Navigating Private Subnets in Azure: A Guide to Outbound Connectivity

This article explores how to configure outbound connectivity for virtual machines (VMs) deployed in private subnets within Azure. As of September 30th, 2025, the default outbound internet access functionality will be retired. This guide will equip you with the knowledge to establish outbound connections for your VMs even after this change.

Understanding Private Subnets

By default, VMs deployed in Azure virtual networks receive outbound internet access through a platform-assigned public IP address. However, for enhanced security, Microsoft recommends using private subnets. These subnets lack the default outbound access, requiring explicit configuration for VMs to connect to the internet or Azure services.

Configuring Outbound Connectivity

Here are the methods to establish outbound connectivity for VMs in private subnets:

1. Azure Firewall: This central firewall offers a solution for consistent outbound traffic control. All outbound traffic is SNATed (Source Network Address Translated) through the firewall’s public IP, enabling centralized monitoring and governance.

2. NAT Gateway: This service translates private IP addresses of VMs in a subnet to a public IP address, allowing outbound connections.

3. Azure Load Balancer with Outbound Rules: By defining outbound rules in a load balancer, you can control how specific traffic is routed for outbound connections.

4. Dedicated Public IP Address: Attaching a dedicated public IP address to a VM grants it a unique outbound IP for internet access.

Hands-on Lab: Exploring Connectivity Options

This section delves into a practical example demonstrating how to configure outbound connectivity for a VM in a private subnet. The lab utilizes Infrastructure as Code (IaC) with Terraform to deploy the necessary resources and explore different methods for outbound communication.

The lab explores the following scenarios:

1. Limited Connectivity in Private Subnet: Initially, the VM lacks outbound connectivity, resulting in timeouts when attempting to reach the internet or Azure services.

2. Outbound Traffic through Azure Firewall: The lab configures the route table to direct outbound traffic to the Azure Firewall’s private IP. This allows internet access and communication with Azure services, with both calls appearing to originate from the firewall’s public IP address.

3. Optimizing Management Plane Traffic: A more specific route is added to the route table, directing traffic destined for the Azure Resource Manager service tag to the Azure Load Balancer. This offloads management plane communication from the central firewall, improving efficiency. However, for the communication to work, the VM’s network interface card (NIC) needs to be associated with the outbound rule of the load balancer.

4. Leveraging Virtual Network Service Endpoints: For optimized and secure communication with specific Azure services, service endpoints can be deployed. This lab demonstrates deploying a service endpoint for Azure Key Vault, resulting in traffic directly reaching the service from the VM’s private IP address, bypassing the firewall and load balancer.

5. Understanding Effective Routes: Finally, the lab explores how different connectivity methods are reflected in the VM’s NIC’s effective routes. This provides insights into the actual path taken by outbound traffic.

Conclusion

By understanding the concepts of private subnets and the available outbound connectivity options, you can effectively manage outbound communication for your Azure VMs while prioritizing security. This guide provides a practical foundation for navigating the upcoming changes to default outbound access and ensuring seamless connectivity for your workloads.

Sources: Web Developers Forum, Internet Archive, Wikipedia, Undercode Ai & Community, Techcommunity.microsoft.com
Image Source: OpenAI, Undercode AI DI v2Featured Image