
Olivier Miossec


Upcoming Breaking changes in Azure Network, implicit outbound connectivity will be retired

In Azure, when you create a VM, it must be connected to a subnet in a VNET. The VM can then connect to the Internet automatically: no configuration is needed in the VM, the subnet, or the VNET. This is implicit outbound connectivity, where Azure manages the public IP and the NAT configuration. It is convenient, but you don’t manage the outbound public IP, which can change without notice, security rules can become very complex to manage, and you have no control over how the VM connects to the Internet.

For better control, you can configure explicit outbound connectivity. It can be a Load Balancer with an outbound configuration, a NAT gateway, a firewall (Azure Firewall or an NVA), or a public IP.

Implicit connectivity is on a path to retirement. On the 30th of September 2025, implicit outbound access will be retired (link). After this date, VMs will no longer be connected to the Internet if there is no explicit outbound connectivity (like in AWS). Without preparation, it will ruin your 26th of September morning.

The two main options are a standard load balancer or a NAT Gateway.

With the load balancer, you have to set up a public IP, a backend pool, and an outbound rule. There are two problems. First, the backend pool is configured by IP or by vNIC, so each time you create a VM you need to add its vNIC to the backend pool. The second problem is more complex: the load balancer uses ephemeral ports to map each private IP to public IP flow, and you can run out of these ports (SNAT port exhaustion), leaving you with no connection.

With the NAT Gateway, you associate it with a public IP, then associate a subnet with the outbound configuration, so every new VM connected to the subnet will use the NAT Gateway. But if you create a new subnet, you will need to associate it with the NAT Gateway. You can also handle SNAT port exhaustion by adding a new public IP to the NAT Gateway.
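To prepare for the retirement, it helps to know which network interfaces have none of the explicit methods listed above. The following audit is an added example, not code from the original post: it runs over a constructed inventory that keeps only a few fields of the JSON returned by `az network nic list`, `az network vnet subnet list`, `az network lb list` and `az network route-table list`. The function names, the short resource ids and the rule that a default route to a virtual appliance counts as a firewall are assumptions.

```python
# Added example, not from the original post. Inventory below is constructed;
# real resource ids are full ARM paths, shortened here for readability.

def explicit_methods(nic, subnets, lbs, route_tables):
    """Return the explicit outbound methods covering this NIC (empty list = none)."""
    # Backend pools referenced by at least one load balancer outbound rule.
    outbound_pools = {
        rule["backendAddressPool"]["id"]
        for lb in lbs
        for rule in lb.get("outboundRules") or []
    }
    found = set()
    for cfg in nic["ipConfigurations"]:
        if cfg.get("publicIPAddress"):
            found.add("public-ip")
        pools = {p["id"] for p in cfg.get("loadBalancerBackendAddressPools") or []}
        if pools & outbound_pools:
            found.add("lb-outbound-rule")
        subnet = subnets[cfg["subnet"]["id"]]
        if subnet.get("natGateway"):
            found.add("nat-gateway")
        # Assumption: a 0.0.0.0/0 route to a virtual appliance is a firewall or NVA.
        table = route_tables.get((subnet.get("routeTable") or {}).get("id"), {})
        for route in table.get("routes") or []:
            if (route["addressPrefix"], route["nextHopType"]) == ("0.0.0.0/0", "VirtualAppliance"):
                found.add("firewall-or-nva")
    return sorted(found)

def nics_without_explicit_outbound(nics, subnets, lbs, route_tables):
    """Names of NICs that would have no Internet access once implicit access is retired."""
    return [n["name"] for n in nics if not explicit_methods(n, subnets, lbs, route_tables)]

# Constructed sample inventory.
SUBNETS = {"snet-app": {"natGateway": {"id": "natgw-1"}},
           "snet-db": {"routeTable": {"id": "rt-fw"}}, "snet-legacy": {}}
ROUTE_TABLES = {"rt-fw": {"routes": [
    {"addressPrefix": "0.0.0.0/0", "nextHopType": "VirtualAppliance"}]}}
LBS = [{"outboundRules": [{"backendAddressPool": {"id": "pool-out"}}]}]
NICS = [
    {"name": "nic-app", "ipConfigurations": [{"subnet": {"id": "snet-app"}}]},
    {"name": "nic-db", "ipConfigurations": [{"subnet": {"id": "snet-db"}}]},
    {"name": "nic-web", "ipConfigurations": [{"subnet": {"id": "snet-legacy"},
     "loadBalancerBackendAddressPools": [{"id": "pool-out"}]}]},
    {"name": "nic-inbound", "ipConfigurations": [{"subnet": {"id": "snet-legacy"},
     "loadBalancerBackendAddressPools": [{"id": "pool-in"}]}]},
    {"name": "nic-old", "ipConfigurations": [{"subnet": {"id": "snet-legacy"}}]},
]
```

A NIC in a backend pool that no outbound rule references (`nic-inbound` here) is reported too, since pool membership alone is not an outbound configuration.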
