Default outbound VM access in Azure will be retired on 30th September 2025

Microsoft is enhancing security by moving towards a secure-by-default mode, by retiring the default outbound access for all newly deployed Azure virtual machines as from the 30th September 2025.

What is default outbound access?

In Azure, virtual machines currently created in a virtual network without explicit outbound connectivity defined, are assigned a default implicit IP to allow outbound communication to the internet.

Retirement:

As from September 30th, 2025 Azure will no longer assign a default implicit IP for VMs to communicate outbound to the internet which means the default outbound access to the internet will be turned off.

What happens to existing virtual machines?

Existing VMs will not be impacted by this retirement and will stay using the default outbound access.

How does this affect new virtual machines deployed from 30th September 2025?

If you require outbound access after this date, you will have to enable outbound internet access with explicit outbound methods as explained below.

Transition:

If you have existing VMs with default outbound access and would like to migrate to a more secure-by-default configuration after this date, there is a mechanism to enable this configuration at any time as explained below.

Available options for explicit method of public connectivity

  1. Associate a NAT gateway to the subnet of your virtual machine.

2. Associate a standard load balancer configured with outbound rules.

3. Associate a Standard public IP to any of the virtual machine’s network interfaces (if there are multiple network interfaces, having a single NIC with a standard public IP prevents default outbound access for the virtual machine).

4. Use Flexible orchestration mode for Virtual Machine Scale Sets.

https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/flexible-virtual-machine-scale-sets-portal

–I hope this blog helped explain the deprecation of default outbound access as well as the 4 concepts of explicit outbound connectivity–

Leave a comment

Your email address will not be published. Required fields are marked *