Add a Network Security Group tag for Azure Service
Add a Network Security Group tag for Azure Services. Currently, if I create a rule blocking outbound internet traffic for a VNet or Subnet, blob.core.windows.net is blocked, causing all sorts of issues. The only workaround now is to create rules to allow MS datacenter public IPs, and this list can change at any time. Having all these services in one tag would allow us to block outbound internet traffic without blocking access to Azure resources.
Thanks for the feedback. The service tag is called AzureCloud and it’s already available in all regions.
A service tag for the service Cloud Shell would be great.
Any idea how to add using PowerShell? The normal resource tags which we generally add on other resources?
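An added example, not part of the original thread: a service tag such as AzureCloud is not a resource tag. It is used as the destination address prefix of an NSG rule. The sketch below uses the Az PowerShell module with hypothetical resource group and NSG names, and allows outbound HTTPS to AzureCloud ahead of a rule that denies the rest of the Internet tag.

```powershell
# Hypothetical names (assumptions); substitute your own resource group and NSG.
$rgName  = 'rg-example'
$nsgName = 'nsg-example'

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rgName -Name $nsgName

# Allow outbound HTTPS from the VNet to Azure datacenter public ranges.
# Note: AzureCloud covers Azure public IP space in general, including
# addresses used by other tenants, so keep the port range narrow.
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'Allow-AzureCloud-Out' `
    -Description 'Outbound HTTPS to Azure services' `
    -Access Allow -Protocol Tcp -Direction Outbound -Priority 100 `
    -SourceAddressPrefix VirtualNetwork -SourcePortRange '*' `
    -DestinationAddressPrefix AzureCloud -DestinationPortRange '443' | Out-Null

# Deny all other outbound traffic to the Internet tag.
# The higher priority number means it is evaluated after the allow rule.
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'Deny-Internet-Out' `
    -Description 'Block general outbound internet' `
    -Access Deny -Protocol '*' -Direction Outbound -Priority 4000 `
    -SourceAddressPrefix VirtualNetwork -SourcePortRange '*' `
    -DestinationAddressPrefix Internet -DestinationPortRange '*' | Out-Null

# Push both rules to Azure in one update.
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# Check: re-read the NSG and confirm the allow rule precedes the deny rule.
$rules = (Get-AzNetworkSecurityGroup -ResourceGroupName $rgName -Name $nsgName).SecurityRules |
    Where-Object { $_.Direction -eq 'Outbound' } |
    Sort-Object Priority

$allow = $rules | Where-Object { $_.Name -eq 'Allow-AzureCloud-Out' }
$deny  = $rules | Where-Object { $_.Name -eq 'Deny-Internet-Out' }
if (-not $allow -or -not $deny -or $allow.Priority -ge $deny.Priority) {
    throw 'AzureCloud allow rule is missing or is not evaluated before the Internet deny rule.'
}

$rules | Format-Table Name, Priority, Access, DestinationAddressPrefix, DestinationPortRange
```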
Lester Waters commented
Any idea when we can expect these tags? It is untenable to manage the number of IP addresses for Azure in each region. To make matters worse, it also means opening to ANY tenant subscription within the region -- when we really only want to open up those IPs that are required for the Azure infrastructure.
Ben Stull commented
Azure Services + Windows Update are the two pieces that are painfully blocked when disallowing INTERNET on an NSG.
Stephane Fouchereau commented
Pedram Sanayei commented
This is a big problem in enterprises where outbound internet access is forbidden, but access to Azure services is still required.
Please add an "Azure Services" tag similar to the tag already in place for Load Balancers and VNets so traffic to these services can still be allowed but the general internet is blocked.
Adding all of the IP ranges in the Azure region isn't really feasible as there are a lot of addresses, and it opens up access to IP addresses that are potentially in use by other consumers of Azure.
Jeroen Verhoeven commented
Would love it.