What it is
A public IP address that has just been associated with a resource — a VM's network interface, a load balancer front end, an application gateway — moving that resource from private-only to reachable across the public internet. This is the opposite of the idle/unattached public IP that only wastes money (AZF-0004): here the attachment itself is the risk, because it changes the network exposure of whatever it's bound to.
Why it happens
Attaching a public IP is a single property change — the IP's ipConfiguration starts pointing at a NIC or front-end config — and Azure treats it as ordinary networking, not a security event. There's no separate "you are now internet-facing" confirmation step.
It happens through the most routine actions: ticking "Public IP" while creating a VM, adding a front end to a load balancer, or a template redeploy that reintroduces an association someone had deliberately removed. Whether the newly exposed endpoint is actually protected then depends entirely on the NSG and firewall rules behind it, which are configured separately and easy to get wrong. The attachment lands quietly and the resource is live on the internet before anyone reviews what's listening.
What it costs / blast radius
The public IP itself is a few dollars a month, but that isn't the point. The blast radius is new internet exposure: any port the resource listens on is now reachable from anywhere unless an NSG or firewall explicitly blocks it. (Azure behavior; authored assessment.) A management port, a database engine, or an admin panel that was safely private a moment ago becomes a target the instant the association is made, and the change leaves no obvious trail unless someone is watching for it.
See it
resource nic 'Microsoft.Network/networkInterfaces@2023-09-01' = {
  name: 'app-vm-nic'
  location: location
  properties: {
    ipConfigurations: [ {
      name: 'ipconfig1'
      properties: {
        subnet: { id: subnet.id }
        privateIPAllocationMethod: 'Dynamic'
        publicIPAddress: { id: publicIp.id } // now reachable from the internet
      }
    } ]
  }
}

resource nic 'Microsoft.Network/networkInterfaces@2023-09-01' = {
  name: 'app-vm-nic'
  location: location
  properties: {
    ipConfigurations: [ {
      name: 'ipconfig1'
      properties: {
        subnet: { id: subnet.id }
        privateIPAllocationMethod: 'Dynamic'
        // no publicIPAddress -> private only; reach it via Bastion / a
        // load balancer whose NSG restricts inbound to known sources
      }
    } ]
  }
}

How StratoLens helps
StratoLens tracks which resources are internet-facing across every subscription in your tenant and surfaces a public IP that has been newly attached, so a resource that just went from private to exposed shows up instead of blending into normal networking activity. You see the change without having to audit NIC configurations by hand.
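The "newly attached" check described above, as an added example (not StratoLens code): it diffs two snapshots of NIC resources in the JSON shape the Azure NIC REST API returns and reports only ipConfigurations that gained a publicIPAddress, ignoring NICs that were already public or that lost one. The subscription, resource group and resource names in the sample snapshots are constructed placeholders.

```python
def index_public_ips(nics):
    """Map (nic id, ipconfig name) -> public IP id (or None) from ARM NIC JSON."""
    out = {}
    for nic in nics:
        for cfg in nic.get("properties", {}).get("ipConfigurations", []):
            pip = cfg.get("properties", {}).get("publicIPAddress") or {}
            out[(nic["id"].lower(), cfg["name"].lower())] = pip.get("id")
    return out

def newly_exposed(before, after):
    """Return one finding per ipConfiguration that has a publicIPAddress in
    `after` but had none in `before`. A NIC absent from `before` counts as new
    exposure; a NIC that was already public, or that lost its IP, is not reported."""
    prev = index_public_ips(before)
    findings = []
    for (nic_id, cfg_name), pip_id in index_public_ips(after).items():
        if pip_id and not prev.get((nic_id, cfg_name)):
            findings.append({"nic": nic_id, "ipConfiguration": cfg_name, "publicIp": pip_id})
    return findings

# Constructed sample snapshots in the shape the NIC REST API returns;
# subscription, resource group and resource names are placeholders.
_NET = ("/subscriptions/00000000-0000-0000-0000-000000000000"
        "/resourceGroups/rg-app/providers/Microsoft.Network")

def _nic(name, public_ip=None):
    props = {"privateIPAllocationMethod": "Dynamic",
             "subnet": {"id": f"{_NET}/virtualNetworks/vnet-app/subnets/snet-app"}}
    if public_ip:
        props["publicIPAddress"] = {"id": f"{_NET}/publicIPAddresses/{public_ip}"}
    return {"id": f"{_NET}/networkInterfaces/{name}",
            "properties": {"ipConfigurations": [{"name": "ipconfig1", "properties": props}]}}

BEFORE = [_nic("app-vm-nic"), _nic("web-lb-nic", "web-pip"), _nic("db-vm-nic", "db-pip")]
AFTER = [_nic("app-vm-nic", "app-vm-pip"),   # gained a public IP -> flagged
         _nic("web-lb-nic", "web-pip"),      # unchanged, already public -> not flagged
         _nic("db-vm-nic"),                  # public IP removed -> not flagged
         _nic("new-vm-nic", "new-vm-pip")]   # brand-new NIC, born public -> flagged

if __name__ == "__main__":
    for f in newly_exposed(BEFORE, AFTER):
        print(f"NEWLY INTERNET-FACING: {f['nic']} / {f['ipConfiguration']} -> {f['publicIp']}")
```

In practice `BEFORE` and `AFTER` come from successive `az network nic list` exports; the same diff applies to load balancer front ends by swapping the path to `frontendIPConfigurations`.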