Microsoft is rolling out a major Azure Networking Changes that will reshape how VMs connect to the internet. Starting September 30, 2025, newly created Azure VMs will no longer receive default outbound internet access. This marks a significant departure from a long-standing Azure behaviour and signals a deeper commitment to Zero Trust security principles.

What is the Azure Networking Changes?

Historically, Azure virtual machines were assigned a default public IP address. This mechanism allowed outbound traffic without requiring explicit configuration, using public IPs from a reserved Azure pool.

From September 30, 2025, new VMs will require explicit outbound connectivity configuration. Any existing virtual machines with a public IP address or virtual machines connected to existing VNETs that use default outbound access will remain unaffected, but any new deployments must be architected with outbound access in mind from September the 30^th.

Why the Shift?

This change is rooted in Microsoft’s adoption of Zero Trust a security model that assumes breach and requires verification for every access request.

Currently Virtual machines can reach the internet, even if no one explicitly set that up. By requiring teams to intentionally configure internet access, Microsoft is helping prevent accidental exposure of sensitive data or systems.

By removing implicit internet access, Azure is:

• Reducing attack surfaces by eliminating unmanaged outbound paths.
• Improving governance with customer-owned IPs and predictable traffic flows.
• Aligning with industry best practices that favour explicit over implicit permissions
• This change makes it easier to prove compliance because every internet connection must be documented and deliberate

What Should You Do?

IT managers and administrators must proactively plan for this transition. Here’s how:

1. Assess Your Current Deployments

Review existing virtual machine configurations and identify any dependencies on default outbound access. While these virtual machine’s won’t be affected immediately, future scaling or redeployment could introduce issues.

2. Choose Your Connectivity Strategy

Microsoft offers several alternatives to default outbound access:

• Public IP Assignments
  Ideal for small deployments. Assign a public IP directly to a virtual machines NIC. Cost-effective (€3/month per IP) but introduces security risks if not properly managed by exposing your virtual machines to the public.
• Azure NAT Gateway
  Azure NAT Gateways offer explicit control over outbound traffic by assigning dedicated public IPs, ensuring consistent and predictable internet access. The NAT Gateway allows your virtual machines in a private subnet to access the internet via this IP address.
• Network Virtual Appliances (NVAs)
  These are virtual machines in Azure that perform network functions like routing, firewalling, traffic inspection etc. These appliances are typically provided by third party vendors such as Cisco, Fortinet, Sonicwall etc. and are deployed in your virtual network to manage and secure your traffic as they would your on-premise network. Costs are dependent on the licence provided by your provider.

3. Next Steps:

• Choose the solution that best suits your needs and plan your migration to this solution.
• Testing outbound connectivity with your chosen solution.
• Updating infrastructure-as-code templates to reflect new networking requirements.
• Training your team on the implications of the change.
• Be aware of the new costs going forward.

The Azure networking changes are more than a technical tweak – they represent a strategic evolution in how cloud infrastructure is secured, governed, and scaled. This shift compels organisations to rethink their network design, moving away from convenience-based configurations toward intentional, policy-driven connectivity. By preparing now for these Azure networking changes, organisations can ensure their Azure environments remain resilient and compliant in a Zero Trust world.

Contact our team of experts at asktheexpert@enterprise-solutions.ie to a arrange a call where you can discuss, technical details, implementation strategies, and best practices to help you stay ahead of the curve.

Cormac De Róiste

An experienced Senior Microsoft 365 engineer, specializing in cloud services such as Intune, Entra/Azure as well Microsoft’s Security products. Cormac has years of experience protecting companies against Data breach’s or dealing with the aftermath and can help your company protect its data from attacks from both outside or within.

cormac-deroiste Cormac De Róiste

An experienced Senior Microsoft 365 engineer, specializing in cloud services such as Intune, Entra/Azure as well Microsoft's Security products. Cormac has years of experience protecting companies against Data breach's or dealing with the aftermath and can help your company protect its data from attacks from both outside or within.

Recent posts

PowerShell Scripting Using AI: A Brilliant Way to Automate 

PowerShell is a trusted tool for managing systems, automating tasks, and streamlining workflows. But is PowerShell Scripting with AI possible?

New features to Citrix DaaS Monitor