Share via

Clarification on Impact of Default Outbound Access Retirement for VMSS VMs

Koteru Reddy (LTIMindtree Limited) 20 Reputation points Microsoft External Staff
2025-08-22T08:26:40.8133333+00:00

Hi

We would like to confirm the impact of the upcoming retirement of Default outbound access for VMs in Azure on our Virtual Machine Scale Set (VMSS) workloads.

Currently, we are using VMSS-based VMs for on-demand deployments in conformance test validation (non-production use case) and need clarity on the following points:

Once default outbound access is retired, how will outbound internet connectivity be impacted for VMSS VMs?

  1. If we assign explicit public IPs to individual VM NICs within the VMSS, will this be a supported and recommended approach for outbound internet access for small scale deployments?

Alternatively, if we configure a NAT Gateway for the subnet, would this be the preferred method in terms of reliability and Azure best practices?

Which option (per-VM Public IP vs. subnet-level NAT Gateway) is recommended for ensuring uninterrupted connectivity in our test scenario?

Please advise on the best approach to keep our VMSS-based test workloads functional after the retirement deadline, specifically in terms of cost optimization and long-term support.

Note: These workloads are temporary and are destroyed automatically once the runtime validation completes.

Azure Virtual Machine Scale Sets
Azure Virtual Machine Scale Sets
Azure compute resources that are used to create and manage groups of heterogeneous load-balanced virtual machines.
Answer accepted by question author
  1. Satish Mada 425 Reputation points Microsoft External Staff Moderator
    2025-08-22T12:20:08.6+00:00

    Hi Koteru Reddy (LTIMindtree Limited),

    The retirement of default outbound access for Azure VMs, including those in Virtual Machine Scale Sets (VMSS), necessitates strategies to maintain outbound internet connectivity. Below are how this change impacts your workloads and recommended approaches to ensure continued functionality:

    Impact on workloads: 

    Loss of automatic outbound connectivity: VMSS instances will no longer automatically get outbound internet connectivity without alternative configurations, which could potentially disrupt your testing workflows.

    Outbound connectivity options:

    Explicit public IPs for VM NICs

    Supported: Assigning individual public IP addresses to each VM's network interface is a straightforward way to ensure outbound access.

    • Simple setup for small scale deployments.
    • Direct control over IP addresses for each VM.

    NAT gateway for the subnet:

    Preferred approach: Configuring a NAT gateway for the entire subnet can be a more scalable and cost-effective solution for managing outbound traffic.

    • A single NAT gateway can cover multiple VMs, simplifying IP management.
    • Improved reliability since NAT gateway offers better handling of outbound connectivity.
    • Reduces costs as you avoid paying for individual public IP addresses for each VM.

    Recommended approach for your test workloads

    NAT gateway configuration: Given that your workloads are temporary and automatically destroyed after validation, configuring a NAT gateway would likely be the best practice. It provides:

    • Reliable outbound connectivity.
    • Cost savings compared to provisioning multiple public IPs.
    • Scalability permitting you to easily adapt to changes in the number of VMs in your VMSS.

    Cost optimization and long-term support: 

    Cost management: Use Azure Pricing calculatorto estimate costs associated with NAT gateway vs individual public IPs to find the most cost-effective solution.

    Long-term considerations: As Azure cloud services evolve, employing standardized networking practices, such as NAT gateway, aligns with Azure's best practices, ensuring that your configurations remain valid and optimized as Azure continues to update its services.

    Please refer : https://free.blessedness.top/en-us/azure/nat-gateway/nat-overview
    https://free.blessedness.top/en-us/azure/virtual-network/ip-services/public-ip-addresses#outbound-connections
    https://free.blessedness.top/en-us/azure/virtual-network/ip-services/public-ip-addresses

2 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Deepanshu katara 17,875 Reputation points MVP Moderator
    2025-08-22T09:10:44.3533333+00:00

    Hello ,

    Given your scenario:

    • Temporary VMSS workloads for test validation
    • Small scale deployments
    • Cost sensitivity

    🔹 Recommended Approach:

    Use NAT Gateway at the subnet level if:

    • You want long-term support, scalability, and security.
    • You expect multiple VMs or frequent deployments.

    Use per-VM Public IPs if:

    Thanks

    Deepanshu

  2. Anusree Nashetty 6,395 Reputation points Microsoft External Staff Moderator
    2025-08-25T20:09:41.4466667+00:00

    Hi Koteru Reddy (LTIMindtree Limited),

    Thanks for getting back.

    For a small, short-lived validation environment with up to five worker nodes, assigning explicit public IPs to each VM is the better option, offering an easier setup and direct SSH access without Bastion's added complexity.

    Direct Public IPs are simple & Effective:
    Each VM receives its own public IP, allowing straightforward SSH access with minimal configuration steps.
    Eliminates the need for a Bastion host, reducing operational overhead and potential trouble spots for connectivity.
    Suitable for environments where security and compliance requirements do not strictly mandate private access only, especially given the limited scale.

    NAT Gateway with Bastion: Complexity vs Benefit
    While NAT Gateway is preferred for larger environments for outbound traffic management and cost optimization, it does not allow direct inbound SSH; Bastion is required for secure access.
    The dual setup (NAT + Bastion) increases configuration complexity and may add costs, which is unnecessary for fewer than five nodes deployed temporarily.

    If you have any further queries, let me know. If the information is helpful, please click on Upvote.

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.