Forum Discussion

DalskiBo's avatar
DalskiBo
Copper Contributor
Mar 18, 2026

How To Handle Dynamic IP Addresses Of Clients?

With most users having dynamic Ip addresses how does one handle the Azure Firewall?  I do not think setting a range for the IP's is useful because different ISP's have different ranges... What is t...
AnkitDyeonia's avatar
AnkitDyeonia
Occasional Reader
Mar 18, 2026

Handling dynamic IP addresses for clients in Azure Firewall is a common challenge, especially since traditional firewall rules rely on static ranges that change frequently with ISPs. 

While you mentioned that VPNs or VNET Peering seem like unnecessary complications, they are often the standard for a reason: security and reliability. However, depending on your specific use case (e.g., administrative access vs. general user access), there are several ways to handle this.

Solution 1: If your goal is to handle administrative access (RDP/SSH) for clients with dynamic IPs, Azure Bastion is the cleanest solution. It provides RDP/SSH access via SSL (port 443) directly through the Azure Portal. You don't need to allow any client IP addresses in the Azure Firewall. The client only needs to log into the Azure Portal. It eliminates the need to manage a VPN but does have a per-hour cost.

Solution 2: If you are trying to let users access a web application, instead of filtering by IP, use a WAF on Azure Front Door or Application Gateway. You can filter by geographic region or use identity-based access (like Entra ID/Azure AD) rather than relying on volatile IP addresses.

Solution 3: If you strictly want to use Azure Firewall and don't want a VPN, you can automate the update of firewall rules. Create a small script (Azure Logic App or PowerShell function) that clients can trigger. When they click a specific link or run a local script, it detects their current public IP and updates the Azure Firewall "Allow" rule. This is technically hacky and can lead to a messy firewall policy if not cleaned up (e.g., setting the rule to expire after 8 hours).

Solution 4: While you noted this adds complexity, a Point-to-Site (P2S) VPN is the industry standard for dynamic IPs. The Azure Firewall only needs to trust the Internal VPN Subnet (a static private range). It doesn't care what the client's public ISP IP is. Yes, it requires a Gateway and client-side setup, but it removes the IP-chasing headache entirely.

If you are managing servers, Azure Bastion is your best bet to avoid IP management. If you are providing broad network access to employees, a P2S VPN is the most stable path.