each NIC to be configured as dynamic via DHCP, and all the subsequent IPs - as static.

All that needed is just 3 netsh commands:

Get the interface name to use on the next steps

  • netsh interface ipv4 show interface
Enable DHCP and Static IP coexistence on this interface (unfortunately, only netsh is possible here, no powershell equivalent exists)

  • netsh interface ipv4 set interface interface="interface name" dhcpstaticipcoexistence=enabled
Finally, add one or more IP addresses

  • netsh interface ipv4 add address "interface name" 192.168.x.xxx 255.255.255.0

Advantages:
  • Uses the built-in Windows Tools
  • In case of Misconfiguration, IP address change, or reconfiguration, preserves access to VM via Primary (DHCP) IP address.
  • This option works perfectly fine on Windows laptops and Servers outside Azure
Disadvantages:
  • Works only on Windows 2019+/Windows 10+
  • Turning the option on requires netsh, cannot be done with PowerShell
  • GUI cannot be used to configure the IP addresses. Interface will seem to be using only DHCP, and will not display static IPs.

Example

Here how it looks like in my lab VM:

Screenshot shows Azure portal with Virtual Machine NIC configured with 3 IP addresses: one primary and two secondary.

VM "ipconfig /all" screenshot showing:
  • Primary DHCP IP, 
  • Two secondary static IPs
  • Public Load Balancer Floating IP configured
VM "ipconfig /all" screenshot showing: 1. Primary DHCP IP. 2. Two secondary static IPs. 3. Public Load Balancer Floating IP configured


Comments

Post a Comment

Popular posts from this blog

Traceroute in Azure

Image
Is it possible to traceroute in Azure? Despite a lot of negative statements, it is totally possible. Take a look: IPv4: IPv6: All you need is to meet 2 conditions here: Add Network Security Group rule allowing Inbound ICMP to this VM from Any source Configure VM with explicit instance-level public IP. Here's explanation for these conditions: 1. ICMP All the NSG rules in Azure, explicit or implicit, are stateful. This includes ICMP. As you may know, traceroute works by sending IP packets with very short TTL (starting with 1). Each router on the path is decreasing TTL by one, and the router that decreases packet TTL to 0, must drop it and should send ICMP message packet TTL Expired in transit. ICMP message will return to VM from the router, not from VM we are sening probes to. But NSG rules are only ready to receive responses from the end host. Opening ICMP inbound for all the hosts allows ICMP "Expired in transit" packets to reach original VM, and work tracert properly. 2....
Read more

Split-brain DNS with Privatelink domains and Internet Fallback

Image
Disclaimer: While I work for Microsoft, this article does not represent a recommended or validated architecture. It reflects my personal thoughts on a possible usage scenario. There's a new Azure Private DNS feature that allows fallback to Public DNS record if private one is not defined. Private DNS zones and the feature itself is perfectly explained in the official documentation and in blog posts of my coworkers, and I won't even try to repeat this. ( John Savill , Jose Moreno , Official Doc ) They are mostly created for Private Endpoint support for services provided by Microsoft. However, anyone can use the same feature to create Split-brain DNS for their own domain. Several use cases, besides Microsoft-provided services using Private Endpoints, that can be useful Use case 1. Corporate Split-brain DNS Imagine, you have different website versions for external and internal users. With Private DNS zones it was possible to create split DNS before, however, managing all the recor...
Read more