Clarification on Default Outbound Access Retirement for Azure VMs

Filip 40 Reputation points
2025-06-19T15:50:19.3433333+00:00

I'm reviewing this KB https://azure.microsoft.com/en-us/updates?id=default-outbound-access-for-vms-in-azure-will-be-retired-transition-to-a-new-method-of-internet-access and I'd like some clarification on a specific scenario.

According to the update, the default outbound access will be retired starting September 30, 2025, and the documentation mentions:

"...any virtual machines (existing or newly created) in existing VNETs that use default outbound access will continue to work after this change..."

Here's my question:

I currently have two VMs in the same subnet, which were deployed earlier and are using Microsoft’s default outbound access (without explicit public IPs or NAT). They are behind a load balancer with a public IP for web app purposes. If I create a new VM in the same subnet and VNET after September 30, 2025, my understanding is that the new VM will not have default outbound connectivity and will instead require a NAT Gateway, Load Balancer, or Public IP for outbound access.

However, I'm confused about how this works when all three VMs are in the same subnet. If the two older VMs retain their default outbound access, but the new one doesn't, will Azure treat them differently even though they share the same subnet? Or will I need to transition all VMs in that subnet to use a NAT Gateway for consistency?

Any clarification on this would be greatly appreciated.

Thanks,
Filip

Azure Virtual Machines

An Azure service that is used to provision Windows and Linux virtual machines.


3 answers

  1. Brian Lehr 11 Reputation points Microsoft Employee
    2025-08-24T22:16:13.0966667+00:00

    @Anusree Nashetty @Stefan Peters @filip Want to clarify - this is not exactly correct. In this scenario, VM C will still receive default outbound IPs, as the existing subnet will still not be private (and therefore not require an explicit method of outbound). Also note that even new VNETs can have subnets that are not private; however, the default value in the API will have the subnet-level parameter set to be private unless specified.

    Please note https://azure.microsoft.com/en-us/updates?id=492953

    "...new virtual networks will default to using private subnets, meaning that an explicit outbound method must be enabled in order to reach public endpoints on the Internet and within Microsoft.  Older versions of the Azure API will not be affected, and there would also be no change to existing virtual networks. This means that there will be no change in the operation of existing or new virtual machines in these subnets."

    1 person found this answer helpful.
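
An added example, not part of the thread or Microsoft's code: a small Python audit that applies the rule as stated in the answer above (the subnet's private setting decides, together with any explicit method the thread names) to an inventory of VMs. The inventory shape, the VM and subnet names, and the field names `natGateway`, `publicIp` and `lbOutboundRule` are constructed assumptions; `defaultOutboundAccess` mirrors the subnet-level parameter the answer refers to.

```python
# Constructed inventory (hypothetical shape, not raw Azure CLI output).
# "defaultOutboundAccess" mirrors the subnet-level parameter: False marks a
# private subnet; True or missing means the subnet is not private.
SUBNETS = {
    "existing-web": {},                                # subnet in an existing VNet
    "new-private": {"defaultOutboundAccess": False},   # default for new VNets
    "new-private-nat": {"defaultOutboundAccess": False, "natGateway": True},
}

VMS = [
    {"name": "vm-a", "subnet": "existing-web"},
    {"name": "vm-b", "subnet": "existing-web"},
    {"name": "vm-c", "subnet": "existing-web"},        # added later, same subnet
    {"name": "vm-d", "subnet": "new-private"},
    {"name": "vm-e", "subnet": "new-private", "publicIp": True},
    {"name": "vm-f", "subnet": "new-private-nat"},
]


def explicit_methods(vm, subnet):
    """Return the explicit outbound methods configured for this VM."""
    methods = []
    if subnet.get("natGateway"):
        methods.append("nat-gateway")
    if vm.get("publicIp"):
        methods.append("public-ip")
    if vm.get("lbOutboundRule"):
        methods.append("lb-outbound-rule")
    return methods


def outbound_status(vm, subnets):
    """Classify how a VM reaches the internet, if at all."""
    subnet = subnets[vm["subnet"]]
    methods = explicit_methods(vm, subnet)
    if methods:
        return "explicit:" + "+".join(methods)
    if subnet.get("defaultOutboundAccess") is False:
        return "none"      # private subnet, nothing explicit: no internet egress
    return "default"       # implicit default outbound IP; candidate for migration


def audit(vms, subnets):
    """Map each VM name to its outbound status."""
    return {vm["name"]: outbound_status(vm, subnets) for vm in vms}


if __name__ == "__main__":
    for name, status in audit(VMS, SUBNETS).items():
        print(f"{name}: {status}")
```

VMs reported as `default` are the ones still relying on implicit outbound IPs; those reported as `none` sit in a private subnet with no explicit method.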

  2. Marcin Policht 86,925 Reputation points MVP Volunteer Moderator
    2025-06-20T00:30:38.1233333+00:00

    AFAIK, the difference is implemented at the VM-level metadata during deployment — Azure checks whether a VM qualifies for default outbound access based on its creation timestamp and context. For VMs deployed before September 30, 2025, Azure enables a hidden outbound connectivity path through the Azure fabric (often referred to as "default SNAT"), while new VMs deployed after that date are flagged to exclude this implicit route, requiring explicit outbound configurations like NAT Gateway or Load Balancer outbound rules. This logic is enforced by the Azure control plane and does not depend on subnet configuration, which is why VMs in the same subnet can have different outbound behaviors.


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin


  3. Anusree Nashetty 6,475 Reputation points Microsoft External Staff Moderator
    2025-06-19T23:28:03.69+00:00

    Hi Filip,

    Azure will treat the new VM differently even though it resides in the same subnet. For existing VMs in existing VNets that were using default outbound access before September 30, 2025 — no change: they will continue to have default outbound connectivity. For any new VMs deployed after September 30, 2025, even in the same VNet and subnet, default outbound access will not be available.

    In your scenario, you have an existing VNet and subnet with 2 VMs (A & B) relying on default outbound access, and a Load Balancer with a public IP in front of these VMs (used for inbound, not necessarily outbound). You plan to create VM C in the same subnet after Sept 30, 2025. What happens is that VM A and B will retain default outbound access as before. VM C, created after the cutoff, won’t get outbound access unless explicitly configured. The fact that all 3 VMs are in the same subnet/VNet is not enough; Azure checks the creation time of the VM, not just the subnet/VNet.

    For operational consistency, security, and easier management, Microsoft recommends transitioning all VMs in the subnet (or VNET) to use explicit outbound connectivity (like a NAT Gateway or properly configured load balancer). This avoids confusion and ensures predictable, auditable outbound IPs for all VMs.
    If you would like to move to a secure by default configuration after this date, Microsoft will provide a mechanism to opt in with ease. At any time, you can transition to an explicit outbound method that Azure offers.

    If you have any further queries, let me know. If the information is helpful, please click on Upvote.

