On September 30, 2025, Microsoft will retire the default outbound access method for Azure VMs. This means any new deployments without an explicitly configured egress path (like a NAT gateway or public IP) will no longer have outbound Internet access by default.
Why does this matter?
Default outbound access is:
- Implicit and brittle — IPs are assigned by Microsoft and can change without notice
- Insecure — Opens potential paths to the internet that may go unnoticed
- Deprecated — Will soon be unavailable for new resources
Microsoft recommends using explicit outbound connectivity, such as:
- Subnets associated with a NAT Gateway
- VMs in the backend pool of a standard Load Balancer with outbound rules
- VMs with explicitly assigned public IPs
Read Microsoft’s official guidance
How to Audit Your Azure Subnets for Missing NAT Gateways
With Forward Networks, you can identify Azure subnets that have Internet-bound routes but no associated NAT Gateway — a risky configuration in today’s Zero Trust world.
Here’s a Forward Networks Network Query Engine (NQE) query you can use:
/**
 * Find Internet routes whose subnet has no NAT Gateway
 */
foreach cloudAccount in network.cloudAccounts
where cloudAccount.cloudType == CloudType.AZURE
foreach vpc in cloudAccount.vpcs
foreach subnet in vpc.subnets
foreach routeTable in vpc.routeTables
foreach route in routeTable.routes
where route.subnetIdMatch == subnet.id
where isPresent(route.nextHop)
where when route.nextHop is
        internet -> true;
        otherwise -> false
// No NAT Gateway public subnet overlaps this subnet's address space
where length(
        foreach natGw in vpc.natGateways
        foreach natGwSubnet in natGw.publicSubnets
        foreach subnetAddress in subnet.addresses
        where toString(natGwSubnet) == toString(subnetAddress)
        select natGwSubnet
      ) == 0
// ...and no NAT Gateway private subnet overlaps it either
where length(
        foreach natGw in vpc.natGateways
        foreach natGwSubnet in natGw.privateSubnets
        foreach subnetAddress in subnet.addresses
        where toString(natGwSubnet) == toString(subnetAddress)
        select natGwSubnet
      ) == 0
select {
  vpcId: vpc.id,
  subnetId: subnet.id,
  routeTableId: routeTable.id,
  note: "Internet route found, but no NAT Gateway"
}
This query surfaces dangerous gaps. For instance, a VM in a subnet that has an Internet route but no NAT Gateway is relying on default outbound access: it may lose outbound connectivity without warning after the cutoff, and until then it is egressing through a Microsoft-assigned IP that your team neither chose nor monitors.
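The same audit logic, expressed outside NQE, as an added example that is not part of the original post and not Forward Networks' or Microsoft's code. It runs over constructed data shaped like the JSON that `az network vnet subnet list` and `az network route-table list` return (subnet `routeTable.id` and `natGateway.id` references, route `nextHopType`), so it can be pointed at real CLI output with little change. It goes one step beyond the NQE query above: a subnet with no route table at all is also flagged, because Azure's system route 0.0.0.0/0 -> Internet applies there. All resource IDs and prefixes in the sample are made up.

```python
"""Audit Azure subnets that route to the Internet but have no NAT Gateway.

Added example (not Forward Networks' NQE and not Microsoft code). The input
mimics the JSON from `az network vnet subnet list` / `az network route-table list`:
subnet.routeTable.id, subnet.natGateway.id, routeTable.routes[].nextHopType.
Every resource ID and address prefix below is constructed for illustration.
"""
from typing import Optional

_PREFIX = "/subscriptions/example/resourceGroups/rg/providers/Microsoft.Network"
RT_INTERNET = f"{_PREFIX}/routeTables/rt-internet"   # constructed
RT_FIREWALL = f"{_PREFIX}/routeTables/rt-firewall"   # constructed
NAT_GW = f"{_PREFIX}/natGateways/nat-1"              # constructed

ROUTE_TABLES = [  # constructed sample
    {"id": RT_INTERNET,
     "routes": [{"name": "default", "addressPrefix": "0.0.0.0/0", "nextHopType": "Internet"}]},
    {"id": RT_FIREWALL,
     "routes": [{"name": "default", "addressPrefix": "0.0.0.0/0",
                 "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.1.4"}]},
]

SUBNETS = [  # constructed sample
    # explicit Internet route, no NAT Gateway -> finding
    {"id": "app", "addressPrefix": "10.0.2.0/24", "routeTable": {"id": RT_INTERNET}, "natGateway": None},
    # explicit Internet route, NAT Gateway attached -> explicit egress, fine
    {"id": "web", "addressPrefix": "10.0.3.0/24", "routeTable": {"id": RT_INTERNET}, "natGateway": {"id": NAT_GW}},
    # 0.0.0.0/0 forced through an NVA -> not relying on default outbound access
    {"id": "data", "addressPrefix": "10.0.4.0/24", "routeTable": {"id": RT_FIREWALL}, "natGateway": None},
    # no route table: Azure's system route 0.0.0.0/0 -> Internet applies -> finding
    {"id": "legacy", "addressPrefix": "10.0.5.0/24", "routeTable": None, "natGateway": None},
]

SYSTEM_DEFAULT = "system route 0.0.0.0/0 -> Internet (no route table attached)"


def internet_route(subnet: dict, route_tables: list[dict]) -> Optional[str]:
    """Describe the subnet's Internet-bound route, or return None if there is none.

    A subnet with no user-defined route table keeps Azure's system default
    route to the Internet, so it is reported as Internet-bound.
    """
    rt_ref = subnet.get("routeTable")
    if rt_ref is None:
        return SYSTEM_DEFAULT
    table = next((t for t in route_tables if t["id"] == rt_ref["id"]), None)
    if table is None:
        return None  # dangling reference: do not guess, leave it to a separate check
    for route in table.get("routes", []):
        if route.get("nextHopType") == "Internet":
            return f"{route['addressPrefix']} -> Internet via {table['id'].rsplit('/', 1)[-1]}"
    return None


def audit(subnets: list[dict], route_tables: list[dict]) -> list[dict]:
    """Subnets that have an Internet-bound route but no NAT Gateway attached."""
    findings = []
    for subnet in subnets:
        route = internet_route(subnet, route_tables)
        if route is None:
            continue  # egress goes elsewhere (NVA, None) or there is no Internet route
        if subnet.get("natGateway"):
            continue  # explicit egress via NAT Gateway
        findings.append({
            "subnetId": subnet["id"],
            "addressPrefix": subnet["addressPrefix"],
            "route": route,
            "note": "Internet route found, but no NAT Gateway",
        })
    return findings


if __name__ == "__main__":
    for f in audit(SUBNETS, ROUTE_TABLES):
        print(f"{f['subnetId']:<8} {f['addressPrefix']:<14} {f['route']}  -- {f['note']}")
```

This is a subnet-level check, like the NQE query. A VM that carries its own public IP, or that sits in the backend pool of a standard Load Balancer with outbound rules, also has explicit egress; excluding those requires NIC and load balancer data and is deliberately left out here so the example stays focused on the NAT Gateway case.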
Final Thoughts
As you prepare for the September 30, 2025 cutoff, use Forward Networks to:
- Proactively identify misconfigured subnets
- Validate that explicit egress mechanisms are in place
- Enforce Zero Trust and document your transition
Need help building this query into your automated change checks?
Reach out — we’d love to collaborate!