Securing Outbound Access in Azure

On 30 September 2025, Microsoft will retire default outbound access for Virtual Machines in Azure. Organizations will require outbound access through Azure Firewall, 3^rd Party Network Virtual Appliances (NVAs), NAT Gateways, or other methods.

Please note that while directly attaching a Public IP Address (PIP) to a VM will enable outbound access, this is a practice that should not be employed except where absolutely required (such as for an NVA which provides traffic filtering and outbound access).

Organizations should prepare for this change by ensuring any VMs in Azure have explicit outbound connectivity before this requirement is in place. While existing workloads won’t be immediately impacted by this retirement, if history is any judge, it’s only a matter of time before Microsoft requires this across existing Azure resources across the board.

It’s also just good security practice.

Helient can help your organization prepare for this change by conducting an audit of your existing infrastructure and network architecture, make recommendations for changes to bolster security, and rearchitect/deploy solutions to meet these requirements.

Getting ahead of this change now will ensure your organization’s continued smooth operation in Azure. Contact our Azure team for more information and to get started.

Reference: Default outbound access in Azure - Azure Virtual Network | Microsoft Learn