FQDN tags overview

An FQDN tag represents a group of fully qualified domain names (FQDNs) associated with well known Microsoft services. You can use an FQDN tag in application rules to allow the required outbound network traffic through your firewall.

For example, to manually allow Windows Update network traffic through your firewall, you need to create multiple application rules per the Microsoft documentation. Using FQDN tags, you can create an application rule, include the Windows Updates tag, and now network traffic to Microsoft Windows Update endpoints can flow through your firewall.

You can't create your own FQDN tags, nor can you specify which FQDNs are included within a tag. Microsoft manages the FQDNs encompassed by the FQDN tag, and updates the tag as FQDNs change.

The following table shows the current FQDN tags you can use. Microsoft maintains these tags and you can expect more tags to be added periodically.

Current FQDN tags

FQDN tag Description
WindowsUpdate Allow outbound access to Microsoft Update as described in How to Configure a Firewall for Software Updates.
WindowsDiagnostics Allow outbound access to all Windows Diagnostics endpoints.
MicrosoftActiveProtectionService (MAPS) Allow outbound access to MAPS.
AppServiceEnvironment (ASE) Allows outbound access to ASE platform traffic. This tag doesn’t cover customer-specific Storage and SQL endpoints created by ASE. These should be enabled via Service Endpoints or added manually.

For more information about integrating Azure Firewall with ASE, see Locking down an App Service Environment.
AzureBackup Allows outbound access to the Azure Backup services.
AzureHDInsight Allows outbound access for HDInsight platform traffic. This tag doesn’t cover customer-specific Storage or SQL traffic from HDInsight. Enable these using Service Endpoints or add them manually.
WindowsVirtualDesktop Allows outbound Azure Virtual Desktop (formerly Windows Virtual Desktop) platform traffic. This tag doesn’t cover deployment-specific Storage and Service Bus endpoints created by Azure Virtual Desktop. Additionally, DNS and KMS network rules are required. For more information about integrating Azure Firewall with Azure Virtual Desktop, see Use Azure Firewall to protect Azure Virtual Desktop deployments.
AzureKubernetesService (AKS) Allows outbound access to AKS. For more information, see Use Azure Firewall to protect Azure Kubernetes Service (AKS) Deployments.
Office365

For example: Office365.Skype.Optimize
Several Office 365 tags are available to allow outbound access by Office 365 product and category. For more information, see Use Azure Firewall to protect Office 365.
Windows365 Allows outbound communication to Windows 365, excluding network endpoints for Microsoft Intune. To allow outbound communication to port 5671, create a separated network rule. For more information, see Windows 365 Network requirements.
MicrosoftIntune Allow access to Microsoft Intune for managed devices.
citrixHdxPlusForWindows365 Required when using Citrix HDX Plus.

Note

When you select FQDN Tag in an application rule, the protocol:port field must be set to https.

Next steps

To learn how to deploy an Azure Firewall, see Tutorial: Deploy and configure Azure Firewall using the Azure portal.