
This will shake out a few of the chancers ...
you know, those people whose "expertise" is point and click.
In September, Microsoft will retire default outbound access for VMs in Azure. "It's not quite a Y2K moment," says Aviatrix CPO Chris McHenry, "but things will break." Deploying applications in the cloud usually requires some form of internet access. Sure, a company might create an Azure Virtual Network (vnet) to roll out their …
If only that were true - I worked as outsourced AzNet EU support for the past 1.5 years and the amount of CSPs who failed to so much as read through the notification, not to mention the links in it, was staggering to the point that the sheer amount of bull I've had to deal with makes me think clickers will just graduate to the noble job of creating as many SRs as they can and wanting support to design the entire networking scheme (because why bother thinking for yourself when you can bother someone else). Funnily enough, smaller companies with internal IT somehow managed to sort their crap out fairly easily in my experience, even if the questions were basic or people had little to no expertise - it's the large enterprises that rely on chancers and people with resumes written by ChatGPT, and I doubt that will change. Cannon fodder might be detrimental to a lot of aspects of how corpos work, but for them it's just better business to employ fodder than invest in full-timers or, god forbid, educating someone with little experience but who actually is able to learn on the job and could stay with the company for a couple of years to handle tasks properly.
All PCs and phones come with outbound Internet working and the world keeps on spinning.
Cloud operators blocking the cloud access by default seems pretty nuts.
Obviously people will have to enable it in everything that uses an API of any sort.
"Don't break userland"
They could ask and announce it over one year for example.
Secbods consider access denied to be fully functioning security.
Businesses consider sales and operating to be their security.
They're all doomed, I say. The admins will be doomed because the devs will have been Happy Clickers(tm) and will have Just Clicked Here and not paid any attention to what and where they were clicking. (Because devs are ALWAYS Happy Clickers. Without exception.) The admins will have to slog through lots and lots and lots of settings and actually set security properly; the devs will scream because stuff no longer Just Works, the users will scream because nothing works anymore, management will scream because the devs and users will be screaming at management. The admins will get stuff working, with real security, given time (a week, two weeks, a month, longer, longer still.)
The devs and users will be doomed because the admins will kill them to get some peace and quiet while they fix the problems. Management will be doomed because now nothing will get done.
All doomed.
Popcorn time.
Azure Virtual Network Manager is the solution for giving developers a subscription with owner permissions; it applies security rules at the management group level (one above subscription and they're nestable). Set that up and nothing they do will permit their RDP endpoint to accept traffic from the internet.
(I work for Team Blue, but they're not paying me nearly enough to comment for work.)
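As an added illustration of the kind of guardrail that comment describes (constructed example code, not from the commenter or from Microsoft), here is an Azure Virtual Network Manager security admin rule in Bicep that denies inbound TCP 3389 from the Internet service tag for every VNet in a network group. It assumes an existing network manager named `avnm-example` (scoped at the management group) and a network group `devSubscriptions` that already covers the developers' VNets; both names are hypothetical.

```bicep
// Added example, not from the page: an AVNM security admin rule that blocks
// inbound RDP from the Internet for every VNet in a network group.
// Assumed (hypothetical) names: network manager 'avnm-example' scoped at the
// management group, and an existing network group 'devSubscriptions'.
param networkManagerName string = 'avnm-example'
param networkGroupName string = 'devSubscriptions'

resource avnm 'Microsoft.Network/networkManagers@2023-11-01' existing = {
  name: networkManagerName
}

resource devGroup 'Microsoft.Network/networkManagers/networkGroups@2023-11-01' existing = {
  parent: avnm
  name: networkGroupName
}

// Security admin rules are evaluated before any NSG in the member VNets,
// so a subscription owner cannot undo them with their own NSG rules.
resource secConfig 'Microsoft.Network/networkManagers/securityAdminConfigurations@2023-11-01' = {
  parent: avnm
  name: 'baseline-security'
  properties: {
    description: 'Management-group level guardrails for developer subscriptions'
    applyOnNetworkIntentPolicyBasedServices: ['None']
  }
}

resource collection 'Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections@2023-11-01' = {
  parent: secConfig
  name: 'inbound-guardrails'
  properties: {
    appliesToGroups: [
      { networkGroupId: devGroup.id }
    ]
  }
}

resource denyRdp 'Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules@2023-11-01' = {
  parent: collection
  name: 'deny-rdp-from-internet'
  kind: 'Custom'
  properties: {
    description: 'Deny inbound RDP from the Internet regardless of NSG settings'
    direction: 'Inbound'
    access: 'Deny'
    priority: 100
    protocol: 'Tcp'
    sources: [
      { addressPrefixType: 'ServiceTag', addressPrefix: 'Internet' }
    ]
    destinationPortRanges: ['3389']
  }
}
```

After deployment the security admin configuration still has to be committed to the target regions before it takes effect on the member VNets.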
On the other hand, if you have been running Azure with its avoid-security defaults (to make it Windows compatible?) you deserve all the trouble coming your way.
A VERY large portion of exposures comes from unsecured defaults, so I'm glad Microsoft finally does something about that, it has only taken, what?
Years? Decades?
> developers don't typically understand networking
This isn’t about developers not understanding networking, it’s about Microsoft not understanding security.
Having the default set to allowing access was never a good idea, it should always have been an opt-in not opt-out. But Microsoft have always favoured short-term convenience over security. This is, after all, a company that is still having to patch dozens of security holes in their OS every month.
It is incredible the number of open and freely accessible cloud servers, with PII data and who knows what, which can be accessed by anyone. So making the default more secure and making those setting up the servers actually think about what they are doing for a second is sensible, even if it is going to cause some devs to actually have to know what they are trying to accomplish.
I've said for over 25 years now, all new systems should default to secure and you should have to explicitly weaken the configuration to the point you need and is acceptable for your security posture. Defaulting to wide-open and hoping the person configuring the system even has a clue what security is, is totally the wrong way to go about these things, especially if these things are on the Internet in the first place.
A new server or database set up on premises, behind the firewall, that defaults to an insecure state is bad, but at least you usually have time to deal with the settings before it goes online. When it is an Internet-facing server, it verges on the criminal to default it to an insecure state.
Yes, it means that those setting up these services need to know what they are doing, but, so, what? You can't drive a car until you have learnt to drive, either.
Key word there, learned... I learnt sitting on my father's lap, driving his car when I was 8 or so, driving up the 2 mile long private road to the farm where my uncle worked.
But, I learnt to drive, my dad didn't just give me the keys, I had to learn how the steering worked and later, how the pedals worked and how to shift gear. I was taught cadence braking, how to handle a slide etc. long before I was old enough to drive on the road and take my test.
My first driving lessons I was put in the driver's seat with cars left and right on a busy, very small road. I had never driven anything other than a bicycle. The instructor gave me 2 minutes of instruction on how the three pedals and the gears worked. Within 50 meters I knew how to drive the non-automatic car... Just don't hit anyone...
That besides, Windows 12 will be a free install, but internet access will only be enabled to windows.com to install and activate, for outbound security reasons. Beyond that you need to buy the additional internet bundle from the Microsoft store for US$ 100 per month....
"There is, of course, a fourth response to the change, which comes from organizations with mature architectures and a good handle on their network security. They might not be affected at all."
To be perfectly honest, in my experience (1.5y as outsourced AzNet support), that's maybe around 15 percent of MS customers at best. Typically those with internal staff rather than underpaid outsourced "techs" who can't so much as put in the correct IP in the local network gateway field when setting up a VPN (back when the cases were easier on the desk, this was the majority of VPN issues reported, not joking). Way too many people were using default outbound with NSGs and maybe an NVA/AzFW on top of that to secure the environ. And no amount of reasoning with them when troubleshooting default outbound access could make them reconsider, even if it'd save them issues in the long run.
I pity my ex-colleagues who remain with the company I worked for; come deadline, there is going to be a massive flood of shite coming their way - as usual any time there is any change on MS's part. You'd think that with reminders having been sent out from iirc mid-2024, there would be at least some awareness of the shift, but I've seen a couple of those events and I have scars to prove how insipid the customers can be once the change is live.
"So to make that easy for developers - because developers don't typically understand networking - Azure's model has been if you deploy an app, by default, it has internet access," says McHenry. "You don't have to do anything."
Ah, yes, the bane of my existence since 1988, with no signs of improvement expected.
In more than a good portion of corporates I've worked in who use Azure, it astonishes me how many leave the config to devs. It isn't always that devs don't know what they are doing, many do, many do not.
They don't want to go granular, they want the path of least resistance.
I've witnessed storage accounts that are fully open, storage accounts that are locked, but have all client data in them, then a client is given access - allowing that client to see all competing client data.
The mind is now over-boggled.
I often know more about upcoming changes like these than the CSPs we pay shedloads to. I probably am not alone in that regard.