Azure Removing Default Outbound Access for Virtual Machines

Microsoft has announced that it is retiring default outbound internet access for new Azure Virtual Machines (VMs) on September 30, 2025.

What is default outbound access?

Outbound access is a way for a VM to connect to the internet. Previously, VMs could be created without setting a specified route to the internet, instead using an ephemeral dynamic IP address that cannot be managed. This allowed the VM to reach the internet but did not allow inbound access from the internet.

What is changing?

After September 30, 2025, any new VM created will no longer have default outbound access enabled. If an explicit route is not established, the VM cannot connect to the internet. Existing VMs created before this date will continue to use the default outbound access. Still, it is recommended to set an explicit route to ensure a more secure and manageable experience.

What are the options?

Resource	Inbound access?	Best for	Benefits
NAT Gateway	No	VMs that require inbound connectivity	Simple setupHighly secure
Load Balancer	Yes, managed by Network Security Group (NSG)	VMs that require scalability and secure inbound access	Cheaper than NAT GatewayCustomizable
Public IP Address	Yes, managed by Network Security Group (NSG)	VMs that require a unique public IP or test environment	Simple setupEasy to manage inbound rules

How to implement each option

• NAT Gateway (Recommended for outbound)
  • Browse to NAT Gateway and click Create
  • On the Basics page, select the appropriate Subscription, Resource Group & Region. Enter a Name.
  • On the Outbound IP page, select an existing available Public IP address or create a new one.
  • On the Subnet page, select the Virtual network and subnet(s) to attach the NAT Gateway.
  • On the Review + Create page, click Create. The NAT Gateway will be created and attached to the specified subnet(s).
  • Important Notes:
    • A NAT Gateway can be attached to any subnets in the same virtual network.
    • Each virtual network requires its own NAT Gateway.
• Load Balancer (Recommended for inbound)
  • Browse to Load Balancer and click Create.
  • On the Basics page, select the appropriate Subscription, Resource Group & Region. Enter a Name.
    • Select Standard for SKU and Public for Type.
  • On the Frontend IP configuration page, click Add a frontend IP configuration.
    • In the setup window, enter a name, select an available public IP address, or create a new one.
  • On the Backend Pools page, click Add a backend pool.
    • Choose a name for the pool (group of VMs) and virtual network.
    • Click Add under IP Configurations section.
      • Choose the appropriate VMs and click Add and Save.
  • Configure Inbound rules (Optional)
    • Only set rules if the Virtual Machines need inbound access from the internet.
  • On the Outbound rules page, click Add an Outbound rule.
    • On the setup window, enter a name and select the Frontend IP address & Backend pool created previously.
    • Optionally set Protocol, TCP reset, & Port allocation settings.
  • On the Review + Create page, choose Create. The Load Balancer will be created and assigned to the specified backend pool VMs.
• Public IP Address (Recommended for testing)
  • Browse to Public IP addresses and click Create.
  • On the Basics page, select the appropriate Subscription, Resource Group & Region. Enter a Name.
    • Select Standard for SKU.
  • On the Review + Create page, choose Create. The Public IP address will be created.
  • Once the IP address is created, assign it to the VM.
    • Browse to the Virtual Machines, expand the Networking blade, and choose Network settings.
    • Click on Configure Public IP address, which will open the Network Interface (NIC) settings.
    • Click on the IP configuration at the bottom of the page, or Add if none exists.
    • On the Edit IP configuration window, click the option to Associate public IP address.
      • On the dropdown, choose the Public IP address created previously and Save.

Notes & Best Practices

• For VMs not requiring inbound access, a NAT Gateway is the recommended solution.
• For VMs requiring inbound access, a Load Balancer is recommended over a Public IP address.
• Load balancers distribute inbound traffic across multiple VMs without directly exposing them to the internet.
• Public IP addresses should only be used for testing or when each Virtual Machine requires a dedicated public IP address.
• If a VM is in a subnet with a NAT Gateway and is also attached to a Load Balancer, the NAT Gateway will take precedence for outbound access.
  • In these cases, the inbound & outbound Public IP addresses (PIP) will be different.
    • Outbound traffic will use the NAT Gateway PIP.
    • Inbound traffic will use the Load Balancer PIP.

For more information, please contact us!