An Azure network security service that is used to protect Azure Virtual Network resources.
Hello Pittl Benedikt, welcome to Microsoft Q&A.
To directly answer your question: No, you do not need to explicitly enable default outbound access for the AzureFirewallManagementSubnet. It is fully supported and recommended to operate it as a private subnet (defaultOutboundAccess = false).
The March 31, 2026 retirement of Default Outbound Access (DOA) specifically targets Infrastructure-as-a-Service (IaaS) Virtual Machines that rely on implicit SNAT to reach the internet.
Azure Firewall, however, is a managed PaaS service. When you configure the AzureFirewallManagementSubnet (typically required for forced tunneling scenarios or Basic SKU firewalls), the firewall configuration strictly requires you to associate a dedicated Management Public IP address with it. Because the management traffic utilizes this explicit Public IP to communicate with the Azure control plane, it does not rely on or utilize the VM-style implicit "default outbound access" mechanism.
Therefore, setting the subnet to private has no negative impact on the Azure Firewall's ability to manage itself.
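The distinction drawn in the answer above, as an added example that is not part of the original answer or any Microsoft tooling: a small Python audit that sorts subnets by how they relate to default outbound access. It assumes subnet JSON shaped like `az network vnet subnet list -o json` output with the `defaultOutboundAccess` and `natGateway` properties; the sample data, the workload subnet names and the category labels are constructed for illustration.

```python
import json

MGMT_SUBNET = "AzureFirewallManagementSubnet"

# Constructed sample shaped like `az network vnet subnet list -o json`,
# trimmed to the two fields used here. Workload names and the NAT gateway
# ID are placeholders.
SAMPLE = json.loads("""
[
  {"name": "AzureFirewallManagementSubnet", "natGateway": null},
  {"name": "workload-a", "defaultOutboundAccess": true, "natGateway": null},
  {"name": "workload-b", "natGateway": {"id": "<placeholder-nat-gateway-id>"}},
  {"name": "workload-c", "defaultOutboundAccess": false, "natGateway": null}
]
""")


def classify(subnet):
    """Return one label per subnet (labels are this example's own)."""
    # Only an explicit false marks the subnet private; a missing or null
    # property is treated here as "not explicitly private" (assumption).
    if subnet.get("defaultOutboundAccess") is False:
        return "private"
    # Per the answer above: the management subnet uses the firewall's
    # dedicated management public IP, so it can be switched to private.
    if subnet["name"] == MGMT_SUBNET:
        return "can-be-private"
    # A NAT gateway is an explicit outbound method for the subnet.
    if subnet.get("natGateway"):
        return "explicit-nat"
    # Anything else may host VMs relying on implicit SNAT. Instance-level
    # public IPs, load balancer outbound rules and routes are not visible
    # in this JSON, so this is a prompt to review, not a verdict.
    return "review"


def audit(subnets):
    return {s["name"]: classify(s) for s in subnets}


if __name__ == "__main__":
    for name, label in audit(SAMPLE).items():
        print(f"{label:15} {name}")
```

Subnets labelled `review` are the ones to check for VMs without an explicit outbound method before the retirement date mentioned in the answer.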