What is Default Outbound Access?

Default Outbound Access is essentially a fallback mechanism. If a subnet did not have any explicit outbound configuration such as:

• Instance level Public IP

• NAT Gateway

• NVA/Firewall

• Load Balancer outbound rules

Azure would automatically perform Source Network Address Translation using a Microsoft managed public IP address to allow outbound internet connectivity.

This public IP was platform managed, not visible as a resource in the Azure Portal, and not directly associated with the virtual machine or its network interface.

What Is Changing?

With the upcoming API update, the defaultOutboundAccess property for subnets will be set to false by default.

This means:

• Newly created subnets will automatically be private

• No default public IP will be assigned

• Outbound access must be configured intentionally

The changes aims for:

• Improve overall network security posture

• Reduce unintended internet exposure

• Align with zero trust principles

• Prevent disruption caused by non customer owned IP changes

Impact on Existing Virtual Networks

There is no immediate impact on existing Virtual Networks or subnets.

They will continue to function as they do today.

The update only applies to newly created Virtual Networks and subnets after March 31, 2026.

That said, it is advisable for organizations to start planning explicit outbound management even for existing environments.

Applicability to Windows 365

In Windows 365, networking depends on how the environment is configured.

Microsoft Hosted Network

In this model, Cloud PCs are provisioned in a Microsoft managed network.

Customers do not manage the backend Virtual Network. There is no impact from this announcement and no action is required.

Azure Network Connection

If Windows 365 is configured using Azure Network Connection, the behavior depends on the subnet.

Existing subnets will continue to work without issue.

However, for any new subnet created in the future, outbound connectivity must be configured explicitly.

If internet routing is not defined properly:

• Azure Network Connection validation checks will fail

• Cloud PC provisioning will fail

Some services such as Windows Activation require direct internet connectivity, so proper outbound routing becomes critical.

Impact on Azure Virtual Desktop

For existing Azure Virtual Desktop environments, there is no immediate impact. Customers can continue adding virtual machines to existing host pools.

However, when creating new Virtual Networks or new subnets for expansion, outbound traffic must be explicitly managed.

Even though existing networks are unaffected, it is a good practice to proactively disable Default Outbound Access and implement controlled outbound architecture.

How to Disable Default Outbound Access

Default Outbound Access is configured at the subnet level.

To disable it for an existing subnet:

1. Navigate to the Virtual Network

2. Select the desired subnet

3. Click the checkbox to Enable the Private Subnet.

   

4. Save the configuration

Default Outbound Access should be disabled only when a controlled and explicitly designed egress path is already in place to avoid unintended loss of internet connectivity.

Managing Outbound Traffic Explicitly

Azure NAT Gateway

Azure NAT Gateway is Microsoft’s recommended solution for most outbound connectivity scenarios.

It enables secure and scalable outbound internet access while keeping virtual machines private and unreachable from inbound internet traffic.

Benefits

• Predictable static Public IP or Public IP Prefix

• No inbound exposure

• Fully managed and highly available

• Simple subnet level association

How It Works

In the depicted Topology:

DOA-VNET represents the Virtual Network
default represents the private subnet
NATgateway represents the NAT Gateway
PIP represents the Public IP Prefix

When VM sends a request to the internet, the subnet routes the traffic to the associated NAT Gateway.

The NAT Gateway translates the private IP address of the VM into a public IP address from the Public IP Prefix and sends the request to the destination.

When the response returns, the NAT Gateway validates the session using its state table and maps the response back to the original private IP address of the VM.

The VM remains private throughout the process while still having secure outbound connectivity.

Azure Firewall

Azure Firewall is a cloud native security service deployed inside a Virtual Network.

It sits between your Azure environment and the internet or on premises network to centrally inspect and control traffic.

It is suitable when you require:

• Layer 3 to Layer 7 filtering

• FQDN based rules

• Threat intelligence protection

• TLS inspection in Premium SKU

• Intrusion Detection and Prevention

Azure Firewall is available in Basic, Standard, and Premium SKUs.

Considerations

• Higher cost compared to NAT Gateway

• Possible additional latency due to inspection

• Requires proper routing configuration

Other Outbound Connectivity Options

Azure Load Balancer can provide outbound connectivity using outbound rules. In some cases, instance level Public IP addresses may also be used for direct outbound access.

However, each option should be evaluated carefully based on security, scalability, and operational requirements.

Conclusion

The upcoming change to Default Outbound Access reflects Microsoft’s continued focus on strengthening secure and intentional network design in Azure.

For many organizations, this update may have little to no impact, as explicit outbound connectivity using NAT Gateway, Azure Firewall, or other controlled methods is already a common best practice.

However, it remains a good opportunity to review existing environments, confirm there is no reliance on implicit outbound access, and ensure outbound traffic is aligned with security and governance standards.

Overall, this update reinforces structured network architecture without introducing disruption for well designed environments.

Windows 365 Business and Enterprise

Windows 365 Business and Enterprise provide a dedicated Cloud PC per user, licensed on a per-user, per-month basis.

In these models:

• Each Cloud PC is permanently assigned to a single user

• The desktop experience is persistent across sessions

• Users can securely access their Cloud PC from supported endpoints

These models are best suited for scenarios where users require a full-time, persistent virtual desktop, similar to a physical laptop or workstation.

For an official and detailed comparison between Windows 365 Business and Windows 365 Enterprise, refer to Microsoft Learn: https://learn.microsoft.com/en-us/windows-365/business-enterprise-comparison

Windows 365 Frontline Overview

Microsoft introduced Windows 365 Frontline to support organizations with shift-based or frontline workers where users do not require concurrent access.

Key characteristics of Windows 365 Frontline:

• Licenses are not permanently assigned to users

• A license is consumed only while a user session is active

• Licensing is based on concurrent usage, not total user count

This model helps organizations optimize costs in environments where multiple users access Cloud PCs across different shifts.

Example Scenario: 24/7 IT Service Desk

Consider an IT Service Desk in a organization with the following setup:

• Total administrators: 90

• Shifts: 3

• Administrators per shift: 30

• Maximum concurrent users: 30

Business / Enterprise Licensing

Using Windows 365 Business or Enterprise:

• The organization would need 90 licenses

• Each administrator receives a dedicated Cloud PC

• Licenses are required regardless of shift patterns or active usage

Frontline Licensing

Using Windows 365 Frontline:

• The organization needs only 30 Frontline licenses

• Licenses are consumed only by active sessions

• All 90 administrators can share the same license pool across shifts

Windows 365 Frontline Deployment Models

Windows 365 Frontline supports two deployment models: Dedicated and Shared.

Frontline Dedicated Model

• One Frontline license allows provisioning of up to three Cloud PCs

• Only one Frontline Cloud PC user session can be active per license at any given time

• Cloud PCs are assigned to individual users

• The desktop experience is persistent, similar to Business and Enterprise

In this scenario:

• 30 Frontline licenses can provision up to 90 Cloud PCs

• A maximum of 30 users can be signed in concurrently

• Additional sign-ins are not possible until an active session ends and a license becomes available

This model is suitable for shift-based users who still require a persistent desktop experience.

Frontline Shared Model

• Cloud PCs are provisioned as a shared pool

• Cloud PCs are not assigned to specific users

• Users are assigned via an Entra ID group

• At sign-in, users are connected to an available Cloud PC

• At sign-out, the Cloud PC is signed out and returned to its original state

This model behaves like a non-persistent virtual desktop environment:

• User-specific data and local changes are not retained by default

• Each session starts with a clean environment

User Experience Sync

Microsoft has introduced User Experience Sync to improve usability in Windows 365 Frontline Shared environments.

User Experience Sync:

• Preserves user settings and profile experience

• Does not provide full desktop persistence

• Enhances user continuity without changing the non-persistent nature of shared Cloud PCs

A detailed technical discussion on User Experience Sync can be covered in a separate article.

Conclusion

• Windows 365 Business / Enterprise
  Best suited for users who require a full-time, persistent Cloud PC without dependency on shift-based usage.

• Windows 365 Frontline Dedicated
  Suitable for shift-based users who need a persistent desktop while optimizing licensing costs through concurrency.

• Windows 365 Frontline Shared
  Appropriate when users require temporary access to applications or corporate resources and full user data persistence is not required.

This article is based on publicly available Microsoft documentation and personal experience. It does not represent official Microsoft guidance.

Azure Virtual Desktop (AVD), previously known as Windows Virtual Desktop, is Microsoft’s platform for delivering virtualized desktops and applications. With AVD, organizations can publish individual applications using RemoteApp or provide users with a complete virtual desktop experience.

Windows 365 takes a different approach. It is a SaaS-based desktop solution that integrates directly with Microsoft Intune. The goal of Windows 365 is to simplify virtual desktop delivery by reducing infrastructure design, operational overhead, and ongoing management effort for IT teams.

Both solutions address similar use cases but are built on very different models. Choosing between them depends on how much control, flexibility, and operational responsibility a business wants to take on.

Azure Virtual Desktop (AVD)

Azure Virtual Desktop offers organizations full control over how their virtual desktop environment is designed and operated. Depending on business needs, AVD can be configured to deliver only specific applications or full desktops, using either persistent or non-persistent session hosts.

A key capability of AVD is support for Windows 10 and Windows 11 multi-session, which is available exclusively in Azure. Multi-session allows multiple users to connect to a single Windows client virtual machine, helping organizations reduce costs while maintaining a familiar end-user experience.

This capability is particularly useful for application virtualization scenarios, where multiple users need access to the same set of client-based applications.

Advantages

• High level of control over infrastructure and configuration

• Flexible design aligned with specific business requirements

• Support for persistent and non-persistent desktops

• Ability to leverage Windows 10/11 multi-session for better cost efficiency

Limitations

• Larger deployments can become complex to design and manage

• Cost optimization depends heavily on correct scaling and capacity planning

Windows 365

Windows 365 is a SaaS VDI solution where desktops referred to as Cloud PCs are provisioned and managed through Microsoft Intune. Unlike AVD, Windows 365 focuses on simplicity and consistency rather than infrastructure customization.

There are two main deployment approaches:

1. Microsoft-hosted configuration

   • Uses standard marketplace images

   • Networking and infrastructure are fully managed by Microsoft

2. Customer-managed networking configuration

   • Allows the use of custom images

   • Azure virtual networks and subnets are managed by the customer

In both cases, the Cloud PC itself runs on Azure infrastructure hosted within Microsoft-managed Azure subscriptions. As a result, administrators do not have direct access to the underlying virtual machines through the Azure portal. Instead, all management actions such as restart, reprovision, and monitoring are performed via the Intune admin center.

Cloud PCs are typically created by assigning a Windows 365 license to a user. Licensing follows a fixed, per-user monthly pricing model, making cost forecasting straightforward.

Microsoft continues to expand the Windows 365 ecosystem with features such as:

• Frontline editions for shift-based workers

• Windows 365 Cloud Apps

• Windows 365 Link devices designed for Cloud PC access

These capabilities open up additional use cases that are worth exploring separately.

Advantages

• Simplified deployment and administration

• Rapid provisioning of Cloud PCs

• Predictable and transparent pricing

Limitations

• Reduced flexibility compared to Azure Virtual Desktop

• Limited visibility and control over the underlying infrastructure

Conclusion

Azure Virtual Desktop and Windows 365 are both powerful solutions, but they are designed with different priorities in mind. AVD is best suited for organizations that require maximum flexibility and control, while Windows 365 is ideal for those looking for simplicity, speed, and predictable costs.

Understanding the customer’s requirements such as scalability, management overhead, and cost model is the key factor in selecting the right solution