
Azure VM Outbound Traffic: From Microsoft's Hidden IP to Your Own Controlled Connection

⚠️ Important: This article only applies if you are NOT routing all traffic through a firewall like Azure Firewall or a Network Virtual Appliance (NVA). If you already have a firewall handling your outbound traffic, you can ignore this alert.

If you've received a security alert about your Azure virtual machine using "default outbound access," you might be confused about what this actually means—especially if your VM only has a private IP address and no public IP attached. Let me clarify what this alert is really about and how to fix it.


Outbound Traffic from Azure VMs is changing

Important: This alert has absolutely nothing to do with inbound connections to your VM. If your VM has a private IP and works fine behind a load balancer for inbound traffic, that setup will continue to work exactly as it does now.

What's Actually Happening

Even though your VM has no public IP address, it can still reach the internet for outbound connections. Here's how:

  1. Your VM has only a private IP (e.g., 10.0.1.4)
  2. When your VM makes an outbound connection (Windows Update, package downloads, etc.)
  3. Azure automatically provides a hidden "default outbound access IP"
  4. This hidden IP is owned by Microsoft, not you
  5. This IP can change without notice, potentially breaking your applications

This implicit connectivity contradicts Zero Trust principles, and Microsoft is retiring default outbound access on September 30, 2025. Microsoft's documentation lays the available options out as a flowchart; the option used in this blog post is an explicit outbound rule on a Standard Load Balancer.


The Azure Outbound Connectivity Decision Tree

Azure uses a priority order to determine how your VM connects outbound to the internet:

  1. Virtual Appliance/Firewall (highest priority)
  2. NAT Gateway
  3. Instance-level Public IP (attached directly to VM)
  4. Load Balancer with Outbound Rules
  5. Basic Load Balancer (deprecated)
  6. Default Outbound Access

Note: If your VM has none of options 1-5 configured, it falls back to the problematic "Default Outbound Access" (and, once its subnet is marked private, to no internet access at all).
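Before changing anything it helps to know which VMs are actually on the bottom rung. The following is an added example, not a script from the original post: it walks the decision tree above for every NIC attached to a VM in the current subscription and reports the outbound method each one will use. It assumes the Az.Network and Az.Compute modules, a prior Connect-AzAccount, and that the primary IP configuration of each NIC is the one that matters; it also goes one step beyond the list above by recognising a public Standard Load Balancer inbound rule whose outbound SNAT is still enabled, since that also provides outbound SNAT. The `DefaultOutboundAccess` subnet property is an assumption about recent Az.Network versions.

```powershell
# Added example (not the post's own script): classify each VM NIC by outbound method.
# Assumes Az.Network/Az.Compute are installed and Connect-AzAccount has been run.
function Get-VmOutboundMethod {
    param($Nic)
    $ipcfg = $Nic.IpConfigurations[0]   # assumption: primary IP configuration only

    # Subnet ID: /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>/subnets/<subnet>
    $parts  = $ipcfg.Subnet.Id -split '/'
    $vnet   = Get-AzVirtualNetwork -ResourceGroupName $parts[4] -Name $parts[8]
    $subnet = $vnet.Subnets | Where-Object Name -eq $parts[10]

    # 1. A 0.0.0.0/0 route to a virtual appliance sends everything via a firewall/NVA.
    if ($subnet.RouteTable) {
        $rtParts = $subnet.RouteTable.Id -split '/'
        $rt = Get-AzRouteTable -ResourceGroupName $rtParts[4] -Name $rtParts[-1]
        if ($rt.Routes | Where-Object { $_.AddressPrefix -eq '0.0.0.0/0' -and $_.NextHopType -eq 'VirtualAppliance' }) {
            return 'Virtual Appliance/Firewall (UDR)'
        }
    }
    # 2. NAT Gateway attached to the subnet.
    if ($subnet.NatGateway) { return 'NAT Gateway' }
    # 3. Instance-level public IP on the NIC.
    if ($ipcfg.PublicIpAddress) { return 'Instance-level Public IP' }
    # 4/5. Load balancer membership.
    foreach ($poolRef in $ipcfg.LoadBalancerBackendAddressPools) {
        $lbParts = $poolRef.Id -split '/'
        $lb = Get-AzLoadBalancer -ResourceGroupName $lbParts[4] -Name $lbParts[8]
        if ($lb.Sku.Name -eq 'Basic') { return 'Basic Load Balancer (deprecated)' }
        if ($lb.OutboundRules | Where-Object { $_.BackendAddressPool.Id -eq $poolRef.Id }) {
            return "Load Balancer outbound rule ($($lb.Name))"
        }
        # Inbound rule on a public frontend with outbound SNAT still enabled also SNATs.
        foreach ($rule in $lb.LoadBalancingRules) {
            if ($rule.BackendAddressPool.Id -ne $poolRef.Id -or $rule.DisableOutboundSNAT) { continue }
            $fe = $lb.FrontendIpConfigurations | Where-Object Id -eq $rule.FrontendIPConfiguration.Id
            if ($fe.PublicIpAddress) { return "Load Balancer inbound rule SNAT ($($lb.Name), no outbound rule)" }
        }
    }
    # 6. Nothing explicit: a private subnet has no outbound at all, otherwise default outbound access.
    if ($subnet.DefaultOutboundAccess -eq $false) { return 'None (private subnet, no outbound)' }
    return 'Default Outbound Access (retiring)'
}

Get-AzNetworkInterface | Where-Object { $_.VirtualMachine } | ForEach-Object {
    [pscustomobject]@{
        VM       = ($_.VirtualMachine.Id -split '/')[-1]
        NIC      = $_.Name
        Outbound = Get-VmOutboundMethod -Nic $_
    }
} | Format-Table -AutoSize
```

Anything reported as "Default Outbound Access (retiring)" is a VM the rest of this post applies to; rows showing "inbound rule SNAT" are working today but should get an explicit outbound rule as well, since that is the configuration Microsoft documents as intended.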

Solution: Add Load Balancer with Explicit Outbound Rules

To fix this, I need to move my VM from using "Default Outbound Access" to "Explicit SNAT by the outbound rule" in the decision tree. This means configuring a Standard Load Balancer with outbound rules.

Phase 1: Create or Configure Standard Public Load Balancer

If you already have a load balancer for inbound traffic:

  • Skip to Phase 3 to add outbound rules
  • Ensure it's a Standard SKU (Basic doesn't support outbound rules)

If you need to create a new load balancer:

  1. Navigate to Load Balancers in Azure Portal

    • Go to "Create a resource" → "Networking" → "Load Balancer"
    • Choose "Standard" SKU (required for outbound rules)
    • Select "Public" type

  2. Configure Frontend IP

    • Create a new public IP address or select an existing one
    • Use "Standard" SKU for the public IP
    • Choose "Static" assignment method

Phase 2: Set Up Backend Pool (If Not Already Done)

  1. Create Backend Pool

    • In your load balancer, go to "Backend pools"
    • Click "Add"
    • Virtual network: Select your VM's VNet
    • Backend Pool Configuration: Choose "IP address"
  2. Add Your Virtual Machine

    • Click "Add" in the backend pool configuration
    • Select your virtual machine
    • Choose the appropriate network interface
    • Specify the private IP address of the VM



Phase 3: Create Outbound Rule

This is the critical step that fixes the default outbound access issue:

  1. Navigate to Outbound Rules

    • In your load balancer, click "Outbound rules"
    • Click "Add"
  2. Configure the Outbound Rule

    • Name: explicit-outbound-access
    • Frontend IP address: Select your load balancer's public IP
    • Protocol: All (TCP, UDP and ICMP, so outbound traffic behaves as it did under default outbound access)
    • Idle timeout: 4 minutes (the default; raise it only if long-lived idle connections are being dropped)
    • Backend pool: Select your backend pool
    • Port allocation: "Use the default number of outbound ports" lets Azure size the SNAT port allocation from the backend pool size (1024 ports per VM for a pool of up to 50 VMs)
  3. Number of outbound ports: only applies if you choose to set the allocation manually; 1024 per instance is a reasonable starting point (adjust based on your needs)




Outbound Rules not available (at setup)

I was not able to create the outbound rules during the initial setup of the load balancer, so I had to create the load balancer without them first. Once the load balancer existed, the outbound rules could be added, so let's do that now:


This will then be confirmed as an outbound rule, as you can see below:

Phase 4: Make Subnet Private (Recommended)

To completely disable default outbound access at the subnet level:

Using Azure Portal:

1. Navigate to your Virtual Network
2. Select the subnet containing your VM
3. Check the "Private subnet" checkbox
4. Save the configuration

Note that this setting applies to every VM in the subnet, not just the one you added to the backend pool, so confirm that each VM in the subnet has an explicit outbound method before you save it.

Phase 5: Restart Virtual Machine (Critical Step)

You must restart your VM for these changes to take effect:

1. Go to Virtual machines → Select your VM
2. Click "Stop" and wait for "Stopped (deallocated)" status
3. Click "Start" and wait for the VM to fully boot
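The same five phases can be scripted instead of clicked through. The following is an added example, not a script from the original post, using the Az PowerShell modules (Az.Network and Az.Compute) from an admin workstation after Connect-AzAccount. Every resource name below is an assumption; replace them with your own. The `-DefaultOutboundAccess` parameter on Set-AzVirtualNetworkSubnetConfig needs a recent Az.Network release (the Azure CLI equivalent is `az network vnet subnet update --default-outbound false`).

```powershell
# Added example (not the post's own script): Phases 1 to 5 in Az PowerShell.
# All names are assumptions; replace them with your own resources.
$rg         = 'rg-web'
$location   = 'westeurope'
$vmName     = 'vm-web01'
$nicName    = 'vm-web01-nic'
$vnetName   = 'vnet-prod'
$subnetName = 'snet-web'
$lbName     = 'lb-web'
$pipName    = 'pip-lb-web-outbound'
$poolName   = 'bepool-web'

# Phase 1: Standard SKU, static public IP and a Standard public load balancer.
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name $pipName -Location $location `
    -Sku Standard -AllocationMethod Static
$frontend = New-AzLoadBalancerFrontendIpConfig -Name 'fe-outbound' -PublicIpAddress $pip

# Phase 2: backend pool (empty for now; the NIC is added after the rule exists).
$pool = New-AzLoadBalancerBackendAddressPoolConfig -Name $poolName
$lb = New-AzLoadBalancer -ResourceGroupName $rg -Name $lbName -Location $location -Sku Standard `
    -FrontendIpConfiguration $frontend -BackendAddressPool $pool
# Already have a Standard load balancer? Skip the lines above and start here instead:
# $lb = Get-AzLoadBalancer -ResourceGroupName $rg -Name $lbName

# Phase 3: explicit outbound rule. Protocol All keeps TCP, UDP and ICMP working as before.
# AllocatedOutboundPort 1024 mirrors the manual allocation in the post; drop the parameter
# to let Azure size the SNAT port allocation from the backend pool instead.
Add-AzLoadBalancerOutboundRuleConfig -LoadBalancer $lb -Name 'explicit-outbound-access' `
    -FrontendIpConfiguration $lb.FrontendIpConfigurations[0] `
    -BackendAddressPool $lb.BackendAddressPools[0] `
    -Protocol All -IdleTimeoutInMinutes 4 -AllocatedOutboundPort 1024 | Out-Null
# If the balancer also has inbound load balancing rules, set -DisableOutboundSNAT on them
# (Set-AzLoadBalancerRuleConfig) so this outbound rule is the only thing doing SNAT.
$lb = Set-AzLoadBalancer -LoadBalancer $lb

# Phase 2 (continued): put the VM's NIC into the pool.
$nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name $nicName
$nic.IpConfigurations[0].LoadBalancerBackendAddressPools.Add($lb.BackendAddressPools[0])
Set-AzNetworkInterface -NetworkInterface $nic | Out-Null

# Phase 4: make the subnet private so default outbound access is off for good.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $subnet.AddressPrefix -DefaultOutboundAccess $false | Out-Null
Set-AzVirtualNetwork -VirtualNetwork $vnet | Out-Null

# Phase 5: stop/deallocate and start so the VM picks up the new SNAT path.
Stop-AzVM  -ResourceGroupName $rg -Name $vmName -Force
Start-AzVM -ResourceGroupName $rg -Name $vmName
```

Run Phase 4 last, as the script does: marking the subnet private before the outbound rule and pool membership exist leaves the VM with no outbound path at all, and Phase 4 affects every VM in that subnet.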

Testing and Verification

From inside your VM, verify that outbound access works and that the public IP returned by the command below is your load balancer's frontend IP (the Standard public IP created in Phase 1), not some other address:

Linux: curl ifconfig.me
Windows (Windows PowerShell 5.1, where curl is an alias for Invoke-WebRequest): curl ifconfig.me/ip | Select-Object Content
Windows (PowerShell 7 or cmd.exe): curl.exe ifconfig.me/ip
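To check this without logging on to each VM, the following added example (not from the original post) runs the lookup inside the VM through Azure Run Command and compares the result with the load balancer's frontend public IP as Azure reports it. It assumes the Az.Compute and Az.Network modules, a prior Connect-AzAccount, that the VM has a working Azure agent, and the resource names shown.

```powershell
# Added example (not the post's own script): compare the VM's real egress IP with
# the load balancer frontend IP. Names are assumptions.
$rg = 'rg-web'; $vmName = 'vm-web01'; $pipName = 'pip-lb-web-outbound'

$expected = (Get-AzPublicIpAddress -ResourceGroupName $rg -Name $pipName).IpAddress

# Pick the Run Command flavour by OS; ifconfig.me/ip echoes the source IP it saw.
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
if ($vm.StorageProfile.OsDisk.OsType -eq 'Windows') {
    $cmdId  = 'RunPowerShellScript'
    $script = '(Invoke-RestMethod -Uri https://ifconfig.me/ip).Trim()'
} else {
    $cmdId  = 'RunShellScript'
    $script = 'curl -s https://ifconfig.me/ip'
}
$result   = Invoke-AzVMRunCommand -ResourceGroupName $rg -VMName $vmName -CommandId $cmdId -ScriptString $script
$observed = ($result.Value[0].Message).Trim()   # Value[0] is the command's stdout

if ($observed -eq $expected) {
    "OK: $vmName egresses from $observed, which is the load balancer frontend."
} else {
    "MISMATCH: $vmName egresses from '$observed', expected $expected. " +
    "Check backend pool membership, the outbound rule, and that the VM was deallocated and restarted."
}
```

If Run Command itself fails with no output, the VM most likely has no outbound path at all (for example a private subnet with the VM not yet in the backend pool), which is a stronger signal than a mismatch.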
    

Troubleshooting Common Issues

VM Can't Access Internet After Configuration

• Did you restart (stop/deallocate and start) the VM after creating the outbound rule?
• Is the outbound rule using "Protocol: All"?
• Are NSG rules blocking outbound traffic?
• Did you mark the subnet private before the VM was in the backend pool with an outbound rule? If so, it has no outbound path at all.

Outbound Rule Not Working

• Is your VM actually in the backend pool?
• Did you disable outbound SNAT on the inbound load balancing rules, so that the outbound rule is the one controlling SNAT?
• Is the load balancer Standard SKU (not Basic)?
