Hi @James Adams ,
you are right. At the moment there is no service tag for "windows update". But Microsoft is working in it:
https://feedback.azure.com/forums/217313-networking/suggestions/32260814-add-a-network-security-group-tag-for-windows-updat
We are almost done with work for this tag and it should be available early 2021.
-Allegra [MSFT]
Whatever "early 2021" means.
At the moment I see the option to use WSUS if the Azure VMs are not allowed to download updates directly from internet.
----------
(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)
Regards
Andreas Baumgarten