Hello @AZLearner-5762 ,
Yes, you can allow all outbound traffic to Azure services such as Storage Account, Key Vault, Recovery Services vault, Azure SQL, etc., by adding an outbound rule with destination = service tag and destination service tag = "AzureCloud". There is no risk in allowing this service tag because Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, minimizing the complexity of frequent updates to network security rules, providing network isolation, and protecting your Azure resources from the general Internet.
The AzureCloud service tag can be regional, which means that if you would like to access a few regional Azure public resources such as SQL, Storage, etc., you can refine your NSG to allow only those regional Azure clouds and not all.
SQL represents the Azure SQL Database, Azure Database for MySQL, Azure Database for PostgreSQL, and Azure SQL Data Warehouse services for all regions. You may add SQL to allow IP addresses for all regions, or you can select a specific regional SQL service tag as per your requirement.
You can see the list of IP addresses for the whole SQL service as well as the parts of regional SQL service here.
Hope this helps!
Kindly let us know if the above helps or you need further assistance on this issue.
Please don’t forget to "Accept the answer" wherever the information provided helps you; this can be beneficial to other community members.
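To compare how much address space each tag scope discussed in the answer above would permit in an outbound rule, the following added example (not part of the original answer, and not Microsoft code) reads a service tag file and reports which tags cover a destination and how large each tag is. The `values` / `name` / `properties.addressPrefixes` layout follows the downloadable Service Tags JSON; the sample data and its prefixes are constructed from documentation ranges, and the function names are hypothetical.

```python
import ipaddress
import json

# Constructed excerpt in the layout of the downloadable Service Tags JSON.
# Prefixes are RFC 5737 documentation ranges, not real Azure addresses.
SAMPLE = json.loads("""
{"values": [
  {"name": "AzureCloud", "properties": {"region": "",
     "addressPrefixes": ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]}},
  {"name": "AzureCloud.westeurope", "properties": {"region": "westeurope",
     "addressPrefixes": ["198.51.100.0/24"]}},
  {"name": "Sql", "properties": {"region": "",
     "addressPrefixes": ["192.0.2.0/26", "198.51.100.0/26"]}},
  {"name": "Sql.WestEurope", "properties": {"region": "westeurope",
     "addressPrefixes": ["198.51.100.0/26"]}}
]}
""")

def prefixes(doc, tag):
    """Return the parsed networks listed for one service tag (name match is case-insensitive)."""
    for entry in doc["values"]:
        if entry["name"].lower() == tag.lower():
            return [ipaddress.ip_network(p) for p in entry["properties"]["addressPrefixes"]]
    raise KeyError(tag)

def tags_covering(doc, ip):
    """Names of every tag whose prefixes contain ip, i.e. rules on those tags would match it."""
    addr = ipaddress.ip_address(ip)
    return sorted(
        e["name"] for e in doc["values"]
        if any(addr in ipaddress.ip_network(p) for p in e["properties"]["addressPrefixes"])
    )

def address_count(doc, tag):
    """Number of distinct addresses a rule on this tag allows (overlapping prefixes collapsed)."""
    nets = prefixes(doc, tag)
    total = 0
    for version in (4, 6):  # collapse_addresses rejects mixed IPv4/IPv6 input
        same = [n for n in nets if n.version == version]
        total += sum(n.num_addresses for n in ipaddress.collapse_addresses(same))
    return total

def is_subset(doc, narrow, broad):
    """True when every prefix of the narrow tag lies inside some prefix of the broad tag."""
    broad_nets = prefixes(doc, broad)
    return all(
        any(n.version == b.version and n.subnet_of(b) for b in broad_nets)
        for n in prefixes(doc, narrow)
    )
```

Pointing `json.load` at a downloaded copy of the service tag file in place of `SAMPLE` gives the same comparison for real tags.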