Deprecation of default outbound connectivity in Azure | Arxus

Written by Cloud Custodian | Sep 26, 2024 7:00:00 AM

Microsoft has announced that as of Sept. 30, 2025, they will no longer support default outbound connectivity for virtual machines (VMs) and scale sets. And that obviously has significant implications for users who currently (still) rely on it. Wondering why Microsoft made this decision? And what the possible alternatives are?

Azure has long offered default outbound connectivity for virtual machines, even if the VM doesn't have its own public IP address or is paired with a Load Balancer. This functionality allows the VM to connect to the Internet to download updates, communicate with external APIs and perform other Internet-related tasks, all without the need for your users to manually configure an outbound IP address.

 

Why is Microsoft deprecating it?

Support for default Azure outbound connectivity will end on September 30, 2025. And there are several reasons for this:

  • Security: Default outbound connectivity can pose potential security risks. Automatically assigning an outbound IP address reduces control over outbound network traffic. And that can lead to unwanted outbound connections.

  • Consistency and control: By forcing users to configure explicit outbound connectivity, Azure provides greater consistency and control over outbound network traffic. This allows you to better tailor your organization's security and network policies to your specific needs.

  • Monitoring and analysis: By manually configuring outbound connectivity, users can better monitor and analyze network traffic. That can help identify anomalies and improve overall network performance.

 

What are the alternatives?

Azure Firewall

Looking for a cloud-based network security service that provides comprehensive protection for your virtual network resources? Azure Firewall is the right fit. With it, you get a fully managed Firewall-as-a-Service (FWaaS) with built-in high availability and unlimited cloud scalability. Azure Firewall provides advanced monitoring of network traffic, protects against threats and helps maintain your network and application security.

 

Benefits of Azure Firewall:

  • Network Address Translation (NAT): Azure Firewall supports both Destination NAT and Source NAT. The latter allows internal virtual machines to communicate with the Internet through the firewall. The firewall then translates the internal IP address to one of its own public IP addresses, allowing you to manage your outbound connectivity in a more controlled manner.

  • Rule management: With Azure Firewall, you can define detailed network and application rules to manage outbound traffic. For example, you can specify which protocols, ports and destinations are allowed. And that allows you to have more control over your outbound traffic, securely.

  • Logging and monitoring: Through Azure Firewall, you can monitor your network traffic in real time and generate detailed logs for analysis and compliance purposes. This makes it easier to detect unusual traffic and enforce your security policies.

  • Integration with other Azure services: Azure Firewall integrates seamlessly with other Azure security services, such as Azure Security Center and Azure Sentinel. This allows you to implement a holistic security approach and effectively protect your organization from threats.

 

NAT Gateway

Azure Network Address Translation (NAT) Gateway is a fully managed and scalable network service. It is specifically designed to provide outbound Internet connectivity for virtual networks, without the need to manually configure each individual subnet. This ensures that your virtual machines (VMs) and scale sets can reliably and securely connect to the Internet through a fixed, public IP address.

 

Benefits of NAT Gateway:

  • Fixed public IP addresses: Azure NAT Gateway allows you to assign 1 or more static public IP addresses to your virtual networks. This ensures consistent and predictable outbound IP addresses for all VMs connecting to the Internet through the gateway.

  • Scalability: Azure NAT Gateway is designed to automatically scale based on network traffic. So you don't have to worry about capacity limits or performance issues, even during peak periods.

  • Easy configuration: Setting up a NAT Gateway is easy and requires minimal effort. To do so, you only need to create a NAT Gateway resource and assign it to a subnet within your virtual network. All VMs in that subnet automatically use the NAT Gateway for outbound traffic.

  • Security and reliability: Azure NAT Gateway provides advanced security. It prevents unauthorized access and protects your network from certain types of threats by using a limited number of fixed outbound IP addresses.

 

Azure Load Balancer

In need of a network service that helps distribute incoming network traffic across multiple back-end resources, such as virtual machines? Then we recommend choosing Azure Load Balancer. With it, you'll enjoy high availability and scalability by efficiently managing and distributing network traffic. Azure Load Balancer supports both Layer 4 (Transport Layer) Load Balancing and outbound NAT (Network Address Translation).

 

Benefits of Azure Load Balancer:

  • Outbound NAT: Azure Load Balancer has a handy feature called Source Network Address Translation (SNAT). This allows internal VMs to send outbound traffic to the Internet using a fixed, public IP address. That way, you ensure that all outbound traffic comes from a known IP address, making network management and security a lot easier.

  • Balanced traffic: Azure Load Balancer allows you to efficiently manage not only inbound, but also outbound traffic. That makes it a versatile solution for both your outbound connectivity and for balancing your inbound requests.

  • Integration with virtual networks: Azure Load Balancer integrates seamlessly with Azure Virtual Networks (VNets), making it easy to assign the Load Balancer to a subnet and manage outbound traffic.

  • Automatic scaling and reliability: Azure Load Balancer is designed to automatically scale up and down based on the needs of your network traffic. This ensures high availability and reliability without manual intervention.

 

Fixed and dedicated IP address per VM

A dedicated assigned IP address in Azure is a public IP address explicitly assigned to a specific virtual machine, scale set or network interface. This is used exclusively for both inbound and outbound traffic. And, in this way, it provides a fixed and predictable IP address for communication with the Internet.

 

Benefits of a dedicated IP address

  • Consistent and predictable: By assigning a dedicated IP address to a VM or network interface, you ensure that all outbound communications go through this specific IP address. That makes it a lot more consistent and predictable to manage your network traffic and security policies.

  • Instant allocation: The IP address is directly associated with a specific resource. As a result, no additional configuration is required, making implementation very simple and straightforward.

  • Security and control: By using a dedicated IP address, you can set up precise firewall rules and access control lists (ACLs) specific to this IP address. That way, you create better security by allowing only authorized traffic.

 

What about your outbound connectivity?

 

* All NICs in the same group (VM/availability set/VMSS) must not be assigned to default PIP, default public LP or NAT Gateway. And must also not be part of VMSS with flexible orchestration mode. 
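
One way to answer that question for an existing environment, as an added example (not Arxus or Microsoft code): the script below checks each VM against the four alternatives described above and lists the VMs that have none of them and therefore still depend on default outbound connectivity. The inventory layout, field names and data are constructed for illustration, and the order of the checks is this example's own choice.

```python
# Added example: field names are a hypothetical, simplified inventory layout,
# not the Azure Resource Manager schema. All data below is constructed.
INVENTORY = {
    "subnets": {
        "app": {"nat_gateway": "natgw-app", "default_route_next_hop": None},
        "data": {"nat_gateway": None, "default_route_next_hop": "VirtualAppliance"},
        "legacy": {"nat_gateway": None, "default_route_next_hop": None},
    },
    "nics": [
        {"vm": "web-01", "subnet": "app", "public_ip": None, "lb_outbound_rule": False},
        {"vm": "sql-01", "subnet": "data", "public_ip": None, "lb_outbound_rule": False},
        {"vm": "jump-01", "subnet": "legacy", "public_ip": "pip-jump", "lb_outbound_rule": False},
        {"vm": "api-01", "subnet": "legacy", "public_ip": None, "lb_outbound_rule": True},
        {"vm": "batch-01", "subnet": "legacy", "public_ip": None, "lb_outbound_rule": False},
        {"vm": "orphan-01", "subnet": "missing", "public_ip": None, "lb_outbound_rule": False},
    ],
}


def outbound_method(nic, subnets):
    """Return the first explicit outbound method found for one NIC."""
    subnet = subnets.get(nic["subnet"])
    if subnet is None:
        return "unknown-subnet"  # incomplete inventory: review by hand
    if subnet.get("default_route_next_hop") == "VirtualAppliance":
        return "firewall"  # assumed: 0.0.0.0/0 is routed to a firewall
    if subnet.get("nat_gateway"):
        return "nat-gateway"
    if nic.get("public_ip"):
        return "dedicated-public-ip"
    if nic.get("lb_outbound_rule"):
        return "load-balancer"
    return "default-outbound"  # nothing explicit configured


def audit(inventory):
    """Map each VM name to its outbound method."""
    return {n["vm"]: outbound_method(n, inventory["subnets"]) for n in inventory["nics"]}


def needs_migration(inventory):
    """VMs that still depend on default outbound connectivity."""
    return sorted(vm for vm, m in audit(inventory).items() if m == "default-outbound")


if __name__ == "__main__":
    for vm, method in audit(INVENTORY).items():
        print(f"{vm:10} {method}")
    print("migrate before retirement:", needs_migration(INVENTORY))
```

VMs reported as `unknown-subnet` are not counted as safe; they indicate the inventory export is incomplete and need a manual check.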

 

Need help choosing?

Our Azure experts are more than happy to help you find the right network solution for your IT environment. Feel free to contact one of our specialists.