2026-03-31 Azure changes to default outbound connectivity
Announcement
Microsoft has announced that default outbound access to the internet will be retired for new virtual machines (VMs) created after March 31, 2026. For more details, see Feature Update: Default behavior for newly created virtual networks will be private.
This change does not affect existing VMs; any VM built after this date, however, will require an explicit method to allow outbound internet access.
The change specifically targets subnets within Azure virtual networks. Any resource connected to a subnet uses that subnet's outbound path to send traffic. Subnets created before the deadline have an implicit (default outbound) route to the internet, which lets VMs and other resources reach the internet and other public-facing endpoints. Subnets created after the deadline will not have this enabled by default. The change aligns with Microsoft's direction of making all cloud resources secure by default. To provide outbound access explicitly, Azure offers several options: instance-level public IPs, Azure Load Balancer outbound rules, Azure NAT Gateway, and Azure Firewall or a third-party firewall appliance.
Impact on customers
For most large and enterprise customers, a network solution is typically already in place to manage outbound traffic, usually Azure Firewall or a third-party firewall reached through a user-defined route (0.0.0.0/0 with the firewall's private IP as next hop). These customers must ensure that every subnet requiring outbound access has its traffic routed through that firewall after the deadline.
For small and medium-sized enterprise (SME) customers, an Azure or third-party firewall may not be in place. In such cases, an Azure NAT Gateway is likely the most suitable solution: it can be associated with every subnet in a virtual network and SNATs outbound traffic to a defined public IP address (or public IP prefix).
We do not recommend instance-level public IPs or Load Balancer outbound rules, as these can create significant security concerns, especially for production workloads. Instance-level public IPs in particular expose each VM to inbound connections from the internet unless NSG rules block them.
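As an added example (not Nerdio Manager's scripted action, nor Microsoft-provided code), the following Python script classifies each subnet in a virtual network by the outbound path it actually uses (NAT gateway, firewall via UDR, private, or implicit default outbound) and emits the Azure CLI commands that give the remaining subnets a shared NAT gateway. It reads the shape of `az network vnet subnet list -o json` and `az network route-table route list -o json`; the subnet and route data below are constructed inline with placeholder resource IDs so the script runs offline, and the names rg-net, vnet-prod, natgw-prod and pip-natgw-prod are assumed.

```python
"""Classify Azure subnets by outbound path and plan NAT gateway remediation.

Added example, not Nerdio Manager's scripted action or Microsoft code. The
input mirrors `az network vnet subnet list -o json` and
`az network route-table route list -o json`, trimmed to the fields used here
and constructed inline (placeholder resource IDs) so it runs offline.
"""
import json

# Constructed sample: six subnets in one virtual network.
SUBNETS_JSON = r"""
[
  {"name": "snet-avd-hosts", "addressPrefix": "10.10.1.0/24",
   "natGateway": null, "routeTable": null, "defaultOutboundAccess": null},
  {"name": "snet-app", "addressPrefix": "10.10.2.0/24", "natGateway": null,
   "routeTable": {"id": "/subscriptions/0000/resourceGroups/rg-net/providers/Microsoft.Network/routeTables/rt-egress"},
   "defaultOutboundAccess": null},
  {"name": "snet-data", "addressPrefix": "10.10.3.0/24",
   "natGateway": {"id": "/subscriptions/0000/resourceGroups/rg-net/providers/Microsoft.Network/natGateways/natgw-prod"},
   "routeTable": null, "defaultOutboundAccess": null},
  {"name": "snet-mgmt", "addressPrefix": "10.10.4.0/24", "natGateway": null,
   "routeTable": {"id": "/subscriptions/0000/resourceGroups/rg-net/providers/Microsoft.Network/routeTables/rt-internal"},
   "defaultOutboundAccess": null},
  {"name": "snet-new-private", "addressPrefix": "10.10.5.0/24",
   "natGateway": null, "routeTable": null, "defaultOutboundAccess": false},
  {"name": "GatewaySubnet", "addressPrefix": "10.10.255.0/27",
   "natGateway": null, "routeTable": null, "defaultOutboundAccess": null}
]
"""

# Constructed sample: routes per route table, keyed by route-table name.
ROUTES_JSON = r"""
{
  "rt-egress": [
    {"name": "default-to-firewall", "addressPrefix": "0.0.0.0/0",
     "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.10.0.4"}
  ],
  "rt-internal": [
    {"name": "to-onprem", "addressPrefix": "192.168.0.0/16",
     "nextHopType": "VirtualNetworkGateway", "nextHopIpAddress": null}
  ]
}
"""


def load_sample():
    return json.loads(SUBNETS_JSON), json.loads(ROUTES_JSON)


def classify_subnet(subnet, route_tables):
    """Return the outbound path resources in this subnet will use.

    nat-gateway       explicit SNAT via an associated NAT gateway
    firewall          UDR sends 0.0.0.0/0 to a virtual appliance (Azure Firewall / NVA)
    private           defaultOutboundAccess is false: no internet until an explicit method is added
    default-outbound  relies on implicit default outbound access, which new subnets will not have
    Instance-level public IPs and LB outbound rules live on NICs/load balancers,
    not subnets, so this subnet-level check cannot see them.
    """
    if subnet.get("natGateway"):
        return "nat-gateway"
    rt = subnet.get("routeTable")
    if rt:
        rt_name = rt["id"].rsplit("/", 1)[-1]
        for route in route_tables.get(rt_name, []):
            if route["addressPrefix"] == "0.0.0.0/0" and route["nextHopType"] == "VirtualAppliance":
                return "firewall"
    if subnet.get("defaultOutboundAccess") is False:
        return "private"
    return "default-outbound"


def audit(subnets, route_tables):
    return {s["name"]: classify_subnet(s, route_tables) for s in subnets}


def plan_nat_gateway(findings, rg, vnet, natgw, pip, location):
    """Emit az CLI commands giving every subnet without an explicit outbound
    method one shared NAT gateway. GatewaySubnet is skipped (a NAT gateway
    cannot be associated with it). Review the target list before running:
    subnets that never need outbound access are better left private.
    """
    targets = [name for name, path in findings.items()
               if path in ("default-outbound", "private") and name != "GatewaySubnet"]
    if not targets:
        return []
    cmds = [
        # NAT gateway requires a Standard SKU, static public IP in the same region.
        f"az network public-ip create -g {rg} -n {pip} -l {location} "
        f"--sku Standard --allocation-method Static",
        f"az network nat gateway create -g {rg} -n {natgw} -l {location} "
        f"--public-ip-addresses {pip} --idle-timeout 4",
    ]
    cmds += [f"az network vnet subnet update -g {rg} --vnet-name {vnet} "
             f"-n {name} --nat-gateway {natgw}" for name in targets]
    return cmds


if __name__ == "__main__":
    subnets, route_tables = load_sample()
    findings = audit(subnets, route_tables)
    for name, path in findings.items():
        print(f"{name:18} {path}")
    print()
    for cmd in plan_nat_gateway(findings, "rg-net", "vnet-prod", "natgw-prod",
                                "pip-natgw-prod", "westeurope"):
        print(cmd)
```

Against the sample, snet-app is served by the firewall, snet-data already has a NAT gateway, and the remaining three non-gateway subnets are added to the plan. A subnet the audit reports as default-outbound could in reality still be served by an instance-level public IP or a load balancer outbound rule, which the subnet listing does not show; that blind spot is one more reason to standardise on the subnet-level methods (NAT gateway or firewall) before the deadline.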
Challenges
One challenge for all customers is determining which services require outbound internet access. A VM may only need to reach internal or Azure services, but many of those, including Microsoft-managed services, are reachable only via public endpoints. Azure PaaS offerings such as Storage, Key Vault, and SQL fall into this category unless private endpoints have been configured. This is especially critical for Azure Virtual Desktop (AVD) administrators using Entra ID Join: the Entra join process relies entirely on public endpoints, and without internet access, cloud join will fail.
Many VM extensions also depend on internet-based endpoints, for example DSC or the Monitoring Agent. These extensions will fail to deploy if outbound connectivity isn't configured, leading to broken automation and failed host setup. In these cases the subnet the host is connected to will need internet access to complete the build process.
How Nerdio can help
Nerdio Manager provides a scripted action that creates a NAT gateway and attaches it to the desired subnet or subnets.
In addition, Nerdio Manager has network management tools for natively creating and linking Azure virtual networks and Network Security Groups (NSGs). See Azure Environment: linked networks and resource groups for details.
Future outlook
While Microsoft states that this change only affects newly created subnets, it is reasonable to expect it to eventually be extended to existing subnets as well. Implementing a sensible outbound solution for all resources within Azure therefore makes good long-term sense. If you have questions or need assistance designing and implementing an outbound internet access solution, please contact us to schedule a call.