The IP address 220.127.116.11 is a virtual public IP address that is used to facilitate a communication channel to internal platform resources for the bring-your-own IP Virtual Network scenario. Because the Azure platform allows customers to define any private or customer address space, this resource must be a unique public IP address. It cannot be a private IP address, because the address must not collide with any address space the customer defines. This virtual public IP address facilitates the following things:
- Enables the VM Agent to communicate with the platform to signal that it is in a “Ready” state
- Enables communication with the DNS virtual server to provide filtered name resolution to customers that do not define custom DNS servers. This filtering ensures that customers can only resolve the hostnames of their deployment.
- Enables monitoring probes from the load balancer to determine health state for VMs in a load balanced set
- Enables PaaS role Guest Agent heartbeat messages
The virtual public IP address 18.104.22.168 is used in all regions and all sovereign clouds, and it will not change. Therefore, it is recommended that this IP be allowed in any local firewall policies. It should not be considered a security risk, as only the internal Azure platform can source a message from that address. Not allowing it will result in unexpected behavior in a variety of scenarios.
Additionally, traffic from the virtual public IP address 22.214.171.124 that is communicating with the endpoint configured for a load balanced set monitor probe should not be considered attack traffic. In a non-virtual network scenario, the monitor probe is sourced from a private IP.
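The two points above (allow the platform address in local firewall policy, and do not treat its probe traffic as an attack) are easy to get wrong when a host-based firewall's log feeds an alerting rule. The following added example, which is not Microsoft's code and not part of the original page, shows a small triage routine that parses iptables-style LOG lines and labels flows involving the platform virtual public IP so that health probes are not escalated and the allow rule can be generated from the same configuration. The log lines, the probe port 8080, the interface name and the `10.0.0.4` VM address are constructed sample data; the platform address used is the value this page states.

```python
"""Triage host-firewall log lines involving the Azure platform virtual public IP.

Added example, not Microsoft's code. PLATFORM_VIP is the value this page
states for the platform virtual public IP; everything else (log lines, probe
port, VM address) is constructed for illustration.
"""
import ipaddress
import re

PLATFORM_VIP = ipaddress.ip_address("220.127.116.11")  # value as stated on this page

# Constructed iptables-style LOG lines: one health probe, one DNS lookup from
# the VM to the platform, one external hit on the probe port, and one platform
# packet to a port that is not the configured probe port.
SAMPLE_LOG = """\
kernel: IN=eth0 OUT= SRC=220.127.116.11 DST=10.0.0.4 PROTO=TCP SPT=50011 DPT=8080
kernel: IN= OUT=eth0 SRC=10.0.0.4 DST=220.127.116.11 PROTO=UDP SPT=40022 DPT=53
kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.4 PROTO=TCP SPT=44444 DPT=8080
kernel: IN=eth0 OUT= SRC=220.127.116.11 DST=10.0.0.4 PROTO=TCP SPT=50012 DPT=22
"""

LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) SPT=(\d+) DPT=(\d+)")


def classify_flow(src, dst, dport, probe_ports):
    """Label one flow. probe_ports is the set of ports configured as load
    balancer monitor probe endpoints on this VM."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    if src_ip == PLATFORM_VIP:
        if dport in probe_ports:
            # The page states this is expected probe traffic, not an attack.
            return "platform-health-probe"
        # Still platform-sourced (only the platform can use this address);
        # worth a look at the probe configuration rather than an alert.
        return "platform-inbound-other"
    if dst_ip == PLATFORM_VIP:
        # VM Agent ready signal, DNS resolution, PaaS guest agent heartbeat.
        return "vm-to-platform"
    if dport in probe_ports:
        # Not the platform address: handle like any other inbound hit.
        return "external-to-probe-port"
    return "other"


def triage(log_text, probe_ports):
    """Parse LOG lines and return (src, dst, dport, label) tuples."""
    results = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that are not firewall LOG records
        src, dst, _proto, _sport, dport = m.groups()
        results.append((src, dst, int(dport), classify_flow(src, dst, int(dport), probe_ports)))
    return results


def iptables_allow_rules(probe_ports, iface="eth0"):
    """Render the local-firewall allow rules the page recommends: accept
    inbound probes from the platform address and outbound traffic to it."""
    vip = str(PLATFORM_VIP)
    rules = [f"iptables -A OUTPUT -o {iface} -d {vip} -j ACCEPT"]
    for port in sorted(probe_ports):
        rules.append(f"iptables -A INPUT -i {iface} -s {vip} -p tcp --dport {port} -j ACCEPT")
    return rules


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG, {8080}):
        print(entry)
    print("\n".join(iptables_allow_rules({8080})))
```

The labels are deliberately neutral: the only flow that should feed an ordinary inbound-hit alert is `external-to-probe-port`, while `platform-inbound-other` is a configuration review item (the probe port in the firewall policy may not match the load balancer), not an incident.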