On September 30, 2025, internet access in Azure will change dramatically: newly created Virtual Machines (VMs) will no longer have default outbound access to the internet. At the moment, any new VM can access the internet automatically using default source network address translation (SNAT). Once Azure retires default outbound access, every VM created in your Azure tenant from that date forward needs an explicit outbound access method to connect to the internet.
Why Removing Default Outbound Access Improves Azure Network Security
The good news about this configuration change is that it’s ultimately healthy for your network security. Today, default outbound internet access can bypass important security controls, including your organization’s content filtering or internet controls for outbound (egress) traffic. Filtering egress traffic is critical because threat actors could exfiltrate data through these traffic streams as part of their attack, and you would be none the wiser.
The rest of the good news is that this configuration change won’t affect existing deployments as long as they do not require new VMs. You’ll need to redesign your network policies and procedures for new deployments, and likely have a plan for dealing with existing deployments, but you won’t have to rebuild internet access from scratch for your existing Azure VMs.
How to Prepare Your Azure Environment for the 2025 Outbound Access Changes
Though the end of default outbound access for new Azure VMs is a good thing, it does require networking teams to redesign and reconfigure their Azure networking infrastructure and policies. You’ll need to choose among a series of options for how new Azure VMs in your network access the internet.
Compare Azure Outbound Access Methods: NAT Gateway, Public IPs, and Outbound Rules
When planning for the 2025 Azure outbound access changes, you have several options for connecting VMs to the internet:
- Instance-level public IPs: Assigns a dedicated public IP address directly to individual VMs, providing straightforward internet connectivity but requiring careful management of public IP resources and potentially increasing security risks through direct exposure.
- Outbound rules: Configure Load Balancer rules to control and manage outbound connections from VMs, offering more granular control over traffic flow but requiring additional configuration and management overhead.
- Azure NAT Gateway: Acts as a shared gateway service for outbound connectivity, providing a managed solution that allows multiple VMs in a subnet to share outbound IP addresses. This option offers the best balance of scalability and manageability for most deployments, with simplified IP management and consistent connectivity.
The downside of Azure NAT Gateways is something that all Cloud Service Provider (CSP)-native NAT gateways share: they don’t inspect egress traffic. These gateways leave your outbound traffic vulnerable to data exfiltration. In addition, cloud providers charge you for all the data transferred through the NAT gateway. This can make your cloud bill both high and highly variable, which makes future egress charges difficult to predict.
For a detailed comparison of these Azure outbound access options and their implementation, including configuration steps and best practices, see Microsoft’s technical documentation.
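To see which workloads depend on the default path today, the check below maps each VM to the explicit outbound methods listed above and flags the ones that have none. It is an added example, not code from Microsoft or Aviatrix; the inventory is constructed, and its field names (`nat_gateway`, `public_ip`, `lb_outbound_rule`) are a simplified, hypothetical schema rather than the Azure API's.

```python
# Added example: constructed inventory with hypothetical field names,
# standing in for an export of your subnets, NICs and load balancers.
INVENTORY = {
    "subnets": {
        "app-subnet": {"nat_gateway": "natgw-app"},
        "legacy-subnet": {"nat_gateway": None},
    },
    "vms": [
        {"name": "web-01", "subnet": "app-subnet", "public_ip": None, "lb_outbound_rule": None},
        {"name": "jump-01", "subnet": "legacy-subnet", "public_ip": "pip-jump-01", "lb_outbound_rule": None},
        {"name": "batch-01", "subnet": "legacy-subnet", "public_ip": None, "lb_outbound_rule": "lb-batch/outbound-1"},
        {"name": "db-01", "subnet": "legacy-subnet", "public_ip": None, "lb_outbound_rule": None},
    ],
}


def explicit_methods(vm, subnets):
    """Return the explicit outbound methods configured for one VM."""
    methods = []
    if subnets[vm["subnet"]].get("nat_gateway"):
        methods.append("nat_gateway")          # shared by every VM in the subnet
    if vm.get("public_ip"):
        methods.append("instance_public_ip")   # dedicated address on the VM
    if vm.get("lb_outbound_rule"):
        methods.append("lb_outbound_rule")     # Load Balancer outbound rule
    return methods


def audit(inventory):
    """Map each VM name to its explicit methods and review findings."""
    report = {}
    for vm in inventory["vms"]:
        methods = explicit_methods(vm, inventory["subnets"])
        findings = []
        if not methods:
            # Reaches the internet only through default SNAT; a new VM built
            # the same way after the change needs one of the methods above.
            findings.append("relies on default outbound access")
        if "instance_public_ip" in methods:
            findings.append("directly exposed through a public IP")
        if "nat_gateway" in methods:
            findings.append("egress is not inspected by the NAT gateway")
        report[vm["name"]] = {"methods": methods, "findings": findings}
    return report


if __name__ == "__main__":
    for name, result in audit(INVENTORY).items():
        print(name, result["methods"] or ["none"], "; ".join(result["findings"]))
```
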
Aviatrix’s Cloud Perimeter Security Boosts Security and Performance
Curious about a better cloud network security solution for secure, high-performance internet access for your Azure VMs? Aviatrix’s Cloud Perimeter Security solution offers capabilities designed to boost your security and enhance performance, whether your environment uses a single cloud, hybrid cloud, or multicloud architecture.
Aviatrix’s Cloud Perimeter Security Solution includes:
- Secure egress: Establish a zero trust framework for outbound traffic with features such as URL filtering, geo-blocking, geolocation-based monitoring, advanced threat detection, and network segmentation. This solution also recommends internet egress security policies and helps with constant monitoring and routine management.
- Cost controls: This solution offers flat-rate billing, or an “all-you-can-eat” model with no additional throughput costs. Unlike metered billing, this gives you full cost transparency. Customers save an average of 25% or more compared to first-party NAT gateway solutions.
Learn more about the Cloud Perimeter Security Solution.
Conclusion
The change to Azure VM internet access is an opportunity, not an inconvenience. You now have an indisputable excuse to redesign your Azure environment to enhance security, boost performance, ensure resiliency, and optimize costs. Consider your alternatives, the Azure options, and our Aviatrix solution, to find the best fit for your organization.
Learn more about how Aviatrix is partnering with Azure to strengthen cloud perimeter security: