The default outbound policy for Azure virtual networks will be retired on September 30th. After this date, VMs will no longer connect to the Internet unless you deploy a public IP, a Load balancer, a Firewall, or a NAT gateway see.
What will happen when the new rule is enforced, will your workload be affected?
Fortunately, you can test the behavior of your workload with Azure Private Subnet. Azure Private Subnet creates the same condition you will have after September 30th by removing the default outbound policy so you can see what happened and test several different scenarios to anticipate the change.
I will show what happens with a private subnet using a simple architecture: a Virtual Network with one subnet, a VM, PaaS services, one Azure Key Vault, and one Storage Account.
Without a private subnet, the VM can connect to the storage account and access secrets in the key vault, it can connect to the Internet and perform updates (and potentially download harmful files).
None of these actions will be possible with a private subnet (or after September 30th, 2025), but some alternatives remain.
There are two solutions to access PaaS services without using the Internet, Service Endpoint and Private Link.
Service Endpoint is an option where routes to PaaS services is managed through the Microsoft backbone. This is a virtual network route where the next hop is not the Internet but the VirtualNetworkServiceEndpoint. It acts like the endpoint is part of the Virtual Network, so you can connect to the PaaS service even if it still uses a Public IP and your workload don't have access to the Internet.
Private Link is the solution if you want to keep the VM out of the Internet and use your Virtual Network private IPs. Azure Private link creates a vNIC in a subnet for the PaaS so your workload uses a private IP to connect to the service.
Service Endpoint and Private Link can be used with the private subnet feature to access Azure PaaS services. Service endpoint is not available for all Azure services and requires a configuration on each subnet. Private Link requires that you manage a private DNS zone for each service (privatelink.blob.core.windows.net for blob storage for example), it is easy for a standalone subscription using Azure DNS, but for organizations with their own DNS resolvers, the configuration is much more complex.
For accessing the Internet with Privat Subnet there are also several options you can choose.
If you have a single VM in an isolated dev environment, you can choose to associate it with a public IP. The public IP will serve as a NAT gateway to access the Internet. But it means that you expose the VM to Internet threats as the VM is open to the Internet. It is not a solution for production environments and it doesn't scale well.
A better solution would be to use a load balancer for outbound connectivity. The load balancer public IP and outbound rule allow SNAT to the internet. But you need to work on SNAT port allocation, you will need to allocate a number of ports for each VM manually and monitor port exhaustion. You will have the responsibility to monitor the Load balancer to avoid connectivity issues.
Another solution is to use a NAT gateway. A NAT Gateway is fully managed and highly resilient. The Nat gateway is associated with a subnet; all VMs/VMSS will use it as a default outbound. It reduces the risk of SNAT port exhaustion (it can scale up to one million SNAT ports), but does not eliminate it; you may still have to monitor it.
Nat Gateway can be used with VMs/VMSS, AKS, Azure Functions, and Azure Web App. This is one of the best options for multiple landing zones, you can deploy the Nat Gateway with the landing zone VNET and associate it with a subnet.
The last option, using a Firewall, Azure Firewall, or an NVA, is more complex and costly. To use a firewall to access the Internet, every subnet needs to have a route for 0.0.0.0/0 to the NVA. You need to take care of the SNAT port exhaustion on the firewall side too.
These are the options you can test with the private subnet feature before September 30th. The most logical is the Nat Gateway. It is easy to deploy in landing zones and it can be very effective. You also need to understand that PaaS services will not be accessible via public endpoints and you need to prepare your DNS infrastructure to handle private links.
You will need to prepare for the September 30th; it is less than one year.
Top comments (0)