Table of Contents
Summary
- Newly created Azure VNets will have no default outbound internet access, requiring explicit configuration for Cloud PCs deployed via Azure Network Connection.
- Cloud PC provisioning will fail without a configured outbound connectivity method like a NAT Gateway.
- Existing VNets created before the change date will remain unaffected and will continue with their current outbound configuration.
- Microsoft hosted network (MHN) deployments are not impacted and require no changes.
- Admins should review deployment strategies and ensure teams are aware of the new requirements for Azure Network Connections.
Admin Impact: Medium
User Impact: Low
Release Start: 31 Mar 2026
Release End: 31 Mar 2026
Services: Windows 365
Category: Plan for change
Tags: Admin Action
History
2/26/2026 Item Added to Message Center
Microsoft Message
After March 31st, 2026, newly created Azure Virtual Networks (VNets) will no longer include default outbound internet access.
Windows 365 customers who deploy Cloud PCs using an Azure Network Connection (ANC) connected to a VNet created on or after this date must explicitly configure outbound connectivity for the Cloud PCs.
Windows 365 deployments using Microsoft hosted network (MHN) are not affected.
How will this affect your organization?
If your organization deploys Cloud PCs using an Azure Network Connection that is connected to a VNet created on or after March 31, 2026:
- New VNets will default to private subnets with no outbound internet access.
- Without an explicitly configured outbound connectivity method (such as a NAT Gateway), Cloud PC provisioning will fail.
- ANCs using existing VNets created through March 31, 2026, are not impacted and will continue to function with their current outbound configuration.
- Deployments using Microsoft hosted network (MHN) require no changes.
This change only applies when new VNets are created for Azure Network Connection after March 31, 2026. Existing provisioning policies that use VNets created before this date will continue to work as expected.
What you need to do to prepare
Admins should review their Windows 365 deployment approach and ensure internal teams, including help desks and support staff are aware of this change.
Recommended actions:
- Use Microsoft hosted network (MHN) where possible. MHN is the recommended deployment option for Windows 365 and includes fully managed outbound connectivity.
- If continuing to use Azure Network Connection, ensure all new VNets linked in new or existing ANCs include a supported outbound access method:
- NAT Gateway (recommended)
- Azure Standard Load Balancer
- Azure Firewall or a supported third-party Network Virtual Appliance (NVA)*
- *NVAs that automatically scale may interrupt persistent connections such as RDP. A direct outbound method like NAT Gateway is preferred.
- Validate outbound connectivity to ensure Windows 365 service endpoints are reachable and ANC health checks succeed.
- Review deployment automation (ARM, Bicep, Terraform) to confirm it no longer relies on legacy default outbound access behavior.
Compliance considerations
No compliance considerations identified, review as appropriate for your organization
Additional Information:
Azure Default Outbound Access Changes: Guidance for Windows 365 ANC Customers | Microsoft Community Hub
Azure updates | Microsoft Azure