Microsoft maintained UDR for MS services
MS maintained UDR or firewall rule that enables traffic for MS services to allow outbound traffic from a host in a DMZ. Outbound traffic to all of 443 from a DMZ host to enable backups is a bad design - and using the MS provided IP list includes ALL services including other customers' IaaS servers - as an attacker all they would need to do to exfil data is to set up an Azure host to send it to. It would be better to enable outbound traffic for specific services such as backup and have MS maintain a list of what IPs are needed for that to work. Or enable some sort of tagging on the traffic, or an L7 firewall that can filter it.
Thanks for the feedback, this is a common request and we are working on a few options to optimize the security definition on NSG to include a Service Tag for all Azure services.
REALLY need to extend this concept from NSGs to cover UDRs also in order to permit sending Azure services' traffic towards next hop internet when you have a virtual appliance in place that you require all other default route traffic to hit. Very hard to maintain UDRs pointing to Azure regional IPs based on the weekly-updated list... the service tag constructs would greatly simplify this.
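The following is an added example, not code from the original thread or from Microsoft, illustrating the design point of the first post: an NSG rule that allows outbound 443 to the whole internet gives a DMZ host a path to any attacker-controlled endpoint, whereas a rule scoped to a service tag only reaches the one Azure service the host needs. The rule dictionaries follow the field names of the ARM `securityRules` schema; the `AzureBackup` service tag and the priority 65001 of the built-in `AllowInternetOutBound` default rule are real Azure values, while every rule name, priority and the sample rule set are constructed for this illustration.

```python
"""Audit an NSG's outbound rules for broad "allow to the internet" entries and
build a service-tag-scoped replacement.

Added example: rule dictionaries use the ARM securityRules field names, but all
rule names, priorities and the SAMPLE_RULES set are constructed for illustration.
"""
from __future__ import annotations

from typing import Any

# Destination prefixes that mean "any host on the internet" rather than one Azure service.
BROAD_DESTINATIONS = {"*", "Internet", "0.0.0.0/0"}

# Priority of the built-in AllowInternetOutBound default rule. Rules are evaluated
# lowest number first, so any outbound flow not matched earlier is allowed by it.
DEFAULT_ALLOW_INTERNET_PRIORITY = 65001


def _destinations(props: dict[str, Any]) -> list[str]:
    """ARM rules carry either a single prefix or a list; normalise to a list."""
    single = props.get("destinationAddressPrefix")
    return [single] if single else list(props.get("destinationAddressPrefixes", []))


def is_broad_outbound_allow(rule: dict[str, Any]) -> bool:
    """True when the rule lets outbound traffic reach any internet destination."""
    props = rule["properties"]
    if props["direction"] != "Outbound" or props["access"] != "Allow":
        return False
    return any(d in BROAD_DESTINATIONS for d in _destinations(props))


def find_broad_outbound_allows(rules: list[dict[str, Any]]) -> list[str]:
    """Names of rules that give a host a path to an arbitrary external endpoint."""
    return [r["name"] for r in rules if is_broad_outbound_allow(r)]


def has_explicit_internet_deny(rules: list[dict[str, Any]]) -> bool:
    """Scoped allows only help if the default AllowInternetOutBound rule is overridden
    by an explicit outbound deny with a lower priority number."""
    for rule in rules:
        props = rule["properties"]
        if (props["direction"] == "Outbound" and props["access"] == "Deny"
                and props["priority"] < DEFAULT_ALLOW_INTERNET_PRIORITY
                and any(d in BROAD_DESTINATIONS for d in _destinations(props))):
            return True
    return False


def service_scoped_rule(name: str, service_tag: str, priority: int,
                        port: str = "443") -> dict[str, Any]:
    """Outbound allow restricted to one Azure service by its service tag
    (e.g. AzureBackup) instead of the whole MS-published IP list."""
    return {
        "name": name,
        "properties": {
            "priority": priority,
            "direction": "Outbound",
            "access": "Allow",
            "protocol": "Tcp",
            "sourceAddressPrefix": "*",
            "sourcePortRange": "*",
            "destinationAddressPrefix": service_tag,
            "destinationPortRange": port,
        },
    }


def harden(rules: list[dict[str, Any]], scoped: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Drop broad outbound allows and add the service-scoped rules in their place,
    keeping every other rule (including the explicit deny) untouched."""
    kept = [r for r in rules if not is_broad_outbound_allow(r)]
    return sorted(kept + scoped, key=lambda r: r["properties"]["priority"])


# Constructed sample (not a real NSG): the over-broad rule from the post, a scoped
# backup rule, and the explicit deny that overrides the default internet allow.
SAMPLE_RULES = [
    {"name": "allow-443-out-internet", "properties": {
        "priority": 100, "direction": "Outbound", "access": "Allow", "protocol": "Tcp",
        "sourceAddressPrefix": "*", "sourcePortRange": "*",
        "destinationAddressPrefix": "Internet", "destinationPortRange": "443"}},
    {"name": "deny-all-out-internet", "properties": {
        "priority": 4000, "direction": "Outbound", "access": "Deny", "protocol": "*",
        "sourceAddressPrefix": "*", "sourcePortRange": "*",
        "destinationAddressPrefix": "Internet", "destinationPortRange": "*"}},
]

if __name__ == "__main__":
    print("broad outbound allows:", find_broad_outbound_allows(SAMPLE_RULES))
    fixed = harden(SAMPLE_RULES, [service_scoped_rule("allow-backup-out", "AzureBackup", 110)])
    print("after hardening:", [r["name"] for r in fixed])
    print("explicit internet deny present:", has_explicit_internet_deny(fixed))
```

The `has_explicit_internet_deny` check matters in practice: replacing the broad allow with a service-tag rule changes nothing if the built-in default still permits outbound internet traffic, so the audit reports both findings together.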
Track and publish Azure IP addresses by service, such as backups