Aidan Finn, IT Pro, 28 August 2024
Default Outbound Access For VMs In Azure Will Be Retired

 

Microsoft has announced that the default outbound access method for Azure VMs (an implicit public IP address) will be retired on 30 September 2025. This means that new virtual machines will no longer be able to reach the Internet through an implicit public IP address. Existing virtual machines are not affected, but note that when a virtual machine is deleted or restored from backup, the new virtual machine will not have an implicit public IP address. Microsoft's aim is to improve the security and controllability of Azure and to encourage users to adopt more secure outbound access methods, such as a NAT gateway or Azure Firewall.

😢 **Default outbound access will be deprecated:** Microsoft has announced that the default outbound access method for Azure VMs (an implicit public IP address) will be retired on 30 September 2025. This means that new virtual machines will no longer be able to reach the Internet through an implicit public IP address. Existing virtual machines are not affected, but note that when a virtual machine is deleted or restored from backup, the new virtual machine will not have an implicit public IP address.

🤔 **Security risk:** Implicit public IP addresses lack security controls and are easy targets for malware command-and-control and data exfiltration. Microsoft therefore hopes to improve Azure's security and controllability by deprecating implicit public IP addresses.

💡 **Mitigations:** Users can mitigate the impact of the retirement of default outbound access in the following ways:
1. Assign a public IP address to the virtual machine. This is the cheapest option, but it provides no outbound security.
2. Use a NAT gateway, which allows a single IP address (or a range from an Azure Public IP Address Prefix) to be shared across an entire subnet. Note, however, that if you span availability zones, the VNet and workloads need to be redesigned.
3. Use a next hop: an appliance (a virtual machine or a Marketplace network virtual appliance) or Azure Firewall can serve as the next hop to the Internet (0.0.0.0/0) or to specific Internet IP prefixes. This is the security option; a firewall can block unwanted outbound traffic.

🎯 **Act early:** Although 30 September 2025 is still a long way off, users need to plan ahead and take action. Don't wait until the last minute to discover that you are affected; start researching and planning now.

🚀 **Outlook:** Microsoft's move is intended to drive improvements in Azure network and security architecture and to encourage users to adopt more secure and controllable outbound access methods. This will help improve the overall security and reliability of Azure and give users a better experience.

Microsoft has announced that the default route, an implicit public IP address, is being deprecated 30 September 2025.

Background

Let’s define “Internet” for the purposes of this post. The Internet includes:

We have had ways to access those services, including:

If a virtual machine is deployed without having any of the above, it still needs to reach the Internet to do things like:

For that reason, all Azure virtual machines are able to reach the Internet using an implied public IP address. This is an address that is randomly assigned to SNAT the connection out from the virtual machine to the Internet. That address:

Modern Threats

There are two things that we should have been designing networks to stop for years:

The modern hack is a clever and gradual process. Ransomware is not some dumb bot that gets onto your network and goes wild. Some of the recent variants are manually controlled. The malware gets onto the network and attempts to call home to a “machine” on the Internet. From there, the controllers can explore the network and plan their attack. This is the command and control. This attempt to “call home” should be blocked by network/security designs that block outbound access to the Internet by default, opening only connections that are required for workloads to function.

The controller will discover more vulnerabilities and download more software, taking further advantage of vulnerable network/security designs. Backups are targeted for attack first, data is stolen, and systems are crippled and encrypted.

The data theft, or exfiltration, is to an IP address that a modern network/security design would block.

So you can see that a network design in which an implied public IP address is used is not good practice. This is a primary consideration in Microsoft's decision to end the future use of implied public IP addresses.

What Is Happening?

On September 30th, all future virtual machines will no longer be able to use an implied public IP address. Existing virtual machines will be unaffected – but I want to drill into that because it’s not as simple as one might think.

A virtual machine is a resource in Azure. It’s not some disks. It’s not your concept of “I have something called X” that is a virtual machine. It’s a resource that exists. At some point, that resource might be removed. At that point, the virtual machine no longer exists, even if you recreate it with the exact same disks and name.

So keep in mind:

Is This a Money Grab?

No, this is not a money grab. This is an attempt by Microsoft to correct a “wrong” (it was done to be helpful to cloud newcomers) that was done in the original design. Some of the mitigations are quite low-cost, even for small businesses. To be honest, what money could be made here is pennies compared to the much bigger money that is made elsewhere by Azure.

The goal here is to:

What Is Your Mitigation?

There are several paths that you can choose.

1. Assign a public IP address to a virtual machine: This is the lowest cost option but offers no egress security. It can get quite messy if multiple virtual machines require public IP addresses. Rate this as “better than nothing”.

2. Use a NAT Gateway: This allows a single IP address (or a range from an Azure Public IP Address Prefix) to be shared across an entire subnet. Note that NAT Gateway gets messy if you span availability zones, requiring disruptive VNet and workload redesign. Again, this is not a security option.

3. Use a next hop: You can use an appliance (virtual machine or Marketplace network virtual appliance) or the Azure Firewall as a next hop to the Internet (0.0.0.0/0) or specific Internet IP prefixes. This is a security option – a firewall can block unwanted egress traffic. If you are budget-conscious, then consider Azure Firewall Basic. No matter what firewall/appliance you choose, there will be some subnet/VNet redesign and changes required to routing, which could affect VNet-integrated PaaS services such as API Management Premium.
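As an added example (not from the original post), the following inventory check classifies each VM NIC by which of the three paths above it uses, flagging those that still depend on the implied public IP. The NIC/subnet/route model is a constructed simplification of Azure's resource properties, not a call into the Azure SDK, and the sample inventory is made up.

```python
# Which VMs still depend on the implied public IP (default outbound access),
# and which already use one of the three mitigations described in the post?
from dataclasses import dataclass, field

@dataclass
class Route:
    prefix: str          # e.g. "0.0.0.0/0"
    next_hop_type: str   # Azure route next hop types, e.g. "VirtualAppliance", "Internet"

@dataclass
class Subnet:
    name: str
    has_nat_gateway: bool = False
    routes: list = field(default_factory=list)   # routes from the attached route table

@dataclass
class Nic:
    vm: str
    subnet: Subnet
    has_public_ip: bool = False

def egress_path(nic: Nic) -> str:
    """Classify how a NIC egresses, checking the mitigations in the order the post lists them."""
    if nic.has_public_ip:
        return "public-ip"          # explicit address, no egress filtering
    if nic.subnet.has_nat_gateway:
        return "nat-gateway"        # shared SNAT address for the whole subnet
    for r in nic.subnet.routes:
        if r.prefix == "0.0.0.0/0" and r.next_hop_type == "VirtualAppliance":
            return "next-hop-appliance"  # firewall/NVA can filter egress
    # A 0.0.0.0/0 route whose next hop is "Internet" is not a mitigation: the
    # VM still SNATs through the implied public IP.
    return "default-outbound"       # retired for new VMs on 30 September 2025

def vms_at_risk(nics) -> list:
    """VMs that lose Internet egress if recreated or restored after the deadline."""
    return sorted(n.vm for n in nics if egress_path(n) == "default-outbound")

# Constructed inventory for illustration; names and topology are invented.
FW_HOP = Route("0.0.0.0/0", "VirtualAppliance")
INVENTORY = [
    Nic("web01", Subnet("snet-web"), has_public_ip=True),
    Nic("app01", Subnet("snet-app", has_nat_gateway=True)),
    Nic("db01", Subnet("snet-db", routes=[FW_HOP])),
    Nic("legacy01", Subnet("snet-legacy", routes=[Route("0.0.0.0/0", "Internet")])),
    Nic("legacy02", Subnet("snet-old")),
]
```

Running `vms_at_risk(INVENTORY)` on this sample flags only `legacy01` and `legacy02`; note that `legacy01` is flagged despite its 0.0.0.0/0 route, because a next hop of type Internet does not replace the implied address.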

September 2025 is a long time away. But you have options to consider and potentially some network redesign work to do. Don’t sit around – start working.

In Summary

The implied route to the Internet for Azure VMs will stop being available to new VMs on September 30th, 2025. This is not a money grab – you can choose low-cost options to mitigate the effects if you wish. The hope is that you opt to choose better security, either from Microsoft or a partner. The deadline is a long time away. Do not assume that you are not affected – one day you will expand services or restore a VM from backup and be affected. So get started on your research & planning.

The post Default Outbound Access For VMs In Azure Will Be Retired first appeared on Aidan Finn, IT Pro.
