Azure – Default outbound internet access will be retired in September 2025

As you know when you deploy virtual machines in Azure, these VM’s automatically have internet provided through a default outbound internet access.

Diagram of default outbound access.

Because the default outbound connectivity uses a default public address which can change and is not compliant with a Zero trust approach, it has been a recommendation to implement an explicit outbound connectivity using either a NAT Gateway, an attached public IP or load balancer rules.

Starting September 30, 2025, this default outbound connectivity will be retired and you will have to use an explicit outbound connectivity before this date using either of these methods:

  • Associate a NAT gateway to the subnet of your virtual machine
  • Associate a standard load balancer configured with outbound rules
  • Associate a public IP to any of the virtual machine’s network interfaces (if there are multiple network interfaces, having a single NIC with a standard public IP prevents default outbound access for the virtual machine)

Diagram of explicit outbound options.

Leave a Comment

Your email address will not be published. Required fields are marked *

The reCAPTCHA verification period has expired. Please reload the page.