Skip to Content

How do I enable outbound internet access for a new Azure VNet after March 31, 2026?

By: Author Alex Lim

Posted on

Categories Microsoft

Home » Microsoft » How do I enable outbound internet access for a new Azure VNet after March 31, 2026?

What should I configure when Azure “default outbound access” is off for new VNets in 2026?

Azure is changing a quiet default that many workloads rely on. After March 31, 2026, new VNets are created with private subnets by default, which means you must enable an explicit outbound method before resources can reach public endpoints (including Microsoft endpoints that are reached via public routing).

This matters because “default outbound access” previously let many resources reach the internet without you configuring an outbound route. In the new model, Azure will no longer generate default outbound IPs for virtual machines in those private-by-default subnets, so anything that needs outbound connectivity must have a deliberate design.

The change applies when you create a new VNet using deployment methods like the Azure portal, ARM templates, PowerShell, or CLI. It is also tied to API versions: templates or tools that use older API versions can keep defaultOutboundAccess as null, which implicitly allows outbound access, so two “similar” environments can behave differently if they were created with different API versions.

What this means for Windows 365 ANC

If your Windows 365 Azure Network Connection (ANC) process creates new VNets after March 31, 2026, plan for explicit outbound connectivity from day one so cloud PC provisioning and first-boot tasks can reach required external endpoints. Ensure your design covers Windows activation, updates, telemetry, identity flows, and any vendor dependencies that expect outbound access.

Recommended actions

  1. Action: Decide your outbound pattern per subnet (for example: NAT gateway-style egress for general internet access, firewall-based egress for tighter control, or no egress for isolated workloads).
  2. Update IaC defaults: review how new VNets/subnets are created, and ensure the subnet outbound behavior is set intentionally rather than inherited from old defaults.
  3. Add validation: enforce a rule that “any subnet that hosts workloads needing outbound must include an explicit outbound method,” and test it in a fresh VNet created after the cutoff date.