Microsoft Azure VM, Breaking Internet Access Change Coming

If you are a user of Microsoft Azure, there is a breaking change coming. There is good news about this change and bad news.

Bad News

The bad news first: this is a breaking change that requires some changes to your Azure environment. Unless your virtual machines have a specific method of getting Internet access, such as one of the following, they will lose Internet access. Those options are:

  • Azure NAT gateway
  • Azure Load Balancer outbound rules
  • Public IP address attached to the VM

If you have one of those three configurations within your Azure environment, there’s nothing else to do. If you are using the default outbound Internet access that is available today (in 2023), then you will need to make a change.

Good News

You’ve got until September 30, 2025, to make this change. So there’s plenty of time.

The Changes to Make

In most environments, the fix is going to be pretty straightforward: you need to add a NAT gateway. The gateway gives the machines within your Azure environment access to the Internet and gets you prepared for the change, which is coming at the end of Q3 2025.

Adding a NAT gateway is a relatively straightforward operation. There are a couple of requirements to add the NAT gateway. The first requirement is that you have an internal IP address range available to create a new subnet on your Azure vNet. The subnet that you create for the NAT gateway can be very small if you want. I created a subnet as a /29 (8 IP Addresses, 3 to use, and 4 for Microsoft Azure), and I could put a NAT gateway within this subnet.

The second requirement is that you need some public IP addresses for the NAT gateway to use. For smaller environments, this can be a single IP address, and for larger environments, a public IP prefix can be used. By using a public IP prefix, you increase the number of connections that the NAT gateway can maintain. (If you want more information as to which you need, or you just want to geek out on the SNAT options available, I’d recommend the documentation for SNAT within the NAT gateway.) (Technically, you don’t need to create the NAT gateway its own subnet, but I typically pre-stage the gateway, and the portal doesn’t let you complete the process without selecting a subnet.)

Once you have the subnet and the public IP address (or public IP prefix) created, you can create the NAT gateway. Once it is created, the NAT gateway needs to be associated with each subnet that contains virtual machines within the Microsoft Azure platform. This is done by editing the properties of each subnet and changing the NAT gateway setting to the NAT gateway you created. You’ll need a NAT gateway within each region where you have virtual machines.

When you assign a NAT gateway to a subnet, all outbound network traffic from the VMs in that subnet to the Internet is redirected through the NAT gateway. This becomes important for any vendors your virtual machines connect to that have the machines’ existing public IP addresses on their whitelist. Once the NAT gateway is configured, the IP address that the VM uses to talk to the vendor will change to the IP address (or range) that the NAT gateway is configured to use, so these whitelists will need to be changed. The process will be different for each vendor, so you’ll need to contact each vendor that has whitelisted your IP addresses and see what their process is for changing the IP addresses on the whitelist.

The upside to this change is that all outbound connectivity from the configured subnets will go out from known IP addresses, not the random IP address that is assigned to you, which is what is being done today.
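To tie together the three outbound options listed under "Bad News" and the per-subnet, per-region association steps above, here is an added example (not from the original post) that works out which VMs lose Internet access, which subnets need a NAT gateway in each region, and which VMs' vendor whitelist entries will change. The inventory and its field names are constructed for illustration and are not an Azure export format.

```python
from collections import defaultdict

# Constructed sample inventory. The field names are hypothetical, not an Azure export format.
SUBNETS = {
    "app":   {"region": "eastus",  "nat_gateway": None},
    "db":    {"region": "eastus",  "nat_gateway": "natgw-east"},
    "web":   {"region": "westus2", "nat_gateway": None},
    "batch": {"region": "westus2", "nat_gateway": None},
}
VMS = [
    {"name": "app01",   "subnet": "app",   "public_ip": False, "lb_outbound_rule": False},
    {"name": "app02",   "subnet": "app",   "public_ip": True,  "lb_outbound_rule": False},
    {"name": "db01",    "subnet": "db",    "public_ip": False, "lb_outbound_rule": False},
    {"name": "web01",   "subnet": "web",   "public_ip": False, "lb_outbound_rule": True},
    {"name": "batch01", "subnet": "batch", "public_ip": False, "lb_outbound_rule": False},
]

def has_explicit_outbound(vm, subnets):
    """True if the VM has one of the three explicit outbound methods."""
    return bool(subnets[vm["subnet"]]["nat_gateway"]
                or vm["lb_outbound_rule"] or vm["public_ip"])

def find_affected(vms, subnets):
    """VMs relying on default outbound access: these lose Internet access."""
    return sorted(vm["name"] for vm in vms if not has_explicit_outbound(vm, subnets))

def nat_gateway_plan(vms, subnets):
    """Subnets holding affected VMs, grouped by region (one NAT gateway per region)."""
    affected = set(find_affected(vms, subnets))
    plan = defaultdict(set)
    for vm in vms:
        if vm["name"] in affected:
            plan[subnets[vm["subnet"]]["region"]].add(vm["subnet"])
    return {region: sorted(names) for region, names in sorted(plan.items())}

def allowlist_reviews(vms, subnets):
    """VMs with their own public IP in a planned subnet: once the NAT gateway is
    associated, vendors see the gateway's address instead, so whitelists need updating."""
    planned = {s for names in nat_gateway_plan(vms, subnets).values() for s in names}
    return sorted(vm["name"] for vm in vms if vm["public_ip"] and vm["subnet"] in planned)

if __name__ == "__main__":
    print("Lose Internet access:", find_affected(VMS, SUBNETS))
    for region, names in nat_gateway_plan(VMS, SUBNETS).items():
        print(f"{region}: one NAT gateway, associate with subnets {names}")
    print("Re-check vendor whitelists for:", allowlist_reviews(VMS, SUBNETS))
```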

Costs

There is a small cost to having a NAT gateway. Running the gateway costs $0.045 per hour, which comes to about $32.50 monthly (720 hours per month). On top of that, any data processed by the NAT gateway is billed at $0.045 per GB, so the data cost varies with the amount of data processed. Public IP addresses and public IP prefixes also have a small cost associated with them. Static public IP addresses (NAT gateways require static IP addresses) cost $0.005 per hour (~$3.60 per month), while a public IP range costs $0.006 per hour (~$4.32 per month). This means that creating a NAT gateway will cost you a minimum of $36.10 per month ($36.82 if you use a public IP prefix). While this is a pretty small amount for most Microsoft Azure environments, it is worth noting that there is a cost associated with this change.

Conclusion

This is a change that most companies will need to make at some point. The good news is that we have just a few days under two years to make this change (Microsoft actually announced the change a few days ago). So we’ve got plenty of time to make the change.

If you need assistance adding a NAT gateway (or anything else in your Azure tenant) to your Azure Subscription, our Azure experts can assist you. Just contact our team, and we can get the process scheduled.

Denny
