Upgrade from a Basic to Standard SKU public IP Address on Azure-hosted PA-VM

Using the Azure Portal, upgrade Basic SKU public IP Addresses associated with your private IPs assigned to your Firewall’s, or Panorama’s, interfaces, to Standard SKU public IP Addresses.

 

• Platform: PA-VM on Azure.
• Basic SKU public IP Addresses attached to interfaces on the Firewall.

Disclaimers:

• This article is intended to be used over and above Azure’s official documentation on this matter (https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-basic-upgrade-guidance).
• We recommend performing the upgrade during a maintenance window.

Prerequisites:

1. A Network Security Group (Microsoft, 2023) has to be attached to the interface that has the Standard SKU public IP Address assigned (Microsoft, 2023); an interface with a Basic SKU public IP Address doesn’t need an NSG.
2. The Basic SKU public IP Address has to be:
   1. Dissociated from the interface.
   2. Statically allocated.

3. Azure does not support having different SKUs of public IP Addresses on the same VM; 
   • This means that a Firewall cannot have both a Basic SKU public IP Address and a Standard SKU public IP Address public IP simultaneously; 
   • Attempting to associate a Standard SKU public IP Address to a VM that already has a Basic SKU public IP Address will lead to the following error in step 4 of the Procedure section of this article

The idea is to first dissociate ALL Basic SKU public IP Addresses, convert all of them to Standard SKU public IP Addresses, and then associate them all again.

1. Ensure that each interface that is expected to have a Standard SKU public IP Address, has an NSG; the Firewall VM pictured has, on its Untrust interface, the secondary IP as a Basic SKU public IP Address:

2. Shut the Firewall down either from the Azure portal, or (recommended) via the GUI or the CLI.
3. On the Azure portal, go to the Firewall VM page > Networking (under Settings).
4. We now dissociate all Basic SKU public IP Addresses from the VM; for each Basic SKU public IP Address on each interface, perform the following steps:
   1. Click on the highlighted text next to “NIC Public IP”.

2. Click on “Dissociate” and confirm dissociation when prompted to.

3. Click on “Upgrade to Standard SKU …” and acknowledge when prompted to.

4. Verify whether the SKU has changed.

5. On the Azure portal, go to the Firewall VM page > Networking (under Settings)
6. We now reassociate the newly converted Standard SKU public IP Addresses to the corresponding interface; for each Standard SKU public IP Address that has to be associated with each interface’s primary or secondary IP, perform the following:
   1. Click on the highlighted text next to “Network interface”.

2. Under IP configurations, click on the IP that should have a public IP.

3. On the side panel that opens (“Edit IP configuration”), check the box next to “Associate public IP address”, and from the dropdown list that will load, select the corresponding public IP address.

7. Turn the Firewall back on.

References

Microsoft. (2023, 03 15). Network security groups. Microsoft Learn - Documentation. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview