
Outbound Internet Access Will Retire in September 2025: Are You Ready?

Save the date: September 30, 2025, marks a major change in how internet access works in Azure, affecting all customers and regions worldwide.

Microsoft is retiring default outbound internet access for new VMs after this date. 

Any new VM in your Azure tenant from that date forward will require an explicit outbound access method to reach the internet.

If you haven’t started preparing, you’re already behind.

Author: Niels Kroeze, IT Business Copywriter

Reading time: 5 minutes | Published: 21 August 2025

In this article, we’ll discuss: 

  • Why Microsoft is ending default outbound internet access and what this means for your network security 
  • How to get your environment ready before the deadline (September 30) 
  • A comparison of outbound access options (Public IPs, NAT Gateway, etc.) 

 

What is Microsoft doing now?

Since Azure’s early days, Microsoft has been giving newly created VMs and Virtual Machine Scale Sets (VMSS) a hidden public IP address – even though you never asked for it.

At first glance, it seems that this VM has no public IP, right? 

Screenshot of an Azure VM

However, when you go into that VM and open a web browser, you can reach the internet without issue. That access comes through a pool of source network address translation (SNAT) IP addresses, a setup that Microsoft calls default outbound internet access.  

After September 2025, Azure will no longer assign a default implicit IP for VMs to reach the internet.  

If you deploy compute resources in Azure, you'll need to be aware of this change, as it will have a huge impact. 

 

Why is Microsoft making this change?

After all these years, why is Microsoft doing this now? With today’s default outbound access, Azure VMs can bypass security controls, such as content filtering, leaving egress traffic unmonitored and vulnerable to data exfiltration.  

For example: Azure Virtual Desktop hosts could access the internet directly, ignoring security policies.  

Hence, Azure is moving towards a secure-by-default model, motivated by these three reasons:  

  • Zero Trust security principles recommend against having a virtual network open to the internet by default. 
  • Connectivity should be explicit, not implicit. You should only grant access where required, which reduces network risk. 
  • Default outbound IPs will change over time. Anything dependent on them will eventually break. 

With this configuration change, the issues mentioned above will be resolved, thereby improving your network security. 

 

Will it affect existing deployments? 

The good news is that existing deployments will continue to work as long as they don’t require new VMs. Only new VMs or new subnets will need explicit connectivity. 

Microsoft has said that this change will not impact existing virtual networks and subnets.

In general, default outbound access was never recommended for production workloads, as it provides administrators with limited control over a VM’s internet access.  

 

Don’t forget your PaaS services 

As you know, Azure is more than just VMs on networks. There are platform services, such as storage accounts, databases, AI, and cognitive services, among others, all designed with internet-facing endpoints. With new private subnets, these services become inaccessible from your VMs.

Private endpoints solve this by connecting your VMs directly to Azure services over Microsoft's private backbone, eliminating the need for the public internet. 

 

How do you prepare for this change? 

Fortunately, you don’t have to rebuild internet access from scratch for your existing Azure VMs. However, you’ll need to: 

  • Redesign and update your current network policies and procedures for new deployments. 
  • Create a plan for existing deployments.  

 

What to do if you still need internet access? 

If your setup requires explicit outbound connectivity, you’ll need to choose how your newly deployed VMs access the internet. You can choose from a range of options: 

Available Azure Access Options 

Options after September 2025 for configuring explicit outbound connectivity include: 

  • Public IPs for VMs: These don’t scale as networks grow. Additionally, a public IP exposes your VM to inbound threats from the internet, as the VM is directly accessible to the world. Only Network Security Groups (NSGs) can protect it.
  • Load balancers with outbound rules: Suitable for multiple VMs that do the same job. This option costs significantly less than a firewall, but the downside is that it doesn't scale well and requires additional configuration and overhead.
  • NAT Gateway: The optimal outbound connectivity solution. It gives you a static IP address for all outbound connectivity to the internet and can have loads of VMs behind it.
  • Firewalls: If you need secure (inbound and outbound) access from the internet, security filtering, or TLS inspection, a firewall is a great option. The downsides are its higher cost and the way it manages your outbound ports (limited to 2,496 SNAT ports for every public IP address that's attached to your firewall, with a limit of up to 250 IPs).

As you can see, each option has different features and cost trade-offs. Often, Azure Firewall and Azure NAT Gateway are the best options. Which one is actually best depends on your requirements.

A NAT Gateway is often the simplest and most cost-effective choice, as it provides a static outbound IP for multiple VMs on a subnet. It offers a simpler outbound internet access option that is similar to today’s default outbound access. 

You can also combine a firewall and a NAT gateway for even greater scalability. 

Note:

If you have multiple VNETs that aren't peered, and you don't route traffic to a firewall, you will actually need a gateway per VNET. That's a current limitation on the gateway side. Also, note that Azure NAT Gateways don’t inspect egress traffic, leaving your outbound traffic vulnerable to data exfiltration. 
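One way to apply the option list above when planning existing deployments, as an added example that is not from the original article: a Python audit that labels each VM with its outbound method and flags the VMs that rely on implicit access or have no internet path at all. The inventory, its field names, and the order in which the methods are checked are assumptions of this example.

```python
# Constructed sample inventory; field names are an assumed, simplified schema,
# not the output format of any Azure tool.
INVENTORY = [
    {"vnet": "vnet-hub", "subnet": "avd", "private_subnet": True,
     "firewall_default_route": True, "nat_gateway": False,
     "vms": [{"name": "avd-host-01", "public_ip": False, "lb_outbound_rule": False}]},
    {"vnet": "vnet-app", "subnet": "web", "private_subnet": True,
     "firewall_default_route": False, "nat_gateway": True,
     "vms": [{"name": "web-01", "public_ip": False, "lb_outbound_rule": False}]},
    {"vnet": "vnet-legacy", "subnet": "default", "private_subnet": False,
     "firewall_default_route": False, "nat_gateway": False,
     "vms": [{"name": "jump-01", "public_ip": True, "lb_outbound_rule": False},
             {"name": "batch-01", "public_ip": False, "lb_outbound_rule": False}]},
    {"vnet": "vnet-new", "subnet": "data", "private_subnet": True,
     "firewall_default_route": False, "nat_gateway": False,
     "vms": [{"name": "etl-01", "public_ip": False, "lb_outbound_rule": False}]},
]
# Review notes per method, taken from the trade-offs listed in the article.
NOTES = {
    "firewall": "egress can be filtered and inspected; watch cost and SNAT port limits",
    "nat_gateway": "static outbound IP; egress traffic is not inspected",
    "public_ip": "VM is directly reachable from the internet; only NSGs protect it",
    "lb_outbound_rule": "extra configuration and overhead; does not scale well",
    "default_outbound": "implicit access; plan an explicit method",
    "none": "no internet path; add a method or use private endpoints for PaaS",
}

def outbound_method(subnet, vm):
    """Return the method a VM uses; the check order is this example's assumption."""
    checks = [("firewall", subnet["firewall_default_route"]), ("nat_gateway", subnet["nat_gateway"]),
              ("public_ip", vm["public_ip"]), ("lb_outbound_rule", vm["lb_outbound_rule"])]
    for method, present in checks:
        if present:
            return method
    return "none" if subnet["private_subnet"] else "default_outbound"

def audit(inventory):
    """Map 'vnet/subnet/vm' to its outbound method for every VM."""
    return {f'{s["vnet"]}/{s["subnet"]}/{vm["name"]}': outbound_method(s, vm)
            for s in inventory for vm in s["vms"]}

def needs_action(inventory):
    """VMs with implicit or no outbound access, sorted by key."""
    return sorted(k for k, m in audit(inventory).items() if m in ("default_outbound", "none"))

if __name__ == "__main__":
    for vm, method in audit(INVENTORY).items():
        print(f"{vm}: {method} ({NOTES[method]})")
```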

Closing thoughts 

The key takeaways are: 

  • Start now or never; the deadline is approaching, so be ready before the retirement goes live. 
  • Existing VMs won’t be affected, but new deployments require explicit configuration. 
  • Evaluate security and cost when selecting your outbound access method. 

The change to Azure VM internet access reflects Microsoft's ongoing effort to enhance security, now adopting a secure-by-default model. It provides the perfect opportunity to strengthen your Azure environment.

You can now redesign for stronger network security if you haven’t already.

Ensure you review the available Azure options and select the best fit for your organisation. 
