Firms using Azure infrastructure gained a reprieve from a security-focused switch that could have broken apps that relied on public Internet access.
October 29, 2025

Last month, Microsoft delayed the implementation of a planned change for Azure virtual networks that could break the cloud infrastructure of unprepared companies. Experts are urging cloud-operations teams to use the extra time to plan for the switchover.

A year ago, Microsoft announced that it would shift the default for virtual machines (VMs) from public outbound Internet access to private subnets for any virtual network created after the deadline. The company originally planned to implement the change on Sept. 30, 2025, but pushed it to March 2026, citing customer feedback.

The change makes sense as a way to improve the security of cloud workloads that use the default network, but it could break applications that rely on the default behavior, says Brian Anderson, global field CTO at Cato Networks, a secure cloud networking provider.

"The impact can result in unintended or unexpected behavior changes that can impact how applications work," he says. "If I have a new network that before defaulted to have access to the Internet and now does not, that may break workloads that I have built and that I expect to behave in a certain way."

The change is part of Microsoft's efforts to identify potential weaknesses in its Azure cloud infrastructure and to pursue a zero-trust architecture across its cloud offerings.
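An added example, not code from the article, from Microsoft, Cato Networks or Aviatrix, of the inventory check a cloud-operations team would run while planning for the switch described above. It walks a constructed snapshot of subnets, NICs, route tables and load balancers, names the outbound path each VM actually has, and flags the VMs whose only Internet path is Azure's implicit default outbound access. The field names only loosely mirror the ARM resource schema (subnet defaultOutboundAccess, natGateway and routeTable; NIC publicIPAddress and backend pools; load balancer sku and outboundRules), the order in which the checks are applied is an assumption, and every resource name in the snapshot is invented; in practice the same logic would be fed from Azure Resource Graph or `az network` output.

```python
"""Audit an Azure network snapshot for VMs that rely on default outbound access.

Added example, not code from the article or from Microsoft. The snapshot below is
constructed; the field names loosely mirror the ARM resource schema (an assumption
of this example).
"""
from typing import Optional

# --- constructed snapshot (all names invented) ---------------------------------
SNAPSHOT = {
    "subnets": {
        # Existing subnet: defaultOutboundAccess unset, so the implicit path applies.
        "sub-legacy": {"defaultOutboundAccess": None, "natGateway": None, "routeTable": None},
        # Existing subnet fronted by a NAT gateway.
        "sub-nat": {"defaultOutboundAccess": None, "natGateway": "natgw-1", "routeTable": None},
        # Subnet created as "private": no implicit Internet path at all.
        "sub-new": {"defaultOutboundAccess": False, "natGateway": None, "routeTable": None},
        # Subnet whose default route is forced through a firewall / NVA.
        "sub-fw": {"defaultOutboundAccess": None, "natGateway": None, "routeTable": "rt-fw"},
    },
    "routeTables": {
        "rt-fw": [{"addressPrefix": "0.0.0.0/0", "nextHopType": "VirtualAppliance"}],
    },
    "loadBalancers": {
        "lb-std": {"sku": "Standard", "backendPools": ["pool-a"], "outboundRules": ["out-1"]},
        "lb-basic": {"sku": "Basic", "backendPools": ["pool-b"], "outboundRules": []},
    },
    "nics": [
        {"vm": "web1", "subnet": "sub-legacy", "publicIPAddress": None, "backendPools": []},
        {"vm": "web2", "subnet": "sub-legacy", "publicIPAddress": "pip-web2", "backendPools": []},
        {"vm": "app1", "subnet": "sub-legacy", "publicIPAddress": None, "backendPools": ["pool-a"]},
        {"vm": "app2", "subnet": "sub-legacy", "publicIPAddress": None, "backendPools": ["pool-b"]},
        {"vm": "db1", "subnet": "sub-nat", "publicIPAddress": None, "backendPools": []},
        {"vm": "new1", "subnet": "sub-new", "publicIPAddress": None, "backendPools": []},
        {"vm": "fw1", "subnet": "sub-fw", "publicIPAddress": None, "backendPools": []},
    ],
}

IMPLICIT = "implicit-default"   # only Azure's unmanaged default outbound path
NONE = "no-outbound"            # private subnet with nothing explicit: no Internet egress


def _forced_to_nva(route_table: Optional[str], snapshot: dict) -> bool:
    """True if the subnet's route table sends 0.0.0.0/0 to a firewall / NVA."""
    for route in snapshot["routeTables"].get(route_table or "", []):
        if route["addressPrefix"] == "0.0.0.0/0" and route["nextHopType"] == "VirtualAppliance":
            return True
    return False


def _lb_with_outbound_rules(pools: list, snapshot: dict) -> bool:
    """True if any backend pool belongs to a Standard LB that has outbound rules.
    Basic LBs never count here: they have no outbound rules and are being retired."""
    for lb in snapshot["loadBalancers"].values():
        if lb["sku"] == "Standard" and lb["outboundRules"] and set(lb["backendPools"]) & set(pools):
            return True
    return False


def classify(nic: dict, snapshot: dict = SNAPSHOT) -> str:
    """Name the outbound method a NIC uses. The check order (NAT gateway, UDR to an
    NVA, instance public IP, LB outbound rules) is an assumption of this example;
    what matters for the switch is explicit versus implicit."""
    subnet = snapshot["subnets"][nic["subnet"]]
    if subnet["natGateway"]:
        return "explicit:nat-gateway"
    if _forced_to_nva(subnet["routeTable"], snapshot):
        return "explicit:udr-to-nva"
    if nic["publicIPAddress"]:
        return "explicit:public-ip"
    if _lb_with_outbound_rules(nic["backendPools"], snapshot):
        return "explicit:lb-outbound-rules"
    # Nothing explicit: either the implicit default still applies, or the subnet is private.
    return NONE if subnet["defaultOutboundAccess"] is False else IMPLICIT


def audit(snapshot: dict = SNAPSHOT) -> dict:
    """Map every VM in the snapshot to its outbound method."""
    return {nic["vm"]: classify(nic, snapshot) for nic in snapshot["nics"]}


def at_risk(snapshot: dict = SNAPSHOT) -> list:
    """VMs that would lose Internet egress if their subnet were made private,
    i.e. those that today depend solely on default outbound access."""
    return sorted(vm for vm, method in audit(snapshot).items() if method == IMPLICIT)


if __name__ == "__main__":
    for vm, method in audit().items():
        print(f"{vm:6} {method}")
    print("relying on default outbound:", at_risk())
```

Run as a script it prints one line per VM. The VM in the private subnet (sub-new) comes out as no-outbound rather than implicit-default, which is the post-deadline behavior for new virtual networks; the member of the Basic Load Balancer pool (app2) is listed as at risk because the Basic SKU carries no outbound rules of its own and is treated here as not an explicit method.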
As part of its Secure Future Initiative, Microsoft has focused on six engineering "pillars" and 28 security-related objectives in those areas. In the "protect tenants and isolate production systems" pillar, Microsoft aims to remove legacy systems that pose a risk to security, secure the devices used for access, and secure all tenants and their resources, all of which can be read as related to the enforcement of private subnets.

During attacks, threat actors typically follow a set of common steps, a unified kill chain that starts with infiltration, then lateral movement through the network and cloud resources, followed by escalation of privileges and, finally, exfiltration, says Benson George, senior principal product marketing manager at Aviatrix, a cloud network security firm.

"That exfiltration is where [outbound access] really comes into play, and so what's happening is that Azure has recognized that this is a pretty major risk and something that they could do about it," he says. "The reality is a lot of security threats are leveraging this outbound access."

After the new March deadline, cloud users creating a new VM in Azure with a new virtual network will find that the network does not automatically connect to the Internet. Instead, engineers will have to explicitly route outbound traffic through an outbound device or resource.

Microsoft emphasized that the change will not affect existing virtual networks or the VMs within them, and that customers who do not want the private-subnet behavior can configure their virtual networks to retain the previous behavior.

"Default public networking exposes VMs to the Internet, which contradicts zero-trust principles and increases security risk," a Microsoft spokesperson stated in response to questions from Dark Reading. "Making private networking the default ensures outbound access is explicitly configured, reducing the risk of unintended exposure and reliance on ephemeral, system-assigned IPs that aren't managed or owned by the customer."

The change is not about blocking external actors' access to workloads but about blocking workloads from reaching the Internet without adequate security controls, says Cato Networks' Anderson.

"This is your workload accessing things that would go out to the Internet, and so you wouldn't have a path to the Internet unless you would explicitly allow that with this new change," he says. "Whereas by default, historically, a network — and anything running on this network within Azure — could access the Internet as the default behavior."

Finding and mitigating the issue in existing infrastructure is not necessarily straightforward. A similar and related transition, the retirement of Basic Load Balancers, caused significant issues for some companies, since losing default access to the Internet meant working out the rules needed to allow appropriate traffic, according to a thread on Reddit.

Microsoft has outlined two ways of finding Azure resources that use default outbound Internet access, depending on the specific situation. The company recommends that customers move to an explicit outbound method: an Azure Firewall, a network virtual appliance (NVA), a NAT gateway, a public Standard Load Balancer with outbound rules, or, for HTTP traffic, a centralized HTTP proxy that forwards requests. (Microsoft noted that Basic Load Balancers are being retired on Sept. 30, 2025.)

"Azure customers that want to take advantage of private subnets need to ensure that their virtual machines are in a subnet that has an explicit method of outbound specified," Microsoft's spokesperson said.

An agile deployment process that defines configuration in files, using an approach such as infrastructure as code (IaC), can make the transition much smoother and easier to manage, says Cato Networks' Anderson.

"If customers have [a process based on] IaC, it would be easy to systematically change the networking across their entire environment," he says. "IaC makes it easier to manage or mitigate cloud resources, so that they can have a modular systematic approach to change all of their configurations."

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.