Azure Private Subnets are now Generally Available (GA) – it is time to re-assess your Azure outbound network strategy. The "default connectivity" of Azure Virtual Networks has certainly had its controversies over the years.
As of May 2025, Azure has finally moved toward secure-by-default networking. The networking redesign, in Preview since November 2023, finally addresses three long-standing problems with implicit outbound access:
- Security: Default Internet access contradicts Zero Trust principles.
- Clarity: Explicit connectivity is preferred over implicit access.
- Stability: The default outbound IP isn't customer-owned and may change, leading to potential disruptions.
Subnets can now be created without default outbound internet access, so controlled egress becomes a requirement of the design rather than something you have to force onto each subnet and then verify is not being bypassed.
Before this update, when you deployed virtual machines in a virtual network without specifying outbound connectivity, Azure assigned them a default public IP address for outbound traffic. These implicit IP addresses can change unexpectedly, are not tied to your subscription, complicate troubleshooting, and undermine Azure's "secure by default" approach, which is designed to provide strong security protections automatically, without requiring extra configuration from customers.
How to egress now: add your explicit outbound method with any of the following services or solutions:
- Azure Firewall
- NAT Gateway
- Azure Load Balancer
- A public IP address resource attached directly to the virtual machine's network interface
- Custom routing (a User Defined Route for 0.0.0.0/0) to a Network Virtual Appliance of your choice, e.g. Fortinet or Cisco
Important Note: Default outbound access is being deprecated for new subnets on September 30th, 2025. If you’re still relying on it, now’s the time to plan your transition.
Known Limitations: This is an opportunity to modernise your network architecture and continue your alignment with zero-trust principles, but it is no panacea. There are several limitations that need to be accounted for in any architecture update that adopts Private Subnets:
- Activating or updating virtual machine operating systems like Windows requires explicit outbound connectivity.
- With User Defined Routes (UDRs), any route using an Internet next hop breaks in a private subnet; this does not affect Service Endpoints.
- Private subnets do not apply to delegated or managed subnets for PaaS services, as those services handle their own outbound connectivity.
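As an added example (not code from the original post, from Advania, or from Microsoft), the Python script below audits a virtual network description shaped like the output of `az network vnet show`, plus its route tables as returned by `az network route-table show`, and reports per subnet whether egress is explicit (NAT Gateway or a 0.0.0.0/0 route to an NVA), whether the subnet still relies on default outbound access, and whether a private subnet carries a User Defined Route with an Internet next hop that the limitation above says will not work. The VNet, route tables, subnet names and resource IDs are all constructed for illustration. It only sees subnet-level settings: a public IP on a NIC or a load balancer outbound rule also satisfies the explicit-egress requirement but is not visible here, so a private subnet with no subnet-level egress is reported as a warning rather than a definite failure.

```python
"""Audit Azure VNet subnets for reliance on default outbound access.

Added example; the input shape follows the Azure Resource Manager subnet and
route-table schema (`defaultOutboundAccess`, `natGateway`, `routeTable`,
`delegations`, `nextHopType`). All data below is constructed.
"""
from __future__ import annotations

# Constructed route tables, keyed by resource ID (placeholder IDs).
SAMPLE_ROUTE_TABLES: dict[str, list[dict]] = {
    "/rt/to-firewall": [
        {"addressPrefix": "0.0.0.0/0", "nextHopType": "VirtualAppliance",
         "nextHopIpAddress": "10.0.0.4"},
    ],
    "/rt/internet-hop": [
        {"addressPrefix": "0.0.0.0/0", "nextHopType": "Internet"},
    ],
}

# Constructed VNet covering the cases discussed in the post.
SAMPLE_VNET = {
    "name": "vnet-prod",
    "subnets": [
        # Legacy subnet: nothing explicit, so VMs get an implicit Azure-owned IP.
        {"name": "snet-legacy", "addressPrefix": "10.0.1.0/24"},
        # Private subnet with a NAT Gateway: explicit, customer-owned egress.
        {"name": "snet-app", "addressPrefix": "10.0.2.0/24",
         "defaultOutboundAccess": False,
         "natGateway": {"id": "/natgw/natgw-prod"}},
        # Private subnet whose UDR uses an Internet next hop: does not work.
        {"name": "snet-broken", "addressPrefix": "10.0.3.0/24",
         "defaultOutboundAccess": False,
         "routeTable": {"id": "/rt/internet-hop"}},
        # Not yet private, but already forced through a firewall NVA.
        {"name": "snet-db", "addressPrefix": "10.0.4.0/24",
         "routeTable": {"id": "/rt/to-firewall"}},
        # Private subnet with no subnet-level egress at all.
        {"name": "snet-mgmt", "addressPrefix": "10.0.5.0/24",
         "defaultOutboundAccess": False},
        # Delegated subnet: the PaaS service owns its egress, so out of scope.
        {"name": "snet-aci", "addressPrefix": "10.0.6.0/24",
         "delegations": [{"serviceName": "Microsoft.ContainerInstance/containerGroups"}]},
    ],
}


def classify_subnet(subnet: dict, route_tables: dict[str, list[dict]]) -> tuple[str, str]:
    """Return (severity, message) for one subnet; severity is ok/info/warn/fail."""
    if subnet.get("delegations"):
        return "info", "delegated subnet; the PaaS service manages its own egress"

    is_private = subnet.get("defaultOutboundAccess") is False
    has_nat = bool(subnet.get("natGateway"))
    rt_id = (subnet.get("routeTable") or {}).get("id")
    routes = route_tables.get(rt_id, []) if rt_id else []
    default_routes = [r for r in routes if r.get("addressPrefix") == "0.0.0.0/0"]
    nva_default = any(r.get("nextHopType") == "VirtualAppliance" for r in default_routes)
    internet_routes = [r for r in routes if r.get("nextHopType") == "Internet"]

    if is_private and internet_routes:
        # Known limitation: Internet next-hop routes do not work in private subnets.
        prefixes = ", ".join(r["addressPrefix"] for r in internet_routes)
        return "fail", f"private subnet has UDR with Internet next hop ({prefixes}); that route will not work"
    if has_nat:
        return "ok", "explicit egress via NAT Gateway"
    if nva_default:
        return "ok", "explicit egress via UDR 0.0.0.0/0 to NVA/Azure Firewall"
    if is_private:
        # NIC-level public IPs and LB outbound rules are not visible at subnet level.
        return "warn", ("private subnet with no NAT Gateway or NVA default route; "
                        "without a NIC public IP or LB outbound rule, OS activation/updates will fail")
    return "fail", "relies on default outbound access (implicit, non-customer-owned IP); add explicit egress"


def audit_vnet(vnet: dict, route_tables: dict[str, list[dict]]) -> dict[str, tuple[str, str]]:
    """Classify every subnet in the VNet, keyed by subnet name."""
    return {s["name"]: classify_subnet(s, route_tables) for s in vnet["subnets"]}


def findings(vnet: dict, route_tables: dict[str, list[dict]]) -> list[str]:
    """Names of subnets that need action (severity warn or fail), in VNet order."""
    return [name for name, (sev, _) in audit_vnet(vnet, route_tables).items()
            if sev in ("warn", "fail")]


if __name__ == "__main__":
    for name, (severity, message) in audit_vnet(SAMPLE_VNET, SAMPLE_ROUTE_TABLES).items():
        print(f"{severity.upper():5} {name}: {message}")
```

To run it against a real environment, replace the constructed dictionaries with the parsed JSON of `az network vnet show` and `az network route-table show` for each referenced route table; the classification logic is unchanged.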
What should I do?
If you are interested in reviewing your networking architecture to improve alignment with Zero Trust Security Principles and the private networking changes, then reach out to your Advania UK account manager.