Azure Ends Default Outbound Access for VMs—What's Changing and How to Prepare by Sept 30, 2025

On September 30, 2025, Microsoft will retire the default outbound access feature for Azure Virtual Machines (VMs). Initially, Azure provided automatic outbound internet access (via SNAT) to VMs deployed without explicit outbound configurations. While this was convenient, Microsoft now emphasizes security, control, and predictability by moving to an explicit outbound model.

If you don't have a well-architected landing zone, this could impact you!

What Exactly Is Changing?

• New VMs on or after September 30, 2025: If deployed in a new virtual network (VNet) that hasn't previously used default outbound, these VMs will not get default outbound access unless you configure an explicit method.
• Existing VMs in existing VNets: These will retain default outbound access, even after the retirement date.
• VMs created after September 30, 2025 in existing VNets: Will not receive default outbound—explicit configuration (e.g. NAT Gateway, Load Balancer, Public IP) will be required.

‍

Why Is Microsoft Making This Change?

1. Security & Zero‑Trust alignment: Implicit outbound access bypasses network policy controls and isn’t auditable. Explicit methods enable granular, secure egress control.
2. Predictability & Stability: Default outbound IPs are not customer-owned and may change unexpectedly, disrupting services.
3. Governance & Auditing: Explicit methods offer centrally managed, traceable IP addresses for compliance and operations.
   

‍

What Should Customers Do Now?

1. Audit Your Environment

• Identify VMs using default outbound access using Azure Advisor or manual review.
• Note which existing VNets allow default outbound and which new VNets are likely to be impacted.

2. Choose an Explicit Outbound Strategy

Options include:

• NAT Gateway (recommended for scale and simplicity)
• Azure Firewall
• Standard Load Balancer with outbound rules
• Direct Public IP assignment (best for dev or limited scope; not ideal for production due to security risk).

This strategy should be defined as part of your well-architected landing zone--if you don't have one, or aren't sure what that is, please reach out so we can review your environment together!

3. Implement Gradual Migration

• Prioritize high-risk or frequently updated VMs.
• For environments like Azure Databricks, begin deploying workspaces with NAT Gateway configurations. Existing workspaces in old VNets remain unaffected (for now).
• Use staging or test environments to validate outbound behavior.

4. Standardize New Deployments

• Configure new VNets and subnets as private subnets, requiring explicit outbound configuration.
• Use Azure Policy to enforce your new standard(s).

5. Communicate and Educate

• Alert internal teams about the deadline.
• Update deployment templates, IaC scripts, and CI/CD pipelines to include outbound setup.
• Provide guidance documents or workshops to your engineering teams.
  

Final Thoughts & How We Can Help

This shift marks Microsoft’s continued alignment with Zero Trust and network security best practices. While the change impacts deployment workflows, the benefits of improved stability, monitoring, and security are clear.

How we can support you:

• Conduct outbound access readiness assessments
• Develop tailored migration plans
• Implement and optimize outbound strategies using NAT Gateways, Load Balancers, or Public IPs
• Train your teams and update documentation to ensure seamless future deployments

Mark September 30, 2025 on your calendar—it’s a pivotal date for Azure networking. By proactively transitioning to explicit outbound configurations, organizations can ensure secure, stable, and manageable connectivity for both current and future workloads.