Commit 5a0d229

Update default-outbound-access.md
Add detail around impact of UDRs with next hop type Internet in Private subnets
1 parent 0ece87e commit 5a0d229

1 file changed

+9
-1
lines changed

articles/virtual-network/ip-services/default-outbound-access.md

Lines changed: 9 additions & 1 deletion
@@ -159,7 +159,15 @@ az network vnet subnet update --resource-group rgname --name subnetname --vnet-n
159159

160160
* To activate or update virtual machine operating systems, such as Windows, an explicit outbound connectivity method is required.
161161

162-
* In configurations using a User Defined Route (UDR) with a default route (0.0.0.0/0) that sends traffic to an upstream firewall/network virtual appliance, any traffic that bypasses this route (for example, to Service Tagged destinations) breaks in a Private subnet.
162+
* In configurations using User Defined Routes (UDRs), any configured routes with [next hop type `Internet`](../virtual-networks-udr-overview.md#next-hop-types-across-azure-tools) will break in a Private subnet.
163+
164+
* A common example is the use of a UDRs to steer traffic to an upstream network virtual appliance/firewall, with exceptions for certain Azure Service Tags to bypass inspection.
165+
166+
* A default route for the destination 0.0.0.0/0, with a next hop type of Virtual Appliance applies in the general case.
167+
168+
* One or more routes are configured to [Service Tag destinations](../virtual-networks-udr-overview.md#service-tags-for-user-defined-routes) with next hop type `Internet`, to bypass the NVA/firewall. Unless an [explicit outbound connectivity method](#add-an-explicit-outbound-connectivity-method) is also configured for the source of the connection to these destinations, attempts to connection to these destinations will fail, because defaullt outbound access is not available.
169+
170+
* This limitation does not apply to the use of Service Endpoints, which use a different next hop type `VirtualNetworkServiceEndpoint`. See [Virtual Network service endpoints](../virtual-network-service-endpoints-overview.md).
163171

164172
* Private Subnets aren't applicable to delegated or managed subnets used for hosting PaaS services. In these scenarios, outbound connectivity is managed by the individual service.
165173
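Review bot: the added line 168 has two wording defects that should be fixed before merge: "attempts to connection to these destinations" should read "attempts to connect to these destinations", and "defaullt outbound access" should read "default outbound access". Line 164 also has "the use of a UDRs", which should be "the use of UDRs" (or "a UDR"). On substance, the new lead bullet at 162 says routes with next hop type `Internet` "will break", but the precise behaviour is only stated two bullets later at 168 (connections matching those routes fail unless an explicit outbound connectivity method is configured for the source); consider carrying that qualifier into 162, e.g. "any configured routes with next hop type `Internet` will fail in a Private subnet unless an explicit outbound connectivity method is configured", so a reader who stops at the first bullet is not left thinking the route itself is rejected. The clarification at 170 that Service Endpoints (`VirtualNetworkServiceEndpoint`) are unaffected is a useful addition, since the removed line 162 could be read as implying every bypass of the 0.0.0.0/0 route is broken.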
