SOLVED

Query returns external IPs (but VM has only private IPs)

%3CLINGO-SUB%20id%3D%22lingo-sub-1445342%22%20slang%3D%22en-US%22%3EQuery%20returns%20external%20IPs%20(but%20VM%20has%20only%20private%20IPs)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1445342%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%3C%2FP%3E%3CP%3EI%20use%20Azure%20Log%20Analytics%20and%20have%20this%20query%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CDIV%3E%3CDIV%3E%3CSPAN%3E%22Heartbeat%20%7C%20%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%20OSType%20%3D%3D%20%3C%2FSPAN%3E%3CSPAN%3E'Windows'%3C%2FSPAN%3E%3CSPAN%3E%7C%20%3C%2FSPAN%3E%3CSPAN%3Esummarize%3C%2FSPAN%3E%3CSPAN%3E%20arg_max(TimeGenerated%2C%20*)%20%3C%2FSPAN%3E%3CSPAN%3Eby%3C%2FSPAN%3E%3CSPAN%3E%20SourceComputerId%20%7C%20%3C%2FSPAN%3E%3CSPAN%3Esort%3C%2FSPAN%3E%20%3CSPAN%3Eby%3C%2FSPAN%3E%3CSPAN%3E%20Computer%20%7C%20%3C%2FSPAN%3E%3CSPAN%3Erender%3C%2FSPAN%3E%3CSPAN%3E%20table%22%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20response%2C%20I%20get%20external%20IPs%20in%20the%20ComputerIP%20column%20(Example%20%3CSPAN%3E40.68.38.236)%3C%2FSPAN%3E.%3CBR%20%2F%3EWhat%20is%20it%20about%20the%20IPs%3F%3C%2FP%3E%3CP%3ESince%20these%20VMs%20only%20use%20private%20IPs.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERegards%3C%2FP%3E%3CP%3EStefan%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1445342%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20Log%20Analytics%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EQuery%20Language%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1448336%22%20slang%3D%22en-US%22%3ERe%3A%20Query%20returns%20external%20IPs%20(but%20VM%20has%20only%20private%20IPs)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1448336%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F24406%22%20target%3D%22_blank%22%3E%40Stefan%20Kie%C3%9Fig%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Eeven%20if%20an%20Azure%20computer%20is%20not%20associated%20to%20a%20Public%20IP%20via%20a%20NIC%2C%20Load%20Balancer%2C%20etc.%2C%20when%20it%20does%20outbound%20Internet%20requests%2C%20SNAT%20comes%20into%20play%20and%20an%20IP%20from%20a%20pool%20of%20Azure%20IPs%20is%20assigned%20to%20your%20resource%20(more%20details%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fload-balancer%2Fload-balancer-outbound-connections%23defaultsnat%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Ehere%3C%2FA%3E).%3C%2FP%3E%3C%2FLINGO-BODY%3E
Regular Contributor

Hello,

I use Azure Log Analytics and have this query:

 

"Heartbeat | where OSType == 'Windows'| summarize arg_max(TimeGenerated, *) by SourceComputerId | sort by Computer | render table"

 

In response, I get external IPs in the ComputerIP column (Example 40.68.38.236).
What is it about the IPs?

Since these VMs only use private IPs.

 

Regards

Stefan

1 Reply
best response confirmed by Stefan Kießig (Regular Contributor)
Solution

@Stefan Kießig 

 

even if an Azure computer is not associated to a Public IP via a NIC, Load Balancer, etc., when it does outbound Internet requests, SNAT comes into play and an IP from a pool of Azure IPs is assigned to your resource (more details here).