The default Outbound internet access for Azure VMs is removed.

I recall conversing with a friend about the internet access settings for Azure Virtual Machines (VMs) around five to six years ago. The topic arose as we aimed to improve the VMs’ security by design and minimize internet access. The discussion centred on ways to enhance security by restricting internet access by default, which led us to impose restrictions on all subnets within Azure.

Since then, Azure has adopted the Zero Trust network security principle, which has led to significant changes in outbound internet access for VMs. As a result, default outbound internet access for Azure VMs is being retired; the announcement came out last week.

Effective September 30, 2025, Azure virtual machines will no longer get automatic outbound connectivity. From that point forward, new VMs will require explicit outbound connectivity to access the Internet. In this blog post, we will explore this change and recommend alternative options for VMs that need internet access.

Background:

When you configure a virtual machine in Azure without explicitly defining outbound connectivity, a default outbound access IP address is allocated automatically. This is a public IPv4 address owned by Microsoft, and it is subject to change without prior notice. Relying on this address for any production workload is therefore not recommended, because a change can disrupt the workload. Specify outbound connectivity explicitly so that the virtual machine is set up securely and reliably.

Azure Default Internet Access

Virtual machines that need to download Windows updates or activate licenses require internet access. However, unrestricted internet access can be dangerous. To minimize risk, enable explicit outbound connectivity, which allows access only to the necessary services and limits the possibility of unauthorized access or malicious activity. In Azure, explicit outbound access is more secure and has the following benefits:

  • Restrict traffic to a limited set of destination endpoints.
  • Trace the outbound network traffic.
  • Secure by design aligning with the Zero Trust principle.
  • The customer has control and no dependencies on Azure services.

Alternate Options for VMs to access the Internet.

Virtual machines can get explicit outbound internet access through the following options in Azure:

  • NAT gateway – With Azure NAT Gateway, connecting to the Internet from your virtual networks is now more accessible and streamlined. You can use your static public IP addresses for all outbound connectivity in the network. The best part is that you don’t need a load balancer or public IP addresses directly attached to your virtual machines. The NAT gateway is the most efficient way to connect to the Internet from your virtual networks.
  • Public load balancer – You can configure the public load balancer to use your public IP addresses for outbound connectivity of the backend instances. Outbound rules allow you to explicitly define SNAT (source network address translation) for a standard SKU public load balancer. With outbound rules, you have complete control over outbound internet connectivity. You can scale and customize this feature as per your requirements through manual port allocation.
  • Virtual machines with a public IP address – When a VM is assigned a public IP, it is a one-to-one relationship. In Azure, the public IP assigned to the IP configuration of the instance’s NIC is used for all outbound flows, and the instance can access all ephemeral ports. If a client requests traffic, it is returned from the virtual machine’s public IP address, also known as the instance-level IP. However, there may be more suitable solutions for resources that require production-grade performance.
  • Azure Firewall or NVA Appliance – Using Azure Firewall or NVA, you can establish specific rules for outbound internet access through a firewall. With a Firewall device, you can redirect all traffic towards the Internet, sending it to a designated next hop rather than directly to the Internet. Azure Firewall offers automatic SNAT for any outbound traffic going to public IP addresses. When you configure Azure Firewall with Forced Tunnel, you can choose to advertise a default route via BGP or use User Defined Route (UDR) to route traffic through an on-premises edge firewall or other network virtual appliance (NVA) before it’s sent to the Internet. This allows for more control over network traffic processing. This option will be the most preferred and secure method.
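
To check which VMs still depend on the default outbound IP, each VM can be matched against the four explicit options listed above. The sketch below is an added example, not code from this post or from Microsoft: the inventory, field names and labels are constructed for illustration and would be filled from your own export of subnet, route table and NIC settings.

```python
# Added example: the inventory and its field names are constructed for
# illustration; they are not an Azure API schema.
from dataclasses import dataclass

@dataclass
class Subnet:
    name: str
    nat_gateway: bool = False         # NAT gateway associated with the subnet
    default_route_next_hop: str = ""  # UDR for 0.0.0.0/0, e.g. "VirtualAppliance"

@dataclass
class VM:
    name: str
    subnet: str
    public_ip: bool = False           # public IP on the NIC's IP configuration
    lb_outbound_rule: bool = False    # backend of a public LB with an outbound rule

DEFAULT = "default-outbound-access"

def explicit_methods(vm, subnets):
    """Return every explicit outbound method that applies to this VM."""
    subnet = subnets[vm.subnet]
    checks = [
        ("firewall-or-nva", subnet.default_route_next_hop == "VirtualAppliance"),
        ("nat-gateway", subnet.nat_gateway),
        ("public-load-balancer", vm.lb_outbound_rule),
        ("instance-public-ip", vm.public_ip),
    ]
    return [name for name, present in checks if present]

def audit(vms, subnets):
    """Map VM name -> explicit methods, or [DEFAULT] when none is configured."""
    return {vm.name: explicit_methods(vm, subnets) or [DEFAULT] for vm in vms}

def relying_on_default(report):
    """VMs whose only outbound path is the Microsoft-owned default IP."""
    return sorted(n for n, methods in report.items() if methods == [DEFAULT])

# Constructed sample inventory.
SUBNETS = {"app": Subnet("app", nat_gateway=True),
           "hub": Subnet("hub", default_route_next_hop="VirtualAppliance"),
           "legacy": Subnet("legacy")}
VMS = [VM("web01", "app"), VM("api01", "hub"),
       VM("jump01", "legacy", public_ip=True),
       VM("lbvm01", "legacy", lb_outbound_rule=True), VM("batch01", "legacy")]

if __name__ == "__main__":
    report = audit(VMS, SUBNETS)
    for name, methods in report.items():
        print(f"{name:8} {', '.join(methods)}")
    print("needs explicit outbound:", relying_on_default(report))
```
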

With the recent announcement of this change, it is essential to ensure that our workloads remain unaffected by any IP changes. If you have deployed VMs on Azure Cloud Services (extended support), this retirement will not impact you, and no action is necessary. This is the end of this blog, and I hope you found good information about Azure VMs' outbound access.