@Andy Yang Thanks for reaching out to Microsoft Q&A, and apologies for any inconvenience caused.
Based on the shared information, I understand that you want to create an access restriction rule, using Service Tags, so that your Azure DevOps pipelines running anywhere in the world can access the App Service.
A service tag represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, minimizing the complexity of frequent updates to network security rules.
To achieve your requirement of restricting inbound access to the App Service from Azure DevOps pipelines, you can create an access restriction rule using the Service Tag AzureDevOps, which restricts inbound traffic only; this service tag also supports regional restrictions.
Refer to this documentation for more information about Service Tags and also Available Service Tags.
If I create an Access Restriction allowing incoming traffic based on the 'AzureCloud' service tag - will that encompass any possible Microsoft-hosted agent from ADO?
If you use the Service Tag AzureCloud, this means that your resource can be accessed from all datacenter public IPs, in either direction, inbound or outbound.
We have experimented with adding individual CIDR ranges from the weekly JSON file where we would only use the ranges defined for "AzureCloud.eastus2". If we created a rule by service tag, is that going to be for all AzureCloud hosts around the world? Or just whatever region our organization is defined in?
AzureCloud.eastus2 means that you are allowing only eastus2 datacenter public IPs to access your resource.
Feel free to reach back to me if you have any further questions on this.
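The thread above contrasts the global AzureCloud tag, a regional tag such as AzureCloud.eastus2, and the AzureDevOps tag, and mentions pulling CIDR ranges from the weekly service tag JSON. The following is an added example (not code from the original thread or from Microsoft) that parses a document in the shape of that weekly "Azure IP Ranges and Service Tags" file and checks whether a given source IP falls inside a tag's prefixes, so you can see which tag would admit a particular agent address before committing to an access restriction rule. The embedded JSON is a constructed sample: its prefixes are documentation ranges, not real Azure addresses, and the function names are my own.

```python
import ipaddress
import json

# Constructed sample in the shape of the weekly "Azure IP Ranges and Service Tags"
# JSON. The real file carries thousands of prefixes; these are RFC 5737 / RFC 3849
# documentation ranges used purely as placeholders.
SAMPLE_SERVICE_TAGS_JSON = """
{
  "changeNumber": 1,
  "cloud": "Public",
  "values": [
    {"name": "AzureCloud",
     "properties": {"region": "", "systemService": "",
                    "addressPrefixes": ["203.0.113.0/24", "198.51.100.0/24", "2001:db8:1::/48"]}},
    {"name": "AzureCloud.eastus2",
     "properties": {"region": "eastus2", "systemService": "",
                    "addressPrefixes": ["203.0.113.0/24", "2001:db8:1::/48"]}},
    {"name": "AzureDevOps",
     "properties": {"region": "", "systemService": "AzureDevOps",
                    "addressPrefixes": ["198.51.100.0/26"]}}
  ]
}
"""


def load_sample() -> dict:
    """Parse the embedded sample document (replace with the downloaded weekly file in practice)."""
    return json.loads(SAMPLE_SERVICE_TAGS_JSON)


def load_prefixes(doc: dict, tag: str) -> list:
    """Return the address prefixes listed under a service tag as ip_network objects.

    Tag names in the file are case-sensitive in spelling but we match case-insensitively
    so 'AzureCloud.EastUS2' and 'AzureCloud.eastus2' resolve to the same entry.
    """
    for entry in doc["values"]:
        if entry["name"].lower() == tag.lower():
            return [ipaddress.ip_network(p) for p in entry["properties"]["addressPrefixes"]]
    raise KeyError(f"service tag {tag!r} not present in this document")


def tag_allows(doc: dict, tag: str, ip: str) -> bool:
    """True if the given source IP falls inside any prefix of the tag."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in load_prefixes(doc, tag))


def compare_tags(doc: dict, tags: list, ip: str) -> dict:
    """Evaluate one source IP against several candidate tags at once."""
    return {tag: tag_allows(doc, tag, ip) for tag in tags}


def prefixes_only_in(doc: dict, broad_tag: str, narrow_tag: str) -> set:
    """Prefixes admitted by the broad tag (e.g. AzureCloud) but not by the narrow one
    (e.g. AzureCloud.eastus2): the extra exposure you accept by choosing the broad tag."""
    broad = {str(n) for n in load_prefixes(doc, broad_tag)}
    narrow = {str(n) for n in load_prefixes(doc, narrow_tag)}
    return broad - narrow


if __name__ == "__main__":
    doc = load_sample()
    candidate = "198.51.100.10"  # hypothetical hosted-agent source address
    print(compare_tags(doc, ["AzureCloud", "AzureCloud.eastus2", "AzureDevOps"], candidate))
    print("extra prefixes in AzureCloud vs AzureCloud.eastus2:",
          sorted(prefixes_only_in(doc, "AzureCloud", "AzureCloud.eastus2")))
```

Run against the real weekly file, `prefixes_only_in` makes the trade-off in the thread concrete: the regional tag is a subset of the global one, so a rule on AzureCloud.eastus2 admits strictly fewer addresses than AzureCloud, while AzureDevOps is narrower again and scoped to the Azure DevOps service rather than to a datacenter. Whichever tag you settle on, creating the rule by tag (in the portal or with `az webapp config access-restriction add --service-tag ...`) means Microsoft maintains the prefixes for you, which is the whole point of the tag over hand-copied CIDRs.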