Default outbound access for VMs in Azure will be retired, what are my options?

Introduction

In this post we will discuss internet access for Azure virtual machines. The most common method is using the implicit IP on VM, which assigns a dynamic public IP address to the virtual machine without you having to configure anything.

However, this can cause issues with IP address changes and other security-related concerns. Other options include using load balancers, Azure Firewall, or NAT gateways to access the internet from virtual machines.

It is important to transition away from implicit IP on a VM by September 30, 2025, as Microsoft will deprecate this method of talking to the web. What should you do instead? Well that is what we will discuss now.

Securing outbound access in Azure

First we will cover how internet access works in Azure today. Most of you have deployed, or will some day deploy, a virtual machine in Azure. Say you deploy your machine, you log on to it and you can automatically access the internet. You can Google things, you can download software and browse Facebook if you'd like to. You don't actually have to do much at all, besides deploying your virtual machine and choosing which virtual network and subnet to use in Azure.

When you do this, you are actually using something called implicit IP on VM. There are a few different ways you can access the internet from Azure virtual machines, and the most common one, the one you have probably used before, is the implicit IP on VM option. You are dynamically assigned a public IP address, which is the address other services on the internet see your connection coming from.

This is a problem for a few reasons. First of all, it can change. Say you are in an enterprise setting (where you should always be behind an appliance/firewall) and you are working with third party services that allow access based on the public IP you source from. All of a sudden your IP changes, which can happen at any time with implicit IP on VM, and you cannot access their service any longer.

Not to mention the bigger problem, which is security. When you talk outbound to the internet using this public IP, which is assigned directly to your virtual machine, the response traffic is sent straight back to your virtual machine without first being filtered through some appliance. You are essentially relying on the protection you have in the operating system, and that's not what we want.

What should you use instead - both inbound & outbound

There are other ways you can access and receive traffic from the internet in Azure. You could use a load balancing service for instance. Azure has several different load balancers, ranging all the way from regional layer 4 to global layer 7 load balancing solutions.

  • Azure Load Balancer
  • Azure Application Gateway
  • Azure Front Door
  • Azure Traffic Manager

To most of these solutions you can assign a static public IP address. So if any communication is going outbound through this load balancer or appliance, the response will get sent back the same way. You are masking the private IP addresses in the subnet for your virtual machines, and since your IP is static, meaning it will not change, you do not need to worry about keeping 3rd party vendors up to date with this information. The same is true if you talk outbound through Azure Firewall or some other third party network virtual appliance solution. This is called Network Address Translation, or NAT for short.

While we will mostly use load balancers to handle inbound traffic, we have options for outbound traffic as well, which is what we will focus on now. I have also prepared some template code for you to deploy so you can quickly get up and running with NAT Gateway.

For outbound connectivity we can, as I said, use an Azure Firewall, some other third-party appliance or a NAT Gateway. The beauty of Azure Firewall is the built-in protection we can take advantage of: with Azure Firewall Premium, for instance, you can use more advanced protection mechanisms such as IDPS. We also have the option to use a NAT gateway, which is not as expensive or complex as a firewall.

A NAT gateway associated with the subnet where our servers are located will mask our private resources behind the assigned public IP address, which is a resource we create in Azure. This is also beneficial because the NAT gateway only accepts response traffic: it does not allow any inbound traffic at all, except for traffic coming back that you have initiated from your source virtual machine.
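Before choosing between these options it helps to know which subnets actually still depend on implicit IP on VM. The following script is an added example, not part of the original post, and it assumes the Az.Network module is installed and you have already run Connect-AzAccount. It walks every virtual network in the current subscription and reports NICs that sit in a subnet with no NAT gateway and no 0.0.0.0/0 route to an appliance or VPN gateway, and that have no public IP of their own. Load balancer outbound rules are not checked, so treat the output as a list of candidates to review rather than a final verdict.

```powershell
## Added example (not from the original post): inventory subnets that still rely on
## default outbound access and list the NICs in them without an instance-level public IP.
## Assumes Az.Network is installed and Connect-AzAccount has been run.
function Get-DefaultOutboundCandidate {
    $nics = Get-AzNetworkInterface
    foreach ($vn in Get-AzVirtualNetwork) {
        foreach ($sn in $vn.Subnets) {
            # Explicit outbound via a NAT gateway: nothing to report for this subnet
            if ($null -ne $sn.NatGateway) { continue }

            # Explicit outbound via a default route to a firewall/NVA or a VPN gateway
            $hasDefaultRoute = $false
            if ($null -ne $sn.RouteTable) {
                # Resource ID layout: /subscriptions/<sub>/resourceGroups/<rg>/providers/.../routeTables/<name>
                $parts = $sn.RouteTable.Id.Split('/')
                $rt = Get-AzRouteTable -ResourceGroupName $parts[4] -Name $parts[-1]
                $hasDefaultRoute = [bool]($rt.Routes | Where-Object {
                    $_.AddressPrefix -eq '0.0.0.0/0' -and
                    $_.NextHopType -in @('VirtualAppliance', 'VirtualNetworkGateway')
                })
            }
            if ($hasDefaultRoute) { continue }

            # Remaining subnets: report NICs whose ipconfig has no public IP attached
            foreach ($nic in $nics) {
                foreach ($ipc in $nic.IpConfigurations) {
                    if ($ipc.Subnet.Id -eq $sn.Id -and $null -eq $ipc.PublicIpAddress) {
                        [pscustomobject]@{
                            VNet   = $vn.Name
                            Subnet = $sn.Name
                            Nic    = $nic.Name
                            VmId   = $nic.VirtualMachine.Id
                        }
                    }
                }
            }
        }
    }
}

Get-DefaultOutboundCandidate | Format-Table -AutoSize
```

Each row in the output is a VM that will lose internet access when default outbound access is retired unless one of the options above (NAT gateway, firewall/NVA route, load balancer outbound rule or a public IP) is put in place for its subnet.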

Example of a NAT Gateway deployment

We will deploy three resources: VNET, the NAT gateway itself & a public IP address.

If you do not have a virtual network yet you can create one using Azure PowerShell or the Azure CLI. In this example we will use PowerShell.

## Authenticate to Azure & select your subscription
Connect-AzAccount
Select-AzSubscription -SubscriptionId "<your_sub_id>"

  • Create RG and Virtual Network

## Set some variables (the public IP and NAT gateway names are example names, pick your own)
$rg = "rg-prod"
$vnet = "vnet-prod"
$subnet = "sn-prod"
$location = "westeurope"
$pip = "pip-natgw-prod"
$natgwname = "natgw-prod"

## Create the resource group and the virtual network (the subnet is added further down)
New-AzResourceGroup -Name $rg -Location $location
New-AzVirtualNetwork -Name $vnet -ResourceGroupName $rg -Location $location -AddressPrefix "10.0.0.0/24"

  • Create NATGW, PIP & Subnet Association

## Create a static, zone-redundant Standard SKU public IP for the NAT gateway
New-AzPublicIpAddress -Name $pip -ResourceGroupName $rg -Location $location -Sku "Standard" -AllocationMethod "Static" -Zone 1,2,3
## Create the NAT gateway and attach the public IP to it
New-AzNatGateway -Name $natgwname -ResourceGroupName $rg -Location $location -IdleTimeoutInMinutes 4 -Sku "Standard" -PublicIpAddress (Get-AzPublicIpAddress -Name $pip -ResourceGroupName $rg)
## Add the subnet with the NAT gateway associated, then commit the change to the VNET
$subnet_config = Add-AzVirtualNetworkSubnetConfig -Name $subnet -VirtualNetwork (Get-AzVirtualNetwork -Name $vnet -ResourceGroupName $rg) -NatGatewayId (Get-AzNatGateway -Name $natgwname -ResourceGroupName $rg).Id -AddressPrefix "10.0.0.0/26"
$subnet_config | Set-AzVirtualNetwork

Now we have a new VNET with a subnet that has a NAT Gateway associated with it. If you browse to https://whatsmyip.org for example from within your VM you should see the same IP as you have assigned on your Public IP resource in Azure.
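If you would rather script that check than open a browser, here is an added example (not from the original post) you can run inside the VM. It assumes the VM can reach api.ipify.org, a third-party service that echoes back the caller's source address, and that you have read the expected address from the public IP resource beforehand, for instance with Get-AzPublicIpAddress from your management workstation.

```powershell
## Added example (not from the original post): confirm that outbound traffic from this VM
## now sources from the NAT gateway's public IP. api.ipify.org is an assumed echo service.
function Test-EgressIp {
    param(
        [Parameter(Mandatory)] [string] $ExpectedIp
    )
    # Ask an external service which source address it sees for this connection
    $observed = (Invoke-RestMethod -Uri 'https://api.ipify.org?format=json').ip
    if ($observed -eq $ExpectedIp) {
        Write-Host "OK: outbound traffic sources from $observed (NAT gateway public IP)"
        return $true
    }
    Write-Warning "Outbound traffic sources from $observed, expected $ExpectedIp. The subnet may still be using default outbound access or a different egress path."
    return $false
}

## Expected value: the address of the public IP resource created above, read from a management
## workstation with (Get-AzPublicIpAddress -Name $pip -ResourceGroupName $rg).IpAddress
Test-EgressIp -ExpectedIp '<ip_of_pip_resource>'
```

Run it again after any change to route tables or NAT gateway associations on the subnet; if the observed address differs from the public IP resource, the VM is egressing through some other path.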

Here is the entire script published on GitHub

Main Points

  • Implicit IP on VM is a common method for accessing the internet from Azure virtual machines today, especially in lab environments.
  • Implicit IP can cause issues with IP address changes and security. Transition away from implicit IP on a VM by September 30, 2025.
  • Other options include using load balancers, Azure Firewall/3rd-party NVA or NAT gateways for internet access.
  • Azure Firewall Premium provides additional security features such as IDPS.
  • NAT gateway is a much simpler solution to deploy for internet access than a firewall, which can be more complex.

References

Default outbound access for VMs in Azure will be retired— updates and more information | Azure updates | Microsoft Azure
Default outbound access connectivity for virtual machines will be retired in September 2025 -- updates and more information
