[WIP] configure default_outbound_access_enabled property for upcoming azure changes in March 2026 #4757
Unit Test Results: 0 tests, 0 ✅, 0s ⏱️. Results for commit 309a8cc. ♻️ This comment has been updated with latest results.

@JC-wk not sure we need this as we use route tables with UDRs... "Add a Firewall or Network Virtual Appliance (NVA) to your virtual network and point traffic to it using a User Defined Route (UDR)." We need to check all core subnets have route tables defined. Thoughts?

@marrobi it would only be needed on the subnets that explicitly need outbound access from the March 2026 date, yes; however, nothing is changing on the pre-existing subnets but the default will change. This could create a difference between old and new subnets (not sure how Terraform will handle that, but the default is to allow public outbound by default currently). I feel that it would be better to set it explicitly, which also has an added benefit of making the Terraform easier to understand (for me at least). E.g. will new firewall deployments break if this is not set to true?

Edit: I don't think so, due to using public IP, and the default is probably not changing in Terraform.

@JC-wk it should probably be disabled on subnets with UDRs configured. All traffic should be going out via the firewall.

Ah. OK, that's what you are doing in the PR?

I am not sure if the Terraform default will change in line with the Azure defaults, because default_outbound_access_enabled defaults to true at the moment. So it's possible nothing will change with Terraform-deployed subnets. However, I think the TRE should align with the Microsoft best practice to disable the public outbound access option where it is not needed.

The aim is to set all subnets that route towards the firewall as default_outbound_access_enabled = false (this is not the current default in Azure, but will be for new subnets from March; however, Terraform may still default to public access).

The firewall was probably a bad example, as anything with a public IP associated should continue to work based on the table given, so the firewall probably doesn't need the default outbound access, but some of the other subnets may.

It's ticking this box when you set it to false, with the exception of the ones having public IP addresses, which may still be able to be set to false. The ones with the route table should be set to false and the ones without should be set to true.

Public IPs

I will set everything to private in my dev environment and see what happens.
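
The rule proposed in the thread (subnets with a route table set to false, subnets without set to true, every subnet set explicitly) can be checked mechanically. The following is an added example, not part of the PR or the project's code: it assumes the `configuration` section of `terraform show -json` output as input, and the subnet names and helper functions are constructed for illustration.

```python
# Audit azurerm_subnet resources in a Terraform plan's "configuration" section
# against the rule discussed in this thread.

def subnet(name, outbound=None):
    """Constructed sample resource; outbound=None means the property is not set."""
    expr = {} if outbound is None else {
        "default_outbound_access_enabled": {"constant_value": outbound}}
    return {"address": f"azurerm_subnet.{name}", "type": "azurerm_subnet",
            "expressions": expr}

def association(name):
    """Constructed sample azurerm_subnet_route_table_association for a subnet."""
    refs = [f"azurerm_subnet.{name}.id", f"azurerm_subnet.{name}"]
    return {"address": f"azurerm_subnet_route_table_association.{name}",
            "type": "azurerm_subnet_route_table_association",
            "expressions": {"subnet_id": {"references": refs}}}

# Constructed sample plan, trimmed to the fields the audit reads.
SAMPLE = {"configuration": {"root_module": {"resources": [
    subnet("services", False), association("services"),  # compliant
    subnet("webapps"), association("webapps"),           # property not set
    subnet("legacy", True), association("legacy"),       # UDR but still enabled
    subnet("isolated", False),                           # no UDR, disabled
]}}}

def audit_module(module, prefix=""):
    """Return {subnet address: finding} for a module and its child modules."""
    resources = module.get("resources", [])
    # Addresses referenced by any route table association in this module.
    routed = {ref for r in resources
              if r["type"] == "azurerm_subnet_route_table_association"
              for ref in r.get("expressions", {}).get("subnet_id", {})
                          .get("references", [])}
    findings = {}
    for r in (r for r in resources if r["type"] == "azurerm_subnet"):
        setting = r.get("expressions", {}).get("default_outbound_access_enabled", {})
        value = setting.get("constant_value")  # None: unset or not a literal
        has_udr = r["address"] in routed
        if value is None:
            findings[prefix + r["address"]] = "not set explicitly"
        elif has_udr and value:
            findings[prefix + r["address"]] = "route table attached, default outbound enabled"
        elif not has_udr and not value:
            findings[prefix + r["address"]] = "no route table, default outbound disabled"
    for name, call in module.get("module_calls", {}).items():
        findings.update(audit_module(call.get("module", {}), f"{prefix}module.{name}."))
    return findings

def audit_plan(plan):
    return audit_module(plan["configuration"]["root_module"])
```

An association declared in a different module than its subnet (passed through a module output) is not resolved here, so such a subnet is reported as having no route table and needs a manual look.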


Resolves #4706
Why Draft
To enable discussion before time has been spent reviewing all of the required subnets.
There are many subnets and each one should have the default_outbound_access_enabled property specified. I have made a start with the base workspace and will update others as time allows (contributions welcome).
What is being addressed
Subnets now show a banner relating to default outbound access.
Specifying default_outbound_access_enabled explicitly will also make it clear which subnets go directly out to the internet (if any).
How is this addressed