configure default_outbound_access_enabled property for upcoming azure changes in March 2026 (#4757)

JC-wk · web-flow · commit 6c53cdeddc70 · 2026-03-10T09:43:39.000Z
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,7 +1,8 @@
 <!-- markdownlint-disable MD041 -->
 ## (Unreleased)
 
-* _No changes yet_
+ENHANCEMENTS:
+* Specify default_outbound_access_enabled = false setting for all subnets ([#4757](https://github.com/microsoft/AzureTRE/pull/4757))
 
 ## (0.28.0) (March 2, 2026)
 **BREAKING CHANGES**
diff --git a/core/terraform/network/network.tf b/core/terraform/network/network.tf
@@ -7,15 +7,17 @@ resource "azurerm_virtual_network" "core" {
   lifecycle { ignore_changes = [tags] }
 
   subnet {
-    name             = "AzureBastionSubnet"
-    address_prefixes = [local.bastion_subnet_address_prefix]
-    security_group   = azurerm_network_security_group.bastion.id
+    name                            = "AzureBastionSubnet"
+    address_prefixes                = [local.bastion_subnet_address_prefix]
+    security_group                  = azurerm_network_security_group.bastion.id
+    default_outbound_access_enabled = false
   }
 
   subnet {
-    name             = "AzureFirewallSubnet"
-    address_prefixes = [local.firewall_subnet_address_space]
-    route_table_id   = var.firewall_force_tunnel_ip != "" ? azurerm_route_table.fw_tunnel_rt[0].id : null
+    name                            = "AzureFirewallSubnet"
+    address_prefixes                = [local.firewall_subnet_address_space]
+    route_table_id                  = var.firewall_force_tunnel_ip != "" ? azurerm_route_table.fw_tunnel_rt[0].id : null
+    default_outbound_access_enabled = false
   }
 
   subnet {
@@ -24,6 +26,7 @@ resource "azurerm_virtual_network" "core" {
     private_endpoint_network_policies             = "Disabled"
     private_link_service_network_policies_enabled = true
     security_group                                = azurerm_network_security_group.app_gw.id
+    default_outbound_access_enabled               = false
   }
 
   subnet {
@@ -33,6 +36,7 @@ resource "azurerm_virtual_network" "core" {
     private_link_service_network_policies_enabled = true
     security_group                                = azurerm_network_security_group.default_rules.id
     route_table_id                                = azurerm_route_table.rt.id
+    default_outbound_access_enabled               = false
 
     delegation {
       name = "delegation"
@@ -50,6 +54,7 @@ resource "azurerm_virtual_network" "core" {
     private_endpoint_network_policies = "Disabled"
     security_group                    = azurerm_network_security_group.default_rules.id
     route_table_id                    = azurerm_route_table.rt.id
+    default_outbound_access_enabled   = false
   }
 
   subnet {
@@ -58,6 +63,7 @@ resource "azurerm_virtual_network" "core" {
     private_endpoint_network_policies = "Disabled"
     security_group                    = azurerm_network_security_group.default_rules.id
     route_table_id                    = azurerm_route_table.rt.id
+    default_outbound_access_enabled   = false
   }
 
   subnet {
@@ -66,6 +72,7 @@ resource "azurerm_virtual_network" "core" {
     private_endpoint_network_policies = "Disabled"
     security_group                    = azurerm_network_security_group.default_rules.id
     route_table_id                    = azurerm_route_table.rt.id
+    default_outbound_access_enabled   = false
 
     delegation {
       name = "delegation"
@@ -84,7 +91,7 @@ resource "azurerm_virtual_network" "core" {
     address_prefixes                  = [local.airlock_notifications_subnet_address_prefix]
     private_endpoint_network_policies = "Disabled"
     security_group                    = azurerm_network_security_group.default_rules.id
-
+    default_outbound_access_enabled   = false
     delegation {
       name = "delegation"
 
@@ -102,6 +109,7 @@ resource "azurerm_virtual_network" "core" {
     private_endpoint_network_policies = "Disabled"
     security_group                    = azurerm_network_security_group.default_rules.id
     route_table_id                    = azurerm_route_table.rt.id
+    default_outbound_access_enabled   = false
   }
 
   subnet {
@@ -110,13 +118,15 @@ resource "azurerm_virtual_network" "core" {
     private_endpoint_network_policies = "Disabled"
     security_group                    = azurerm_network_security_group.default_rules.id
     route_table_id                    = azurerm_route_table.rt.id
+    default_outbound_access_enabled   = false
 
     service_endpoints = ["Microsoft.ServiceBus"]
   }
 
   subnet {
-    name             = "AzureFirewallManagementSubnet"
-    address_prefixes = [local.firewall_management_subnet_address_prefix]
+    name                            = "AzureFirewallManagementSubnet"
+    address_prefixes                = [local.firewall_management_subnet_address_prefix]
+    default_outbound_access_enabled = false
   }
 }
 
diff --git a/core/version.txt b/core/version.txt
@@ -1 +1 @@
-__version__ = "0.16.15"
+__version__ = "0.16.16"
diff --git a/templates/shared_services/databricks-auth/terraform/network.tf b/templates/shared_services/databricks-auth/terraform/network.tf
@@ -9,10 +9,11 @@ resource "azurerm_virtual_network" "ws" {
 }
 
 resource "azurerm_subnet" "host" {
-  name                 = local.host_subnet_name
-  resource_group_name  = local.resource_group_name
-  virtual_network_name = azurerm_virtual_network.ws.name
-  address_prefixes     = [local.host_subnet_address_space]
+  name                            = local.host_subnet_name
+  resource_group_name             = local.resource_group_name
+  virtual_network_name            = azurerm_virtual_network.ws.name
+  address_prefixes                = [local.host_subnet_address_space]
+  default_outbound_access_enabled = false
 
   delegation {
     name = "db-host-vnet-integration"
@@ -29,10 +30,11 @@ resource "azurerm_subnet" "host" {
 }
 
 resource "azurerm_subnet" "container" {
-  name                 = local.container_subnet_name
-  resource_group_name  = local.resource_group_name
-  virtual_network_name = azurerm_virtual_network.ws.name
-  address_prefixes     = [local.container_subnet_address_space]
+  name                            = local.container_subnet_name
+  resource_group_name             = local.resource_group_name
+  virtual_network_name            = azurerm_virtual_network.ws.name
+  address_prefixes                = [local.container_subnet_address_space]
+  default_outbound_access_enabled = false
 
   delegation {
     name = "db-container-vnet-integration"
diff --git a/templates/workspace_services/azureml/porter.yaml b/templates/workspace_services/azureml/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-service-azureml
-version: 1.1.3
+version: 1.1.4
 description: "An Azure TRE service for Azure Machine Learning"
 registry: azuretre
 dockerfile: Dockerfile.tmpl
diff --git a/templates/workspace_services/azureml/terraform/network.tf b/templates/workspace_services/azureml/terraform/network.tf
@@ -61,10 +61,11 @@ resource "azapi_resource" "aml_service_endpoint_policy" {
 }
 
 resource "azurerm_subnet" "aml" {
-  name                 = "AMLSubnet${local.short_service_id}"
-  virtual_network_name = data.azurerm_virtual_network.ws.name
-  resource_group_name  = data.azurerm_virtual_network.ws.resource_group_name
-  address_prefixes     = [var.address_space]
+  name                            = "AMLSubnet${local.short_service_id}"
+  virtual_network_name            = data.azurerm_virtual_network.ws.name
+  resource_group_name             = data.azurerm_virtual_network.ws.resource_group_name
+  address_prefixes                = [var.address_space]
+  default_outbound_access_enabled = false
 
   # need to be disabled for AML private compute
   private_endpoint_network_policies             = "Disabled"
diff --git a/templates/workspace_services/databricks/porter.yaml b/templates/workspace_services/databricks/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-service-databricks
-version: 1.0.15
+version: 1.0.16
 description: "An Azure TRE service for Azure Databricks."
 registry: azuretre
 dockerfile: Dockerfile.tmpl
diff --git a/templates/workspace_services/databricks/terraform/network.tf b/templates/workspace_services/databricks/terraform/network.tf
@@ -88,10 +88,11 @@ resource "azurerm_network_security_group" "nsg" {
 }
 
 resource "azurerm_subnet" "host" {
-  name                 = local.host_subnet_name
-  resource_group_name  = data.azurerm_resource_group.ws.name
-  virtual_network_name = data.azurerm_virtual_network.ws.name
-  address_prefixes     = [local.host_subnet_address_space]
+  name                            = local.host_subnet_name
+  resource_group_name             = data.azurerm_resource_group.ws.name
+  virtual_network_name            = data.azurerm_virtual_network.ws.name
+  address_prefixes                = [local.host_subnet_address_space]
+  default_outbound_access_enabled = false
 
   delegation {
     name = "db-host-vnet-integration"
@@ -108,10 +109,11 @@ resource "azurerm_subnet" "host" {
 }
 
 resource "azurerm_subnet" "container" {
-  name                 = local.container_subnet_name
-  resource_group_name  = data.azurerm_resource_group.ws.name
-  virtual_network_name = data.azurerm_virtual_network.ws.name
-  address_prefixes     = [local.container_subnet_address_space]
+  name                            = local.container_subnet_name
+  resource_group_name             = data.azurerm_resource_group.ws.name
+  virtual_network_name            = data.azurerm_virtual_network.ws.name
+  address_prefixes                = [local.container_subnet_address_space]
+  default_outbound_access_enabled = false
 
   delegation {
     name = "db-container-vnet-integration"
diff --git a/templates/workspace_services/ohdsi/porter.yaml b/templates/workspace_services/ohdsi/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-workspace-service-ohdsi
-version: 0.3.6
+version: 0.3.7
 description: "An OHDSI workspace service"
 registry: azuretre
 dockerfile: Dockerfile.tmpl
diff --git a/templates/workspace_services/ohdsi/terraform/atlas_database.tf b/templates/workspace_services/ohdsi/terraform/atlas_database.tf
@@ -100,10 +100,11 @@ resource "azurerm_network_security_group" "postgres" {
 }
 
 resource "azurerm_subnet" "postgres" {
-  name                 = "PostgreSQLSubnet${local.short_service_id}"
-  virtual_network_name = data.azurerm_virtual_network.ws.name
-  resource_group_name  = data.azurerm_resource_group.ws.name
-  address_prefixes     = [var.address_space]
+  name                            = "PostgreSQLSubnet${local.short_service_id}"
+  virtual_network_name            = data.azurerm_virtual_network.ws.name
+  resource_group_name             = data.azurerm_resource_group.ws.name
+  address_prefixes                = [var.address_space]
+  default_outbound_access_enabled = false
 
   delegation {
     name = "psql-delegation"
diff --git a/templates/workspaces/airlock-import-review/porter.yaml b/templates/workspaces/airlock-import-review/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-workspace-airlock-import-review
-version: 0.14.8
+version: 0.14.9
 description: "A workspace to do Airlock Data Import Reviews for Azure TRE"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
diff --git a/templates/workspaces/base/porter.yaml b/templates/workspaces/base/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-workspace-base
-version: 2.8.2
+version: 2.8.3
 description: "A base Azure TRE workspace"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
diff --git a/templates/workspaces/base/terraform/network/network.tf b/templates/workspaces/base/terraform/network/network.tf
@@ -16,6 +16,7 @@ resource "azurerm_subnet" "services" {
   # notice that private endpoints do not adhere to NSG rules
   private_endpoint_network_policies             = "Disabled"
   private_link_service_network_policies_enabled = true
+  default_outbound_access_enabled               = false
 }
 
 resource "azurerm_subnet" "webapps" {
@@ -26,6 +27,7 @@ resource "azurerm_subnet" "webapps" {
   # notice that private endpoints do not adhere to NSG rules
   private_endpoint_network_policies             = "Disabled"
   private_link_service_network_policies_enabled = true
+  default_outbound_access_enabled               = false
 
   delegation {
     name = "delegation"
diff --git a/templates/workspaces/unrestricted/porter.yaml b/templates/workspaces/unrestricted/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-workspace-unrestricted
-version: 0.13.6
+version: 0.13.7
 description: "A base Azure TRE workspace"
 dockerfile: Dockerfile.tmpl
 registry: azuretre

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-__version__ = "0.16.15"`
	`1`	`+__version__ = "0.16.16"`