This chapter covers Azure Public IP Prefixes, a feature that allows you to reserve a contiguous block of public IP addresses for your subscription. For the AZ-104 exam, understanding Public IP Prefixes is essential for designing scalable and manageable network architectures, especially when you need predictable public IP ranges for whitelisting or DNS. Questions on this topic appear in approximately 5-7% of exam questions, often integrated with scenarios involving load balancers, VPN gateways, and network security. Mastering this topic will help you answer questions about IP address management, SKU compatibility, and prefix lifecycle operations.
Jump to a section
Imagine a large corporation that frequently hosts events. Instead of finding individual parking spots each time, they reserve an entire parking lot with a contiguous block of spaces. This reserved lot ensures that all their guests park together, making access control and signage consistent. The corporation owns the lot for as long as they need it, and they can allocate individual spaces to different events without worrying about fragmentation. Similarly, a Public IP Prefix in Azure reserves a contiguous block of public IP addresses (e.g., 16 addresses in a /28 prefix). Once reserved, these IPs are dedicated to your subscription, and you can assign them to Azure resources like load balancers, VPN gateways, or individual VMs. The prefix ensures that all your public IPs come from a known range, simplifying firewall rules and DNS management. When you no longer need an address, you can return it to the prefix for reuse, just as an unused parking spot becomes available for the next event. However, you cannot use an IP from the prefix without first creating a standard SKU public IP resource from it, similar to needing a parking pass to use a specific spot. This reserved block gives you predictability and control, just as a reserved parking lot gives the corporation consistency and efficiency.
What is a Public IP Prefix?
A Public IP Prefix is a reserved, contiguous block of public IPv4 or IPv6 addresses assigned to your Azure subscription. The prefix itself is an Azure resource that defines the size of the block (e.g., /28 for 16 addresses, /29 for 8 addresses). Once created, you can create individual public IP resources from the prefix, and those IPs will come from the reserved range. The prefix ensures that all IPs allocated to your resources belong to a known, contiguous range, which simplifies network security rules, DNS configurations, and compliance requirements.
Why Does It Exist?
Without a prefix, when you create multiple public IP addresses, they are assigned from Azure's large pool and are generally non-contiguous. This makes it difficult to predict the exact IP range for whitelisting in third-party firewalls or for setting up reverse DNS records. A Public IP Prefix solves this by giving you a dedicated block that you control. It also reduces the administrative overhead of managing individual IPs and ensures that you can plan your IP space effectively.
How It Works Internally
When you create a Public IP Prefix, Azure reserves a block of addresses from a regional pool. The prefix is tied to a specific Azure region and subscription. You can then create standard SKU public IP addresses from the prefix. Each standard SKU public IP created from the prefix consumes one address from the block. You cannot create basic SKU public IPs from a prefix; only standard SKU is supported. The prefix itself does not consume an IP address—it just defines the range. The IPs are only consumed when you create a public IP resource from the prefix.
Key Components, Values, and Defaults
Prefix sizes: The supported prefix sizes are /28 (16 addresses) and /29 (8 addresses) for IPv4. For IPv6, the size is /124 (16 addresses). These are the only sizes allowed; you cannot create a /27 or /30 prefix.
SKU: Public IP Prefixes support only Standard SKU. Basic SKU is not compatible.
Tier: Regional (default) or Global. Global prefixes are for cross-region load balancers and are only available with Standard SKU.
IP version: IPv4 or IPv6. You cannot mix versions in a single prefix.
Idle timeout: Not applicable to the prefix itself; individual public IPs have their own idle timeout setting (default 4 minutes, configurable 4-30 minutes).
Domain name label: You can optionally assign a domain name label to the prefix, which will be used as a suffix for the IPs created from it (e.g., myprefix.eastus.cloudapp.azure.com).
Availability: Public IP Prefixes are available in all Azure regions, but you should verify regional support for the specific size and IP version.
Configuration and Verification Commands
To create a Public IP Prefix using Azure CLI:
az network public-ip prefix create \
--resource-group MyResourceGroup \
--name MyPrefix \
--location eastus \
--prefix-length 28To create a public IP from the prefix:
az network public-ip create \
--resource-group MyResourceGroup \
--name MyIP \
--public-ip-prefix MyPrefix \
--sku Standard \
--allocation-method StaticTo list all IPs in a prefix:
az network public-ip prefix show \
--resource-group MyResourceGroup \
--name MyPrefix \
--query "publicIPAddresses"In the Azure portal, you can navigate to the Public IP Prefix resource and see a list of associated IPs under "Overview".
Interaction with Related Technologies
Azure Load Balancer: You can assign a public IP from a prefix to a load balancer's frontend. For cross-region load balancers, you need a Global prefix.
VPN Gateway: VPN gateways can use a public IP from a prefix for the gateway's public endpoint. This ensures the gateway's IP is from your known range.
Azure Firewall: You can associate a public IP from a prefix to Azure Firewall for outbound traffic.
Network Security Groups (NSGs): You can reference the prefix's IP range in NSG rules to allow or deny traffic from your reserved block.
Azure DNS: You can create reverse DNS records for the entire prefix range, ensuring that all IPs in the block have consistent PTR records.
Lifecycle and Management
Create: You create a prefix with a specified size and region. The prefix is assigned immediately, and the IPs are reserved but not yet consumed.
Allocate: Create a standard SKU public IP from the prefix. Each allocation consumes one address. You cannot allocate an IP that is already in use.
Release: When you delete a public IP that was created from a prefix, the address returns to the prefix pool and becomes available for reuse.
Delete: You can delete a prefix only if no public IPs are currently allocated from it. Attempting to delete a prefix with active IPs will fail.
Resize: You cannot resize a prefix after creation. To change the size, you must delete and recreate it.
Performance and Limits
Subscription limits: By default, you can have up to 1000 public IP prefixes per subscription per region. Each prefix can have up to 16 IPs (for /28) or 8 IPs (for /29). The total number of public IP addresses per subscription is also limited (default 1000 for Standard SKU).
Regional limits: The number of prefixes you can create may be subject to regional capacity. Azure may reject prefix creation if the regional pool is exhausted.
Global prefix: Global prefixes are available only for cross-region load balancers. They cannot be used for regional resources.
Common Configuration Patterns
Whitelisting: Reserve a /28 prefix and use the IPs for all outbound traffic from your Azure resources. Configure your on-premises firewall to allow traffic from the entire prefix range.
DNS Management: Assign a domain name label to the prefix so that all IPs have a predictable FQDN (e.g., ip1.myprefix.eastus.cloudapp.azure.com).
Compliance: Use a prefix to ensure that all public IPs in a subscription come from a known block, simplifying audit logs and compliance reports.
Plan the prefix size
Determine the number of public IP addresses you need. Choose a /28 prefix for 16 addresses or a /29 for 8 addresses. The prefix size is fixed after creation, so plan carefully. Consider future growth; you cannot resize a prefix. The prefix must be Standard SKU and regional (or global for cross-region load balancers). Ensure your subscription has enough remaining public IP quota (default 1000 Standard IPs per region).
Create the Public IP Prefix
Using Azure CLI, PowerShell, or portal, create the prefix resource. Specify the resource group, name, location, and prefix length. At this point, Azure reserves the IP range, but no IPs are consumed. The prefix appears in your subscription as a resource. You can optionally assign a domain name label. The creation is synchronous and typically completes within seconds.
Create a public IP from the prefix
Create a standard SKU public IP address resource, specifying the prefix as the source. Azure will allocate one of the available addresses from the prefix. The allocation is static (the IP does not change). You can optionally set the idle timeout (default 4 minutes) and assign a DNS label. The new IP is now associated with the prefix and appears in the prefix's list of allocated IPs.
Associate the IP to a resource
Attach the public IP to an Azure resource such as a load balancer frontend, VPN gateway, or VM NIC. For load balancers, you can also use the prefix directly for frontend IP configurations. The resource now uses an IP from your reserved block. Ensure the resource's SKU matches (Standard). For VMs, you must use a Standard SKU NIC and a Standard SKU public IP.
Manage and release IPs
When you no longer need a public IP, delete the public IP resource. The address returns to the prefix pool and becomes available for reuse. You can also disassociate the IP from a resource without deleting it. To delete the entire prefix, you must first delete all public IPs allocated from it. Monitor the prefix's used IP count via Azure Monitor or CLI.
Enterprise Scenario 1: SaaS Provider with Customer Whitelisting
A SaaS company hosts multi-tenant applications in Azure. Their customers require whitelisting of the provider's public IPs in their on-premises firewalls. Without a prefix, the provider would have to communicate each new IP address to customers, causing operational overhead. By reserving a /28 prefix, the provider ensures all outbound traffic from their Azure resources (via Azure Firewall or NAT gateway) comes from a known, contiguous range. They configure the prefix with a domain name label, and customers whitelist the entire /28 range. When the provider scales and adds more instances, new IPs from the prefix are automatically within the whitelisted range. Misconfiguration: If the provider accidentally uses a basic SKU public IP (not supported with prefix), the IP will not come from the prefix, breaking the whitelist.
Enterprise Scenario 2: E-commerce Platform with DNS and Reverse DNS
An e-commerce platform uses multiple public IPs for different services (web, API, CDN). They need consistent reverse DNS (PTR) records for email deliverability and compliance. By using a /28 prefix, they can set up reverse DNS for the entire prefix once, rather than per IP. They assign a domain name label to the prefix, so each IP gets a predictable FQDN (e.g., web1.myprefix.eastus.cloudapp.azure.com). They also use the prefix with Azure Load Balancer to distribute traffic across VMs. Performance: The prefix does not introduce latency; it's purely a management construct. Common pitfall: Trying to use a global prefix for regional resources — global prefixes only work with cross-region load balancers.
Enterprise Scenario 3: Government Agency with Compliance Requirements
A government agency must ensure that all public IPs used by Azure resources are from a known, auditable block. They create a /29 prefix per region and enforce via Azure Policy that all public IPs must be created from a prefix. This ensures that no ad-hoc IPs are used. They also set up NSG rules that only allow traffic from the prefix range to their on-premises network. Misconfiguration: If an administrator creates a public IP without specifying a prefix, the policy will deny the creation. The agency also uses Azure Monitor to alert when the prefix usage exceeds 80% capacity, triggering a request for a new prefix.
AZ-104 Objective Coverage
Public IP Prefixes fall under objective "Configure and manage virtual networking" (4.2). Specifically, the exam tests your ability to:
Create and configure a public IP prefix
Allocate public IP addresses from a prefix
Understand SKU compatibility (Standard only)
Know supported prefix sizes (/28, /29 for IPv4; /124 for IPv6)
Differentiate regional vs. global prefixes
Understand that you cannot delete a prefix with active IP allocations
Common Wrong Answers and Why
"You can create a basic SKU public IP from a prefix" — This is false. Prefixes only support Standard SKU. Candidates often confuse this with the fact that basic SKU public IPs exist, but they cannot be derived from a prefix.
"You can resize a prefix after creation" — False. Prefix size is fixed. If you need more IPs, you must create a new prefix. The exam tests this as a trick: "You need 20 IPs, what prefix size?" The answer is two /28 prefixes (32 IPs total) because /27 is not allowed.
"A prefix consumes an IP address" — False. The prefix itself does not consume an IP; it just reserves a range. Only when you create a public IP from the prefix is an address consumed.
"You can use a global prefix for a regional load balancer" — False. Global prefixes are only for cross-region load balancers. Regional prefixes are for all other resources.
Specific Numbers and Terms
Prefix sizes: /28 (16 IPs), /29 (8 IPs), /124 (16 IPv6 IPs)
SKU: Standard only
Tier: Regional or Global
Allocation method: Static only (when created from prefix)
Domain name label: Optional, but if set, it applies to all IPs from the prefix
Quota: 1000 prefixes per subscription per region, 1000 Standard public IPs per region
Edge Cases and Exceptions
IPv6 prefixes: Only /124 is supported. IPv6 prefixes are still in preview in some regions.
Global prefix: Only available for cross-region load balancers (Standard SKU). Cannot be used for VPN gateways or VMs.
Prefix deletion: You must delete all associated public IPs first. The portal will show an error if you try to delete a prefix with active IPs.
Regional capacity: In some regions, you may not be able to create a prefix due to IP exhaustion. The exam may present a scenario where a prefix creation fails, and you need to choose a different region or size.
How to Eliminate Wrong Answers
If a question mentions "basic SKU" in the context of a prefix, eliminate that option immediately.
If a question asks about resizing a prefix, the correct answer is "create a new prefix" or "cannot resize."
If a question involves a cross-region scenario, check if the prefix tier is "Global" — if not, the answer is wrong.
Remember that a prefix is a management resource, not an IP address. Questions that imply the prefix itself is an IP are incorrect.
Public IP Prefixes reserve a contiguous block of IPs; sizes are /28 (16 IPs) and /29 (8 IPs) for IPv4, /124 (16 IPs) for IPv6.
Only Standard SKU public IPs can be created from a prefix; Basic SKU is not supported.
Prefixes are regional by default; Global prefixes are only for cross-region load balancers.
You cannot resize a prefix after creation; plan ahead or create a new prefix.
A prefix does not consume an IP address until a public IP resource is created from it.
To delete a prefix, you must first delete all public IPs allocated from it.
Prefixes simplify whitelisting, DNS reverse records, and compliance by providing a known IP range.
Subscription limits: up to 1000 prefixes per region, up to 1000 Standard public IPs per region.
These come up on the exam all the time. Here's how to tell them apart.
Public IP Prefix
Reserves a contiguous block of IPs (e.g., /28 for 16 IPs).
Simplifies whitelisting and DNS management by providing a known range.
Only supports Standard SKU.
Cannot be resized; must be recreated for different size.
All IPs from the prefix share the same domain name label suffix.
Individual Public IP
Creates a single, non-contiguous IP address from Azure's pool.
Each IP must be managed individually; no inherent grouping.
Supports both Basic and Standard SKU.
Can be deleted and recreated with different settings (e.g., allocation method).
Each IP can have its own unique domain name label.
Mistake
A public IP prefix consumes an IP address from the Azure pool.
Correct
The prefix itself does not consume an IP address. It reserves a contiguous block of addresses. Only when you create a public IP resource from the prefix is an address consumed. The prefix is a logical container.
Mistake
You can create both basic and standard SKU public IPs from a prefix.
Correct
Only Standard SKU public IPs can be created from a prefix. Basic SKU is not supported. If you need basic SKU, you must create it outside a prefix.
Mistake
A prefix can be resized after creation to add more IPs.
Correct
Prefix size is fixed at creation. You cannot change the prefix length (e.g., from /29 to /28). To get a larger block, you must create a new prefix.
Mistake
Global prefixes can be used for any Azure resource.
Correct
Global prefixes are only for cross-region load balancers. They cannot be used for regional resources like VPN gateways or VMs. Regional prefixes are for all other resources.
Mistake
You can delete a prefix even if it has active public IPs allocated.
Correct
You must first delete all public IPs allocated from the prefix before you can delete the prefix. Azure will block the deletion if there are active IPs.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
No. Public IP Prefixes only support Standard SKU public IPs. If you need a basic SKU public IP, you must create it without a prefix. This is a common exam trap — always check the SKU when working with prefixes.
The supported sizes are /28 (16 addresses) and /29 (8 addresses). You cannot create a /27 or /30 prefix. For IPv6, only /124 (16 addresses) is supported. These sizes are fixed and cannot be changed after creation.
Yes, you can optionally assign a domain name label to the prefix. This label becomes the suffix for all public IPs created from the prefix. For example, if the label is 'myprefix' and the region is 'eastus', the FQDN for an IP would be 'ip1.myprefix.eastus.cloudapp.azure.com'.
The IP address is released back to the prefix pool and becomes available for reuse. It does not go back to Azure's general pool. This allows you to reuse the same IP addresses within your prefix.
No. Global prefixes are designed specifically for cross-region load balancers (Standard SKU). For regional resources like VPN gateways or regional load balancers, you must use a regional prefix.
The default limit is 1000 prefixes per subscription per region. Additionally, the total number of Standard public IPs per region is also limited to 1000 by default. These limits can be increased by requesting a quota increase from Azure support.
No. The prefix size is fixed at creation. If you need a different size, you must delete the existing prefix (after removing all associated public IPs) and create a new one with the desired size.
You've just covered Public IP Address Prefixes — now see how well it sticks with free AZ-104 practice questions. Full explanations included, no account needed.
Done with this chapter?