Microsoft changes default connectivity for VMs in Azure Cloud

Sunday 15th October 2023

Writer: Giusepper Damiano, Contributor: Gennaro Migliaccio, Editor: Daniela Miccardi

--------------------

The news

From the 30th of September 2025 onward, new Virtual Machines (or VMs) created in Azure Cloud will no longer have unrestricted outbound access to the internet by default. Existing VMs will not be affected by the change.

“After this date, all new VMs that require internet access will need to use explicit outbound connectivity methods such as Azure NAT Gateway, Azure Load Balancer outbound rules, or a directly attached Azure public IP address.” ¹

Perhaps not everybody knew…

“In Azure, VMs that are created in a virtual network without a defined explicit outbound method are assigned a default public IP address that enables internet connectivity. Your existing VMs that use default outbound access will continue to work after this retirement.” ¹

Additionally, network security groups (NSGs) are applied to subnets and to network interfaces, not to the virtual network itself. A VM that has a public IP address attached but no NSG on either its NIC or its subnet is therefore reachable from the internet on every port, with no filtering at all. (The default outbound access IP is used only for outbound NAT and does not expose the VM inbound; a directly attached public IP or a public load balancer does.)

Default settings in Azure have caught many people out in the past because they were less restrictive than assumed. That is not a defect on Microsoft's part: some VMs genuinely need internet access, and under the shared responsibility model it is the customer's job to restrict connectivity to what is actually required.
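As an added illustration (not part of the original article and not Microsoft's tooling), the following Python script performs the kind of CSPM-style check this situation calls for: given an inventory of NICs, subnets and load balancers, it flags VMs that still rely on default outbound access (no public IP, no NAT Gateway on the subnet, no load balancer outbound rule) and VMs that carry a public IP with no NSG on the NIC or the subnet. The inventory is constructed inline; the field names are simplified stand-ins for what `az network nic show`, `az network vnet subnet show` and `az network lb outbound-rule list` return, not the real ARM schema.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Subnet:
    name: str
    nat_gateway: Optional[str] = None   # id of an attached NAT Gateway, if any
    nsg: Optional[str] = None           # NSG associated with the subnet, if any


@dataclass
class LoadBalancer:
    name: str
    has_outbound_rules: bool = False    # Standard LB with explicit outbound rules


@dataclass
class Nic:
    name: str
    vm: str
    subnet: str
    public_ip: Optional[str] = None     # directly attached public IP, if any
    nsg: Optional[str] = None           # NSG associated with the NIC, if any
    lb_backend_pools: Set[str] = field(default_factory=set)  # LBs whose pools hold this NIC


def uses_default_outbound_access(nic: Nic, subnets: Dict[str, Subnet],
                                 lbs: Dict[str, LoadBalancer]) -> bool:
    """True when none of the explicit outbound methods applies: no public IP on the
    NIC, no NAT Gateway on the subnet, and no load balancer outbound rule covering
    the NIC. Implicit SNAT from a load-balancing rule on a public Standard LB is
    deliberately not modelled (simplification, not the full Azure behaviour)."""
    if nic.public_ip:
        return False
    if subnets[nic.subnet].nat_gateway:
        return False
    if any(lbs[name].has_outbound_rules for name in nic.lb_backend_pools):
        return False
    return True


def has_unfiltered_inbound(nic: Nic, subnets: Dict[str, Subnet]) -> bool:
    """True when the VM is reachable from the internet (public IP attached) and no
    NSG filters traffic at either the NIC or the subnet level."""
    return bool(nic.public_ip) and nic.nsg is None and subnets[nic.subnet].nsg is None


def audit(nics: List[Nic], subnets: Dict[str, Subnet],
          lbs: Dict[str, LoadBalancer]) -> Dict[str, List[str]]:
    """Map each VM name to the list of findings raised against its NICs."""
    findings: Dict[str, List[str]] = {}
    for nic in nics:
        issues = []
        if uses_default_outbound_access(nic, subnets, lbs):
            issues.append("default-outbound-access")
        if has_unfiltered_inbound(nic, subnets):
            issues.append("unfiltered-inbound")
        if issues:
            findings.setdefault(nic.vm, []).extend(issues)
    return findings


# Constructed inventory (hypothetical names, not real resources).
SUBNETS = {
    "app":    Subnet("app", nat_gateway="natgw-app", nsg="nsg-app"),
    "legacy": Subnet("legacy"),                       # no NAT Gateway, no NSG
    "web":    Subnet("web", nsg="nsg-web"),           # NSG but no NAT Gateway
}
LOAD_BALANCERS = {
    "lb-web":      LoadBalancer("lb-web", has_outbound_rules=True),
    "lb-internal": LoadBalancer("lb-internal"),       # internal LB, no outbound rules
}
NICS = [
    Nic("nic-app1", "vm-app1", "app"),                                   # clean
    Nic("nic-legacy1", "vm-legacy1", "legacy", lb_backend_pools={"lb-internal"}),
    Nic("nic-legacy2", "vm-legacy2", "legacy", public_ip="pip-legacy2"),  # open inbound
    Nic("nic-web1", "vm-web1", "web", lb_backend_pools={"lb-web"}),      # outbound via LB rule
    Nic("nic-web2", "vm-web2", "web", public_ip="pip-web2"),             # subnet NSG filters
]

if __name__ == "__main__":
    for vm, issues in audit(NICS, SUBNETS, LOAD_BALANCERS).items():
        print(f"{vm}: {', '.join(issues)}")
```

Run as a script, it reports `vm-legacy1` for relying on default outbound access (an internal load balancer without outbound rules provides none) and `vm-legacy2` for an unfiltered public IP; the other three VMs have an explicit outbound method or an NSG in the path. A real check would pull the same fields from Resource Graph or the CLI and add the implicit-SNAT case the comment above leaves out.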

Considerations

The announcement surprised some, who had assumed the default configuration was as secure as it was functional. The greater concern is less the change itself than the situation it reveals: every VM deployed without an explicit outbound method today has had unrestricted internet access all along.

Unrestricted outbound access is less dangerous than unrestricted inbound access, but it still creates a blind spot in which suspicious or malicious traffic goes unnoticed. Beyond the obvious beaconing to command-and-control servers and exfiltration of data, a compromised VM can use it to open a connection to an attacker-controlled host and then carry attacker traffic back in over that same channel (a reverse shell or tunnel), bypassing inbound controls entirely.

Conclusions

The news underlines the constant need to take ownership of the security of cloud environments, just as with on-premises ones. On top of the explicit outbound methods Microsoft recommends, Cloud Security Posture Management (CSPM) tooling and next-generation firewalls provide the visibility into how the environment is actually configured, and the control over its traffic, that it needs.

Cloud environments change constantly, so understanding how each change affects your environment is crucial to keeping your infrastructure secure.

