Do Azure virtual machines located behind a Network Virtual Appliance require a NAT Gateway or Public IP to maintain default outbound internet access ?

Question

Do Azure virtual machines located behind a Network Virtual Appliance require a NAT Gateway or Public IP to maintain default outbound internet access ?

$@chin 150

Hi,

For Azure virtual machines behind a Network Virtual Appliance (such as Azure Firewall or a third-party firewall running on a virtual machine), will a NAT Gateway or Public IP still be required to maintain outbound internet connectivity, given the upcoming deprecation of the default outbound access feature ?
If so, does this mean existing VMs will need to be transitioned to a new method for internet access ?

2 answers

Your answer

Answer 1

Hello,

Welcome to Microsoft Q&A,

Yes, a NAT Gateway or a Public IP will still be required for Azure Virtual Machines (VMs) behind a Network Virtual Appliance (NVA), such as Azure Firewall or a third-party firewall, to maintain outbound internet connectivity, especially in light of the deprecation of the default outbound access feature.

Change:

The default outbound access (used when no explicit outbound method like a NAT Gateway or Public IP is configured) is being deprecated.
This impacts VMs without any explicit outbound configuration, meaning they won’t have internet access unless one is set up.

Action Required for Existing VMs:

Yes, you will need to transition to an explicit outbound method if:
- Your current setup relies only on Azure’s default outbound access, and
- You don’t have a NAT Gateway or a Public IP on the NVA or VM subnet.

Please Upvote and accept the answer if it helps!!

Answer 2

Praveen Bandaru 3,145 Microsoft External Staff Moderator

Hello $@chin

It looks like you're looking for clarification on the outbound internet connectivity for Azure virtual machines that are behind a Network Virtual Appliance (NVA), especially with the upcoming changes regarding default outbound access.

Here’s the information:

NAT Gateway Requirement: To maintain outbound internet connectivity, you will need to use a NAT Gateway or have Public IPs associated with your virtual machines. The default outbound access will be deprecated by September 30, 2025, so you need to transition to defined methods of outbound connectivity.
Transitioning for Existing VMs: If you're existing VMs rely on the default outbound access, you’ll need to update their configurations to use either a NAT Gateway or associate them with a Public IP to ensure continued internet access. The Azure documentation recommends using the NAT Gateway for a more secure and reliable connection while allowing you to use your static public IP addresses.

Consider associating a NAT Gateway with your subnets. Alternatively, attach public IP addresses directly to your VMs for outbound traffic.

You need to adopt explicit outbound connectivity solutions like NAT Gateway or public IPs for proper internet access, as the default method will no longer be available.

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

$@chin 150 Reputation points

2025-05-06T14:03:28.8+00:00

Hi ,

If the NVA is an Azure Firewall or an Azure Virtual Machine that already has a public IP address, is it still necessary to assign an additional public IP or use a NAT Gateway for other virtual machines located behind the NVA ?

Since the outbound traffic from those VMs is routed through the NVA, their public IP appears as that of the NVA when communicating with external services - correct?
Praveen Bandaru 3,145 Reputation points Microsoft External Staff Moderator

2025-05-06T17:56:54.24+00:00

Hello $@chin

If the NVA is an Azure Firewall or an Azure Virtual Machine that already has a public IP address, is it still necessary to assign an additional public IP or use a NAT Gateway for other virtual machines located behind the NVA ?

No additional public IP or NAT gateway is necessary when a VM already has a public IP.

Since the outbound traffic from those VMs is routed through the NVA, their public IP appears as that of the NVA when communicating with external services - correct?

Yes, you are correct. When the outbound traffic from the VMs is routed through the NVA, the public IP appears and communicates with the external services.

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.
$@chin 150 Reputation points

2025-05-07T15:07:02.58+00:00

Hi @Praveen Bandaru ,

Just to clarify: the VM itself will not have a public IP. Only the Network Virtual Appliance such as an Azure Firewall or a VM acting as an NVA, will have a public IP.
In that case, assigning a public IP to the VM is not required. correct ?
Praveen Bandaru 3,145 Reputation points Microsoft External Staff Moderator

2025-05-07T18:26:14.65+00:00

Hello $@chin

Yes, that's correct. When outbound traffic from the VMs is routed through the NVA, the public IP of the NVA is used to communicate with external services.

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.
Praveen Bandaru 3,145 Reputation points Microsoft External Staff Moderator

2025-05-08T13:55:38.3766667+00:00

Hello $@chin

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.
Praveen Bandaru 3,145 Reputation points Microsoft External Staff Moderator

2025-05-09T15:33:06.9733333+00:00

Hello $@chin

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.
$@chin 150 Reputation points

2025-05-09T16:31:32.3266667+00:00

Hi Praveen,Thank you for clarification. Do we have any official documentation from Microsoft for this ?
Praveen Bandaru 3,145 Reputation points Microsoft External Staff Moderator

2025-05-09T20:36:35.32+00:00

Hello $@chin
Please refer to the screenshot and the public document below for reference. In the diagram, you can see that at the first point, the next hop of the traffic is directed to a virtual appliance or firewall.

Check the reference document: Default outbound access in Azure

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.

Share via

Do Azure virtual machines located behind a Network Virtual Appliance require a NAT Gateway or Public IP to maintain default outbound internet access ?

2 answers

Your answer