
In seven days, on 31 March 2026, Microsoft is removing default outbound internet access for new Azure Virtual Networks. New VMs, Azure Virtual Desktop environments and Windows 365 ANC connections created after that date will be unable to reach the internet unless you explicitly configure outbound connectivity. What do you need to do now?
It sounds like a minor infrastructure change, but the consequences can be significant if you are not aware of it in time. From 31 March 2026, Microsoft will no longer provide default outbound internet access to newly created Azure Virtual Networks. Existing VNets are not affected, but all new VNets created after that date will run on private subnets with no outbound internet connection by default.
Until now, virtual machines in a new Azure VNet could connect to the internet without further configuration via a Microsoft-managed default gateway mechanism. This convenience had a downside: it increased the attack surface by allowing VMs to be unintentionally reachable or to initiate unwanted outbound connections.
After 31 March 2026, this default behaviour is disabled for new VNets. A VM in a new VNet without explicit outbound configuration cannot reach the internet. That means no Windows Update, no Intune communication, no Windows activation, no Azure Monitor agents, no OAuth authentication flows and no external API calls.
The impact is greatest for three categories. First, Azure Virtual Desktop (AVD): session host VMs provisioned after 31 March in a new VNet will fail to enrol in Intune, retrieve Group Policy or connect to Microsoft 365 services. Microsoft has published specific guidance for AVD customers to configure NAT Gateway or an explicit Public IP before the deadline.
Second, Windows 365 with Azure Network Connection (ANC): Cloud PC provisioning via an ANC created after 31 March will silently fail if the associated VNet has no explicit outbound connectivity.
Third, Infrastructure-as-Code templates: Bicep, Terraform and ARM templates that create VNets without explicit outbound configuration will produce broken environments after 31 March. This can break deployment pipelines at a moment when no one expects the change.
There are three official options. Option 1 is a NAT Gateway: this is the recommended approach for most workloads. A NAT Gateway gives all VMs in a subnet a shared static IP address for outbound traffic, without individual VMs needing a Public IP. Option 2 is an Instance-level Public IP: each VM is assigned its own Public IP address. This works for smaller environments but is less scalable. Option 3 is an Azure Load Balancer with outbound rules: suitable for environments with an existing Load Balancer already distributing internal traffic.
For Azure Virtual Desktop, NAT Gateway combined with a Route Table is the recommended configuration. In your AVD host pool template, add a NAT Gateway to the session host subnet and ensure all outbound traffic is routed through the NAT.
If your organisation manages Azure environments via Bicep, Terraform or ARM, now is the time to review your templates. Look for all resource definitions of type Microsoft.Network/virtualNetworks and add a NAT Gateway or equivalent outbound connection to each new subnet as a standard part of the template. Do this before 31 March, even if you have no new environments planned right now: anything you deploy from those templates into a new VNet after 31 March needs an explicit outbound configuration to work correctly.
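The template review described above can be scripted. The following is an added example, not code from this article or from Microsoft: it walks an ARM JSON template and lists every subnet that has no natGateway reference, whether the subnet is declared inline, as a nested child or as a standalone resource. The sample template and all names in it are constructed; subnets that rely on an instance-level Public IP or Load Balancer outbound rules will also be listed and need a manual check.

```python
import json

VNET = "microsoft.network/virtualnetworks"

# Constructed sample ARM template (not from the article); all names are hypothetical.
SAMPLE = json.loads("""
{"resources": [
  {"type": "Microsoft.Network/virtualNetworks", "name": "vnet-avd",
   "properties": {"subnets": [
     {"name": "sessionhosts", "properties": {"addressPrefix": "10.0.0.0/24",
       "natGateway": {"id": "[resourceId('Microsoft.Network/natGateways', 'natgw-avd')]"}}},
     {"name": "mgmt", "properties": {"addressPrefix": "10.0.1.0/24"}}]}},
  {"type": "Microsoft.Network/virtualNetworks/subnets", "name": "vnet-avd/w365",
   "properties": {"addressPrefix": "10.0.2.0/24"}},
  {"type": "Microsoft.Network/virtualNetworks", "name": "vnet-pilot",
   "properties": {"addressSpace": {"addressPrefixes": ["10.1.0.0/16"]}},
   "resources": [{"type": "subnets", "name": "apps", "properties": {
       "addressPrefix": "10.1.0.0/24",
       "natGateway": {"id": "[resourceId('Microsoft.Network/natGateways', 'natgw-pilot')]"}}}]}
]}
""")

def _walk(node, parent=""):
    """Yield (parent_name, resource) pairs, descending into nested child resources."""
    items = node.get("resources", [])
    if isinstance(items, dict):  # languageVersion 2.0: object keyed by symbolic name
        items = items.values()
    for res in items:
        yield parent, res
        yield from _walk(res, res.get("name", ""))

def subnets_without_nat(template):
    """Return 'vnet/subnet' names that carry no natGateway reference."""
    missing = []
    for parent, res in _walk(template):
        rtype = res.get("type", "").lower()
        props = res.get("properties", {})
        if rtype == VNET:
            for sn in props.get("subnets", []):
                if "natGateway" not in sn.get("properties", {}):
                    missing.append(f"{res.get('name', '?')}/{sn.get('name', '?')}")
        elif rtype in (VNET + "/subnets", "subnets") and "natGateway" not in props:
            # Nested children carry only the short name; prefix the parent VNet.
            name = res.get("name", "?")
            missing.append(name if "/" in name else f"{parent}/{name}")
    return missing

if __name__ == "__main__":
    print(subnets_without_nat(SAMPLE))
```

Bicep files can be compiled to ARM JSON with `az bicep build` and then passed through the same check.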
Existing environments do not need to be updated: the change only applies to newly created VNets. But every new resource group, new pilot environment or expansion project after 31 March falls under the new rules.
The deadline is 31 March 2026 — seven days from today. Check your Azure templates, your AVD host pool configurations and your Windows 365 ANC settings now. If you are unsure whether your environment is correctly configured, contact your Azure partner today.
Zarioh Digital Solutions offers Azure infrastructure reviews and guides organisations in updating their Bicep and Terraform templates to meet the new outbound requirements. Get in touch for an urgent review of your Azure configuration.