Use service tags to restrict access to Azure Sphere Security Service

Azure Sphere devices communicate with the Azure Sphere Security Service (AS3) over the public Internet to provide continuous, renewable security. You can restrict access to AS3 from your resources or Azure Sphere devices by using the service tag name AzureSphere as the source or destination of a security rule that allows or denies traffic for the service.

A service tag represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, minimizing the complexity of frequent updates to network security rules. Service tags are available for network security groups or Azure Firewall.

Restrict virtual network access with a service tag

  1. Log in to your Azure account.

  2. In your Azure dashboard, enter "Network security groups" in the search box at the top of the page.

  3. In Network security groups, select an existing group, or select Create to create a new one. If you have created a new network security group, click Go to resource after it is deployed.

  4. To restrict access on inbound addresses:

    a. Select Inbound security rules, then Add.

    b. In Add inbound security rule, set Source to Service Tag and Source service tag to AzureSphere.

    c. Set Destination to Any.

    d. Set the rest of the fields as needed. We recommend that you leave Protocol set to Any.

  5. To restrict access on outbound addresses:

    a. Select Outbound security rules, then Add.

    b. In Add outbound security rule, set Source to Any.

    c. Set Destination to Service Tag and set Destination service tag to AzureSphere.

    d. Set the rest of the fields as needed. We recommend that you leave Protocol set to Any.
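The same two rules expressed as Azure CLI commands, added here as an example rather than taken from the Azure Sphere documentation. It assumes a resource group named my-resource-group, an existing network security group named sphere-nsg (step 3 above), the region westus2 and rule priority 100; all of these are placeholders, while the tag name AzureSphere is the one the page gives. By default the functions only print the commands so they can be reviewed; they run them only when APPLY=1 is set and you are signed in with az login. A third command queries the service tag discovery API so you can see which address prefixes the tag currently resolves to in that region.

```shell
#!/bin/sh
# Added example, not from the Azure Sphere documentation: the Azure CLI
# equivalent of the portal steps above. Resource group, NSG name, region and
# rule priorities are assumed placeholders; "AzureSphere" is the tag the page names.
RG="${RG:-my-resource-group}"       # assumption: your resource group
NSG="${NSG:-sphere-nsg}"            # assumption: an existing network security group
LOCATION="${LOCATION:-westus2}"     # assumption: region used for the tag lookup
TAG="AzureSphere"                   # service tag from the page
IN_PRIORITY="${IN_PRIORITY:-100}"   # assumption: NSG rule priorities (100-4096)
OUT_PRIORITY="${OUT_PRIORITY:-100}"

# Two "runners": one prints the command line for review, the other executes it.
echo_cmd() { printf '%s ' "$@"; printf '\n'; }
exec_cmd() { "$@"; }

# Build one NSG rule and hand it to a runner.
#   $1 = Inbound | Outbound      $2 = echo_cmd | exec_cmd
# Inbound:  Source = service tag AzureSphere, Destination = Any (portal step 4).
# Outbound: Source = Any, Destination = service tag AzureSphere (portal step 5).
# A service tag goes in the address-prefix fields; Protocol stays '*' (Any),
# as the page recommends. Positional parameters stand in for an array (POSIX sh).
sphere_rule_cmd() {
  runner="$2"
  case "$1" in
    Inbound)
      set -- --name AllowInFromAzureSphere --priority "$IN_PRIORITY" \
             --direction Inbound --source-address-prefixes "$TAG" \
             --destination-address-prefixes '*' ;;
    Outbound)
      set -- --name AllowOutToAzureSphere --priority "$OUT_PRIORITY" \
             --direction Outbound --source-address-prefixes '*' \
             --destination-address-prefixes "$TAG" ;;
    *) echo "usage: sphere_rule_cmd Inbound|Outbound echo_cmd|exec_cmd" >&2; return 1 ;;
  esac
  "$runner" az network nsg rule create --resource-group "$RG" --nsg-name "$NSG" \
     --access Allow --protocol '*' --source-port-ranges '*' \
     --destination-port-ranges '*' "$@"
}

# Show the IP prefixes the tag currently resolves to in a region (service tag
# discovery API), so you can confirm what the rule will actually match.
sphere_tag_prefixes_cmd() {
  "$1" az network list-service-tags --location "$LOCATION" \
     --query "values[?name=='$TAG'].properties.addressPrefixes" -o tsv
}

# Review first; apply with exec_cmd only when APPLY=1 and az login has been done.
sphere_rule_cmd Inbound echo_cmd
sphere_rule_cmd Outbound echo_cmd
sphere_tag_prefixes_cmd echo_cmd
if [ "${APPLY:-0}" = 1 ]; then
  sphere_rule_cmd Inbound exec_cmd
  sphere_rule_cmd Outbound exec_cmd
fi
```

Two things to check before applying: the priority must not be shadowed by a lower-numbered Deny rule already in the group, and the prefix list returned by the discovery query is what the tag matches today; Microsoft updates it as AS3 addresses change, which is the reason to use the tag rather than hard-coded prefixes.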

See also

Virtual network service tags