The Containment Era is here. →Explore

aviatrix logoAviatrix

Overview

Threat intelligence hub

Command Center

Visualize blast radius & threats

Under Active Attack
Summarize with:
ChatGPTClaudePerplexityGoogle AIGrok

Note: Microsoft has extended this deadline from September 30, 2025 to March 31, 2026, giving customers more time to prepare.

Mark your calendars: March 31, 2026 will bring a major change to Azure networking. Microsoft is retiring default outbound internet access for new virtual machines (VMs), and this change could significantly impact your cloud infrastructure if you’re not prepared.

At the moment, any new VM can access the internet automatically using default source network address translation (SNAT). With Azure retiring default internet outbound access in March 2026, this change means that every VM created in your Azure tenant from that date forward needs an explicit outbound access method to connect to the internet.

What You’ll Learn:

  • Why Azure is retiring default outbound internet access and what this means for your security

  • How to prepare your environment for this critical change before March 31, 2026

  • Key comparison of available outbound access methods (NAT Gateway, Public IPs, and Outbound Rules)

  • Cost-effective alternatives that can enhance your cloud security

The Good News: Why Removing Default Outbound Access Improves Azure Network Security

The good news about this configuration change is that it’s ultimately healthy for your network security.

Today, default outbound internet access can get around important security protocols, including your organization’s content filtering or internet controls for outbound or egress traffic. Filtering egress traffic is critical because threat actors could exfiltrate data from these traffic streams as part of their attack, and you would be none the wiser.

The rest of the good news is that this configuration change won’t affect existing deployments as long as they do not require new VMs. You’ll need to redesign your network policies and procedures for new deployments, and likely have a plan for dealing with existing deployments, but you won’t have to rebuild internet access from scratch for your existing Azure VMs.

Your Action Plan: Preparing For the 2025 Changes

Though the end of default outbound access for new Azure VMs is a good thing, it does require networking teams to redesign and reconfigure their Azure networking infrastructure and policies. You’ll need to choose among a series of options for how new Azure VMs in your network access the internet.

Comparing Your Options: Available Azure Access Methods

When planning for the 2025 Azure outbound access changes, you have several options for connecting VMs to the internet:

  • Instance-level public IPs: Assigns a dedicated public IP address directly to individual VMs, providing straightforward internet connectivity but requiring careful management of public IP resources and potentially increasing security risks through direct exposure.

  • Outbound rules: Configure Load Balancer rules to control and manage outbound connections from VMs, offering more granular control over traffic flow but requiring additional configuration and management overhead.

  • Azure NAT Gateway: Acts as a shared gateway service for outbound connectivity, providing a managed solution that allows multiple VMs in a subnet to share outbound IP addresses. This option offers the best balance of scalability and manageability for most deployments, with simplified IP management and consistent connectivity.

The downside of Azure NAT Gateways is something that all Cloud Service Provider (CSP)-native NAT gateways share: they don’t inspect egress traffic. These gateways leave your outbound traffic vulnerable to data exfiltration.

In addition, cloud providers charge you for all the data that’s being transferred from that NAT gateway, this can make your cloud bill high and also highly variable, making it difficult to predict the future costs for egress charges.

For a detailed comparison of these Azure outbound access options and their implementation, including configuration steps and best practices, see Microsoft’s technical documentation.

Alternative Solutions: Beyond Native Azure Tools

Curious about a better cloud network security solution for secure, high-performance internet access for your Azure VMs?

  • Aviatrix‘s Cloud Firewall Solution offers capabilities designed to boost your security and enhance performance, whether your environment uses a single cloud, hybrid-cloud, or multicloud architecture.

  • Aviatrix’s Secure NAT Gateway, available in the Azure marketplace, provides egress filtering, cost optimization, and reliable connectivity.

Aviatrix’s Cloud Firewall Boosts Security and Performance

Aviatrix’s Cloud Firewall Solution includes:

  • Secure egress: Establish a zero-trust framework for outbound traffic with features such as URL filtering, geo-blocking, geolocation-based monitoring, advanced threat detection, and network segmentation. This solution also recommends internet egress security policies and helps with constant monitoring and routine management.

  • Cost controls: This solution offers flat-rate billing, or an “all-you-can-eat” model with no additional throughput costs. Unlike metered billing, this gives you full cost transparency. Customers save an average of 25% in savings or more compared to first-party NAT gateway solutions.

Conclusion

Key Takeaways:

  • Start planning now: don’t wait until March is approaching

  • Existing VMs won’t be affected, but new deployments will need explicit configuration

  • Consider security and cost implications when choosing your new outbound access method

  • Evaluate third-party solutions that can provide additional security features and cost benefits

The change to Azure VM internet access is an opportunity, not an inconvenience. You now have an indisputable excuse to redesign your Azure environment to enhance security, boost performance, ensure resiliency, and optimize costs. Consider your alternatives, the Azure options, and our Aviatrix solution, to find the best fit for your organization.

Ready to prepare your Azure environment for this change? Download our free guide or schedule a consultation with our cloud networking experts to assess your specific needs.

Learn more about the new Aviatrix Secure NAT Gateway available in the Azure marketplace.

Share This Article
Connect With Us

Ready to see Aviatrix in action?

Get a personalized live demo walkthrough or explore our latest deep-dive cloud threat research intelligence.

Get a DemoThreat Research Center
Recent Articles
Cisco Multicloud Fabric I Led Cisco-s Cloud Networking Software. Here-s My Honest Read.

Cisco Multicloud Fabric: I Led Cisco's Cloud Networking Software. Here's My Honest Read.

Jun 16, 202610 min read
Aviatrix Containment Plugin for Microsoft Agent Control Specification - Blog

Containment Plugin for Microsoft Agent Control Specification

Jun 10, 20267 min read
What is Lateral Movement

Lateral Movement in Cybersecurity: How Attackers Move and How to Stop Them

Jun 09, 202610 min read
Contain. Detect. Eliminate. Aviatrix Deepens Its Investment in the Full Model.

Contain. Detect. Eliminate. Aviatrix Deepens Its Investment in the Full Model.

Jun 08, 20265 min read
View All Articles
Bryan Woodworth
About the Author

Bryan Woodworth

Principal Solutions Strategist

Bryan leads the strategy and GTM of partner-driven solutions at Aviatrix, focusing on how to leverage the most exciting, innovative technologies at both companies. He helps build solutions that solve real-world challenges, while delivering an experience customers will love. In his former role at Microsoft Azure, he was an Azure Global Black Belt.

View Full Biography
Learn Center

Keep Reading

Related Articles

Advanced Zero Trust for Workloads: Latest Aviatrix Release Delivers Runtime Protection
Advanced Zero Trust for Workloads Latest Aviatrix Release Delivers Runtime Protection
Zero Trust
Advanced Zero Trust for Workloads: Latest Aviatrix Release Delivers Runtime Protection
Madhuri Kaniganti
Madhuri Kaniganti

Dec 22, 2025

5 min read
Read More
Cloud Network Security, Simplified: The High-Rise Apartment Analogy
Cloud Network Security, Simplified The High-Rise Apartment Analogy card image
Cloud Native Security Fabric
Cloud Network Security, Simplified: The High-Rise Apartment Analogy
Jason Haworth
Jason Haworth

Dec 29, 2025

9 min read
Read More
2025 Threat Review: Risks, Exposures, and Attack Surfaces
2025 Threat Review Risks, Exposures, and Attack Surfaces card image
Zero Trust
2025 Threat Review: Risks, Exposures, and Attack Surfaces
Matt Snyder
Matt Snyder

Dec 30, 2025

9 min read
Read More
Introducing the Aviatrix Threat Research Center: AI-Powered Breach Intelligence
Threat Research Center
Zero Trust
Introducing the Aviatrix Threat Research Center: AI-Powered Breach Intelligence
John Qian
John Qian

Jan 15, 2026

5 min read
Read More
VoidLink And the Cloud Workload Attack Playbook
Voidlink And the Cloud Workload Attack Playbook
Cloud Native Security Fabric
VoidLink And the Cloud Workload Attack Playbook
Matt Snyder
Matt Snyder

Jan 21, 2026

9 min read
Read More
Incident Response in the Age of AI
The CISO’s Guide to Incident Response in the Age of AI
Zero Trust
Incident Response in the Age of AI
Sachin Saurabh
Sachin Saurabh

Jan 27, 2026

7 min read
Read More

Featured Categories

95a2292256ee0f5750aa745fc7d21d39c8ae2870

ACE Program

Explore Category
Rectangle 3966

Customers

Explore Category
5a9318112c7cc265fab072924a2acaa2122a1c9f

Cloud Network Security

Explore Category
Aws-card

AWS

Explore Category
partner_card

Partners

Explore Category
cloud networking heroes

Cloud Networking Heroes

Explore Category
azure_card

Azure

Explore Category
events_card

Events

Explore Category

Secure The Connections Between Your Clouds and Cloud Workloads

Leverage a security fabric to meet compliance and reduce cost, risk, and complexity.

Request Executive BriefingUnder Active Attack?
Cta pattren Image