LmCast :: Stay tuned in

Microsoft Security Change for Azure VMs Creates Pitfalls

Recorded: Oct. 30, 2025, 2:20 p.m.

Original

Microsoft Security Change for Azure VMs Creates Pitfalls

Firms using Azure infrastructure gained a reprieve from a security-focused switch that could have broken apps that relied on public Internet access.

Robert Lemos, Contributing Writer
October 29, 2025
4 Min Read

Source: BigTunaOnline via Shutterstock

Last month, Microsoft delayed the implementation of a planned change for Azure virtual networks, which could break the cloud infrastructure of unprepared companies. Experts are urging cloud-operations teams to take the time to plan for the switchover.

A year ago, Microsoft announced that it would be shifting the current default for virtual machines (VMs) from public outbound access to using private subnets for any virtual network created after the deadline. Originally, the company planned to implement the change on Sept. 30 but pushed it off to March 2026, citing customer feedback.

The change makes sense to improve the security of cloud workloads that use the default network, but it could break applications that rely on the default behavior, says Brian Anderson, global field CTO at Cato Networks, a secure cloud networking provider.

"The impact can result in unintended or unexpected behavior changes that can impact how applications work," he says. "If I have a new network that before defaulted to have access to the Internet and now does not, that may break workloads that I have built and that I expect to behave in a certain way."

The change is part of Microsoft's efforts to identify potential weaknesses in its Azure cloud infrastructure and to pursue a zero-trust architecture across its cloud offerings. As part of its Secure Future Initiative, Microsoft has focused on six engineering "pillars" and 28 security-related objectives in those areas. In the "protect tenants and isolate production systems" pillar, Microsoft aims to remove legacy systems that pose a risk to security, secure devices used for access, and secure all tenants and their resources, all of which could be considered related to the enforcement of private subnets.

During attacks, threat actors typically follow some common steps — a unified kill chain — that starts with infiltration, then lateral movement through the network and cloud resources, followed by the escalation of privileges, and finally, exfiltration, says Benson George, senior principal product marketing manager at Aviatrix, a cloud network security firm.

"That exfiltration is where [outbound access] really comes into play, and so what's happening is that Azure has recognized that this is a pretty major risk and something that they could do about it," he says. "The reality is a lot of security threats are leveraging this outbound access."

Better Security for VMs

After the new March deadline, cloud users creating a new VM in Azure with a new virtual network will see that the network won't automatically connect to the Internet. Instead, engineers would have to explicitly connect to an outbound device or resource.

Microsoft emphasized that the change will not affect existing virtual networks or the VMs within those networks, and that customers who do not want the private-subnet behavior can also configure their virtual networks to retain the previous behavior.

"Default public networking exposes VMs to the Internet, which contradicts zero-trust principles and increases security risk," a Microsoft spokesperson stated in response to questions from Dark Reading. "Making private networking the default ensures outbound access is explicitly configured, reducing the risk of unintended exposure and reliance on ephemeral, system-assigned IPs that aren't managed or owned by the customer."

The change is not about blocking access to workloads by external actors but about blocking workloads from accessing the Internet without adequate security controls, says Cato Networks' Anderson.

"This is your workload accessing things that would go out to the Internet, and so you wouldn't have a path to the Internet unless you would explicitly allow that with this new change," he says. "Whereas by default, historically, a network — and anything running on this network within Azure — could access the Internet as the default behavior."

Infrastructure as Code

Finding and mitigating the issue in existing infrastructure is not necessarily straightforward. A similar — and related — transition away from Basic Load Balancers caused significant issues for some companies, as not having default access to the Internet meant figuring out the rules needed to allow appropriate traffic, according to a thread on Reddit.

Microsoft has outlined two ways of finding Azure resources that use default outbound Internet access, depending on the specific situation. The company recommends that companies modify their network access methods to use an Azure Firewall, a network virtual appliance (NVA), a NAT gateway, a Public Standard Load Balancer with specific outbound rules, or — for HTTP traffic — a centralized HTTP proxy to forward requests. (Microsoft noted that Basic Load Balancers are being retired on Sept. 30, 2025.)

"Azure customers that want to take advantage of private subnets need to ensure that their virtual machines are in a subnet that has an explicit method of outbound specified," Microsoft's spokesperson said.

Having an agile deployment process that includes configuration through configuration files — using an approach such as infrastructure as code (IaC) — can make the transition much smoother and more easily managed, says Cato Networks' Anderson.

"If customers have [a process based on] IaC, it would be easy to systematically change the networking across their entire environment," he says. "IaC makes it easier to manage or mitigate cloud resources, so that they can have a modular systematic approach to change all of their configurations."

About the Author

Robert Lemos, Contributing Writer. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Summarized

Microsoft has postponed a significant security-related update for Azure virtual machines (VMs), delaying the implementation of a shift from default public outbound access to private subnets for new virtual networks. Originally scheduled for September 30, 2025, the change was pushed to March 2026 following customer feedback. This adjustment aims to enhance cloud security by aligning with zero-trust principles, but it risks disrupting applications that rely on the previous default configuration. The shift reflects Microsoft’s broader Secure Future Initiative, which prioritizes six engineering pillars and 28 security objectives, including isolating production systems and removing legacy vulnerabilities. Brian Anderson, global field CTO at Cato Networks, emphasized that the change could lead to unintended behavioral shifts in applications designed for public internet access, as new networks would no longer automatically enable outbound connectivity. This could break workloads that assume default public access, requiring administrators to explicitly configure outbound paths through tools like Azure Firewall, NAT gateways, or HTTP proxies.

The policy update is framed as a response to the growing threat landscape, where adversaries often exploit outbound access during attacks. Benson George, senior principal product marketing manager at Aviatrix, noted that Azure recognized the risk of uncontrolled outbound traffic, which is a critical step in many attack chains. By making private subnets the default, Microsoft seeks to reduce reliance on ephemeral, system-assigned IP addresses and enforce explicit configuration for internet access. However, the company clarified that existing virtual networks and their VMs remain unaffected, with customers retaining the option to maintain public networking if desired. A Microsoft spokesperson stated that default public networking contradicts zero-trust principles by exposing VMs to unnecessary risks, while the new approach ensures that outbound access is intentionally managed.

The transition poses challenges for organizations, particularly those with legacy systems or inflexible deployment processes. Microsoft outlined methods to identify resources using default public access, recommending tools like Azure Firewall or centralized HTTP proxies to replace outdated configurations. The article highlights lessons from a prior shift away from Basic Load Balancers, which caused disruptions for companies unprepared to redefine traffic rules. Cato Networks’ Anderson stressed the importance of infrastructure-as-code (IaC) practices, which enable systematic adjustments across cloud environments. By codifying network configurations, organizations can streamline the transition and adopt a modular approach to managing cloud resources.
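The audit that the paragraph above describes, as an added example that is not from the article, from Microsoft, or from any of the vendors quoted: it walks a simplified, constructed inventory of NICs, subnets and load balancers and reports which VMs still depend on default outbound access, which have one of the explicit outbound methods the article lists (NAT gateway, firewall/NVA route, public IP, Standard load balancer with outbound rules), and which would simply lose Internet egress once their subnet is private. The dataclass field names, the sample resource names and the exact cut-over date are all assumptions made for the example; a real run would populate the same structures from Azure Resource Graph or the Azure CLI.

```python
"""Audit which Azure VMs rely on default outbound access (constructed example).

Added example; not Microsoft tooling. The inventory below is hand-built and
simplified. Explicit outbound methods checked are the ones the article lists:
a NAT gateway on the subnet, a 0.0.0.0/0 user-defined route to a firewall/NVA,
a public IP on the NIC, or membership in a Standard load balancer backend pool
that has outbound rules configured.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional

# "March 2026" per the article; the exact day is an assumption for the example.
NEW_DEFAULT_DEADLINE = date(2026, 3, 31)


@dataclass(frozen=True)
class Subnet:
    name: str
    vnet_created: date                 # creation date of the parent VNet
    nat_gateway: Optional[str] = None  # NAT gateway attached to the subnet
    default_route_next_hop: Optional[str] = None  # next hop type of a 0.0.0.0/0 UDR
    private: bool = False              # subnet explicitly configured as private


@dataclass(frozen=True)
class LoadBalancer:
    name: str
    sku: str                # "Basic" or "Standard"
    outbound_rules: int = 0


@dataclass(frozen=True)
class Nic:
    vm: str
    subnet: str
    public_ip: Optional[str] = None
    lb_backend: Optional[str] = None   # load balancer whose backend pool holds the NIC


@dataclass(frozen=True)
class Finding:
    vm: str
    status: str   # "explicit", "default-outbound" or "no-outbound"
    detail: str   # the explicit method found, or why egress is missing/implicit


def explicit_method(nic: Nic, subnet: Subnet, lbs: dict[str, LoadBalancer]) -> Optional[str]:
    """Return the explicit outbound method serving this NIC, or None if there is none."""
    if subnet.nat_gateway:
        return f"nat-gateway:{subnet.nat_gateway}"
    # Azure Firewall and third-party NVAs are both reached through a VirtualAppliance next hop.
    if subnet.default_route_next_hop == "VirtualAppliance":
        return "udr:VirtualAppliance"
    if nic.public_ip:
        return f"public-ip:{nic.public_ip}"
    lb = lbs.get(nic.lb_backend) if nic.lb_backend else None
    if lb and lb.sku == "Standard" and lb.outbound_rules > 0:
        return f"standard-lb-outbound-rules:{lb.name}"
    return None


def audit(nics: list[Nic], subnets: dict[str, Subnet], lbs: dict[str, LoadBalancer],
          deadline: date = NEW_DEFAULT_DEADLINE) -> list[Finding]:
    """Classify every NIC. Subnets in VNets created after the deadline are treated as private."""
    findings: list[Finding] = []
    for nic in nics:
        subnet = subnets[nic.subnet]
        method = explicit_method(nic, subnet, lbs)
        if method:
            findings.append(Finding(nic.vm, "explicit", method))
            continue
        if subnet.private or subnet.vnet_created > deadline:
            findings.append(Finding(nic.vm, "no-outbound",
                                    "private subnet and no explicit outbound method"))
            continue
        detail = "relies on default outbound access via a system-assigned ephemeral IP"
        if nic.lb_backend and lbs[nic.lb_backend].sku == "Basic":
            detail += "; behind a Basic load balancer, which is being retired"
        findings.append(Finding(nic.vm, "default-outbound", detail))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per status; handy for a dashboard or a CI gate."""
    return dict(Counter(f.status for f in findings))


# Constructed sample inventory (all names and dates are made up for the example).
SUBNETS = {
    "web": Subnet("web", date(2024, 5, 1)),
    "app": Subnet("app", date(2024, 5, 1), nat_gateway="natgw-app"),
    "db": Subnet("db", date(2024, 5, 1), default_route_next_hop="VirtualAppliance"),
    "legacy": Subnet("legacy", date(2023, 1, 10)),
    "new": Subnet("new", date(2026, 4, 15)),   # VNet created after the cut-over
}
LOAD_BALANCERS = {
    "lb-basic": LoadBalancer("lb-basic", "Basic"),
    "lb-std": LoadBalancer("lb-std", "Standard", outbound_rules=1),
}
NICS = [
    Nic("web-01", "web"),
    Nic("web-02", "web", public_ip="203.0.113.10"),
    Nic("api-01", "web", lb_backend="lb-std"),
    Nic("app-01", "app"),
    Nic("db-01", "db"),
    Nic("legacy-01", "legacy", lb_backend="lb-basic"),
    Nic("new-01", "new"),
]

if __name__ == "__main__":
    results = audit(NICS, SUBNETS, LOAD_BALANCERS)
    for f in results:
        print(f"{f.vm:<10} {f.status:<17} {f.detail}")
    print(summarize(results))
```

The three statuses map onto the article's concerns: "default-outbound" is the estate to migrate before the default flips, "no-outbound" is what a freshly created VNet will look like after the deadline if nobody adds an egress path, and "explicit" is the end state Microsoft's spokesperson describes. Folding this check into an IaC pipeline lets teams fail a deployment that introduces a subnet with no explicit outbound method.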

The delay provides time for enterprises to audit their infrastructure and adapt to the new defaults, though experts caution that the shift requires proactive planning. Microsoft’s move underscores its commitment to securing cloud workloads amid evolving threats, even as it acknowledges the complexity of balancing security with operational continuity. The update aligns with broader industry trends toward zero-trust architectures and tighter control over network access, reflecting the increasing emphasis on minimizing attack surfaces in cloud environments. For organizations using Azure, the change necessitates a reevaluation of network strategies, with a focus on explicit outbound configurations and robust security controls to mitigate risks while maintaining application functionality.

The article also touches on related cybersecurity topics, such as the challenges of AI-generated code and the evolving threat landscape in regions like the Middle East and Asia Pacific. However, its primary focus remains on Microsoft’s Azure policy shift, which highlights the tension between enhancing security and ensuring compatibility with existing systems. As cloud infrastructure becomes more complex, the need for proactive management of network configurations and security practices grows, particularly as enterprises adopt hybrid and multi-cloud strategies. Microsoft’s decision to delay the change acknowledges the practical realities of large-scale cloud migrations while reinforcing its commitment to long-term security improvements. For IT teams, the lesson is clear: adapting to such changes requires not only technical expertise but also a strategic approach to infrastructure design and risk management.