# Public IP address

> Source: Courseiva IT Certification Glossary — https://courseiva.com/glossary/public-ip-address

## Quick definition

A public IP address is like your home's mailing address on the internet. It lets other computers, websites, and services find your device from anywhere in the world. This address must be unique across the entire internet so that data packets are delivered to the right destination. Internet service providers (ISPs) assign these addresses to routers or servers that need to be reachable from outside a local network.

## Simple meaning

Think of the internet as a giant city filled with millions of buildings. Each building needs a unique street address so that mail and packages can be delivered correctly. In this city, your home computer or server is one of those buildings. A public IP address is that unique street address for your device on the internet. It tells every other computer or service on the planet exactly where to send data. Without a public IP address, your device would be like a house without a number or street name, invisible to the rest of the world.

Now, imagine you live in a large apartment complex. The complex itself has one main street address, but each apartment inside has a different unit number. In this analogy, the apartment complex is your home network. The main street address is the public IP address of your router. The unit numbers are private IP addresses assigned to devices inside your home, like your laptop, phone, or smart TV. When you send a request to a website, your router uses its public IP address to talk to the internet. The website sees that the request came from your apartment complex's main address. When the response comes back, your router knows which apartment (which device) should get the data because it remembers who made the request.

Public IP addresses are a finite resource. The original version of the internet protocol, called IPv4, uses addresses that are 32 bits long, which allows for about 4.3 billion unique addresses. When the internet was first designed, nobody predicted that billions of devices would need their own public IP addresses. That is why we now also have IPv6, which uses 128-bit addresses and allows for an almost unimaginable number of unique addresses. For most home users, their internet plan includes a single public IP address, which is shared by all devices through a process called Network Address Translation or NAT.

It is also important to understand that public IP addresses can be static or dynamic. A static public IP address never changes. It is like a permanent storefront address. A dynamic public IP address changes periodically, usually when your router reboots or your ISP decides to reassign it. This is like using a forwarding service that changes your mailing address every few months. For most everyday browsing, a dynamic IP is fine. But for hosting a website, running a game server, or using remote access tools, a static IP is much more reliable.

In the world of IT certification, you need to understand that a public IP address is globally routable. This means that routers on the public internet know how to forward data to that address. In contrast, private IP addresses, like those in the 192.168.x.x range, are not routable on the public internet and are only used within a local network. The distinction between public and private addressing is fundamental to how networks are designed and secured.

## Technical definition

A public IP address is a globally unique numeric identifier assigned to a network interface that is directly reachable over the public internet. These addresses are governed and allocated by the Internet Assigned Numbers Authority (IANA) and distributed through Regional Internet Registries (RIRs) such as ARIN, RIPE NCC, APNIC, LACNIC, and AFRINIC. Public IP addresses are fundamental to the internet's routing infrastructure because they enable end-to-end communication between devices across different autonomous systems.

In Internet Protocol version 4 (IPv4), a public IP address is a 32-bit number, typically represented in dotted-decimal notation, such as 203.0.113.1. The address space is divided into five classes, though Classless Inter-Domain Routing (CIDR) is now the standard approach to allocation. IPv4 public addresses must be unique across the entire internet. This unicast model ensures that a packet sent to a destination IP address reaches exactly one interface. Public addresses are distinct from private addresses as defined in RFC 1918, which reserves specific ranges (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) for use within private networks and prohibits their routing on the public internet.

The lifecycle of a public IP address involves allocation, assignment, and routing. IANA allocates blocks of addresses to RIRs. RIRs then assign smaller blocks to ISPs and large organizations. ISPs in turn assign individual addresses or subnets to end customers. These assignments are tracked in routing tables maintained by Border Gateway Protocol (BGP). When a packet is sent from a source device, routers examine the destination public IP address and consult their routing tables to determine the best path. Each router along the path performs a longest prefix match to forward the packet toward the destination network.

Network Address Translation (NAT) is a critical mechanism that allows multiple devices on a private network to share a single public IP address. The router performs port address translation (PAT), mapping each internal private IP and port combination to the router's public IP address and a unique source port. This conserves public IPv4 addresses but breaks the original end-to-end model of IP. For this reason, IPv6 was developed. IPv6 public addresses are 128 bits, represented as eight groups of four hexadecimal digits, for example, 2001:0db8:85a3:0000:0000:8a2e:0370:7334. The abundance of IPv6 addresses allows every device to have a unique globally routable address without requiring NAT.

In cloud computing environments like AWS, Azure, and Google Cloud, public IP addresses are often elastic or ephemeral. An elastic IP address in AWS is a static public IPv4 address that can be remapped to different instances. An ephemeral public IP is automatically assigned when an instance starts and released when it stops. These services also support Bring Your Own IP (BYOIP) and IPv6 addressing. Cloud load balancers often use public IP addresses as the frontend endpoint, which then distributes traffic to backend instances with private addresses.

Security considerations are paramount. Public IP addresses expose devices directly to the internet, making them potential targets for scanning, attacks, and unauthorized access. Therefore, devices with public IP addresses should be protected by firewalls, security groups, network ACLs, and regular patching. In exam contexts, understanding when to assign a public IP address versus using a NAT gateway or bastion host is a common scenario.

Performance and availability also relate to public IP addressing. Anycast addressing, where the same public IP is advertised from multiple locations, is used by services like DNS and CDN networks to route users to the nearest server. This relies on BGP routing decisions. In contrast, unicast public IPs are used for point-to-point communication. For high availability, public IP addresses can be paired with failover mechanisms, where a secondary device takes over the IP in case of failure.

## Real-life example

Imagine you want to send a letter to your friend who lives in a large city. You write the street address, the city, and the zip code on the envelope. That address is like a public IP address. It is unique for that specific house or apartment building. The postal service knows exactly how to route your letter based on that address. The letter goes from your local post office to a regional sorting center, then to the destination city, and finally to your friend's mailbox. This is exactly how data packets travel across the internet using public IP addresses.

Now, suppose your friend lives in a dormitory at a university. The dormitory has a main address on the street. Inside the dormitory, there are hundreds of rooms. If you send a letter addressed only to the dormitory's street address, the mailroom staff won't know which resident should receive it. That is why you also include the room number. In this analogy, the dormitory's main street address is the public IP address of the router. The room number is the private IP address or port number of the specific device inside the network. The mailroom staff is the router that performs NAT, remembering which internal device requested which communication.

Let's take another example. You are running a small online bakery from your home. You have a website where customers can place orders. Your home router has a public IP address. When a customer types your website's domain name, their computer uses the Domain Name System (DNS) to translate that name into your public IP address. Their browser then sends a request directly to that public IP. Your router receives the request and forwards it to the web server running on one of your home computers. The web server sends the webpage back through the router, which sends it to the customer. Without a public IP address, your customers would have no way to find your bakery online. It would be like having a bakery with no street address or phone number listed in any directory.

A key nuance is that if your internet plan gives you a dynamic public IP address, the address can change. This would be like your bakery moving to a new street every few months without notifying your customers. That is why businesses often pay for static public IPs or use a dynamic DNS service that automatically updates the domain name to point to the new IP address.

## Why it matters

Public IP addresses are the foundation of internet connectivity. Without them, devices on different networks would be unable to locate and communicate with each other. For IT professionals, understanding public IP addressing is critical for network configuration, security, and troubleshooting. When you configure a router, firewall, or server, you must decide which interfaces require a public IP and which should remain private.

From a security perspective, any device with a public IP address is exposed to the entire internet. This means it can be scanned, probed, or attacked at any moment. Security best practices dictate that public IPs should only be assigned to devices that genuinely need direct internet access, such as web servers, mail servers, or VPN endpoints. All other devices should reside behind a NAT gateway or firewall. Misconfiguring public IP assignments is a common source of data breaches and network outages.

In cloud computing, public IP addresses have cost implications. Cloud providers typically charge for public IPv4 addresses, either per hour or per month. There is also a finite supply of IPv4 addresses, which is why they are becoming more expensive. IT professionals must consider whether a workload truly needs a public IP or whether it can be accessed through a load balancer, VPN, or private link. This decision affects both security posture and operational costs.

For certification candidates, public IP addressing appears in almost every networking domain. From subnetting in CompTIA Network+ to security groups in AWS Solutions Architect, the concept underpins how networks are built and secured. Understanding the difference between public and private addressing, how NAT works, and how to assign addresses in IPv4 and IPv6 is tested across multiple exams.

## Why it matters in exams

In the CompTIA Network+ exam (N10-008), public IP addresses are covered under Objective 1.4, which focuses on IP addressing and subnetting. You must know the difference between public and private IP ranges, how IPv4 and IPv6 addressing work, and the role of NAT. Questions often ask you to identify which IP address in a list is public and which is private. For example, a question might present 10.0.0.1, 192.168.1.100, 172.16.0.5, and 8.8.8.8 and ask which is a public address. The answer is 8.8.8.8, which is Google's DNS server.

For the CompTIA Security+ exam (SY0-601), public IP addresses relate to network security controls, firewall rules, and access control lists. You need to understand that allowing inbound traffic from the internet to a public IP without proper filtering is a security risk. Exam questions may present a scenario where an organization opens a port on a public IP for remote access, and you must recommend a more secure alternative, such as a VPN or bastion host.

In the CCNA exam (200-301), public IP addressing is critical for routing concepts. You must know how to configure NAT on Cisco routers, including static NAT, dynamic NAT, and PAT. Subnetting questions require you to calculate how many public IP addresses are needed for a given number of hosts. You also need to understand how BGP advertises public IP prefixes. A typical question might ask you to troubleshoot a scenario where internal users cannot access the internet because of a NAT misconfiguration.

For AWS Solutions Architect (SAA-C03), public IP addresses appear in the context of EC2 instances, Elastic IPs, NAT gateways, and internet gateways. You must decide when to assign a public IP to an EC2 instance versus using a NAT gateway for outbound-only access. A common question involves designing a highly available web application where the web servers need public IPs but the database servers should remain private. You also need to understand that an Elastic IP is a static public IPv4 address that you can allocate and remap.

In the Microsoft Azure exam (AZ-104), public IP addresses are a resource in Azure. You must know the difference between basic and standard SKU public IPs, how to associate them with VMs and load balancers, and how to configure DNS name labels. Questions often involve scenarios where a VM needs to be reachable from the internet or where you need to preserve the public IP through a VM restart.

For the Google Associate Cloud Engineer exam, public IP addresses are used with VM instances, forwarding rules, and Cloud NAT. You must understand that external IP addresses are billed and that you can promote an ephemeral external IP to a static one.

Across all these exams, the pattern is consistent: you must understand not just what a public IP address is, but when and why to use it, and what the security and cost implications are. Question types include multiple-choice, scenario-based, and drag-and-drop configuration tasks.

## How it appears in exam questions

Public IP address questions appear in several distinct patterns. The first pattern is identifying public versus private addresses. For example, a multiple-choice question lists five IP addresses and asks which one is a public IPv4 address. The trick is that private addresses fall into the RFC 1918 ranges, while loopback (127.0.0.0/8), link-local (169.254.0.0/16), and multicast (224.0.0.0/4) are also not public. A correct answer would be an address not in any of these reserved ranges.

Another common pattern is scenario-based questions involving NAT. For instance, a company has a single public IP address but 50 employees need internet access. The question asks what technology allows multiple devices to share the public IP. The answer is Port Address Translation or PAT, a form of NAT. A follow-up question might ask you to identify the correct configuration command on a Cisco router.

Subnetting questions frequently require you to calculate public IP allocation. For example, an organization has been assigned the public IP block 203.0.113.0/28. How many usable host addresses does it provide? The answer is 14, because the /28 prefix gives 16 total addresses, minus the network and broadcast addresses. You may also be asked to determine the subnet mask or the range of valid host addresses.

Security-related questions often present a scenario where a server with a public IP is compromised. The question asks what the first step should be. The correct approach is to isolate the server, review firewall logs, and change the security group or network ACL to block unnecessary inbound traffic. Another question might ask which port should be open on a public-facing web server: 80 and 443 are correct, while 22 (SSH) should be restricted.

In cloud exams, a typical question describes an architecture where a web application is hosted on EC2 instances in a VPC. The instances need to be reachable from the internet. The question asks what resource must be attached to the VPC. The answer is an Internet Gateway (IGW). A variation asks what happens if the public IP of an EC2 instance changes after a stop and start: the answer is that a new public IP is assigned unless an Elastic IP is attached.

Troubleshooting questions might show a ping failure to a public IP. The possible causes include a missing default route, a misconfigured firewall, incorrect NAT settings, or an ISP outage. You must analyze the output of commands like ipconfig, traceroute, or show ip route to identify the issue.

Finally, some questions test IPv6 knowledge. They may ask which address type is globally routable and unique on the internet. The answer is a Global Unicast Address, which is the IPv6 equivalent of a public IPv4 address.

## Example scenario

You are a network administrator for a small company called TechFlow. TechFlow recently moved to a new office and your boss asks you to ensure that employees can access the internet. The ISP has provided a single public IPv4 address: 198.51.100.10. You have 25 employees, each with a laptop, and 10 other devices like printers and IP phones.

Your first task is to configure the router. You connect the router's WAN interface to the ISP modem and assign the public IP 198.51.100.10 to that interface. Then you configure the LAN interface with a private IP address from the 192.168.1.0/24 range, such as 192.168.1.1. You enable DHCP so that devices automatically receive private IPs like 192.168.1.100 through 192.168.1.135.

The critical step is enabling NAT. You configure the router to translate all traffic from the private network to the public IP. When an employee types a website address, their laptop sends the request to the router. The router changes the source IP from the private address to 198.51.100.10 and assigns a unique source port. When the response returns, the router looks at the destination port and forwards the data to the correct laptop.

Now, your boss wants to host a small web server in the office to showcase the company's portfolio. You need to make this web server accessible from the internet. You configure port forwarding on the router. You instruct the router that any incoming request on port 80 (HTTP) directed to 198.51.100.10 should be forwarded to the internal web server with private IP 192.168.1.50. Now, anyone on the internet can type http://198.51.100.10 and reach the web server.

During a routine check, you discover that the public IP is dynamic and changed overnight. The web server is now unreachable. You call the ISP to request a static public IP, which they provide. You update the port forwarding configuration. The company also registers a domain name and sets up a DNS A record pointing to 198.51.100.10. Now, customers can use the domain name instead of the IP.

This scenario demonstrates the core functions of public IP addressing: enabling outbound internet access for a private network, hosting services for external users, and the importance of static addresses for reliability.

## What Is a Public IP Address and Why It Matters for Cloud and Networking Exams

A public IP address is a globally unique identifier assigned to a device or service that is reachable over the public internet. Unlike private IP addresses, which operate within local networks (RFC 1918 ranges like 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), public IP addresses are routable across the entire internet and must be unique worldwide. They are allocated by regional internet registries (RIRs) to internet service providers (ISPs) and cloud providers, which in turn assign them to customers.

In cloud environments such as AWS, Azure, and Google Cloud, public IP addresses are used to enable external access to virtual machines, load balancers, NAT gateways, and other resources. For example, an AWS EC2 instance can have a public IP address that allows SSH or RDP connections from the internet. Similarly, an Azure virtual machine can be assigned a public IP to expose a web application. Google Cloud uses external IP addresses for similar purposes, often attached to VM instances or forwarding rules.

Understanding public IP addresses is critical for exams like AWS SAA, Azure AZ-104, Google ACE, CompTIA Network+, CompTIA Security+, and Cisco CCNA. These exams test your ability to choose the right type of IP address (static vs. dynamic), manage allocation (IPv4 vs. IPv6), and implement security controls (such as network ACLs and security groups that restrict traffic to/from public IPs).

Key characteristics include: they are globally unique, assigned by ISPs or cloud providers, and can be static (reserved) or dynamic (assigned at launch and released on stop). In cloud platforms, public IPs often incur cost when allocated but not attached to a running resource (as in AWS Elastic IP costs). Public IPv4 addresses are a scarce resource; many providers now charge for them to encourage IPv6 adoption.

From a security perspective, public IP addresses expose resources to the internet, making them prime targets for attacks. Best practices include using public IPs only when necessary, placing resources behind load balancers or NAT gateways, and using security groups or firewall rules to limit inbound traffic. For exam purposes, knowing when to use a public IP vs. a private IP with a VPN or Direct Connect is a common scenario.

the public IP address is a foundational concept in networking and cloud architecture. Mastery of its types, costs, allocation methods, and security implications will appear across multiple certification exams. This section builds the base for more advanced topics like elastic IPs, NAT, and internet gateways.

## How Public IP Address Costs Work in AWS, Azure, and GCP

Public IP addresses are not always free. In major cloud platforms, they come with specific pricing models that are important to understand for both real-world cost management and exam scenarios. In AWS, a public IPv4 address assigned to an EC2 instance is free while the instance is running, but if you allocate an Elastic IP (static public IP) and don't attach it to a running instance, you incur a small hourly charge. This is designed to discourage IP hoarding. AWS also charges for public IPv4 addresses on NAT gateways and load balancers per hour and per gigabyte of data processed. Starting in 2024, AWS introduced a charge for all public IPv4 addresses, even those attached to running EC2 instances, to encourage IPv6 migration.

In Azure, public IP addresses come in two SKUs: Basic and Standard. Basic SKU public IPs are free but have no availability SLA, while Standard SKU public IPs have a small hourly cost but provide features like availability zones, default outbound access, and zone-redundancy. Azure also charges for idle public IPs (allocated but not assigned to a resource) and for public IPs used with load balancers. The cost varies by region.

Google Cloud Platform (GCP) charges for static external IP addresses that are not in use, and for premium-tier networking (which uses static public IPs for better performance). GCP also offers a discount for using ephemeral (dynamic) public IPs, which are free while attached to a running VM but incur a small charge if the VM is stopped. Standard-tier networking uses dynamic public IPs at no extra cost.

All three providers charge for data egress (outbound traffic) through public IPs, which can be a significant cost in high-traffic applications. Exam questions often test your understanding of idle IP costs, differences between static and dynamic, and when to use a NAT gateway (which uses public IPs) vs. a NAT instance. For example, the AWS SAA exam may ask: 'Which AWS resource incurs charges for an unattached Elastic IP?' The answer is: an Elastic IP that is not associated with a running instance.

Cost optimization tips include: releasing unused public IPs, using private IPs for internal communication, leveraging IPv6 where possible, and consolidating outbound traffic through a single NAT gateway. In CCNA and Network+ exams, cost is not directly discussed, but the concept of IP scarcity and the difference between public and private addressing is tested.

Understanding these costs is crucial for passing cloud certifications and for building cost-efficient architectures. Always check the latest pricing pages as cloud providers update their billing models frequently.

## Public IP Address States and Lifecycle in Cloud Environments

A public IP address in cloud platforms goes through several states during its lifecycle. Understanding these states is essential for troubleshooting and exam success. In AWS, an Elastic IP (public IP) can be in one of several states: allocated (created but not associated), associated (attached to an instance or network interface), or released (deleted). While allocated but not associated, it incurs a charge. In Azure, a public IP resource can be in the 'Created' state (allocated but not assigned), 'Assigned' (associated with a resource like a VM or load balancer), or 'Deleted' (removed). Azure also has a 'Provisioning' state during creation and a 'Failed' state if creation errors occur.

In GCP, external IP addresses are either 'Ephemeral' (dynamic, assigned on VM creation and released on stop) or 'Static' (reserved until released). Static IPs can be in 'Reserved' state (allocated but not in use) or 'In Use' (attached to a resource). Reserved static IPs incur charges if not used. Ephemeral IPs are free while the VM runs but change on stop/start unless you configure static IP.

The lifecycle also includes transitions: when you stop an EC2 instance with a non-Elastic public IP, the IP is released and a new one is assigned on start. This is a common exam scenario in AWS SAA and Azure AZ-104. For example, an Azure VM with a Basic SKU public IP will lose its IP on stop/deallocate, while a Standard SKU IP retains it.

Exam clues often focus on state changes: 'What happens to the public IP of an EC2 instance when it is stopped and started?' The answer: the public IP changes if it's not an Elastic IP. For an Elastic IP, it remains associated but you may still pay for it if the instance is stopped. Similarly, in Azure, a standard public IP remains assigned even if the VM is stopped, but you still pay for the IP resource.

Another important state is 'Idle' or 'Unassociated'. In AWS, this triggers billing. In Azure, idle public IPs (not assigned to any resource) also incur a cost. GCP charges for unassociated static IPs. Recognizing these states helps answer multiple-choice questions about cost optimization and IP retention.

Finally, the release state is permanent: once released, the IP is returned to the pool and cannot be reused. This is tested in scenarios where you need to replace a public IP for security reasons (e.g., after a DDoS attack). Cloud providers allow you to disassociate and reassociate IPs as needed, but releasing is final.

Mastering the lifecycle of public IPs is a core skill for cloud administrators and appears in questions about high availability, disaster recovery, and cost management across all major certification exams.

## Security Implications of Public IP Addresses and Exam-Relevant Controls

Public IP addresses inherently expose resources to the internet, making security a top priority. In cloud and networking exams, you are expected to know how to secure resources that use public IPs. The first line of defense is Network Access Control Lists (NACLs) and Security Groups (in AWS), or Network Security Groups (NSGs) in Azure, and Firewall Rules in GCP. These act as virtual firewalls that filter traffic based on source and destination IP, port, and protocol. For example, an AWS security group rule can allow inbound SSH (port 22) only from a specific public IP address (e.g., your office IP), reducing the attack surface.

A common exam scenario is: 'You have an EC2 instance with a public IP that must only be accessible from a specific range of IPs. Which security mechanism should you use?' The correct answer is a security group with an inbound rule restricted to that IP range. In CCNA and Network+, you might encounter Access Control Lists (ACLs) on routers that filter traffic based on public IP addresses.

Another security concern is the use of public IPs for outbound traffic. If a resource has a public IP, it can initiate outbound connections to the internet, which can be a data exfiltration risk. Exams test your ability to use NAT gateways or proxy servers to control outbound traffic, especially in private subnets. For example, in AWS, you might place resources in a private subnet without a public IP and route outbound traffic through a NAT gateway that has a public IP. This is a key concept in the AWS SAA exam.

Public IP addresses also play a role in DDoS mitigation. Cloud providers offer services like AWS Shield, Azure DDoS Protection, and Google Cloud Armor that can be enabled on resources with public IPs to absorb attacks. Exam questions might ask: 'Which AWS service provides protection against layer 3/4 DDoS attacks for resources with public IPs?' The answer is AWS Shield Standard (free) or Advanced (paid).

using public IPs can violate compliance requirements (e.g., PCI DSS, HIPAA) if not properly secured. Exams test your ability to architect solutions that avoid public exposure, such as using internal load balancers, VPNs, or AWS PrivateLink. For instance, a question might ask: 'How can you expose a web application to the internet without assigning a public IP to the backend servers?' The answer: place servers behind a public load balancer that has a public IP, and keep the backend in a private subnet.

Finally, public IP address management (IPAM) tools like AWS IPAM can help track and audit public IP usage, which is important for security and compliance. Securing public IPs is about controlling inbound and outbound traffic, monitoring for threats, and minimizing exposure. This topic is heavily tested in Security+, CCNA, and all cloud certifications.

## Common mistakes

- **Mistake:** Thinking that all IP addresses that start with 10, 172, or 192 are private.
  - Why it is wrong: Only specific ranges within those prefixes are private according to RFC 1918. For 172, only 172.16.0.0 through 172.31.255.255 are private. 172.32.0.0 is public. For 192, only 192.168.0.0 through 192.168.255.255 are private. Other addresses like 192.0.2.0 are public.
  - Fix: Memorize the exact RFC 1918 ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.
- **Mistake:** Assuming a public IP address is assigned to every device in a home network.
  - Why it is wrong: Most home networks use NAT, so only the router has the public IP. All internal devices use private IPs. The public IP is shared.
  - Fix: Understand that NAT allows many private IPs to share one public IP. Only devices with a direct internet connection, like a web server, typically have their own public IP.
- **Mistake:** Confusing public IP addresses with gateway addresses.
  - Why it is wrong: The default gateway is the router's IP on the local network, which is usually a private IP. The public IP is the address used on the internet side of the router. They are different concepts.
  - Fix: Remember: the default gateway is the exit point inside your network; the public IP is the address seen by the outside world.
- **Mistake:** Believing that a public IP address never changes unless the ISP is contacted.
  - Why it is wrong: Many ISPs assign dynamic public IPs that can change whenever the router reconnects. Only a static public IP requires a request to the ISP.
  - Fix: Check your internet service plan. If it is a residential plan, your public IP is likely dynamic. Verify by noting the IP and checking it after a router reboot.
- **Mistake:** Assuming IPv6 public addresses work exactly like IPv4 public addresses with NAT.
  - Why it is wrong: IPv6 was designed to restore end-to-end connectivity. Most IPv6 networks do not use NAT. Every device can have a globally unique public IPv6 address. Security is achieved through firewalls, not address scarcity.
  - Fix: Learn that IPv6 public addresses are abundant and each device can have one. NAT is generally not used in native IPv6 networks.
- **Mistake:** Thinking that a public IP address is the same as a static IP address.
  - Why it is wrong: Public IP refers to global routability; static vs dynamic refers to whether the address changes. A public IP can be either static or dynamic. A private IP can also be static or dynamic.
  - Fix: Understand that 'public' and 'static' are separate attributes. A public IP can be dynamic, and a private IP can be static.

## Exam trap

{"trap":"The exam shows a scenario where a company uses the IP address 10.10.10.10 on a web server that must be accessible from the internet. The question asks what is wrong.","why_learners_choose_it":"Learners see 10.10.10.10 and think it is a valid address because it looks like a typical server IP. They forget that the 10.0.0.0/8 range is private and not routable on the internet.","how_to_avoid_it":"Always check the first octet of any IP address against the RFC 1918 ranges. If it falls into 10.x.x.x, 172.16.x.x through 172.31.x.x, or 192.168.x.x, it is private and cannot be used as a public-facing address. The correct solution would be to assign a public IP or use NAT port forwarding."}

## Commonly confused with

- **Public IP address vs Private IP address:** A private IP address is used within a local network and is not routable on the public internet. Public IPs are unique globally and are routable. Private IPs reuse the same ranges across countless networks, while public IPs must be unique. (Example: Your home Wi-Fi gives your laptop a private IP like 192.168.1.5. The router's WAN port has a public IP like 203.0.113.45. The laptop uses the private IP to talk to the router, and the router uses the public IP to talk to the internet.)
- **Public IP address vs Static IP address:** A static IP address does not change over time. Both public and private IPs can be static. A public IP is about global reachability, while a static IP is about permanence. A public IP can be dynamic, and a private IP can be static. (Example: Your company's web server has a public static IP of 198.51.100.20. Years later, it remains the same. In contrast, your home router might have a public dynamic IP that changes every month.)
- **Public IP address vs Elastic IP address (AWS):** An Elastic IP is a specific AWS service for providing a static public IPv4 address that can be remapped between instances. It is a cloud implementation of a static public IP. Traditional public IPs are not dynamically remappable between devices without reconfiguration. (Example: If your EC2 instance fails, you can reassociate the Elastic IP to a backup instance in minutes. With a traditional public IP, you would need to update DNS and wait for propagation.)
- **Public IP address vs Default gateway:** The default gateway is the IP address of the router interface on your local subnet, usually a private IP. It is the device that forwards traffic out of the local network. A public IP is the address seen by external networks. They are not the same. (Example: Your laptop's default gateway is 192.168.1.1 (private). The router's public IP is 203.0.113.1. Your laptop sends traffic to the default gateway, which then masquerades it with the public IP.)
- **Public IP address vs IP address (general):** Every network interface needs an IP address to communicate. But only public IPs are globally unique and routable on the internet. Private IPs are sufficient for local communication. (Example: Two different companies can both use 192.168.1.1 on their internal routers. But only one device in the world can use the public IP 8.8.8.8.)

## Step-by-step breakdown

1. **ISP Assignment** — Your internet service provider assigns a public IP address to your WAN connection. This is typically done via DHCP on the modem or router. The address can be dynamic or static depending on your plan.
2. **Router Configuration** — The router's WAN interface is configured with this public IP. The router also has a LAN interface with a private IP, which acts as the default gateway for all local devices.
3. **Device Request Initiation** — When a device on the local network, such as a laptop, wants to access a website, it sends a data packet with its private source IP and the website's destination IP. The packet is sent to the default gateway (the router).
4. **NAT Translation** — The router receives the packet and performs Network Address Translation (specifically PAT). It replaces the private source IP with its own public IP and assigns a unique source port. This mapping is stored in the NAT table.
5. **Packet Routing on Internet** — The translated packet now has a public source IP and is forwarded through the ISP's network and across the internet. Routers along the path use the destination IP to forward the packet toward the target server.
6. **Response Reception** — The target server sends a response packet back to the router's public IP and the specific source port that was assigned. The packet traverses the internet to the router.
7. **Reverse NAT Translation** — The router checks its NAT table to find which private IP and port correspond to the incoming destination port. It then rewrites the destination IP to the private address of the original requesting device and forwards the packet internally.
8. **Data Delivery to Device** — The device receives the response packet on its private IP. The communication is complete. The device is unaware that NAT occurred; it believes it is directly communicating with the remote server.
9. **Port Forwarding for Inbound Services** — If you want to host a service accessible from the internet, you configure port forwarding on the router. You specify that incoming traffic on a particular port of the public IP should be forwarded to a specific private IP and port. The router adds a static entry to its NAT table.
10. **Address Renewal or Change** — If the public IP is dynamic, the router may request a new address when it reboots or when the DHCP lease expires. This changes the public IP. For static IPs, the address remains constant, requiring no renewal.

## Practical mini-lesson

A public IP address is more than just a number. It is the primary identifier that makes your network visible on the internet. As an IT professional, you will frequently need to configure, troubleshoot, and secure public IP addresses across different environments.

In a typical office network, the process starts with the ISP. They hand off a connection, often via a fiber optic or cable modem. The modem provides a public IP to the WAN interface of your router. You need to verify that the router has received a public IP, not a private one from the ISP. This is a common misconfiguration where the ISP's CPE is in bridge mode versus router mode. If your router gets a private IP like 10.10.10.2 from the ISP, you are behind Carrier-Grade NAT (CGNAT), and you cannot host any services without further configuration.

When configuring NAT, you must decide between static NAT, dynamic NAT, and PAT. Static NAT maps a single public IP to a single private IP, useful for servers. Dynamic NAT maps a pool of public IPs to a pool of private IPs. PAT is the most common, mapping many private IPs to one public IP using port numbers. In Cisco IOS, the command would be `ip nat inside source list 1 interface gigabitethernet0/0 overload`.

Firewall rules are critical. Just because a device has a public IP does not mean all ports should be open. The principle of least privilege applies. You should allow only necessary protocols and ports. For a web server, allow TCP ports 80 and 443. For SSH, restrict source IPs. Use security groups in AWS or Network Security Groups in Azure to define inbound and outbound rules.

Troubleshooting public IP issues often begins with the command `ipconfig` or `ifconfig` on the client to check the default gateway. Then you can access the router and check its WAN interface status. Use `show ip interface brief` on a Cisco router to see if the interface has a public IP. Ping the public IP from inside the network to confirm connectivity. If that works, ping the public IP from an external source to verify inbound reachability.

In cloud environments, never assign a public IP to a database server. Use a NAT gateway for outbound traffic and a load balancer for inbound traffic. This reduces the attack surface. Also, remember that cloud providers charge for public IPv4 addresses. In AWS, each Elastic IP costs money if it is not associated with a running instance. In Azure, a basic SKU public IP is cheaper than standard SKU, but standard offers more features like availability zones.

Finally, understand how DNS works with public IPs. An A record maps a domain name to an IPv4 public IP. An AAAA record maps to an IPv6 public IP. If your public IP changes, you must update the DNS records. Dynamic DNS services automate this by running a client on your router that updates the DNS provider whenever the IP changes.

## Commands

```
aws ec2 allocate-address --domain vpc --region us-east-1
```
Allocates a new Elastic IP address in the specified VPC and region. Use when you need a static public IP that you can attach to an instance or NAT gateway.

*Exam note: Tests knowledge of Elastic IP allocation for VPC vs EC2-Classic (legacy). In AWS SAA, you must know that Elastic IPs are for VPC and can be moved between instances.*

```
aws ec2 associate-address --instance-id i-1234567890abcdef0 --allocation-id eipalloc-12345678
```
Associates an Elastic IP (by allocation ID) to a running EC2 instance. Use to assign a static public IP to an instance after allocation.

*Exam note: CCNA and Network+ don't cover AWS commands, but cloud exams (SAA, AZ-104) test associating IPs to instances for high availability. Remember to use allocation ID, not public IP.*

```
az network public-ip create --resource-group myResourceGroup --name myPublicIP --sku Standard --allocation-method Static
```
Creates a Standard SKU static public IP in Azure. Use when you need a stable, zone-redundant public IP for a load balancer or VM.

*Exam note: AZ-104 tests SKU differences: Basic vs Standard. Standard is zone-redundant by default and has a cost, while Basic is free but not resilient.*

```
gcloud compute addresses create my-static-ip --region us-central1 --network-tier PREMIUM
```
Reserves a static external IP address in GCP with premium network tier. Use for low-latency, global access.

*Exam note: Google ACE exam covers network tiers: Premium (default, uses static IP) vs Standard (ephemeral, no cost). Know that static IPs incur charges when not in use.*

```
ip addr add 203.0.113.5/24 dev eth0
```
Assigns a public IP address to a Linux network interface. Used in on-premises or non-cloud environments for static IP configuration.

*Exam note: Network+ and CCNA test Linux commands for IP configuration, but focus more on Cisco IOS: 'ip address 203.0.113.5 255.255.255.0'. Understand the CIDR notation.*

```
configure terminal
interface GigabitEthernet0/0
ip address 203.0.113.1 255.255.255.0
no shutdown
```
Assigns a public IP to a Cisco router interface. Use when configuring edge routers for internet connectivity.

*Exam note: Classic CCNA command. Tests understanding of interface configuration, subnet mask, and that 'no shutdown' enables the interface.*

```
netsh interface ipv4 add address "Ethernet" 203.0.113.10 255.255.255.0
```
Adds a static public IP to a Windows network interface from command line. Use for servers on-premises.

*Exam note: Security+ and Network+ may include Windows commands. Know that 'netsh' is the network shell utility for Windows IP config.*

```
aws ec2 disassociate-address --association-id eipassoc-12345678
```
Disassociates an Elastic IP from an instance. Use before moving the IP to another instance or releasing it.

*Exam note: AWS SAA exam: disassociating is required before releasing an Elastic IP, otherwise it remains attached. Also causes brief downtime.*

## Troubleshooting clues

- **Public IP address changes after stopping and starting a VM** — symptom: User receives new public IP after restarting an EC2 instance or Azure VM, breaking connectivity to any allowed IPs in security groups.. By default, AWS assigns a dynamic public IP to EC2 instances unless an Elastic IP is used. Similarly, Azure VMs with Basic SKU public IP release the IP on stop/deallocate. The new IP is different, so any whitelist or DNS record referencing the old IP breaks. (Exam clue: Common exam question: 'How to retain the same public IP after a VM restart?' Answer: Use static/EIP in AWS or Standard SKU in Azure.)
- **Cannot reach internet from a VM with a public IP but no route configured** — symptom: VM can receive inbound traffic on its public IP but cannot ping or curl external websites.. A public IP on the VM allows incoming connections, but outbound traffic requires a default route to an internet gateway (in cloud) or a router with NAT (on-premises). If the route table lacks a 0.0.0.0/0 next hop to an internet gateway, outbound packets are dropped. (Exam clue: AWS SAA: 'An EC2 instance has a public IP but cannot access the internet. What is missing?' Answer: A route in the subnet's route table pointing to an internet gateway.)
- **Elastic IP shows 'locked' or 'in use' but no resource is attached** — symptom: In AWS console, an Elastic IP appears associated but the instance is terminated. Cannot release the IP.. The Elastic IP may be associated to a network interface (ENI) that is not attached to any instance, or it's associated to a NAT gateway or load balancer. The release requires disassociation from the resource first. (Exam clue: Troubleshooting question: 'You cannot release an Elastic IP. What is the first step?' Answer: Check for any attached resources and disassociate.)
- **Azure public IP cannot be assigned to a VM due to overlapping IP range** — symptom: When trying to assign a public IP to a VM, error: 'The public IP address overlaps with an existing private IP range.'. Azure validates that the public IP address does not conflict with the virtual network's address space. This can happen if the public IP falls within the VNet's CIDR range (e.g., VNet uses 10.0.0.0/8 and public IP is 10.1.1.1). Azure prohibits this to prevent routing confusion. (Exam clue: AZ-104: 'Why can't I assign a public IP within a VNet's address space?' Answer: Because Azure does not allow public IPs that overlap with the VNet's private IP range.)
- **Public IP appears duplicated in GCP - static IP already in use** — symptom: When creating a VM with a specific static IP, error: 'The IP address is already in use by another resource.'. Static IPs are unique per project and region. If another VM, forwarding rule, or load balancer already uses that IP, the allocation fails. The IP must be released from the original resource first. (Exam clue: Google ACE: 'How to move a static IP between VMs?' Answer: Release from one VM and assign to another, but note that it cannot be in use during transfer.)
- **High latency or packet loss when using public IP across regions** — symptom: Users in Europe experience slow web access to a US-based VM with public IP. Ping times are high and packet loss occurs.. Public IP addresses are routed over the public internet, which can have variable latency and congestion. Using a cloud provider's global network (e.g., AWS Global Accelerator, Azure Front Door) can reduce latency by routing traffic via private backbone. (Exam clue: Exam scenario: 'How to improve performance for globally distributed users accessing a public IP?' Answer: Use a CDN or global accelerator service.)
- **Public IP is blocked by ISP or corporate firewall** — symptom: Users cannot access a service hosted on a public IP from certain networks, but access works from other locations.. ISPs or corporate firewalls may block certain IP ranges (e.g., known cloud provider ranges) due to security policies. Public IP blacklists can also cause blocking if the IP was previously used for spam. (Exam clue: Security+ exam: 'What is a common reason for a public IP to be blocked?' Answer: The IP may be on a blacklist due to past malicious activity.)

## Memory tip

To remember if an IP is public, think 'No 10, No 172.16-31, No 192.168.' These are the private ranges. Everything else is public.

## FAQ

**Can I change my public IP address?**

Yes, if your ISP assigns dynamic IPs. Rebooting your router or releasing and renewing the DHCP lease can result in a new public IP. For a static IP, you cannot change it without requesting a new one from your ISP.

**Is a public IP address safe?**

A public IP by itself is not unsafe, but it exposes your device to the internet. You must use a firewall, security groups, and keep software updated. Many attacks start with scanning public IPs for open ports.

**Do I need a public IP for gaming?**

For console or PC gaming, you usually do not need a public IP. Your router's NAT handles outbound connections. However, if you want to host a game server, you need a public IP and configured port forwarding.

**What is the difference between a public IP and a WAN IP?**

The WAN IP is the IP address on the wide area network interface of your router. It is usually the public IP assigned by your ISP. However, in some cases, the WAN IP could be a private IP if you are behind CGNAT.

**How do I find my public IP address?**

You can visit websites like whatismyip.com or ifconfig.me. Alternatively, you can log into your router's admin panel and check the WAN status. In Windows, you can use PowerShell with the command (Invoke-WebRequest ifconfig.me).Content.

**Can two devices have the same public IP?**

No, not at the same time. Public IPs must be globally unique. However, through NAT, many devices can share a single public IP by using different port numbers.

**Why are public IPv4 addresses running out?**

IPv4 uses 32-bit addresses, providing about 4.3 billion addresses. With the growth of the internet, smartphones, and IoT, that number is insufficient. IPv6 solves this with 128-bit addresses.

**What is a public IP in cloud computing?**

In cloud platforms like AWS, Azure, and GCP, a public IP is a resource you can assign to virtual machines, load balancers, or NAT gateways. They may be ephemeral (released when the instance stops) or static (reserved for your account).

## Summary

A public IP address is a globally unique identifier that allows a device to be reached directly over the internet. It is the foundation of all internet communication, from browsing websites to hosting servers. Understanding public IP addressing requires knowing the distinction between public and private ranges, how NAT enables address sharing, and the role of IPv6 in overcoming address exhaustion.

For IT certification candidates, public IP addressing is a recurring theme across multiple exams, including Network+, Security+, CCNA, AWS Solutions Architect, Azure Administrator, and Google ACE. You will encounter questions about identifying public addresses, configuring NAT, troubleshooting connectivity, and designing secure network architectures. The key takeaway is to always consider the context: is the device supposed to be internet-facing or internal? Should the IP be static or dynamic? What security controls are needed?

In practice, professionals must be comfortable with router configuration commands, cloud resource management, and diagnostic tools. Public IP addresses are a finite and valuable resource, especially for IPv4. Misconfiguring them can lead to security breaches, downtime, or unexpected costs. By mastering this concept, you build a strong foundation for more advanced topics in routing, security, and cloud networking.

---

Practice questions and the full interactive page: https://courseiva.com/glossary/public-ip-address
