0 Votes
BenjaminCady-7918 asked, srbhatta-msft edited

VM default outbound access blocked if another VM has explicit outbound configured?

Is it expected that multiple VMs on the same subnet that use default outbound access (no public IP, no load balancer, no NAT gateway) would stop functioning if one of the VMs on the subnet is configured with an explicit outbound access method?

https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/default-outbound-access

I have 2 scenarios where I am seeing that VMs are unable to access the Internet through the default outbound access. In both scenarios, there is no NAT gateway configuration for the subnet they are on.

Scenario 1: there are 3 VMs that used default outbound access; they were primarily accessed over Azure VPN, so they do not need public IPs or load balancers. They were working just fine, with all 3 having Internet access using a Microsoft-controlled IP. One of the VMs is now running a small workload that needs public access, so it was given a public IP address. As soon as that VM was given a public IP, it had an explicit outbound access method according to the link above. But the other 2 VMs immediately lost Internet access; they cannot reach outbound to the Internet for anything, despite no changes having occurred directly on them.

Scenario 2: there is a DMZ subnet with web servers that use a public load balancer; there are 2 servers currently in it that work fine. The load balancer pool is going to be expanded by adding 2 more web servers. The 2 new web servers have been added, but they do not have any public Internet access. There are programs, management and security tools that need to be installed on the 2 web servers before they are ready to be deployed and added to the load balancer backend pool. Since they are not in the backend pool of the load balancer, they should be able to use default outbound access, but this is not working. They can't be added to the backend pool until they are prepared and ready to handle the traffic.

The document on default outbound access, from what I can tell, does not make any statement that defining an explicit outbound access method for one VM should have any effect on another. Except for the NAT gateway resource, which applies to an entire subnet, adding a public IP address to one VM has nothing to do with another. If a VM is not in the backend pool of a load balancer, why would it be affected by its existence on the same subnet?

I can see the advantage of implementing NAT gateways to resolve this, but this is an added cost that doesn't really seem justifiable if I don't require it.


Tags: azure-virtual-network, azure-load-balancer

1 Answer

0 Votes
ChaitanyaNaykodiMSFT-9638 answered

Hello @BenjaminCady-7918, welcome to the Microsoft Q&A forum.

As per the documentation here, the default outbound access IP is disabled when either a public IP address is assigned to the VM or the VM is placed in the back-end pool of a standard load balancer, with or without outbound rules. As per the documentation here, the default outbound connectivity method is NOT recommended for production workloads, as it adds the risk of exhausting ports. Please refrain from using this method for production workloads to avoid potential connection failures. Adding a static or a dynamic public IP address has a nominal charge.

In your 1st scenario, the VMs with default outbound access should not lose Internet access when a VM in the same subnet is associated with a public IP address. I think there might be another issue here. Can you validate the steps mentioned below and see if they help pinpoint the issue?
1. As default outbound access utilizes default SNAT, which has limited port assignment, you can validate that ports are not exhausted.
2. Can you validate that no NSGs or UDRs are interrupting the connectivity? You can perform IP flow verify to determine the connectivity, and also use the Next Hop capability of Network Watcher.

For your 2nd scenario, the outbound connectivity will not work if you have a NAT Gateway configured on your backend pool subnet, as the default outbound access IP is disabled in this case. If this is not the case, you can try the troubleshooting steps mentioned above.

If this does not help resolve the issue, I will suggest that you create a support ticket in this case. If you do not have a support plan, please refer to my private comment below. Please let me know if you have any additional questions. Thank you!
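The two checks the answer asks for, as an added example that is not part of the thread and not Microsoft's tooling: first, classify each VM's outbound path by the rules the default outbound access document states (an instance-level public IP or Standard load balancer backend membership is per-NIC, a NAT gateway is subnet-wide), and second, evaluate an NSG the way IP flow verify reports it (lowest priority number wins, first match decides, Azure's default outbound rules at 65000/65001/65500 appended). The resource shapes and sample values are hand-constructed stand-ins for what `az network nic show` and `az network nsg rule list` would return, not captured output; the "Internet" tag match is a simplification (anything outside the VNet and RFC 1918).

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Subnet:
    name: str
    prefix: str                        # e.g. "10.0.1.0/24"
    nat_gateway: Optional[str] = None  # NAT gateway name; the only subnet-wide method


@dataclass
class Nic:
    vm: str
    subnet: Subnet
    private_ip: str
    public_ip: Optional[str] = None                           # instance-level public IP
    lb_backend_pools: List[str] = field(default_factory=list) # Standard LB pools


def outbound_method(nic: Nic) -> str:
    """Which outbound path this NIC gets, per the default outbound access doc.
    Only the NAT gateway is inherited from the subnet; public IP and backend
    pool membership belong to this NIC alone and do not affect neighbours."""
    if nic.subnet.nat_gateway:
        return f"nat-gateway:{nic.subnet.nat_gateway}"
    if nic.public_ip:
        return f"public-ip:{nic.public_ip}"
    if nic.lb_backend_pools:
        return f"standard-lb-backend:{','.join(nic.lb_backend_pools)}"
    return "default-outbound"  # Microsoft-controlled SNAT IP, limited port pool


@dataclass
class NsgRule:
    name: str
    priority: int    # 100-4096 for custom rules; lower number wins
    direction: str   # "Outbound" / "Inbound"
    access: str      # "Allow" / "Deny"
    protocol: str    # "Tcp", "Udp", "Icmp" or "*"
    dest: str        # CIDR, single IP, "Internet", "VirtualNetwork" or "*"
    dest_port: str   # "443", "1024-65535" or "*"


# Azure's built-in outbound rules; every NSG ends with these.
DEFAULT_OUTBOUND_RULES = [
    NsgRule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "*"),
    NsgRule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "Internet", "*"),
    NsgRule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*"),
]
RFC1918 = [ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _dest_matches(rule_dest: str, vnet_prefix: str, dst_ip: str) -> bool:
    ip = ip_address(dst_ip)
    if rule_dest == "*":
        return True
    if rule_dest == "VirtualNetwork":
        return ip in ip_network(vnet_prefix)
    if rule_dest == "Internet":  # simplification of the service tag
        return ip not in ip_network(vnet_prefix) and not any(ip in n for n in RFC1918)
    return ip in ip_network(rule_dest, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def ip_flow_verify(rules: List[NsgRule], vnet_prefix: str, dst_ip: str,
                   dst_port: int, protocol: str = "Tcp") -> Tuple[str, str]:
    """(access, deciding rule) for an outbound flow: first match by priority,
    which is what Network Watcher's IP flow verify reports."""
    for r in sorted(list(rules) + DEFAULT_OUTBOUND_RULES, key=lambda r: r.priority):
        if r.direction != "Outbound" or r.protocol not in ("*", protocol):
            continue
        if _dest_matches(r.dest, vnet_prefix, dst_ip) and _port_matches(r.dest_port, dst_port):
            return r.access, r.name
    return "Deny", "DenyAllOutBound"


def scenario_1() -> dict:
    """Constructed: three VMs on one subnet, vm1 is then given a public IP."""
    app = Subnet("app", "10.0.1.0/24")
    nics = [Nic("vm1", app, "10.0.1.4", public_ip="20.0.0.10"),
            Nic("vm2", app, "10.0.1.5"),
            Nic("vm3", app, "10.0.1.6")]
    return {n.vm: outbound_method(n) for n in nics}


def scenario_nsg() -> dict:
    """Constructed NSG with a custom rule that blocks HTTPS egress; the kind of
    thing step 2 of the answer is looking for."""
    custom = [NsgRule("AllowOutbound80", 100, "Outbound", "Allow", "Tcp", "Internet", "80"),
              NsgRule("DenyOutbound443", 200, "Outbound", "Deny", "Tcp", "Internet", "443")]
    return {"https": ip_flow_verify(custom, "10.0.0.0/16", "13.107.4.50", 443),
            "http": ip_flow_verify(custom, "10.0.0.0/16", "13.107.4.50", 80),
            "vnet": ip_flow_verify(custom, "10.0.0.0/16", "10.0.2.9", 443)}


if __name__ == "__main__":
    print(scenario_1())    # vm1 public-ip, vm2 and vm3 still default-outbound
    print(scenario_nsg())  # https denied by DenyOutbound443, http and vnet allowed
```

Against a live subscription the same questions are answered by `az network nic show` (public IP and backend pool fields), `az network vnet subnet show` (NAT gateway association) and `az network watcher test-ip-flow --direction Outbound`; if the offline model says "default-outbound" and the NSG allows the flow, the remaining suspects from the answer are a UDR next hop and SNAT port exhaustion, which need Next Hop and the VM's metrics respectively.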
