You may have read or heard about the recent announcement from Microsoft that default outbound access for VMs in Azure will be retired on 30th September 2025, and that you will need to use explicit outbound connectivity methods such as Azure NAT Gateway, Azure Load Balancer outbound rules, or a directly attached Azure public IP address.
Yes, when you deploy a virtual machine in Azure, outbound internet connectivity is enabled by default allowing you to browse the Internet. This default configuration is changing.
What happens to my Virtual Machines’ default outbound connectivity if I don’t make this change? According to the announcement, your existing VMs that use default outbound access will continue to work after this retirement; however, Microsoft strongly recommends transitioning to an explicit outbound method.
I posted the announcement on LinkedIn and this retirement notice was welcomed by techies. Here are a few comments. Let me know what you think in the comments section below.
Now, to the main reason why I posted this announcement. If you’re wondering what is Azure NAT Gateway, continue to the next paragraph.
What is Azure NAT Gateway? One of the recommended methods for allowing outbound Internet connectivity for your VMs is Azure NAT Gateway, but what is this service? If you wish to learn more about Azure NAT Gateway, check out my post Azure NAT Gateway Explained.
In this blog post I will go through a demo of setting up Custom Security Attributes in Microsoft Entra ID.
What are Custom Security Attributes? Custom Security Attributes are an Entra ID P1 or P2 licence feature and can be created in Microsoft Entra ID to extend user profiles, for example by adding an employee’s hourly salary, certifications and other sensitive attributes to their profile. We can also add custom security attributes to Azure applications (service principals) and resources. These secure attributes are not visible to anyone by default unless they are assigned a particular role within Entra ID. The Global Administrator cannot see these values by default either.
Which role can create these custom security attributes? To be able to add, activate or deactivate a custom security attribute definition, the admin will require the built-in role Attribute Definition Administrator. By default, the Global Administrator and other administrator roles do not have permissions to read, define, or assign custom security attributes.
Here are the built-in custom security attribute roles (shown below).
Implement Custom Security Attributes step by step
Notes:
– I have assigned my account the Attribute Administrator role. I was not automatically granted this role by being a member of the Global Administrators group.
– Once you add a custom security attribute definition, you can’t delete it. However, you can deactivate a custom security attribute definition.
– This feature is still in preview at the time of writing this post.
Demo description: In this demo I will create an attribute set and add an attribute named SecurityCleared with the values BPSS, SC, CTC and DV (National security vetting clearance levels in the UK). I will then assign one of these levels to one of my demo users and demonstrate how I can search for users assigned one of these security levels in Entra ID.
1. Login to entra.microsoft.com, expand Protection from the left pane and click Custom security attributes. You can also access this feature via Entra ID (formerly Azure AD) through portal.azure.com.
2. Click Add attribute set
An attribute set contains a collection of security attributes. All custom security attributes must be included in an attribute set.
6. Click Roles and administrators from the left pane. Here you can assign roles at the attribute set level, so anyone assigned permissions here will only be able to manage attributes inside this attribute set. For example, if you need another admin to create attributes inside this attribute set, this is where you configure the permissions, and that admin would only be able to manage this attribute set and not any others you may create in the future. I won’t be adding any additional admins to these built-in roles.
7. Next, I add attributes inside my newly created attribute set. Click Add attribute.
8. Here is my attribute. It is one for Staff Security Clearance.
Attribute Name: SecurityCleared
Description: Levels of Security Clearance
Allow multiple values to be assigned: No. In this example I only wish to assign one of the four values to employees. However, if there was a requirement to assign more than one of these values to an employee, I would enable this option.
Only allow predefined values to be assigned: Yes, as I only wish to assign one of the four values I have defined below. BPSS, SC, CTC and DV are the national security vetting clearance levels in the UK.
9. Click save
10. Next, I need to assign one of the four security levels to a user. For this example, my demo user called Lynne Robbins has a security clearance of SC so I would like to apply this to the account. I locate Lynne’s account in Entra ID and click Custom security attributes as shown below.
11. I receive a permissions error. I have the role of Attribute Definition Administrator, so I can create custom security attributes but cannot assign them to users. For the purpose of this demo, I assign my account the Attribute Assignment Administrator role, which will allow me to assign custom security attributes to users.
12. I try again after assigning the required role. Log out and back into the portal if needed. Click Add assignment.
13. I assign the SC security clearance attribute to Lynne. Because I initially configured the attribute to only allow the assignment of one value, I cannot add multiple values to Lynne. Click Save.
Done. Let’s search for all users who have security clearance of SC. It should only be Lynne.
14. In Entra ID, click users
15. Click Add filter
16. Click Custom security attributes from the filter list.
17. I select the value SC and click Apply.
18. One user found: it’s Lynne. Lynne is the only employee who is SC cleared.
If anyone in the organisation attempts to use the Custom security attributes filter without the required permissions, they will receive an access denied message. These secure attributes can only be searched by admins holding the assigned roles mentioned earlier.
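The same demo can be scripted with the Microsoft Graph PowerShell SDK, which is handy when you have many users to tag or want the assignments under version control. The block below is an added example and is not code from the original post. It assumes an attribute set named "Vetting", a placeholder UPN for the demo user, and a signed-in account that holds Attribute Definition Administrator (for the set and definition) and Attribute Assignment Administrator (for the assignment and the search), exactly the two roles the walkthrough needed.

```powershell
# Added example (not from the original post): the portal demo done with the
# Microsoft Graph PowerShell SDK. Assumptions: attribute set name "Vetting",
# the demo user's UPN, and that the signed-in admin holds both the Attribute
# Definition Administrator and Attribute Assignment Administrator roles.
Install-Module Microsoft.Graph -Scope CurrentUser   # once, if not already installed

Connect-MgGraph -Scopes "CustomSecAttributeDefinition.ReadWrite.All",
                        "CustomSecAttributeAssignment.ReadWrite.All",
                        "User.Read.All"

$attributeSet = "Vetting"                       # assumed attribute set name
$userUpn      = "lynne.robbins@example.com"     # placeholder demo user

# 1. Attribute set: every custom security attribute must belong to one.
New-MgDirectoryAttributeSet -Id $attributeSet `
    -Description "UK national security vetting levels" -MaxAttributesPerSet 25

# 2. Attribute definition: single value, predefined values only, searchable.
$definition = @{
    AttributeSet            = $attributeSet
    Name                    = "SecurityCleared"
    Description             = "Levels of Security Clearance"
    Type                    = "String"
    Status                  = "Available"
    IsCollection            = $false   # "Allow multiple values to be assigned" = No
    IsSearchable            = $true    # required for the $filter in step 5
    UsePreDefinedValuesOnly = $true    # "Only allow predefined values" = Yes
    AllowedValues           = @(
        @{ Id = "BPSS"; IsActive = $true },
        @{ Id = "SC";   IsActive = $true },
        @{ Id = "CTC";  IsActive = $true },
        @{ Id = "DV";   IsActive = $true }
    )
}
New-MgDirectoryCustomSecurityAttributeDefinition -BodyParameter $definition

# 3. Definitions cannot be deleted, only deactivated. Shown for reference;
#    the definition id is "<attributeSet>_<attributeName>".
# Update-MgDirectoryCustomSecurityAttributeDefinition `
#     -CustomSecurityAttributeDefinitionId "${attributeSet}_SecurityCleared" `
#     -Status "Deprecated"

# 4. Assign SC to the demo user. The @odata.type entry is required by Graph.
$assignment = @{
    $attributeSet = @{
        "@odata.type"   = "#Microsoft.DirectoryServices.CustomSecurityAttributeValue"
        SecurityCleared = "SC"
    }
}
Update-MgUser -UserId $userUpn -CustomSecurityAttributes $assignment

# 5. Find every user cleared to SC. Filtering on custom security attributes is
#    an advanced query, so ConsistencyLevel eventual and $count are mandatory.
Get-MgUser -ConsistencyLevel eventual -CountVariable matched `
    -Property "id,displayName,userPrincipalName,customSecurityAttributes" `
    -Filter "customSecurityAttributes/$attributeSet/SecurityCleared eq 'SC'" |
    Select-Object DisplayName, UserPrincipalName

"Users cleared to SC: $matched"
```

Step 5 is the scripted equivalent of the portal filter in steps 14 to 18, and it fails with the same access denied result for an account without one of the attribute roles. If step 4 errors with "Insufficient privileges", the signed-in account has the definition role but not the assignment role, which is the same error the walkthrough hit at step 11.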
I hope this helps.
If you wish to learn more about custom security attributes, add them to an application or use them in Conditional Access policies, visit the Microsoft Learn links below.
If you are new to Azure, you might be wondering what is a NAT gateway and why do you need one. In this blog post, I will explain the basics of Azure NAT Gateway and how it can help you connect your Azure resources to the internet.
SNAT – Source Network Address Translation
Before diving into Azure NAT Gateway, have you ever wondered how your devices or services can access the internet using a single public IP address? This is possible thanks to a technique called SNAT, which stands for source network address translation. SNAT changes the original IP address and port of your outgoing packets to match the public IP address and a unique port. Let’s dig deeper.
At home, your Internet Service Provider provides you with a router to which all your devices connect, wirelessly or via a physical cable, as demonstrated in the drawing below.
In most cases the devices connecting to your home router are issued with an IP address automatically by the DHCP service built into the router; see the example below. Each device has an IP address.
The IP addresses assigned above are private and can only be used on your home network. These IP addresses are not Internet routable, so on their own they cannot reach the Internet. Yet we know that your devices at home can access the Internet. How? Via the router.
To allow access to the Internet, your Internet Service Provider assigns a public IP address to your router, as shown in the diagram below (the public IP shown was chosen for demo purposes).
When your home devices connect to the Internet via the router, the router’s built-in SNAT (Source Network Address Translation) rewrites the private source address of outgoing packets so that traffic from your private home network can go out to the Internet. All your devices share the public IP address assigned to your router to reach the Internet. If you were to go to each of your devices, open a browser (while connected to your home router wirelessly or by cable) and visit https://whatismyip.com/, you would find that the public IP address is the same for all of them (mobiles, iPads, laptops), because they are all using the same public IP to access the Internet.
Now that you have a basic idea of SNAT (Source Network Address Translation), let’s move on to understand what an Azure NAT Gateway is.
What is an Azure NAT Gateway? An Azure NAT Gateway is similar to your home router but more intelligent and built for larger networks. It allows your private resources in Azure (such as virtual machines) to connect to the Internet through a central, managed and highly resilient Network Address Translation (NAT) service.
But an Azure virtual machine can get out to the Internet by default, right?
Correct. Let’s understand how virtual machines in Azure access the Internet (outbound) without an Azure NAT Gateway in place.
Important Announcement: Default outbound access for VMs in Azure will be retired in September 2025
In Azure, virtual machines without explicit outbound connectivity defined are assigned a default outbound public IP address by the Azure platform. This IP address enables outbound connectivity from your virtual machine to the Internet, and this access is referred to as default outbound access. The auto-assigned public IP address belongs to Microsoft and is subject to change, so it’s not recommended to depend on it for production workloads. Customers don’t own the default outbound access IP and have no control over it; it may change, and any dependency on it could cause issues in the future. Log on to a virtual machine in Azure without a public IP address explicitly assigned, browse to https://whatismyip.com/ and take a note of the automatically assigned default public IP address.
Can I assign an explicit outbound connectivity method by manually assigning an instance level public IP address to a Virtual Machine?
Yes, this is another option. You could create a Public IP address in Azure which you will have more control over such as ensuring it is static and doesn’t change, and then assign this public IP address to your Virtual Machine. Creating a public IP address will also allow Internet resources to communicate inbound to your Azure virtual machine and enable your virtual machine to communicate to the Internet. You dedicate the public IP address to the resource until you unassign/remove it, you’re in control.
A resource without a public IP assigned can communicate outbound to the Internet, as we now know, but inbound access is not allowed until you assign your own public IP address and configure the required NSG/firewall rules to allow inbound access from the Internet. So you could assign your virtual machines a public IP address, but ask yourself: am I only granting these virtual machines a public IP to allow access to the Internet? How many virtual machines do you have that require access to the Internet? Is it a good idea to assign each virtual machine a dedicated public IP address just to allow access to the Internet? There is definitely another layer of management overhead, as an accidental configuration could expose your resources to the outside world; accidentally allowing RDP from the Internet, for example, would attract a brute force attack in no time.
So what do Microsoft recommend for resources in Azure requiring outbound Internet access without assigning each resource a public IP address?
Azure NAT Gateway
Azure NAT Gateway is a fully managed and highly resilient Network Address Translation (NAT) service. You can use Azure NAT Gateway to allow the resources in your virtual network subnets to connect outbound to the Internet while remaining fully private, as there is no need to assign all your resources a public IP address. Unsolicited inbound connections from the Internet aren’t permitted through a NAT gateway, so the service is secure by default. A NAT gateway allows traffic to flow outbound to the Internet only; the only inbound packets that can pass through it are response packets to an outbound connection.
In the diagram above we have a NAT Gateway connected to two subnets inside a VNET (Virtual Network). The NAT gateway assumes the subnet’s default next hop type for all outbound traffic directed to the internet. No extra routing configurations are required. Outbound Internet traffic for Virtual Machines in Subnet A and Subnet B, along with the Virtual Machine Scale Set (VMSS) will flow through the NAT Gateway. The NAT gateway can be configured with up to 16 public IP addresses which can scale automatically as demand increases.
In the diagram below, we introduce a load balancer, so how does traffic flow outbound when an Azure load balancer comes into the picture? Traffic distributed to a backend pool of servers via a load balancer opens a flow that allows the return traffic to go back out via the load balancer, so packets arriving as response packets to an inbound connection pass back through the load balancer and not outbound via the NAT Gateway. Yes, the NAT Gateway has this intelligence built in.
What about a Virtual machine with a public IP assigned? Exactly the same as inbound traffic via a load balancer (mentioned above), packets arriving as response packets to an inbound connection can pass back through the public IP address assigned to the Virtual Machine and will not flow outbound via the NAT Gateway.
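The diagram and the two paragraphs above describe the target state: a NAT gateway with a static public IP that you own, attached to Subnet A and Subnet B so that everything in them egresses through it, with no route table changes. The block below is an added example (not from the original post) that builds that state with Az PowerShell and then verifies it. Resource group, region, VNet and subnet names are placeholders, and the final metric query assumes the NAT gateway metric name SNATConnectionCount with its ConnectionState dimension.

```powershell
# Added example (not from the original post): give two existing subnets an
# explicit outbound path through a NAT gateway with a static public IP.
# Placeholders: resource group, region, VNet name and subnet names.
Connect-AzAccount

$rg       = "rg-natgw-demo"          # placeholder resource group (must exist)
$location = "uksouth"                # placeholder region
$vnetName = "vnet-demo"              # placeholder existing VNet
$subnets  = @("SubnetA", "SubnetB")  # existing subnets to attach (as in the diagram)

# 1. A Standard SKU, static public IP: an address you control, unlike the
#    platform-assigned default outbound IP that can change underneath you.
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name "pip-natgw" `
    -Location $location -Sku Standard -AllocationMethod Static

# 2. The NAT gateway itself. More public IPs (up to 16) can be passed to
#    -PublicIpAddress later as outbound demand grows.
$natgw = New-AzNatGateway -ResourceGroupName $rg -Name "natgw-demo" `
    -Location $location -Sku Standard -IdleTimeoutInMinutes 4 -PublicIpAddress $pip

# 3. Associate it with each subnet. No route table is needed: the NAT gateway
#    becomes the subnet's next hop for Internet-bound traffic.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
foreach ($name in $subnets) {
    $subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $name
    Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $name `
        -AddressPrefix $subnet.AddressPrefix -NatGateway $natgw | Out-Null
}
$vnet | Set-AzVirtualNetwork | Out-Null

# 4. Verify: each subnet now references the NAT gateway, and the source IP a
#    VM in these subnets presents to the Internet is the static one.
(Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName).Subnets |
    Select-Object Name, @{ n = "NatGateway"; e = { ($_.NatGateway.Id -split "/")[-1] } }
"Outbound source IP for these subnets: $($pip.IpAddress)"

# 5. Watch for SNAT exhaustion: failed SNAT connection attempts over the last
#    hour (metric and dimension names assumed from Azure Monitor's NAT gateway
#    metrics). A non-zero Failed total is the signal to add public IPs.
Get-AzMetric -ResourceId $natgw.Id -MetricName "SNATConnectionCount" `
    -MetricFilter "ConnectionState eq 'Failed'" -AggregationType Total `
    -StartTime (Get-Date).AddHours(-1) -EndTime (Get-Date) -TimeGrain 00:05:00 |
    Select-Object -ExpandProperty Data |
    Select-Object TimeStamp, Total
```

If a subnet already carries an NSG or a route table, pass those to Set-AzVirtualNetworkSubnetConfig as well (-NetworkSecurityGroup, -RouteTable) so the update does not drop them. Once step 3 completes, a VM in either subnet that browses to https://whatismyip.com/ should report the address printed in step 4 rather than the platform-assigned default.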
Azure NAT Gateway benefits
Secure by default
Scalable – Each NAT gateway public IP address provides 64,512 SNAT ports, and NAT gateway can scale to use up to 16 public IP addresses, reducing the chances of SNAT Port Exhaustion. NAT gateway solves the problem of SNAT port exhaustion by providing a dynamic pool of SNAT ports so ports are only allocated to virtual machines when needed instead of a pool based SNAT allocation where a number of ports are assigned to a virtual machine from which some are used and others remain available but not used by the virtual machine. The virtual machines would keep hold of the additional assigned ports, which can cause SNAT port exhaustion.
Another cool feature of Azure NAT Gateway is that it selects SNAT ports at random from its available inventory to make new outbound connections, and it only assigns ports to virtual machines as and when needed. As mentioned in the earlier paragraph, virtual machines are not assigned additional ports that will not be used.
Also, Azure NAT Gateway allows a SNAT port to be reused to connect to the same destination endpoint. However, before doing so, NAT Gateway places a reuse cooldown timer on the port after the initial connection closes, which prevents ports from being selected too quickly.
When NAT gateway cannot find any available SNAT ports to make new outbound connections, it can reuse a SNAT port that is currently in use so long as that SNAT port connects to a different destination endpoint.
Performance – each NAT Gateway can process up to 50 Gbps of data. A NAT gateway can support up to 50,000 concurrent connections per public IP address to the same destination endpoint over the internet for TCP and UDP. The NAT gateway can process 1M packets per second and scale up to 5M packets per second. The total number of connections that a NAT gateway can support at any given time is up to 2 million. While it’s possible that the NAT gateway can exceed 2 million connections, you have increased risk of connection failures.
NAT gateway takes precedence over other outbound connectivity methods, including Load balancer, instance-level public IP addresses (assigning a public IP address to a Virtual Machine), and Azure Firewall.
NAT gateway automatically replaces the default Internet public IP assigned by the Azure platform.
No traffic routing configurations are required to use NAT gateway.
In this blog post I will discuss Microsoft Entra Privileged Identity Management (PIM) Alerts and not the process of setting up Azure Privileged Identity Management. If you wish to learn about Microsoft Entra PIM, visit the following link What is Privileged Identity Management? Microsoft Learn
Note: Azure Active Directory is being rebranded to Microsoft Entra ID
Microsoft Entra ID Privileged Identity Management (PIM) alerts are security notifications that PIM generates when there is suspicious or unsafe activity in your Microsoft Entra ID organisation, such as:
Entra ID roles (previously known as Azure AD roles):
– Your organisation doesn’t have Entra ID (Azure AD) Premium P2 licences, which are a requirement for you to use PIM
– Roles don’t require multi-factor authentication for activation
– Eligible administrators aren’t activating their privileged role
– Roles are being assigned outside of Privileged Identity Management
– Roles are being activated too frequently
– There are too many global administrators
– Potential stale accounts in a privileged role
Azure resources:
– Too many owners assigned to a resource
– Too many permanent owners assigned to a resource
– Duplicate role created
– Roles are being assigned outside of Privileged Identity Management
The above are built into Privileged Identity Management and will generate an alert if the condition is met.
Let’s take a look at where these built-in alerts are located in Privileged Identity Management (PIM):
1. Login to entra.microsoft.com or access Entra ID from the Azure portal.
2. Expand Identity Governance
3. Click Privileged Identity Management
4. Under Manage, click Azure AD roles (being rebranded to Entra ID roles)
5. Click Alerts
6. Click Settings
7. Here are the built in rules which will trigger an alert if the condition is met
8. Go back to check if any alerts have been generated. Click the Scan button if nothing is visible. I have two alerts generated, as per the image below.
9. If I click on the alert Potential stale accounts in a privileged role I have one account which is assigned a privileged role, and the user has not signed into Entra ID (Azure AD) for over 30 days (Click the image below if you need to enlarge).
The image above shows that a user named Alex is assigned to a privileged administrator role, however, has not signed in for over 2 months. Therefore the alert Potential stale accounts in a privileged role has triggered.
I have two options, Dismiss and Fix.
Dismiss – This would dismiss/hide the alert, however if I was to run another scan, the alert would return. This is not dismissing Alex having a privileged stale role but as mentioned it will hide/suppress the alert from your view. You’ll find that the dismiss option is available to select even though you have not selected any users (via the checkbox). After clicking dismiss, if you were to return to the alerts pages, the alert would not be visible but running another scan would return the alert.
Fix – as you can see from the image above, the option to fix is greyed out. If I click the checkbox by the account of Alex as shown in the image below, the option to fix becomes available. What does this fix option do? It will automatically remove the privileged role from Alex. You could also remove the role manually if you wish. Once fixed, the alert will disappear within a couple of seconds.
Note: Ensure that the role is not required before attempting to fix.
What does the below status symbol mean?
The blue symbol under the status column means that the alert is pending or requires resolving.
When you fix an issue, you’ll find that the blue symbol switches to a green check mark for a second before the alert is actioned and removed. In my case, the alert disappeared and the privileged role was unassigned from Alex.
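The stale-account alert is easy to reproduce yourself, which is useful if you want to report on it outside the PIM blade or run it on a schedule before the next scan. The block below is an added example and is not code from the original post or from Microsoft. It applies the same 30-day threshold the post describes to the active members of a set of privileged roles that I have chosen as an assumption; edit the list to suit your tenant. Reading signInActivity needs the AuditLog.Read.All permission and a P1/P2 licence.

```powershell
# Added example (not from the original post): reproduce PIM's "Potential stale
# accounts in a privileged role" check with the Microsoft Graph PowerShell SDK.
# The 30-day threshold is the one the post describes; the role list is assumed.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All", "AuditLog.Read.All"

$staleAfterDays = 30
$watchedRoles   = @("Global Administrator", "Privileged Role Administrator",
                    "User Administrator", "Security Administrator")   # assumed set
$now    = (Get-Date).ToUniversalTime()
$cutoff = $now.AddDays(-$staleAfterDays)

# Get-MgDirectoryRole returns activated roles and their active (permanent)
# members only. PIM eligible assignments are not included; see the note below.
$findings = foreach ($role in Get-MgDirectoryRole -All | Where-Object { $watchedRoles -contains $_.DisplayName }) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        # Skip groups and service principals; the alert is about user accounts.
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

        $user = Get-MgUser -UserId $member.Id `
            -Property "displayName,userPrincipalName,accountEnabled,signInActivity"
        $last = $user.SignInActivity.LastSignInDateTime   # $null if never signed in

        if ($null -eq $last -or $last -lt $cutoff) {
            [pscustomobject]@{
                Role            = $role.DisplayName
                User            = $user.UserPrincipalName
                Enabled         = $user.AccountEnabled
                LastSignIn      = if ($last) { $last.ToString("u") } else { "never" }
                DaysSinceSignIn = if ($last) { [int]($now - $last).TotalDays } else { $null }
            }
        }
    }
}

$findings | Sort-Object Role, User | Format-Table -AutoSize

# Remediation mirrors the portal's Fix button: remove the role membership.
# Confirm the role is genuinely no longer needed before running this.
# Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId "<roleObjectId>" -DirectoryObjectId "<userObjectId>"
```

Two caveats a practitioner would want: an account that has never signed in shows as "never" and is reported, which matches the spirit of the alert, and accounts that hold a role only as a PIM eligible assignment are not seen by Get-MgDirectoryRoleMember, so the PIM blade remains the authority for those.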
Azure resource alerts
You will also find a number of alerts available for Azure resources:
1. Go back to the main page for PIM and click Azure Resources
2. Click your subscription
3. Click alerts under manage from the left pane and click settings. These are the alerts which will be triggered if the condition is met.
If an access denied error appears the first time you click settings, refresh the page and try again.
I hope this helps. As always, please feel free to drop a comment below if you have any feedback.
In this blog post, I will document the three cloud models: public cloud, private cloud and hybrid cloud.
Kicking off the post with public cloud, which has become popular and widespread in recent years, though it’s been around for decades. Thanks to advances in technology, connectivity and demand, cloud computing is now used by millions of people and organisations around the world for various purposes. There is no one type of cloud computing that’s right for everyone. Several different cloud computing models, types and services have evolved to meet the rapidly changing technology needs of organisations, including public, private and hybrid cloud.
What is Public Cloud? In general, the cloud refers to a network of servers that are connected over the Internet and provide various services and resources to users. To simplify further, public cloud is a type of cloud computing in which a third party service provider makes computing resources available to users over the Internet. These resources can include software, platforms or infrastructure that you can access on demand and pay only for what you use; for example, deploying virtual machines on the service provider’s physical hardware without having to invest in your own hardware. Another example of a cloud service is Office 365 (Word, Excel, PowerPoint, Outlook etc.). These services are accessed over the Internet and reside on servers in the third party service provider’s data centres located around the world.
There are three types of Cloud models including Public Cloud. Here they are,
Public Cloud: A public cloud is owned by a hosting provider such as Microsoft Azure, one of the largest cloud providers in the world. Microsoft Azure is a public cloud service offering resources and services to organisations and individuals around the world. Most people can get started with Microsoft Azure in a matter of minutes. A public cloud is accessed via a secure network connection or over the Internet. There are also other providers of cloud services, such as Amazon Web Services (AWS), Google Cloud and Alibaba Cloud.
Private Cloud: A private cloud belongs to an organisation that has built the infrastructure in its own datacentres. This is known as a private cloud and is not accessible to anyone outside of the organisation. It’s accessible by the organisation’s employees only, therefore it’s private and not available to the public.
Hybrid Cloud: A hybrid cloud combines on-premises infrastructure, or a private cloud with a public cloud. Hybrid clouds allow data and apps to move between the two environments. Many organisations choose a hybrid cloud approach due to a number of reasons including meeting regulatory and data sovereignty requirements, taking full advantage of on-premises technology investment, addressing low latency issues or to gradually migrate to a public cloud.
So what are the benefits of the three models above? Let’s dig deeper.
Comparison of Cloud Models
No capital expenditure (CapEx) is required by an organisation. Organisations don’t need to invest in expensive hardware to run their services, such as physical servers, networking equipment and datacentres, therefore there is no capital expenditure (no upfront investment). In simple terms, you’re using someone else’s datacentre and hardware to run your services instead of managing and maintaining your own datacentres and hardware. The cloud provider is responsible for purchasing, maintaining and managing the physical hardware, including physical servers, switches, cabling and maintenance of the datacentres. So what do organisations or individuals pay for? You pay for building/deploying resources such as virtual servers and other applications on the cloud provider’s hardware on a pay as you go model.
Advantages of public clouds:
Lower costs: no need to purchase hardware or software, and you pay only for the service you use.
No maintenance: your service provider is responsible for maintaining the underlying infrastructure.
Near unlimited scalability: on demand resources are available to meet your business needs.
High reliability: a vast network of servers across the world ensures against failure.
With a private cloud, an organisation is responsible for purchasing hardware, such as physical servers, switches, cabling, storage, air conditioning, CCTV, backup power generators and more. The organisation is also responsible for managing and maintaining the hardware, including failures of physical disks, cabling, racks, power etc. Organisations are also responsible for refreshing/recycling the hardware to ensure they’re utilising the latest technology as demands increase and hardware becomes outdated and slow. A private cloud can also be hosted by a third party service provider, but in a private cloud the services and infrastructure are always maintained on a private network and the hardware and software are dedicated solely to your organisation.
Advantages of a private cloud:
More flexibility: your organisation can customise its cloud environment to meet specific business needs.
More control: resources are not shared with others, so higher levels of control and privacy are possible.
Hybrid Cloud – Gives the most flexibility
As an organisation you decide where to run your resources, either in your own datacentre or in the public cloud. Because you have services running on-premises and in the public cloud, the public cloud becomes an extension of your on-premises infrastructure, known as a Hybrid cloud solution.
Advantages of the hybrid cloud:
Control: your organisation can maintain a private infrastructure for sensitive assets or workloads that require low latency.
Flexibility: you can take advantage of additional resources in the public cloud when you need them.
Cost effectiveness: with the ability to scale to the public cloud, you pay for extra computing power only when needed.
Ease: transitioning to the cloud doesn’t have to be overwhelming because you can migrate gradually, phasing in workloads over time.
What is the difference between Operational Expenditure (OpEx) and Capital Expenditure (CapEx)? Operational Expenditure (Opex) and Capital Expenditure (Capex) are two different types of expenses that a business may incur. Opex refers to the ongoing costs that a business has to spend to run its day to day operations, such as salaries, rent, utilities, and supplies. Capex refers to the money that a business invests in fixed assets or intangible assets, such as datacentres, physical servers and other physical assets.
Now think about whether running your services on the Microsoft Azure public cloud falls under capital expenditure or operational expenditure. Operational expenditure, right? Because there is no upfront cost: you deploy your services in Azure datacentres and on Microsoft’s hardware, so there is no upfront cost to purchase hardware or invest in physical datacentres. You pay to run your services on Azure servers and pay for what you use, therefore this ongoing cost is an operational expense to your business, not capital expenditure.
I hope this short post helps give you a basic understanding of the difference between public, private and hybrid cloud.
If you’re interested in learning Azure, I would recommend getting started with the free Azure Fundamentals learning path available at the following link: Microsoft Learn – Azure Fundamentals.
As always, all feedback is welcome. Please comment below. Thank you