Upgrading Azure Basic Public IP address to Standard sku - part 2

 In this video I will try to answer few important and crucial queries I received on LinkedIn, youTube video comments and so on.

1. Can I upgrade the ip addresses attached to a VM NIC one by one?
2. Can I create new NIC, disassociate all existing basic public ips from old nic, perform the upgrade to standard and then attach to new NIC?
3. Can I disassociate all existing basic public ips from current nic, perform the upgrade to standard and then attach to same existing NIC?
4. What if I have my public IP basic, static and not attached to anything, can I upgrade?
5. Does this upgrade involve downtime? If yes, how much? Or how can I calculate?
6. Is there a way to rollback upgrade in case of failure?
7. Whom I should involve during the activity?

#azure #azurevm #publicIP

Part 1 Video is here - https://www.sanganakauthority.com/2025/03/upgrading-basic-public-ip-address-to.html

Upgrading a basic public IP address to standard sku - part 1

 Azure Basic SKU Public IP is retiring on Sep 2025. 

In this video I will talk about – 

1. Why to upgrade basic public Ips to standard, what is the need?

2. Important information about basic IP retirement

3. Understand scenarios in which you will need an upgrade from basic to standard

4. I will demo about Azure VM having NIC with multiple basic public IP upgrade

5. I will also demo about VMs in Av set and are having basic sku public IP then how do you upgrade them.

6. Then we will close. Rest of the upgrade scenarios I will cover in next part of this. 

Feel free to reach out in case of any questions. 

Azure Firewall with Static Outbound Public IP – Azure NAT Gateway

12 min to read.

Abstract

Below conversation may come as a surprise for some organizations when they onboard on Azure Firewall – [Click on image to get better view]

Azure Firewall randomly selects attached public IPs for outbound SNAT connections.

Many times for outbound connections, organizations prefer to use static public IP for Outbound SNAT connections. This helps a lot in whitelisting at organization customer’s / partner’s end. As of today Azure Firewall do not offer this capability.

This article talks about; how can you make sure that traffic leaving Azure Firewall uses a static public outbound IP addresses or range of static public IP addresses.

The solution proposed below is being used in many large enterprises today successfully, for providing static outbound IP to Azure Firewall.

Let’s go!

Understanding inbound and outbound connections

In below diagram I have one Azure VNET in which I have deployed one windows server and Azure Firewall instance in dedicated subnet. Let us quickly understand what is inbound and outbound traffic flow.

The Azure VM do not have any public IP assigned to it. If I host a sample application on top of this Azure VM then public facing endpoint is public IP of Azure Firewall.

Inbound means traffic originating from internet and reaching to Azure VM through DNAT operation of Azure Firewall. Refer below diagram – [click on image to get better view].

Note – Remember, for the inbound connection there will be response sent. This is response traffic and not outbound traffic.

Outbound means traffic generated within Azure environment and going out to internet. Refer below diagram – [click on image to get better view].

Problem Statement

No Outbound Static IP

Now that inbound and outbound traffic is clear; in above diagram Partner DC may ask for public IP of your Azure environment to whitelist in their firewalls. So in that case we will need static public IP/ range of public Ips assigned to firewall.

This way outbound traffic generated with Azure [in our case inside Azure VM] to partner DC will be SNAT to static public IP.

However as stated above; Azure Firewall randomly picks up any public IP assigned to it for outbound SNAT. This proposes challenges to customers.

Limited SNAT ports

Another important point to consider is about SNAT ports. When traffic goes out from firewall, a port will be used to send the traffic outbound. These number of ports are always per public IP assigned to Azure Firewall. Azure Firewall offers 2048 ports per public IP assigned. This might be a lower number based on application nature.

Whenever one outbound connection is made, one port will used from Azure Firewall. The engaged port is not released until connection operation is completed. At the same time if Azure Firewall needs to make another outbound connection then another port will be used.

This means, at any given point, one instance of Azure Firewall service with one public IP attached, can make maximum 2048 outbound concurrent connections.

Azure Firewall support max 250 public Ips. So total SNAT ports available on Azure Firewall – 250*2048 = 512,000.

However, 250 public IP is still a big number. You do not attach so many public Ips to Firewall instance out of the blue. You generally attach per application. Bringing 250 applications behind single Azure Firewall instance may not be possible right away when you start Azure journey.

At the same time; your single application running behind Azure firewall may easily need concurrent a million outbound connections. Example, WebSocket based chat application, mobile app communication using websockets.

Therefore we need a way by which we can scale SNAT ports as well for outbound connections passing through Azure Firewall.

Verifying Random IP Behavior

I have below construct in my Azure Subscription. [Click on the image to get better view] –

1.      Created VNET with 3 subnets – Firewall Subnet, Web VM subnet, Jump VM Subnet

2.      Attached two public Ips to Azure Firewall.

3.      Created Web VM in Web Layer and did NOT attach any public IP.

4.      Create Route Table with below routes and attached to web layer subnet

a.      If destination is Jump Layer subnet – next hop VNET

b.      If destination is internet [0.0.0.0/0] – next hop AzureFirewall IP.

5.      Created Jump VM WITH Public IP; just to take RDP to web VM over its private ip.

Here are the screenshots of Azure Firewall IP configurations and UDR on Web Layer Subnet. [click to get better view].

I am going to add ifconfig.me domain inside Azure firewall to allow the outbound traffic. Therefore we need to add DNS settings on Azure Firewall. Below is the screenshot to add the same – [click to get better view].

We will be using ifconfig.me URL to get the IP. Therefore allow the same in Azure Firewall as shown below using application rules. [click to get better view].

Now when I run command Curl ifconfig.me/ip from putty of Web VM; we see the firewall IP as an output. This means because of UDR attached to web layer, internet traffic initiated from web vm is passing through Azure Firewall. Azure Firewall then sending to internet by SNAT [Source NAT] to its own one of the public IP.

From below screenshot you can clearly see that any random IP out of two public Ips attached 

to Azure Firewall, is being used while outbound traffic is SNAT from Azure Firewall. 

[click to get better view]. 

From above screenshot it is visible that out of the two public Ips random IP is being chosen for outbound access.

Here is the Deal…NAT Gateway!

Microsoft Azure releases Virtual Network NAT service that simplifies the outbound-only internet connectivity for virtual networks. When configured on a subnet, all outbound connectivity uses your specified static public IP addresses.

Many times this service is also referred to as NAT Gateway.

Per public IP attached to NAT gateway we get 64,000 outbound SNAT ports. One NAT gateway can have 16 public IP addresses attached.

So total outbound SNAT ports available with a NAT gateway = 16 * 64,000 = 1,024,000.

So NAT Gateway is our solution to get Static Public IP for outbound traffic flowing through Azure Firewall.

Create NAT gateway and associate to subnet of Azure Firewall. Assign a public IP to NAT gateway. So as shown in the below diagram, even if the Azure Firewall has 2 public IP addresses; traffic originating from Web VM always take NAT Gateway associated public IP as outbound IP. [click to get better view].

Create NAT GW and associate to AzureFirewallSubnet using below sample powershell commands. Make sure you replace Resource groups name, VNET Name and location as appropriate.

# Create public IP addresses

New-AzPublicIpAddress -Name public-ip-1 -ResourceGroupName AzFwStaticIPRG -Sku Standard -AllocationMethod Static -Location 'Central India'

# Create NAT gateway

$PublicIPAddress1 = Get-AzPublicIpAddress -Name public-ip-1 -ResourceGroupName AzFwStaticIPRG

New-AzNatGateway -Name firewall-nat -ResourceGroupName AzFwStaticIPRG -PublicIpAddress $PublicIPAddress1 -Location 'Central India' -Sku Standard

# Associate NAT gateway to subnet

$virtualNetwork = Get-AzVirtualNetwork -Name MyVNET -ResourceGroupName AzFwStaticIPRG

$natGateway = Get-AzNatGateway -Name firewall-nat -ResourceGroupName AzFwStaticIPRG

$firewallSubnet = $virtualNetwork.subnets | Where-Object -Property Name -eq AzureFirewallSubnet

$firewallSubnet.NatGateway = $natGateway

$virtualNetwork | Set-AzVirtualNetwork

 The Azure NAT Gateway I created has public IP address 52.x.x.20 and is visible on Azure portal as below – [click to get better view].

Similarly it is associated to AzureFirewallSubnet as shown below – [click to get better view].

Verifying Static Outbound IP Address

Logged in to webvm using SSH and ran curl ifconfig.me command. We can see that it is showing Nat Gateway IP. Using NAT Gateway, for outbound traffic passing through Azure Firewall NEVER selected random IP from Azure firewall. [click to get better view].

Conclusion

Hope this article helped to overcome behavior of random public IP selection of Azure Firewall for outbound traffic. NAT Gateway is fully managed service and helps to configure static public outbound IP for outbound traffic passing through Azure Firewall.

Happy Static IPs!

A humble request!

Internet is creating a lot of digital garbage. If you feel this a quality blog and someone will definitely get benefited, don't hesitate to hit share button present below. Your one share will save many precious hours of a developer. Thank you.

Next Related Posts

Proven Azure Architecture Patterns using PaloAlto NGFW and F5 DDoS and WAF

4 VNETs and transitive Routing using Azure firewall

Azure Virtual Machines – real world frequently asked questions – not easily answered.

Azure VM disk encryption, what should be my approach!

Bypass onpremises firewall to RDP or SSH into Azure VM 

Transitive Routing and Site to Site VPN, Azure Firewall, VNET Peering, 4 VNETs

14 min to read.

Abstract

In earlier blog I talked about solving transitive routing problem in 3 VNETs. Recently I came across a situation where transitive routing was required across 4 layers.

A (On-premises DC) < site to site VPN> B (VNET with VPN GW) < peered to> C (Firewall VNET) < peered to> D (server app VNET).

Interested to know how to achieve transitive routing across 4 VNETs? Read on.

Problem Statement

Let us understand the problem better by using example. [Click to get better view]-

Requirements are as below -

1.      Contoso company has on-premises DC connected to Azure Landing Zone VNET using Site to Site VNET.

2.      Server Deployment should be done in separate VNET and all traffic should be monitored using Firewall

3.      The firewall must be placed in separate VNET for logical separation and more granular control.

4.      Communication between OnPremises DC server to Azure Server VNET must pass through S2S VPN, Firewall in both directions.

This is classic Transitive routing scenario in Azure, but a complex one. There are 4 networks and you need connectivity between first and fourth; without having them connecting directly.

Let us solve this one by one.

Solving on premises DC connectivity to Azure Landing Zone VNET

I don’t have any on premises site for demo. Therefore I created Azure VNET only and will be treating it as on premises site.

So we have 2 Azure VNETs across which we need connectivity. You can easily set it up using VNET to VNET connection or using VPN Gateway connection. However to replicate real world scenario we will create Site to Site VPN between On premises DC and Contoso Landing Zone Azure VNETs; using Azure VPN Gateway in each.

Connection between Server VNET to Firewall VNET

Server VNET needs to send data [ in our case we will just try RDP] to on premises DC VM. However they are not connected directly.

Also traffic to/ from server VNET has to be filtered through firewall. Therefore we created separate VNET for Server and firewall. I decided to use Azure firewall and the VNET is called as Transit VNET below.

As Server VNET just receive / send data to/ from Azure firewall; we need Standard VNET Peering between Server and Transit VNET.

Connection between Firewall VNET to Landing Zone VNET

Data from Server VNET VMs need to be sent to on premises. However it has to be passed from Azure firewall. Therefore we need Transit VNET to send data to on premises in reality.

So we want traffic from firewall VNET to reach to contoso on premises DC VNET using S2S VPN Gateways present in both VNETs.

For this we will need to setup VNET Peering with Remote Gateway option between Transit VNET and Landing Zone VNET. Only Standard VNET peering won’t work in this scenario.

Final Solution Architecture looks like below

[click to get better view].

Setting up Site to Site between Azure VNETs

We need to create two Local network gateway as shown in above diagram. You need to take care of below when you create S2S between Azure VNETs using Azure VPN Gateways.

1.      Create Contoso DC Local network gateway and assign public IP of Contoso DC VPN GW. Assign range of on premises DC private VNET.

2.      Create Contoso Zone Local Network Gateway and assign public IP of Contoso Zone VPN GW. Assign ranges of Server, Transit and Zone private VNET.

Refer below screenshots – [click to get better view]

Then to setup Site to Site IPSec tunnel follow the guide as describe here - Tutorial- Connect on-premises network to virtual network: Azure portal - Azure VPN Gateway | Microsoft Docs

Refer below screenshots – [click to get better view]

This completes the S2S connection between 2 Azure VNETs using Azure VPN Gateway.

Provision Azure Firewall and Add Network Rules

Create dedicated subnet for Azure Firewall in Transit VNET and then create Azure Firewall in Transit VNET.

We want RDP traffic from Server VNET to DC VNET and vice versa to allow through Azure Firewall. Therefore add below rules in Azure Firewall network rules. [click to get better view]

Setup VNET Peering between Server, Transit and Zone VNETs

First configure server VNET to Transit VNET peering as shown below. Here as both VNETs to dot have Azure VPN Gateway; so this will be standard VNET peering. [click to get better view]

Then configure Transit VNET to Zone VNET peering. Here Zone VNET has Azure VPN Gateway and we want traffic filtered from Transit VNET firewall to pass to on premises DC VNET over S2S.

Therefore use remote gateway setting in Transit VNET peer, and “Use this VNETs Gateway or Route server” setting in Zone VNET peer as shown. [click to get better view].

This step completes all the required peering setting as per architecture diagram.

Configure Azure Route Tables

From Server subnet we want traffic to go to Contoso DC and pass through Azure Firewall. Therefore we need to add below rules on server subnet –

1.      If destination is Contoso DC VNET then next hop is firewall IP

2.      If destination is Zone VNET then next hop is firewall IP

Then assign route table to server subnet as shown below. [click to get better view].

The traffic received on Contoso Zone GW and destined to server vnet should also be passed always to firewall. Therefore we need to add below rules on Zone Gateway Subnet route table –

1.      If destination is server VNET then net hop is firewall IP.

Then assign route table to Gateway subnet of Zone VNET. [click to get better view.]

This completes configuration of all Route tables.

Confirm the connectivity between Server and On Premises DC VNET

Login to Server VM using public IP. Then simply ping to on premises Dc VM. The ping should be successful as shown below. If we try to take RDP to On Premises DC VM over private IP from server VM; it should be successful as shown below. [click to get better view].

You can view the source address of server VM from event viewer as below – [click to get better view]

Similarly RDP from On Premises DC server to Server VM over private IP should also be successful.

Conclusion

Hope this article helped to design Transitive Routing across 4 VNETs.

Happy Peering!!

A humble request!

Internet is creating a lot of digital garbage. If you feel this a quality blog and someone will definitely get benefited, don't hesitate to hit share button present below. Your one share will save many precious hours of a developer. Thank you.

Next Related Posts

Transitive routing across 3 VNETs using Ubuntu VM

Azure Virtual Machines – real world frequently asked questions – not easily answered.

Azure Migration frequently asked questions, not easily answered!

Azure VM disk encryption, what should be my approach!

Bypass onpremises firewall to RDP or SSH into Azure VM

Run Android emulator and Android Studio on Azure VM using Hyper V

14 min to read.

Abstract

Due to Corona outbreak, times are hard! Please take care everyone! I wish good health for all! Stay safe!

There is another outbreak I am seeing – Making Development environment available on Azure to enable Work from home. Almost in every customer call I hear about requirement to enable Development Environment on Azure and accessing it from Home laptop/ PC and continue the business.

In the era of “Mobile first” almost every big enterprise, every Small and Medium Business (SMB), every Start up company have mobile development teams. They use variety of tools and one of the important IDE used for Mobile development is “Android Studio”.

Installing and running Android studio is smooth; however Android emulator installation fails on Azure VM. It is not straight forward. In this blog we will see “how to enable Android emulator with Android Studio on Azure VM”.

Let’s go!

Concept - Android Emulator and VM Acceleration

Without a virtualization technology and VM acceleration, the Android emulator must translate the machine code from the VM block by block to conform to the architecture of the host computer. This process can be quite slow. 

With a hypervisor, the VM and the architecture of the computer running emulator match, so the emulator can run code directly on the processor using the hypervisor. This improvement drastically increases both the speed and performance of the android emulator.

This concept is well suited for hardware. For example, if you have laptop then Android emulator can work like a charm. Because the required hardware for VM acceleration is provided by underlying laptop on which you are running Android Studio and hypervisor for emulator runs on laptop hardware.

Android Emulator and Intel HAXM

Android emulator is default based on Intel Hardware Accelerated Execution manager [HAXM]. This is Virtualization technology used behind the scene by Android studio to run the android emulator. HAXM is installed as a part of installation process of Android Studio as well.

So on Azure VM where we plan to run the Android simulator, Intel HAXM should be installed and present.

At the same time Intel HAXM and Hyper V are mutually exclusive. Means, if you have Hyper V enabled then HAXM can’t be installed and vice versa.

Installation of HAXM on Azure VM is not a problem. The VM series is a problem. When you say I want to install the HAXM; Hyper V should be disabled. Most of the VM series today have Hyper V “some way” enabled or not supported.

Remember Azure VM itself is a VM. Means it is based on Hyper V behind the scene already. Now on top of this VM you want to install another Hypervisor – either HAXM or Hyper V. The only series that supports the Hyper V on Azure VM itself is Hyperthreaded VMs – Dsv3 and Esv3 series or Dv3 and Ev3 series.

This Azure VM series support nested virtualization; because it supports running Hyper V on top of it or running any other hypervisor on top of it. Therefore installation of HAXM on Azure VM will succeed only on these Azure VMs and other will fail.

Now even if we install HAXM successfully on Azure VM and then install Android Studio with emulator successfully; the emulator will not work. I have experienced many errors as described below -

“error while loading state for instance 0x0 of device 'goldfish_pipe'”.

“Unfortunately, the Android emulator can’t support virtual machine acceleration from within a virtual machine.”

Android Emulator and WHPX

Microsoft Visual Studio has Android Emulator. It uses WHPX technology behind the scene. However it works on hardware. Means it can run well on your laptop but not on Azure VM. I could not start Android Emulator on Azure VM. When I attach the Visual Studio Android Emulator to Android Studio; it fails with many errors.

So what is the solution?

Solution and Architecture

Well, the solution provided will not help to run the latest version of Android emulator. However you will be able to make the Android Emulator work on Azure VM with “Older version”.

For this we will leverage “VS Emulator for Android” which is earlier version of Android Emulator Microsoft had released prior to current version of “hardware acceleration” based Android emulator.

So overall solution looks as follow – [click to get better view].

As a part of the solution make sure you provision VM with v3 series. I have selected Ds4v3 VM on Azure portal and provisioned it. By default allow the internet access to this VM so that we can download required software. As per the diagram I have attached public IP to my VM. So take RDP over public IP.

After RDP, install the software in the order mentioned below.

Visual Studio Emulator for Android – Life saver!

I have selected below version [click to get better view] of Windows 10 for provisioning VM on Azure. Also I have selected Ds4v3 series and Gen1 for provisioning. Go ahead and provision Azure VM.

Install Hyper V

Login to your VM and configure Hyper V on top of it. Open Run window -> type “appwiz.cpl” -> Click on “Turn windows feature on or off” -> Select all options against Hyper V option -> Select option “Windows Hypervisor platform”. After successful installation restart VM. Refer below [click to get better view].

Install Java

VS Emulator for Android requires Java. Therefore install using the link - https://www.java.com/download/.

Restart the machine.

Install Visual Studio Emulator for Android

Go to this page - https://visualstudio.microsoft.com/vs/msft-android-emulator/. Install VS emulator for Android. Remember we don’t have to install the complete Visual Studio here. The Visual Studio based Android emulator is based on Hardware acceleration and it will not work on Azure VM. At least I could not make it work after lot of attempts.

Successful installation screen shown below. It should also appear in start menu. [click to get better view].

After installation restart the Azure VM.

Install Android Studio

Install Android Studio from the link - https://developer.android.com/studio#downloads. Current version as of today is Android Studio 3.6.3. Install with default selected options. After successful installation you will see an option “start android studio”. Select this option and click finish as shown [click to get better view].

This launches the Android Studio and further starts configuration of Android Emulator. Continue with standard configuration with default options selected. You will see that HAXM installation failed. This is expected behavior as Hyper V is already enabled; HAXM is bound to fail. You will get screenshot as follows [click to get better view] –

This completes the installation of all required software. Restart the machine.

Integrating Android Studio to use Visual Studio Emulator for Android

The default path of Android SDK for me is - C:\Users\kunal\AppData\Local\Android\Sdk. This is default path.

We need to set a specific registry key to tell Visual Studio Emulator for Android where the Android Sdk is located. To set the needed registry key, run the script below in PowerShell on the Azure VM. If you have installed it on different path then change the below path in script accordingly.

$androidSdkPath = Resolve-Path $(Join-Path "$($env:APPDATA)" "../Local/Android/Sdk")

$registryKeyPath = "HKLM:Software\WOW6432NODE\Android Sdk Tools"

New-Item -Path $registryKeyPath

New-ItemProperty -Path $registryKeyPath -Name Path -PropertyType String -Value $androidSdkPath

Successful execution of the script will have below view [click to get better view].

Running Android Studio with VS Emulator for Android

First open Visual Studio Emulator for Android. On the launch screen you will see all version available in this emulator. You will see the last version that were available on this was API 23 Marshmallow. Refer below screenshot [click to get better view].

From above screen I downloaded the red marked device for emulator. When you click on Green checkmark then Device emulator starts as shown below [click to get better view].

Now open Android Studio. Click on “Start a new Android Project” on start screen. Then Select the Project Template as Basic Activity. Click Next. On “Configure your project” screen I selected Java as Language and kept rest of the setting as is. Click Finish. The creation of new project will take few mins. Final screen will be visible as shown. As you can see, VS Emulator is also visible on the below diagram. This means Android Studio has picked up VS Emulator for Android [click to get better view].

Go ahead and click on Run to deploy your test application on this emulator.

Post deployment you will see your application running on Visual Studio Emulator for Android as shown below [click to get better view].

Follow general security best practices when you take RDP over internet to this VM. Like whitelisting incoming IP in NSG etc.

Disclaimer

Visual Studio emulator for android is obsolete version and has last version of android available as API 23 – Android 6.0 - Marshmallow. However currently Android is running with version API 29 – Android 10.0 - Q.

I know we are not running on latest version however this workaround unblocks us in current Covid-19 situation.

Also, on top of this page - https://visualstudio.microsoft.com/vs/msft-msandroid-emulator/, it explains you that current version of Android Emulator uses hardware acceleration. VS Emulator for Android is older version of it and not recommended. 

However I chose this solution to my customers as of now; as this unblocks the customer immediately with the power of Azure cloud.

Also, right now my customer was not able to perform any android specific development task due to Corona virus situation. So even if older version, at least customer was able to continue the business and that was more important.

I repeat, the above approach of using older version of VS emulator is obsolete. For best experience you should switch to Hardware based emulator either using HAXM or WHPX. The above stated approach is a workaround for now. May be in future Microsoft Azure may release “absolutely non restricted Hyper V” supporting VMs and it may work.

Please note, this recommendation is my personal recommendation and in no way it represents the company I work for.

Bonus Tip

You can very well use this approach with Azure Windows Virtual Desktop [WVD]. Plus on top of it if you want to test your APK by device connection to USB; then you can enable local laptop USB while you take RDP to WVD and make it work.

Conclusion

Hope this article helped you to get started on Android Studio and Android emulator with Azure VM quickly. Let me know your views in comments section below to improve and what are your thoughts on this approach.

Happy emulating!!

A humble request!

Internet is creating a lot of digital garbage. If you feel this a quality blog and someone will definitely get benefited, don't hesitate to hit share button present below. Your one share will save many precious hours of a developer. Thank you.

Next Related Posts

Azure Virtual Machines – real world frequently asked questions – not easily answered.

Start stop multiple Azure VMs on schedule and save cost!

ExportAzure VMs to CSV!

Azure Migration frequently asked questions, not easily answered!

Azure VM disk encryption, what should be my approach!