I believe readers who come into contact with Azure for the first time will run into this problem: Azure's IP addresses. The first time I used Azure I was also thoroughly confused: one moment it was VIP, and I did not know whether that meant a membership; the next it was DIP, and then along came a PIP, so it is easy to mix them up. So today I'm going to talk a little about these kinds of IP.
Azure IP addresses fall into the following categories:
VIP. Load-balanced IP address (also called a public virtual IP address)
DIP. Internal IP address (the Azure official website writes it as VIP:x, where x is the port number)
PIP. Instance-level public IP
Without further ado, here is a picture first.
I took this picture from the official website; personally I think it is still relatively clear.
One. VIP
Overview. In ASM this IP address is required. It is the load-balanced IP address of the SLB; you can also think of it as the IP address of the cloud service, but in fact it is attached to the SLB. (Azure's SLB used to be built with VMs and is now built on physical machines, which is why Ali's SLB is still charged separately while Microsoft's is free.) We know that a cloud service is the equivalent of a container that holds your various deployments, and it is the SLB outside this container that is exposed to the Internet. In the earlier ASM, each cloud service gets one VIP for free, and an additional VIP address requires paying a fee. When an external person accesses the cloud service over the Internet, the VIP address is what they access.
The VIP has the following characteristics:
1. First, the IP address belongs to the SLB, and the SLB is attached to the cloud service. The cloud service must have a deployment, otherwise no VIP is assigned, and once the deployment is deleted the VIP is released. For example, when two VMs are deployed in the same cloud service, the two VMs sit behind the same VIP; if both VMs are deleted, the VIP is released as well.
2. The IP address cannot be pinged, because the SLB disables the ICMP protocol and ping is based on ICMP.
3. The IP address can be fixed through PowerShell. If it is not fixed, the VIP changes once the system restarts. Even if it is fixed, the VIP is still released once the cloud service deployment is deleted.
Two. DIP
Overview. Azure provides a virtual IP address for each deployment in the cloud service. This is the DIP, which is typically a private IP address that can only be used for communication within the intranet.
The DIP has the following characteristics:
1. This is the intranet IP address of the Azure VM. Different VMs in the same virtual network communicate with each other via their DIPs (of course, you can use NSGs on a subnet to apply policy).
2. Azure DIPs are assigned on a first-come, first-served basis: the first VM that is created and powered on is given an available DIP.
3. The DIP can also be fixed through PowerShell, whether in ASM or ARM, and the DIP stays reserved even if the VM is stopped or shut down. If you delete the VM in ASM, the DIP is released and no longer reserved for it. In ARM, if only the virtual machine is removed, the DIP is still held, because the network interface (the virtual network card of the virtual machine) has not been deleted, so the DIP is retained.
Three. PIP
Overview. We know that the DIP of a virtual machine cannot be accessed directly from the external network; you must go through the VIP and a port number. If a PIP is attached to the virtual machine, however, the external network can access it directly. In ASM the PIP type is not selectable and can only be dynamic; in ARM it is selectable and can be set to static. In addition, we know that ping is forbidden inside an Azure virtual network: two virtual machines that only have DIPs cannot ping each other even in the same intranet, but once PIPs are added the two virtual machines can ping each other. Why is that? Because the ping packet is actually not transmitted over the virtual network but goes over the Internet, which is tantamount to bypassing the virtual network and the SLB, so of course the ping works. Some people have also run into a strange problem: why can a VM with a PIP attached ping Baidu but not access Baidu? The reason is that an NSG is set up in front of your virtual machine, and by default the NSG only opens port 22, which is SSH, so port 80 is closed and of course the HTTP service cannot be used. And because the NSG can only limit TCP/UDP traffic and cannot limit ICMP, the VM can of course still ping Baidu.
The PIP has the following features:
1. The PIP is an independent public IP address; it is not the same as the load balancer IP address.
2. When two VMs in the same virtual network both keep a static PIP, the two PIPs must be different.
3. If a VM uses a PIP, all requests are sent directly to the VM. Without an NSG, the VM does not need any endpoints configured, because all endpoints are exposed to the Internet.
4. If the VM has a PIP, it can be pinged directly; the principle is as described above.
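The exposure rule in PIP feature 3 and in the NSG paragraph above can be checked mechanically. This is an added example, not code from the original post: it audits a constructed inventory and reports which VMs have a PIP with no NSG in front of them. The rule keys (direction, access, sourceAddressPrefix, destinationPortRange) follow Azure NSG rule properties; the inventory keys vm, subnet, nicNsg and publicIp and all sample values are hypothetical.

```python
# Constructed sample inventory (not from a real subscription).
INTERNET = {"*", "Internet", "0.0.0.0/0"}
SUBNET_NSG = {"web-subnet": "nsg-web", "lab-subnet": None}
NSG_RULES = {
    "nsg-web": [
        {"direction": "Inbound", "access": "Allow",
         "sourceAddressPrefix": "*", "destinationPortRange": "22"},
        {"direction": "Inbound", "access": "Allow",
         "sourceAddressPrefix": "10.0.0.0/16", "destinationPortRange": "3306"},
    ],
    "nsg-nic": [],
}
NICS = [
    {"vm": "vm-a", "subnet": "web-subnet", "nicNsg": None, "publicIp": "203.0.113.10"},
    {"vm": "vm-b", "subnet": "lab-subnet", "nicNsg": None, "publicIp": "203.0.113.11"},
    {"vm": "vm-c", "subnet": "lab-subnet", "nicNsg": "nsg-nic", "publicIp": "203.0.113.12"},
    {"vm": "vm-d", "subnet": "lab-subnet", "nicNsg": None, "publicIp": None},
]

def port_set(spec):
    """Expand a destinationPortRange ('22', '80-443', '*') into a set of ints."""
    if spec == "*":
        return set(range(65536))
    lo, _, hi = spec.partition("-")
    return set(range(int(lo), int(hi or lo) + 1))

def internet_ports(rules):
    """Ports opened to Internet sources by Allow/Inbound rules.
    Simplification: Deny rules and rule priority are not evaluated."""
    opened = set()
    for r in rules:
        if (r["direction"] == "Inbound" and r["access"] == "Allow"
                and r["sourceAddressPrefix"] in INTERNET):
            opened |= port_set(r["destinationPortRange"])
    return opened

def audit(nics, subnet_nsg, nsg_rules):
    """Return (vm, status, ports) for each NIC; ports is None when not applicable."""
    findings = []
    for nic in nics:
        nsgs = [n for n in (subnet_nsg.get(nic["subnet"]), nic["nicNsg"]) if n]
        if not nic["publicIp"]:
            findings.append((nic["vm"], "no-pip", None))      # reachable only via VIP/DIP
        elif not nsgs:
            findings.append((nic["vm"], "pip-no-nsg", None))  # every port faces the Internet
        else:
            # Inbound traffic has to pass every NSG in its path (subnet and NIC).
            allowed = set.intersection(*(internet_ports(nsg_rules[n]) for n in nsgs))
            findings.append((nic["vm"], "pip-nsg", sorted(allowed)))
    return findings
```

Any VM reported as pip-no-nsg is the case from feature 3: attach an NSG to its subnet or network interface before leaving the PIP in place.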