Share via

What azureportal service tag mean?

Ravikiran Srini 5 Reputation points
2023-04-05T17:06:02.72+00:00

What does the service tag AzurePortal, PowerBI, and marketplace mean? For example, I created an NSG that blocked access to the service tag AzurePortal. But I was able to access the Azure portal from the VM. So, what does it exactly affect? Similarly, for Power BI. Does it affect entire website access or its effects can be seen only when I import data? Here is the NSG I created: NSG

Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,498 questions

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. ChaitanyaNaykodi-MSFT 26,216 Reputation points Microsoft Employee
    2023-04-05T22:07:46.5933333+00:00

    @Ravikiran Srini Thank you for reaching out. Based on you question above I understand you want to know what service tags AzurePortal, PowerBI, and marketplace mean and what they can be used for. Firstly A service tag represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, minimizing the complexity of frequent updates to network security rules. The table listed here includes all the service tags available for use in network security group rules.

    • AzurePortal : This tag is currently not supported by NSG i.e. although you can list it in the nsg rule but it will not have the desired effect which coincides with your observation above. If you wish to block access to Azure Portal from your VM you can do it via Azure Firewall. Azure Firewall offers FQDN filtering functionality as shown here. You can also take a look at Web Categories of Azure Firewall.
    • PowerBI : This tag is supported by NSG for inbound/outbound traffic and ideally should allow/deny inbound outbound connections from the Power BI service. You can refer to the example here. Please let us know if your observation differs.
    • marketplace: Represents the entire suite of Azure 'Commercial Marketplace Experiences' services and can be used for inbound/outbound traffic.

    If it interests you, here is file containing list of Azure IP Ranges and Service Tags which is updated every week. Hope this helps! Please let us know if you have any questions. Thank you!

    0 comments
  2. Ravikiran Srini 5 Reputation points
    2023-04-06T03:34:56.8266667+00:00

    Thanks for the explanations: Here is what I found out w.r.t. the PowerBI service tag: a. When I blocked access with the Power BI service tag (higher priority) and enabled access to the Internet, I could not access the report (Expected behavior). When I remove the service tag, I was able to access the report. b. But when I enabled access with the Power BI service tag (higher priority) and blocked access to the Internet, I could not access anything. If the Power BI and the Internet service tags have separate IP ranges, I should be able to access Power BI reports, even when the Internet is blocked. So, I just want to understand how this works. Note: I dig deeper and found that some IP ranges of PowerBI service tag and Internet match. For example, 20.36.0.0/14 is an address prefix for the Internet which include a subset of IPs defined for the PowerBI service tag with the prefix 20.36.120.208/29

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.