Security · Medium · Common · AZF-0036

A newly attached public IP quietly puts a resource on the internet

Attaching a public IP to a NIC or load balancer moves a resource from private to internet-facing in one property change, with no separate confirmation.

Footgun ID
AZF-0036 (Azure Footgun No. 36)
Azure service
Azure Public IP
Resource type
Microsoft.Network/publicIPAddresses
Updated
July 1, 2026

What it is

A public IP address that has just been associated with a resource — a VM's network interface, a load balancer front end, an application gateway — moves that resource from private-only to reachable across the public internet. This is the opposite of the idle, unattached public IP that only wastes money (AZF-0004): here the attachment itself is the risk, because it changes the network exposure of whatever it is bound to.

Impact (security)
A previously private resource becomes reachable from the entire internet
Basis: Azure behavior (authored assessment). Figures are estimates, not measurements.

Why it happens

Attaching a public IP is a single property change — the IP's ipConfiguration starts pointing at a NIC or front-end config — and Azure treats it as ordinary networking, not a security event. There's no separate "you are now internet-facing" confirmation step.

It happens through the most routine actions: ticking "Public IP" while creating a VM, adding a front end to a load balancer, or a template redeploy that reintroduces an association someone had deliberately removed. Whether the newly exposed endpoint is actually protected then depends entirely on the NSG and firewall rules behind it, which are configured separately and easy to get wrong. The attachment lands quietly and the resource is live on the internet before anyone reviews what's listening.

What it costs / blast radius

The public IP itself is a few dollars a month, but that isn't the point. The blast radius is new internet exposure: any port the resource listens on is now reachable from anywhere unless an NSG or firewall explicitly blocks it. (Azure behavior; authored assessment.) A management port, a database engine, or an admin panel that was safely private a moment ago becomes a target the instant the association is made, and the change leaves no obvious trail unless someone is watching for it.

See it

Footgun: NIC given a public IP -> the VM is now internet-facing
resource nic 'Microsoft.Network/networkInterfaces@2023-09-01' = {
  name: 'app-vm-nic'
  location: location
  properties: {
    ipConfigurations: [ {
      name: 'ipconfig1'
      properties: {
        subnet: { id: subnet.id }
        privateIPAllocationMethod: 'Dynamic'
        publicIPAddress: { id: publicIp.id }   // now reachable from the internet
      }
    } ]
  }
}
Fix: keep the resource private, or gate the exposure behind an NSG/Bastion
resource nic 'Microsoft.Network/networkInterfaces@2023-09-01' = {
  name: 'app-vm-nic'
  location: location
  properties: {
    ipConfigurations: [ {
      name: 'ipconfig1'
      properties: {
        subnet: { id: subnet.id }
        privateIPAllocationMethod: 'Dynamic'
        // no publicIPAddress -> private only; reach it via Bastion / a
        // load balancer whose NSG restricts inbound to known sources
      }
    } ]
  }
}
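One way to catch the quiet change described under "Why it happens", as an added example that is not part of this footgun entry or of StratoLens: diff two snapshots of NIC resources (shaped like the ARM JSON behind the Bicep above) and report every ipConfiguration that gained a publicIPAddress, including a brand-new NIC created with one and a redeploy that reintroduces a removed association. The subscription id, resource group, NIC and public IP names are constructed placeholders.

```python
# Diff two NIC snapshots and report ipConfigurations that gained a publicIPAddress.
# Input mirrors the ARM shape in the Bicep above (properties.ipConfigurations[].properties.publicIPAddress);
# every id here is a constructed sample value, not real tenant data.

RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"  # constructed

def nic(name, public_ip=None):
    """Minimal Microsoft.Network/networkInterfaces record with one ipConfiguration (constructed)."""
    pip = {"id": f"{RG}/providers/Microsoft.Network/publicIPAddresses/{public_ip}"} if public_ip else None
    return {
        "id": f"{RG}/providers/Microsoft.Network/networkInterfaces/{name}",
        "properties": {"ipConfigurations": [{
            "name": "ipconfig1",
            # publicIPAddress is None for a private-only config, {"id": ...} once bound
            "properties": {"privateIPAllocationMethod": "Dynamic", "publicIPAddress": pip},
        }]},
    }

def public_ip_bindings(nics):
    """Map (nic id, ipConfiguration name) -> public IP id for every internet-facing config."""
    bindings = {}
    for n in nics:
        for cfg in n["properties"]["ipConfigurations"]:
            pip = cfg["properties"].get("publicIPAddress")
            if pip and pip.get("id"):
                bindings[(n["id"], cfg["name"])] = pip["id"]
    return bindings

def newly_attached(previous, current):
    """Bindings present in `current` but absent (or pointing at a different IP) in `previous`.

    Catches a public IP added to an existing NIC, a NIC created with one, and a redeploy that
    reintroduces a removed association; configs exposed in both snapshots are not reported.
    """
    before, after = public_ip_bindings(previous), public_ip_bindings(current)
    return [
        {"nic": n.rsplit("/", 1)[-1], "ipConfiguration": cfg, "publicIp": pip.rsplit("/", 1)[-1]}
        for (n, cfg), pip in sorted(after.items())
        if before.get((n, cfg)) != pip
    ]

# Constructed snapshots: web-vm-nic was already exposed, app-vm-nic gained a public IP,
# mgmt-vm-nic is a brand-new NIC created with one.
PREVIOUS = [nic("app-vm-nic"), nic("web-vm-nic", "pip-web")]
CURRENT = [nic("app-vm-nic", "pip-app"), nic("web-vm-nic", "pip-web"), nic("mgmt-vm-nic", "pip-mgmt")]

if __name__ == "__main__":
    for hit in newly_attached(PREVIOUS, CURRENT):
        print(f"NEW INTERNET EXPOSURE: {hit['nic']}/{hit['ipConfiguration']} -> {hit['publicIp']}")
```

Run it on two successive exports of your NIC resources (for example, yesterday's and today's) and alert on any non-empty result; the already-exposed web-vm-nic is deliberately not reported, so the output is only what changed.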

How StratoLens helps

StratoLens tracks which resources are internet-facing across every subscription in your tenant and surfaces a public IP that has been newly attached, so a resource that just went from private to exposed shows up instead of blending into normal networking activity. You see the change without having to audit NIC configurations by hand.

Start Your 28-Day Free Trial

Every feature unlocked. Deploys to your Azure tenant. No data leaves your tenant.

Available now on the Azure Marketplace.

Built for Azure infrastructure teams who need complete visibility across their entire estate.