Azure: Breaking change coming for Azure VM Internet connectivity

Azure: Breaking change coming for Azure VM Internet connectivity

I want to call attention to an upcoming change that I’m surprised I haven’t heard a lot more comments about. When you deploy an Azure VM, by default, they’ve always had the ability to connect outbound to the Internet.

That’s going to change.

Note the contents of this official notice: Default outbound access for VMs in Azure will be retired— transition to a new method of internet access.

The TLDR version of this, is that after the change date, when you deploy an Azure VM, it will not have outbound connectivity to the Internet.

I’m not sure how I feel about this. I understand that Microsoft want to raise the bar on secure by default thinking but I can see this one having signficant impacts.

It’s not just another switch that you’ll need to enable. You will need to use explicit outbound connectivity methods such as:

  • an Azure NAT Gateway
  • Azure Load Balancer outbound rules
  • a directly attached Azure public IP address.

Note also that every one of those options involves additional costs.

Phasing the change in

The article makes it clear that it won’t affect VMs that are already deployed. While that seems simple enough, it’s not. It’s not just a case that something already deployed will continue to work.

If someone has scripted their reinstalls, that they’ll work one day, but at a day in the future, the scripts they have depended upon (or haven’t tested for some time) won’t work as expected. Or if they have used scripts to install hosts, when they go to add another one, there will be a day where that won’t work as expected any more. And quite a bit of CI/CD code will need to change. Processes that involve exporting ARM templates and deploying VMs will break, etc. etc.

I can see people having lots of scripts, CD processes, etc. that will need revisiting because of this change.

Even for myself, I know that I have PS scripts that I use to roll out VMs if I’m teaching an online class. They’ll have to change and will have to deploy additional items and set up different configuration.

Be Prepared

I really just wanted to call this out, as I think it’s a huge change, and seems to have been flying under most peoples’ radars.

I am hoping that at the very least, Microsoft make it obvious to anyone using the GUI, about what they need for outbound connectivity, perhaps even with an option to deploy it automatically for them.

If this change will affect you though, it’s time to plan to migrate to an explicit connectivity option.

2023-10-04