Prepare for Azure Default Outbound Access Retirement
Big changes are coming to Azure networking:
Azure’s Default Outbound Access for VMs will be retired on September 30, 2025.
If you’re currently relying on Azure’s automatic outbound connectivity, it’s time to start planning your transition, and fast. Here’s what you need to know and how Cloud2 can help you secure and optimize your outbound traffic.
What Is Azure Default Outbound Access?
When you create a virtual machine in a virtual network without defining outbound connectivity, Azure automatically assigns an IP address from its pool, enabling Internet access.
Pros:
Works automatically, no setup required
No extra costs
Cons:
Unpredictable IP addresses
Limited control over security, monitoring, and policy enforcement
In short: while it was convenient, it was never built for secure, scalable cloud operations.
What Happens After September 30, 2025?
All new VMs will require explicit outbound connectivity — default access will no longer be available.
Existing VMs will not immediately lose connectivity, but Microsoft strongly recommends migrating to an explicit outbound solution.
Scaled environments (e.g., VDI, autoscaling) are most impacted, as new VMs won't have automatic outbound IPs.
Cloud2 recommends transitioning proactively to avoid service disruptions and to improve your security posture.
Why a Firewall-Based Approach?
While Microsoft suggests NAT Gateway as the default option, we recommend using a firewall instead.
By using a centralized firewall, you gain a single controlled egress point, full visibility, and improved security against threats like data exfiltration or malware traffic.
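To see which VMs still depend on default outbound access and which already leave through a firewall, an inventory can be classified as in the following added example (not Cloud2 or Microsoft code). The inventory is constructed and its field names are a simplified assumption, not an Azure API schema; in practice it would be filled from an export of your subnets and network interfaces.

```python
from collections import defaultdict

# Constructed sample inventory. Field names are a simplified assumption,
# not an Azure API schema.
SUBNETS = {
    "hub/shared": {"nat_gateway": True, "default_route_next_hop": None},
    "spoke/app": {"nat_gateway": False, "default_route_next_hop": "VirtualAppliance"},
    "spoke/vdi": {"nat_gateway": False, "default_route_next_hop": None},
}
NICS = [
    {"vm": "build01", "subnet": "hub/shared", "public_ip": False, "lb_outbound_rule": False},
    {"vm": "app01", "subnet": "spoke/app", "public_ip": False, "lb_outbound_rule": False},
    {"vm": "vdi01", "subnet": "spoke/vdi", "public_ip": False, "lb_outbound_rule": False},
    {"vm": "vdi02", "subnet": "spoke/vdi", "public_ip": True, "lb_outbound_rule": False},
    {"vm": "vdi03", "subnet": "spoke/vdi", "public_ip": False, "lb_outbound_rule": True},
]

def explicit_methods(nic, subnets):
    """Return every explicit outbound method that applies to this NIC."""
    subnet = subnets[nic["subnet"]]
    methods = []
    if subnet["default_route_next_hop"] == "VirtualAppliance":
        methods.append("firewall-udr")  # 0.0.0.0/0 routed to a firewall
    if subnet["nat_gateway"]:
        methods.append("nat-gateway")
    if nic["public_ip"]:
        methods.append("instance-public-ip")
    if nic["lb_outbound_rule"]:
        methods.append("lb-outbound-rule")
    return methods

def classify(nics, subnets):
    """Bucket VMs by egress posture; 'default' is what the retirement affects."""
    buckets = defaultdict(list)
    for nic in nics:
        methods = explicit_methods(nic, subnets)
        if not methods:
            bucket = "default"  # relies on default outbound access
        elif "firewall-udr" in methods:
            bucket = "firewall"  # single controlled egress point
        else:
            bucket = "explicit-no-firewall"  # explicit, but not via a firewall
        buckets[bucket].append(nic["vm"])
    return {name: sorted(vms) for name, vms in buckets.items()}

if __name__ == "__main__":
    for bucket, vms in sorted(classify(NICS, SUBNETS).items()):
        print(f"{bucket}: {', '.join(vms)}")
```

Subnets that show up in the "default" bucket are the ones where newly created or autoscaled VMs would come up without Internet access after the retirement date.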
Firewall Options for Azure
We support a wide range of firewall solutions in Azure to meet diverse security requirements and budgets, including both native options and third-party next-generation firewalls (NGFWs):
Cloud-Native Firewalls
Ideal for small to medium businesses or organizations with straightforward needs. Options range from basic offerings with limited throughput to more advanced tiers that provide autoscaling, DNS proxy, threat intelligence, and full TLS inspection with intrusion detection and prevention capabilities.
Third-Party Next-Generation Firewalls (NGFWs) (e.g., Palo Alto Networks and Fortinet)
Designed for security-conscious environments requiring deep traffic inspection and advanced threat protection. These can be fully managed services that integrate directly with Azure infrastructure or virtual appliances deployed in hub virtual networks. They offer features like high scalability, granular control, and integration with broader security ecosystems.
Don't Wait – Start Planning Today
The retirement date might seem far away, but planning and implementing a new outbound connectivity strategy takes time.
We’re here to help you assess, plan, and deploy the best solution for your environment.