Aviatrix Blog 
Mark your calendars: September 30, 2025 will bring a major change to Azure networking. Microsoft is retiring default outbound internet access for new virtual machines (VMs), and this change could significantly impact your cloud infrastructure if you’re not prepared.
At the moment, any new VM can access the internet automatically using default source network address translation (SNAT). With Azure retiring default internet outbound access in September 2025, this change means that every VM created in your Azure tenant from that date forward needs an explicit outbound access method to connect to the internet.
What You’ll Learn:
- Why Azure is retiring default outbound internet access and what this means for your security
- How to prepare your environment for this critical change before September 2025
- Key comparison of available outbound access methods (NAT Gateway, Public IPs, and Outbound Rules)
- Cost-effective alternatives that can enhance your cloud security
The Good News: Why Removing Default Outbound Access Improves Azure Network Security
The good news about this configuration change is that it’s ultimately healthy for your network security.
Today, default outbound internet access can get around important security protocols, including your organization’s content filtering or internet controls for outbound or egress traffic. Filtering egress traffic is critical because threat actors could exfiltrate data from these traffic streams as part of their attack, and you would be none the wiser.
The rest of the good news is that this configuration change won’t affect existing deployments as long as they do not require new VMs. You’ll need to redesign your network policies and procedures for new deployments, and likely have a plan for dealing with existing deployments, but you won’t have to rebuild internet access from scratch for your existing Azure VMs.
Your Action Plan: Preparing For the 2025 Changes
Though the end of default outbound access for new Azure VMs is a good thing, it does require networking teams to redesign and reconfigure their Azure networking infrastructure and policies. You’ll need to choose among a series of options for how new Azure VMs in your network access the internet.
Comparing Your Options: Available Azure Access Methods
When planning for the 2025 Azure outbound access changes, you have several options for connecting VMs to the internet:
- Instance-level public IPs: Assigns a dedicated public IP address directly to individual VMs, providing straightforward internet connectivity but requiring careful management of public IP resources and potentially increasing security risks through direct exposure.
- Outbound rules: Configure Load Balancer rules to control and manage outbound connections from VMs, offering more granular control over traffic flow but requiring additional configuration and management overhead.
- Azure NAT Gateway: Acts as a shared gateway service for outbound connectivity, providing a managed solution that allows multiple VMs in a subnet to share outbound IP addresses. This option offers the best balance of scalability and manageability for most deployments, with simplified IP management and consistent connectivity.
The downside of Azure NAT Gateways is something that all Cloud Service Provider (CSP)-native NAT gateways share: they don’t inspect egress traffic. These gateways leave your outbound traffic vulnerable to data exfiltration.
In addition, cloud providers charge you for all the data that’s being transferred from that NAT gateway, this can make your cloud bill high and also highly variable, making it difficult to predict the future costs for egress charges.
For a detailed comparison of these Azure outbound access options and their implementation, including configuration steps and best practices, see Microsoft’s technical documentation.
Alternative Solutions: Beyond Native Azure Tools
Curious about a better cloud network security solution for secure, high-performance internet access for your Azure VMs? Aviatrix‘s Cloud Firewall Solution offers capabilities designed to boost your security and enhance performance, whether your environment uses a single cloud, hybrid-cloud, or multicloud architecture.
Aviatrix’s Cloud Firewall Boosts Security and Performance
Aviatrix’s Cloud Firewall Solution includes:
- Secure egress: Establish a zero-trust framework for outbound traffic with features such as URL filtering, geo-blocking, geolocation-based monitoring, advanced threat detection, and network segmentation. This solution also recommends internet egress security policies and helps with constant monitoring and routine management.
- Cost controls: This solution offers flat-rate billing, or an “all-you-can-eat” model with no additional throughput costs. Unlike metered billing, this gives you full cost transparency. Customers save an average of 25% in savings or more compared to first-party NAT gateway solutions.
Learn more about the Cloud Firewall Solution.
Conclusion
Key Takeaways:
- Start planning now: don’t wait until September is approaching
- Existing VMs won’t be affected, but new deployments will need explicit configuration
- Consider security and cost implications when choosing your new outbound access method
- Evaluate third-party solutions that can provide additional security features and cost benefits
The change to Azure VM internet access is an opportunity, not an inconvenience. You now have an indisputable excuse to redesign your Azure environment to enhance security, boost performance, ensure resiliency, and optimize costs. Consider your alternatives, the Azure options, and our Aviatrix solution, to find the best fit for your organization.
Ready to prepare your Azure environment for this change? Download our free guide or schedule a consultation with our cloud networking experts to assess your specific needs.
Learn more about Aviatrix is partnering with Azure to strengthen cloud perimeter security: