Microsoft has announced a significant change to Azure networking. Starting September 30, 2025, Microsoft will no longer offer default outbound internet access for new virtual machines (VMs). This is a major shift that you will need to understand, as it will impact both new and existing deployments.
What is default outbound access?
Currently, any new VM created in Azure can access the internet automatically, without any additional configuration. Azure provides this access using a default outbound IP, but this IP is not owned by the customer.
From September 30th onward, this will no longer be the case. New VMs will not have automatic internet access.
If default outbound access is gone, how do I access the internet?
After this change, you will need to configure an explicit method of internet access for your VMs: an Azure NAT gateway, a statically assigned public IP address, a network virtual appliance (NVA) or a load balancer.
Comparing these options:
Public IPs
- You can assign a public IP address directly to your VMs. For small setups this might be the easiest and cheapest method, at approx. €3 per month RRP per public IP, but it does come with risks. Assigning a public IP to a VM means that any misconfiguration in the network security group (NSG) could potentially expose your servers to the internet. This method will become unmanageable for setups with multiple VMs.
Azure NAT gateway
- An Azure NAT gateway works like an on-premises network with a basic router: it allows you to have multiple virtual machines behind one public IP address. The NAT gateway is assigned to a subnet, allowing all new and existing VMs in that subnet to access the internet via its IP. This is particularly useful for Azure Virtual Desktop (AVD), because all session hosts will use the same external IP and any external resources they require access to can be locked down to just that IP. It carries much less risk than assigning addresses directly, as there is no default inbound access, but it has a higher cost: €29 per month, 4 cents per GB processed, plus the cost of one standard public IP.
Network Virtual Appliance
- This is an excellent choice for medium-sized deployments, AVD environments or where security is of the highest importance. A network virtual appliance (NVA) is a virtual machine running a firewall OS; most firewall vendors, such as WatchGuard, SonicWall, Fortinet, Check Point, OPNsense and pfSense, provide an Azure image. Just like an Azure NAT gateway, it performs like an on-premises network. It allows all VMs in a vNet to access the internet without manual configuration on each one, and all machines will have the same outbound public IP address. It also allows you to configure security policies and inbound NAT, and it can act as a VPN endpoint, all with the same familiar interface as its on-prem counterpart. The initial setup is slightly more complex, but ongoing management is no different to any other firewall. The costs vary depending on the size of the environment, the licence cost and the spec required by the vendor, but can be as low as €20 per month for the VM and IP address plus software charges.
What is the impact?
All new Azure VMs created after the 30th of September will be affected by this change. Existing machines will continue to work as they currently do, but it’s recommended to get ahead of the change.
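One way to get ahead of the change is to inventory which network interfaces have none of the explicit outbound methods described above. The following is an added example, not Microsoft's or this article's own tooling: it classifies NICs from JSON shaped like the output of `az network nic list`, `az network vnet subnet list` and `az network route-table list`. The sample data, the shortened resource IDs and the function names are constructed for illustration.

```python
import json

# Constructed sample data shaped like the JSON from `az network vnet subnet list`,
# `az network route-table list` and `az network nic list`; IDs are shortened placeholders.
SUBNETS = json.loads("""[
 {"id": "/vnet1/subnets/avd", "natGateway": {"id": "/natGateways/ng1"}, "routeTable": null},
 {"id": "/vnet1/subnets/app", "natGateway": null, "routeTable": {"id": "/routeTables/rt-fw"}},
 {"id": "/vnet1/subnets/legacy", "natGateway": null, "routeTable": null}]""")
ROUTE_TABLES = json.loads("""[
 {"id": "/routeTables/rt-fw", "routes": [
   {"addressPrefix": "0.0.0.0/0", "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.0.4"}]}]""")
NICS = json.loads("""[
 {"name": "avd-host-nic", "ipConfigurations": [{"subnet": {"id": "/vnet1/subnets/AVD"}}]},
 {"name": "app-nic", "ipConfigurations": [{"subnet": {"id": "/vnet1/subnets/app"}}]},
 {"name": "jump-nic", "ipConfigurations": [{"subnet": {"id": "/vnet1/subnets/legacy"},
                                            "publicIPAddress": {"id": "/publicIPAddresses/pip1"}}]},
 {"name": "old-nic", "ipConfigurations": [{"subnet": {"id": "/vnet1/subnets/legacy"}}]}]""")

def _key(ref):
    """Azure resource IDs are case-insensitive, so normalise before lookup."""
    return ((ref or {}).get("id") or "").lower()

def explicit_methods(nic, subnets, route_tables):
    """Explicit outbound methods visible for one NIC; an empty list means none."""
    found = set()
    for cfg in nic.get("ipConfigurations", []):
        if cfg.get("publicIPAddress"):
            found.add("public-ip")
        if cfg.get("loadBalancerBackendAddressPools"):
            # Pool membership only; outbound rules on the load balancer still need checking.
            found.add("load-balancer-pool")
        subnet = subnets.get(_key(cfg.get("subnet")), {})
        if subnet.get("natGateway"):
            found.add("nat-gateway")
        routes = route_tables.get(_key(subnet.get("routeTable")), {}).get("routes", [])
        if any(r.get("addressPrefix") == "0.0.0.0/0"
               and r.get("nextHopType") == "VirtualAppliance" for r in routes):
            found.add("nva-route")
    return sorted(found)

def audit(nics, subnets, route_tables):
    """Map each NIC name to its explicit outbound methods."""
    by_subnet = {s["id"].lower(): s for s in subnets}
    by_rt = {t["id"].lower(): t for t in route_tables}
    return {n["name"]: explicit_methods(n, by_subnet, by_rt) for n in nics}

if __name__ == "__main__":
    for name, methods in audit(NICS, SUBNETS, ROUTE_TABLES).items():
        print(f"{name}: {', '.join(methods) or 'no explicit outbound method'}")
```

A NIC that comes back with an empty list is a candidate for one of the options above before its workload is rebuilt or scaled out onto new VMs.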
Why is this change being made?
Providing default internet access is contrary to the principles of Zero Trust Networking. All inbound or outbound access should be explicitly granted rather than implicitly allowed. Also, from an admin point of view customers don’t own the default outbound IP address. This IP might change, and any dependency on it could cause issues in the future.
Default outbound access in Azure – Azure Virtual Network | Microsoft Learn