Microsoft has announced the retirement of default outbound Internet access for virtual machines (VMs) in Azure as part of its Secure Future Initiative, effective on the 30th of September 2025. On this date, default outbound access for new deployments will be retired. After this date, all new VMs that require internet access will need to use an explicit outbound connectivity method such as Azure NAT Gateway, Azure Load Balancer outbound rules, or a directly attached Azure public IP address.
Update Overview
Recommended Actions for Azure VM Default Outbound Access Retirement
To maintain uninterrupted internet connectivity for your VM workloads, first evaluate your current VM workloads and their internet access requirements. Understanding what your VMs need in terms of connectivity determines the best transition strategy. The next step is selecting the most suitable outbound method. Review the Azure documentation to choose between Azure NAT Gateway, Azure Load Balancer outbound rules, direct public IP addresses, or a virtual appliance/Azure Firewall.
Once you have selected the appropriate method, proceed with implementing explicit connectivity:
- Migrate VMs to Use Azure NAT Gateway: Create a NAT gateway and associate it with your VM’s subnet. This enables managed connections and improved reliability.
- Configure Outbound Rules on Azure Load Balancer: Apply outbound rules on a standard load balancer to manage and control internet access.
- Assign a Public IP Address Directly to the VM: Attach a standard public IP directly to the VM’s network interface to ensure dedicated internet connectivity.
- Utilize a Virtual Appliance or Azure Firewall: Enhance security and control by guiding internet traffic through a virtual appliance or Azure Firewall.
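To support the evaluation step, the following added example (not Microsoft's or this page's own tooling) checks each VM against the four explicit methods listed above and reports the VMs that have none. The inventory is constructed sample data in a simplified, hypothetical shape, not raw Azure API output, and all resource names are made up.

```python
"""Flag VMs that have no explicit outbound method (added example, constructed data)."""

# Constructed inventory in a simplified, hypothetical shape (assumption, not Azure API output).
INVENTORY = {
    "subnets": {
        "app":  {"nat_gateway": "natgw-app", "default_route_next_hop": None},
        "data": {"nat_gateway": None, "default_route_next_hop": "VirtualAppliance"},
        "mgmt": {"nat_gateway": None, "default_route_next_hop": None},
    },
    # Backend pools that an outbound rule on a standard load balancer references.
    "lb_outbound_pools": {"pool-web"},
    "vms": [
        {"name": "vm-app-01", "subnet": "app", "public_ip": None, "lb_pools": []},
        {"name": "vm-db-01", "subnet": "data", "public_ip": None, "lb_pools": []},
        {"name": "vm-web-01", "subnet": "mgmt", "public_ip": None, "lb_pools": ["pool-web"]},
        {"name": "vm-jump-01", "subnet": "mgmt", "public_ip": "pip-jump", "lb_pools": []},
        {"name": "vm-batch-01", "subnet": "mgmt", "public_ip": None, "lb_pools": ["pool-internal"]},
    ],
}


def explicit_methods(vm, inventory):
    """Return every explicit outbound method that applies to one VM."""
    subnet = inventory["subnets"][vm["subnet"]]
    methods = []
    if subnet["default_route_next_hop"] == "VirtualAppliance":
        methods.append("firewall-or-appliance")  # 0.0.0.0/0 routed to an appliance or firewall
    if subnet["nat_gateway"]:
        methods.append("nat-gateway")
    if vm["public_ip"]:
        methods.append("public-ip")
    # Pool membership only counts when an outbound rule references that pool.
    if set(vm["lb_pools"]) & inventory["lb_outbound_pools"]:
        methods.append("lb-outbound-rule")
    return methods


def audit(inventory):
    """Map each VM name to its explicit methods; an empty list means none was found."""
    return {vm["name"]: explicit_methods(vm, inventory) for vm in inventory["vms"]}


def no_explicit_method(inventory):
    """Sorted names of VMs that still need an explicit outbound method."""
    return sorted(name for name, methods in audit(inventory).items() if not methods)


if __name__ == "__main__":
    for name, methods in audit(INVENTORY).items():
        print(f"{name:12} {', '.join(methods) or 'NO EXPLICIT OUTBOUND METHOD'}")
```

VMs returned by `no_explicit_method` are the ones to plan a transition for; a VM that only sits in a load balancer backend pool without an outbound rule is reported there too.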
Benefits of Explicit Outbound Connectivity for Azure VMs
Switching to explicit outbound methods offers several benefits. Improved reliability ensures consistent and managed internet connectivity, eliminating reliance on default configurations. Enhanced security aligns with Zero Trust network principles, preventing default internet exposure. Furthermore, avoiding IP loss is crucial as default outbound access IPs can change and cause disruptions. Explicit methods prevent such issues, ensuring that your infrastructure remains robust and secure.
Key Considerations and Common Concerns
As you transition to explicit outbound connectivity, several questions and considerations might arise. Migrating gives you reliable internet connectivity and enhanced security. Managed and consistent internet access adheres to best practices for network security. Future-proofing is also essential, as it prepares your infrastructure for advancements and changes.
Conclusion on Azure VM Default Outbound Access Retirement
Transitioning to explicit outbound connectivity is imperative for the reliability and performance of your Azure environments. Making this shift before the deadline ensures you avoid disruptions and benefit from enhanced capabilities and security. Don’t wait until the last minute; begin planning your transition today to ensure seamless continuity of your services. And in our opinion, always use Azure Firewall or a network appliance as your default outbound connectivity solution.
Additional Resources
For detailed guides and further assistance, refer to: