Do you have your Azure egress covered?

Martijn van de Hel Cloud Consultant
Publish date: 24 March 2025

You have made the leap to Azure. Most of your workloads have been successfully migrated to your Azure landing zones and everything runs smoothly. This summer you will migrate your last application to the cloud. You feel confident and are ready to go! 

The landing zone has been created, and you start migrating your last application to Azure. To your surprise the application is unable to connect to the supporting services it depends on. Why is this happening to this application, when all the other applications worked right after deployment?


Be prepared for the change coming to default outbound egress (Microsoft calls it default outbound access) on Azure virtual machines this September. On 30 September 2025, default outbound access will be retired for new virtual machines. Existing virtual machines keep the implicit outbound path they have today, but a virtual machine deployed after that date without an explicitly configured egress path will have no internet access at all. That breaks patching and connectivity to the Microsoft services a virtual machine needs for its basic functioning, which is exactly the symptom described above.


To prevent these problems, your Azure landing zones need an explicit outbound gateway in the Azure network: a defined exit point for connectivity. It can be created in several ways, ranging from quick but less secure fixes to comprehensive solutions. Let's start with the least secure option and work towards the most secure.


Public IP 

A public IP address attached directly to the virtual machine's NIC. This connects the virtual machine to the internet immediately, is easy to set up and is inexpensive. These benefits come with a big risk: by connecting the machine directly to the internet you also invite every uninvited guest to it, because the same address is reachable inbound unless a network security group blocks it. Microsoft considers this bad practice, and Cloudnation advises strongly against it.


Load balancer 

An Azure load balancer is normally used to create redundant workloads: it directs consumers to the dedicated backend services. A public standard load balancer can also carry outbound rules. Outbound rules define SNAT for the backend pool, so the public IP(s) of the load balancer provide outbound internet connectivity for the backend instances. Note that SNAT ports have to be allocated per backend instance in the outbound rule, so sizing against port exhaustion is your responsibility.


NAT gateway 

Azure NAT Gateway is a fully managed and highly resilient Network Address Translation (NAT) service. It is a scalable way to give Azure resources outbound-only internet access. Inbound connections from the internet are not possible through a NAT gateway, which makes it a much safer option than a public IP on the virtual machine. NAT Gateway provides 64,512 SNAT ports per public IP address, which helps in larger Azure environments. Keep in mind that it only translates addresses: it does not filter or log traffic, so it is an egress path, not an inspection point.
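The following Bicep is an added example, not code from the original post or from Cloudnation. It shows the two steps discussed above in one template: the workload subnet opts out of default outbound access today (so the behaviour after the 30 September 2025 retirement can be tested before it happens), and a NAT gateway with a static public IP is attached to that subnet as the explicit egress path. The resource names, address ranges and location are assumptions chosen for illustration.

```bicep
// Added example: spoke VNet whose subnet has no implicit internet access and
// uses a NAT gateway for egress. Names and address ranges are assumed.
targetScope = 'resourceGroup'

param location string = resourceGroup().location
param vnetName string = 'vnet-spoke-app'   // assumed name
param natName string = 'natgw-spoke-app'   // assumed name

// Standard SKU static public IP for the NAT gateway. One IP gives 64,512
// SNAT ports; add more IPs or a public IP prefix if a subnet needs more.
resource natPip 'Microsoft.Network/publicIPAddresses@2023-11-01' = {
  name: 'pip-${natName}'
  location: location
  sku: { name: 'Standard' }
  properties: {
    publicIPAllocationMethod: 'Static'
  }
}

// The NAT gateway itself. It only SNATs outbound flows; nothing can
// connect inbound through it.
resource natGw 'Microsoft.Network/natGateways@2023-11-01' = {
  name: natName
  location: location
  sku: { name: 'Standard' }
  properties: {
    idleTimeoutInMinutes: 4
    publicIpAddresses: [ { id: natPip.id } ]
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-11-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      {
        name: 'snet-app'
        properties: {
          addressPrefix: '10.10.1.0/24'
          // Opt out of default outbound access now. After the retirement
          // this is how new VMs behave anyway, so test against it today.
          defaultOutboundAccess: false
          // Explicit egress: outbound internet traffic from this subnet is
          // SNATed behind natPip.
          natGateway: { id: natGw.id }
        }
      }
    ]
  }
}

// The address your outbound traffic will appear from; allow-list it on the
// supporting services the application depends on.
output natPublicIp string = natPip.properties.ipAddress
```

Deploy with `az deployment group create --resource-group <rg> --template-file main.bicep`. A virtual machine placed in `snet-app` without the `natGateway` association (and with `defaultOutboundAccess: false`) reproduces the failure from the introduction: no internet, no patching. With the association in place, every outbound connection leaves via the NAT gateway's static IP, which is the address to allow-list on the application's supporting services.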


Azure firewall 

Azure Firewall is the most complete and recommended cloud-native way of giving your Azure resources outbound, and where needed inbound, internet access. Its out-of-the-box features (network rules, application rules with FQDN filtering, threat intelligence based filtering) make Azure Firewall the first choice when security is important to your organization.


Azure Firewall does not only protect your Azure environment from bad actors and other threats. It also serves as your single source of truth, because it can log every flow that passes through it. Two conditions apply: traffic only passes through the firewall if a user-defined route on the spoke subnets sends it there, and logs only exist if diagnostic settings on the firewall forward them to a Log Analytics workspace or storage account.

When using a hub/spoke network topology, Azure Firewall in the hub can also log all internal spoke-to-spoke traffic, provided the spoke route tables point the other spokes' prefixes at the firewall as well. That gives you complete awareness of your Azure network traffic and helps your company keep control over data inside and outside the environment.
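The Bicep below is an added example (not code from the original post or from Cloudnation) of the hub/spoke setup described above: an Azure Firewall in the hub with a firewall policy that only allows the spokes to reach Windows Update (the patching case from the introduction), a route table that sends both internet-bound and spoke-to-spoke traffic through the firewall, and diagnostic settings that forward every log category to Log Analytics so that the firewall actually becomes the source of truth. The names, address ranges, spoke prefixes and the Log Analytics workspace ID are assumptions; associating the route table with each spoke subnet is left to the spoke templates.

```bicep
// Added example: hub Azure Firewall, spoke route table via the firewall,
// and diagnostic logging. Names and address ranges are assumed.
targetScope = 'resourceGroup'

param location string = resourceGroup().location
param logAnalyticsWorkspaceId string  // assumed: resource ID of an existing workspace
param spokePrefixes array = [ '10.10.0.0/16', '10.20.0.0/16' ]  // assumed spoke ranges

resource hubVnet 'Microsoft.Network/virtualNetworks@2023-11-01' = {
  name: 'vnet-hub'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    // The firewall subnet must be called exactly AzureFirewallSubnet.
    subnets: [ { name: 'AzureFirewallSubnet', properties: { addressPrefix: '10.0.1.0/26' } } ]
  }
}

resource fwPip 'Microsoft.Network/publicIPAddresses@2023-11-01' = {
  name: 'pip-azfw-hub'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-11-01' = {
  name: 'afwp-hub'
  location: location
  properties: {
    sku: { tier: 'Standard' }
    threatIntelMode: 'Deny'   // drop known-bad destinations before rule evaluation
  }
}

// Everything not explicitly allowed is denied. The only egress granted here
// is patching, via the built-in WindowsUpdate FQDN tag.
resource egressRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-11-01' = {
  parent: fwPolicy
  name: 'rcg-egress'
  properties: {
    priority: 200
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-patching'
        priority: 100
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'spokes-to-windows-update'
            sourceAddresses: spokePrefixes
            fqdnTags: [ 'WindowsUpdate' ]
            protocols: [ { protocolType: 'Https', port: 443 }, { protocolType: 'Http', port: 80 } ]
          }
        ]
      }
    ]
  }
}

resource azfw 'Microsoft.Network/azureFirewalls@2023-11-01' = {
  name: 'azfw-hub'
  location: location
  properties: {
    sku: { name: 'AZFW_VNet', tier: 'Standard' }
    firewallPolicy: { id: fwPolicy.id }
    ipConfigurations: [
      {
        name: 'ipconfig'
        properties: {
          subnet: { id: '${hubVnet.id}/subnets/AzureFirewallSubnet' }
          publicIPAddress: { id: fwPip.id }
        }
      }
    ]
  }
  dependsOn: [ egressRules ]
}

// Spoke route table: the default route and the other spokes' prefixes all
// go to the firewall's private IP, so nothing bypasses inspection or logging.
resource spokeRt 'Microsoft.Network/routeTables@2023-11-01' = {
  name: 'rt-spoke-via-azfw'
  location: location
  properties: {
    routes: [for (prefix, i) in concat([ '0.0.0.0/0' ], spokePrefixes): {
      name: 'to-azfw-${i}'
      properties: {
        addressPrefix: prefix
        nextHopType: 'VirtualAppliance'
        nextHopIpAddress: azfw.properties.ipConfigurations[0].properties.privateIPAddress
      }
    }]
  }
}

// Without this the firewall enforces rules but records nothing.
resource fwDiag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'diag-azfw-hub'
  scope: azfw
  properties: {
    workspaceId: logAnalyticsWorkspaceId
    logAnalyticsDestinationType: 'Dedicated'   // resource-specific tables (AZFWNetworkRule, AZFWApplicationRule, ...)
    logs: [ { categoryGroup: 'allLogs', enabled: true } ]
  }
}

output firewallPrivateIp string = azfw.properties.ipConfigurations[0].properties.privateIPAddress
output spokeRouteTableId string = spokeRt.id
```

Attach `spokeRouteTableId` to every spoke subnet (`routeTable: { id: ... }` on the subnet) and peer the spokes with the hub; from then on a spoke virtual machine can reach Windows Update and nothing else, and every allowed and denied flow shows up in Log Analytics. Extend the rule collection group with further application rules (target FQDNs) as applications need them, rather than opening a broad network rule to `*`.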


Third party solutions 

Cloudnation has partnered with Aviatrix to broaden our network offerings. Aviatrix bundles various network features in one package, backed by their long history and expertise in cloud networking. By combining Azure with Aviatrix's firewall you can benefit from the best of both worlds.


Aviatrix cloud firewall 

Aviatrix cloud firewall combines the capabilities of Azure Firewall and NAT Gateway in one package. It provides premium firewall features and is a great choice for multi-cloud setups where customers use Azure together with AWS or Google Cloud, because Aviatrix's cloud firewall integrates seamlessly with its counterparts on those platforms. When comparing the price of Aviatrix cloud firewall with a combination of Azure Firewall and NAT Gateway, customers can save up to 25% in costs. These cost savings and the integration of enterprise features in one offering make Aviatrix cloud firewall a great choice.



At Cloudnation we have deployed dozens of Azure cloud-native and Aviatrix environments with a hub/spoke topology through infrastructure as code. Feel free to contact us if you have any questions.
