Explicit outbound connectivity method mandatory for special subnets?

Question

Explicit outbound connectivity method mandatory for special subnets?

David Garcinuño 0

Hi,

Taking advantage of the default outbound access retirement, we are going to try converting all subnets to private. For the subnets where we have virtual machines this is not a problem, since they have a route table with rules to redirect all outbound traffic through a firewall. However, we have a doubt about subnets that host other types of Azure resources: the GatewaySubnet (hosting a VPN Gateway), the subnet used to deploy a PostgreSQL Flexible Server instance, or the subnet where an Application Gateway is deployed. Do these subnets require an explicit outbound connectivity method, or can they be made private without configuring one?

Praveen Bandaru 11,635 Reputation points Microsoft External Staff Moderator

2025-09-12T14:45:04.2533333+00:00

Hello David Garcinuño

We are checking whether the response from Michele Ariis was helpful. Please let us know if it addressed your question, and feel free to reach out if you have any additional queries.

Hope the above answer helps! Please let us know do you have any further queries.

Please do not forget to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Praveen Bandaru 11,635 Reputation points Microsoft External Staff Moderator

2025-09-15T16:01:35.3066667+00:00

Hello David Garcinuño

I just wanted to follow up and see if you had a chance to review my response to your question. Please let us know if it was helpful, and feel free to reach out if you have any further queries.

Hope the above answer helps! Please let us know do you have any further queries.

Please do not forget to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

1 answer

Your answer

Praveen Bandaru 11,635 Reputation points Microsoft External Staff Moderator

2025-09-12T14:45:04.2533333+00:00

Hello David Garcinuño

We are checking whether the response from Michele Ariis was helpful. Please let us know if it addressed your question, and feel free to reach out if you have any additional queries.

Hope the above answer helps! Please let us know do you have any further queries.

Please do not forget to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Praveen Bandaru 11,635 Reputation points Microsoft External Staff Moderator

2025-09-15T16:01:35.3066667+00:00

Hello David Garcinuño

I just wanted to follow up and see if you had a chance to review my response to your question. Please let us know if it was helpful, and feel free to reach out if you have any further queries.

Hope the above answer helps! Please let us know do you have any further queries.

Please do not forget to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Answer 1

Hi, no: for “special” subnets an explicit egress method is not needed (and is not supported for GatewaySubnet), GatewaySubnet uses managed egress and does not need to be managed with NAT GW or UDR 0.0.0.0/0; PostgreSQL Flexible Server in delegated subnet manages egress itself (only configure private DNS/PE); Application Gateway does not require outbound NAT (put NSG with GatewayManager tag allowed and UDR only to reach backends); rule of thumb: explicit egress (NAT GW/LB outbound/Public IP) is needed for VMs, these subnets can remain private respecting the NSG/UDR exceptions provided by the service.

Share via

Explicit outbound connectivity method mandatory for special subnets?

1 answer

Your answer