Important Update for Azure Users: What You Need to Know About Public IPs and NAT Gateways

Starting September 30, 2025, Microsoft Azure is ditching the default public IP addresses for virtual machines (VMs). While this is a win for security (goodbye accidental exposure!), it’s going to make things trickier for anyone relying on VMs for outbound internet access.

In this post, we’ll break down what this change means, walk you through your options to keep things running smoothly, and share a cost comparison so you can make the best choice for your setup.

What’s Changing?

Currently, Azure assigns a default public IP for outbound internet access from VMs. This simplifies workflows by enabling VMs to communicate with external services (e.g., APIs, websites) without extra configuration. However, starting September 2025:

• Default public IPs will no longer be assigned to new or existing VMs.
• Outbound traffic will require explicit configuration using a NAT Gateway, Azure Firewall, Load Balancer, or a dedicated public IP.

This change impacts both cost and ease of use, especially for workloads that rely heavily on external internet connectivity.

Why Is This Change Happening?

Microsoft’s decision to remove default public IPs from Azure VMs might seem like a hassle at first, but it’s actually a big win for cloud security—and at Enforza, we’re fully behind it. This move reduces the risk of accidental exposure, helping businesses secure their environments more effectively.

Think about it: when a public IP is automatically assigned, it’s easy to overlook the security implications. A developer might spin up a VM for testing and forget to lock it down. Suddenly, that machine—and potentially your entire network—is exposed to the internet, where attackers are constantly scanning for vulnerabilities. RDP anyone?!

By requiring you to explicitly configure outbound access, Azure is encouraging more deliberate and secure setups. Sure, it means a bit more work upfront, but it forces teams to think about how they’re managing their traffic and to avoid leaving critical resources unnecessarily exposed.

Real-World Lessons in Security

We’ve seen countless examples of how default public IPs can lead to serious problems. Imagine a database spun up for a short-term project, left with an open public IP. No one remembers it’s there until an attacker finds it and gains access to sensitive customer data.

Or consider SSH and RDP ports left open on a public IP—perfect targets for brute force attacks.

One of the most common scenarios we’ve come across is old VMs that no one remembers. These “zombie resources” sit there quietly racking up charges, often with public IPs exposed. They’re an easy entry point for attackers, and when they’re compromised, the fallout can be costly—both financially and reputationally.

Removing default public IPs eliminates these risks by making exposure a conscious decision, not the default.

Why We Support This Change

At Enforza, we see this as a step in the right direction. It aligns with our philosophy that cloud environments should be secure by design. When businesses are required to configure internet access explicitly, it naturally reduces mistakes and forces a more thoughtful approach.

We know this can feel like extra work, but it’s worth it. Reviewing your architecture and implementing proper controls is critical for staying ahead of potential threats. And the good news is, you don’t have to navigate this alone.

Your Options

1. Standard Public IP

You can assign a Standard SKU Public IP to each VM to enable direct internet access; this is effectively enabling what Microsoft have disabled by default.

Monthly Cost:

• Static Public IP: ~$3.65 per IP
• Outbound Data Transfer: ~$0.087/GB

Benefits:

• Direct and simple outbound connectivity
• Best for small-scale workloads needing limited internet access

Limitations:

• Exposes VMs directly to the internet unless secured with Network Security Groups (NSGs)
• No centralized management for multiple VMs
• Lacks advanced security features like traffic inspection or filtering

2. Azure NAT Gateway

Azure NAT Gateway is a native solution that centralizes outbound internet connectivity for VMs in a private subnet.

Monthly Cost:

• Fixed monthly fee: ~$38
• Outbound data processing: ~$0.045/GB

Benefits:

• Centralizes outbound traffic for multiple VMs in a subnet
• Keeps VMs private by hiding them behind a single public IP

Limitations:

• Provides connectivity but no traffic inspection, firewalling, or FQDN/URL filtering
• Lacks visibility into traffic patterns, requiring additional tools for security and monitoring
• Only suitable for Azure

3. Azure Firewall (Basic SKU)

Azure Firewall adds security features like L3/L4 firewalling and FQDN filtering for outbound connectivity.

Monthly Cost:

• Fixed hourly subscription: ~$490/month
• Data processing: ~$0.065/GB

Benefits:

• Includes L3/L4 firewalling and FQDN filtering
• Centralized security for internet-bound traffic

Limitations:

• High monthly costs, especially for smaller workloads
• Requires Azure expertise for setup and ongoing management
• Minimal traffic visibility and inspection compared to third-party solutions
• Only suitable for Azure

4. Enforza: A Comprehensive, Cost-Effective Alternative

An all-in-one solution combining outbound connectivity, advanced security, and visibility. It provides equivalent functionality to Azure NAT Gateway plus Azure Firewall Basic SKU at a significantly lower cost.

Monthly Cost:

• Subscription cost: $59/month per gateway
• Users can choose VM sizes to match their specific performance and scaling needs (additional costs, but we recommend resilient B2 VMs at ~$30/month)

Benefits:

• NAT Gateway functionality for outbound connectivity
• L3/L4 firewalling for traffic control
• FQDN/URL filtering for granular domain access management
• Full traffic inspection and analytics for visibility
• Intuitive, centralized management dashboard
• Scalable pricing based on your workload and choice of VM size
• Truly multi-cloud — deploy your policies across all clouds or on-prem simultaneously

Capability Comparisons

Cost Comparisons

Scenario: An Azure VNET connected to the internet that has 5,000GB of data processed, using the 80/20 rule of 80% ingress, 20% egress (Azure only charges for egress data).

• Enforza includes resilient pair of gateways and compute costs.

Key Observations

• Dedicated Public IP is still the cheapest but lacks any advanced security features.
• Azure NAT Gateway is moderately priced for basic NAT functionality but does not include inspection or filtering.
• Azure Firewall (Basic) is the most expensive, primarily due to its high base cost and data processing fees.
• Enforza Firewall offers a competitive balance between cost and functionality, with robust features like traffic inspection and URL filtering. In this scenario, it’s cheaper than Azure NAT Gateway, which lacks essential security features.

Planning Your Strategy

If you’re relying on Azure VMs for outbound traffic, it’s critical to plan for this change. Consider:

• Your Security Needs: Do you need traffic inspection, URL filtering, or logging?
• Your Budget: How much are you willing to spend on outbound traffic management?
• Your Workloads: Do you have predictable traffic patterns that can guide your choice?
• Your Clouds: Do you need this capability across your other clouds (i.e., AWS)?

Why Enforza Is the Best Alternative

Enforza simplifies outbound connectivity while offering advanced security features like traffic inspection and URL filtering. With transparent pricing and a realistic traffic model, Enforza is a tested, reliable solution that helps you save costs without compromising on functionality.

Conclusion

Microsoft’s removal of default public IPs is a significant change, but it’s also an opportunity to evaluate and optimize your network strategy. Whether you choose a dedicated public IP, NAT Gateway, Azure Firewall, or Enforza, understanding the trade-offs is key to making the right decision.