SOLVED: What is 168.63.129.16? Azure WireServer IP Explained

Yesterday we had a client with many IP and DNS problems and the screenshot below was taken after we cleaned up about half of them. As you can see, 168.63.129.16 is used both as a DHCP server and as a DNS FORWARDER, and the name shows up as <UNABLE TO RESOLVE>. This is unexpected to Windows Server administrators who understand on-prem DNS and DHCP, but completely normal and correct in Azure VMs.



What is 168.63.129.16?

If you know anything about IP addressing you will immediately recognize this as a public IP but:

  1. it does not resolve to a name
  2. you cannot talk (ping, NSLookup, Telnet…) to it from outside of Azure

So just what is it?

Microsoft calls it the “Azure WireServer IP”. The IP 168.63.129.16 is a special virtual public IP address used by Microsoft Azure for several critical functions within the Azure platform. This IP address is consistent across all Azure regions and national clouds, and it plays a vital role in the operation and management of Azure resources.

Functions of 168.63.129.16

  1. DHCP Services: This IP address is used by Azure to provide DHCP services to virtual machines (VMs). When a VM is deployed in Azure, it can obtain a dynamic IP address from this DHCP service, ensuring that each VM has the necessary network configuration to communicate within the virtual network
  2. DNS Services: The IP address also serves as a DNS server for VMs that do not have a custom DNS server configured. It provides filtered name resolution, allowing VMs to resolve the hostnames of other resources within the same virtual network. This ensures that internal communication within the Azure environment is seamless and efficient
  3. VM Agent Communication: The Azure VM Agent uses this IP address to communicate with the Azure platform. This communication is essential for the VM Agent to signal that the VM is in a “Ready” state and to send heartbeat messages, which are used to monitor the health and status of the VM
  4. Health Probes: Azure Load Balancer uses this IP address to perform health probes on VMs. These probes help determine the health and availability of VMs, ensuring that traffic is only directed to healthy instances

Should Internal DNS Servers Be Forwarders in Azure?

As shown in the screenshot above, for DNS servers in Azure, it is generally recommended to have only 168.63.129.16 listed in DNS forwarding.

If you have internal DNS servers that need to resolve internal domain names not managed by Azure, you might consider adding them as DNS forwarders. However, this depends on your specific network architecture and requirements:

  • Internal Name Resolution: If you have internal domains or resources that are not part of the Azure environment, listing your internal DNS servers as forwarders can help resolve those names
  • Hybrid Environments: In hybrid environments where you have both on-premises and Azure resources, you might need to configure DNS forwarders to ensure seamless name resolution across both environments

The Microsoft “best practice” for DNS Forwarding in Azure is:

  • Primary Forwarder: Use 168.63.129.16 for Azure-specific DNS queries
  • Secondary Forwarders: Add internal DNS servers if you need to resolve internal domain names not managed by Azure

High Availability & How It Works

The IP address 168.63.129.16 in Azure is “highly available”. It is a virtual public IP that is used across all Azure regions and national clouds, ensuring consistent availability and reliability. It is

  • not subject to user-defined routes
  • always accessible to VMs within the entire Azure environment, regardless of the network configuration

Communication with this IP address is secure, as only the internal Azure platform can source messages from it.

History & Interesting Facts

Microsoft has been using the Azure WireServer IP address (168.63.129.16) since the very early days of Azure. This IP address is unique in that it is owned by Microsoft and does not ever change, providing a stable and reliable endpoint for critical Azure services.

One interesting aspect of this IP address is that it does not support reverse DNS lookup. This means that if you try to retrieve the Fully Qualified Domain Name (FQDN) using reverse lookup commands, you won’t receive any FQDN.

Also, 168.63.129.16 will not respond to DNS requests from on-prem servers, so don’t use it as a FORWARDER there.
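The forwarder guidance above (168.63.129.16 as primary forwarder in Azure, never as a forwarder on-prem) can be checked with a short audit function. This is an added example, not code from the original article or from Microsoft: `Test-DnsForwarderList` and its parameters are hypothetical names, the 10.0.0.x addresses are constructed, and treating "primary" as "first in the list" is an assumption.

```powershell
# Added example: audits a DNS forwarder list against the guidance in this article.
# Test-DnsForwarderList is a hypothetical helper, not a Microsoft cmdlet.
$WireServer = '168.63.129.16'

function Test-DnsForwarderList {
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$Forwarder,
        [switch]$OnPrem   # set when the DNS server runs outside Azure
    )
    $findings = @()
    # Position of the WireServer IP in the forwarder order (-1 when absent)
    $index = [array]::IndexOf($Forwarder, $WireServer)

    if ($OnPrem) {
        if ($index -ge 0) {
            $findings += "$WireServer is listed, but it does not answer DNS requests from on-prem servers; remove it."
        }
    }
    elseif ($index -lt 0) {
        $findings += "$WireServer is missing; Azure-specific DNS queries have no forwarder."
    }
    elseif ($index -gt 0) {
        # Assumption: "primary forwarder" means first in the list
        $findings += "$WireServer is forwarder #$($index + 1); it should be the primary forwarder."
    }

    [pscustomobject]@{
        Forwarders = $Forwarder -join ', '
        Location   = if ($OnPrem) { 'On-prem' } else { 'Azure' }
        Compliant  = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

# Constructed sample inputs (10.0.0.4 stands in for an internal DNS server)
Test-DnsForwarderList -Forwarder '168.63.129.16', '10.0.0.4'          # Azure VM, WireServer first
Test-DnsForwarderList -Forwarder '10.0.0.4', '168.63.129.16'          # Azure VM, WireServer second
Test-DnsForwarderList -Forwarder '10.0.0.4'                           # Azure VM, WireServer absent
Test-DnsForwarderList -Forwarder '10.0.0.4', '168.63.129.16' -OnPrem  # on-prem server listing it

# On a live Windows DNS server (requires the DnsServer module), audit the real list:
# Test-DnsForwarderList -Forwarder (Get-DnsServerForwarder).IPAddress.IPAddressToString
```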

Conclusion

The Azure WireServer IP address 168.63.129.16 is a cornerstone of Azure’s networking infrastructure, providing DHCP, DNS, VM Agent communication, and health probe services. Its consistent presence across all Azure regions and its secure, reliable operation make it an essential component of the Azure platform.


Published by
Ian Matthews