How can we improve Azure Networking?

Add a Network Security Group tag for Azure Service

Add a Network Security Group tag for Azure Services. Currently, if I create a rule blocking outbound internet traffic for a VNet or Subnet, blob.core.windows.net is blocked, causing all sorts of issues. The only workaround now is to create rules to allow MS datacenter public IPs, and this list can change at any time. Having all these services in one tag would allow us to block outbound internet traffic without blocking access to Azure resources.

125 votes
Travis Roberts shared this idea

9 comments

  • Anonymous commented

    Any idea how to add using PowerShell? The normal resource tags which we generally add on other resources?

  • Lester Waters commented

    Any idea when we can expect these tags? It is untenable to manage the number of IP addresses for Azure in each region. To make matters worse, it also means opening to ANY tenant subscription within the region -- when we really only want to open up those IPs that are required for the Azure infrastructure.

  • Ben Stull commented

    Azure Services + Windows Update are the two pieces that are painfully blocked when disallowing INTERNET on an NSG

  • Pedram Sanayei commented

    This is a big problem in enterprises where outbound internet access is forbidden, but access to Azure services is still required.

    Please add an "Azure Services" tag similar to the tag already in place for Load Balancers and VNets so traffic to these services can still be allowed but the general internet is blocked.

    Adding all of the IP ranges in the Azure region isn't really feasible as there are a lot of addresses, and it opens up access to IP addresses that are potentially in use by other consumers of Azure.
