By default, virtual machines (VMs) created in a virtual network without explicit outbound connectivity are assigned a default outbound public IP address. This IP address enables outbound connectivity to the internet.
Why disable default outbound access?
Security: Following the zero trust network security principle, it is not recommended to expose a virtual network to the internet by default.
Explicit Connectivity: It is better to use explicit methods of connectivity rather than implicit ones for granting internet access to VMs.
Ownership and Stability: The default outbound access IP is managed by Microsoft, and its ownership or address might change, potentially causing disruptions.
Enabling the private subnet feature on a subnet prevents VMs within that subnet from using default outbound access to connect to public endpoints.
This also applies to VMs within a scale set configured with uniform orchestration mode.
Existing rule
No response
Suggested rule
Enabling the private subnet feature on a subnet prevents VMs within that subnet from using default outbound access to connect to public endpoints.
This also applies to VMs within a scale set configured with uniform orchestration mode.
This feature is currently in preview.
Pillar
Security
Additional context
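An added example, not part of the original issue or any project's rule code: one way to check an ARM template for subnets that have not enabled the private subnet feature. It assumes the feature is expressed as `properties.defaultOutboundAccess: false` on the subnet resource; the template, resource names and function names are constructed for illustration.

```python
import json

# Constructed ARM template fragment (sample input, not from the issue).
TEMPLATE = json.loads("""
{
  "resources": [
    {
      "type": "Microsoft.Network/virtualNetworks",
      "name": "vnet-a",
      "properties": {
        "subnets": [
          {"name": "private", "properties": {"defaultOutboundAccess": false}},
          {"name": "implicit", "properties": {"addressPrefix": "10.0.1.0/24"}},
          {"name": "explicit-true", "properties": {"defaultOutboundAccess": true}}
        ]
      }
    },
    {
      "type": "Microsoft.Network/virtualNetworks/subnets",
      "name": "vnet-b/child",
      "properties": {"addressPrefix": "10.1.0.0/24"}
    }
  ]
}
""")

VNET = "microsoft.network/virtualnetworks"
SUBNET = VNET + "/subnets"

def is_private(subnet):
    # Assumption: only an explicit boolean false marks a private subnet.
    # A missing, true, or unresolved-expression value is reported.
    return (subnet.get("properties") or {}).get("defaultOutboundAccess") is False

def non_private_subnets(template):
    """Return 'vnet/subnet' names that do not enable the private subnet feature."""
    findings = []
    for res in template.get("resources", []):
        rtype = res.get("type", "").lower()
        if rtype == VNET:  # subnets declared inline on the virtual network
            for sn in (res.get("properties") or {}).get("subnets", []):
                if not is_private(sn):
                    findings.append(f"{res['name']}/{sn['name']}")
        elif rtype == SUBNET and not is_private(res):  # standalone child resource
            findings.append(res["name"])
    return findings

if __name__ == "__main__":
    for name in non_private_subnets(TEMPLATE):
        print("default outbound access not disabled:", name)
```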