Add a Network Security Group tag for Windows Update
I'd like to be able to block all outbound traffic on my NSG but still allow Windows Update to work. This is difficult to do as Windows Update depends on quite a few DNS names, and the IP addresses of these apparently change often.
If I could specify an "Allow" rule for a service tag called "WindowsUpdate" or similar with a higher priority than my "DenyAll" rule, this would achieve this.
Thanks for your feedback, we are working on this.
- Anavi N [MSFT]
Ralph Hardy commented
We really need a WindowsUpdate service tag created for this purpose. This is a must-have when securing networks. With Crypto running rampant this is required. I hate having to disable an internet block just to enable Windows Update.
I got connected to Windows Update and was able to download updates through Windows Services (blocking internet incoming).
The solution was making a new Outbound NSG rule opening ports 443 and 80, Source: Any, Destination: Any (ONLY OUTBOUND).
Why is this still not there? It's a very basic requirement and I'm wondering how all the people are doing updates without this option. It could be a decision to move away from Azure.
I noticed updates are deployed without configuration on Windows Virtual Servers in Azure (at least on Windows Server 2019).
And if you need to configure it, you can use 'Manage Updates' at the Operations level of the Virtual Machine. This should make installation possible, without changing the NSG.
Kent R commented
This is a much needed feature.
MS Cloud without a "WindowsUpdate" service tag reduces the use cases to the internet-facing ones, and the synergy of an MS solution is missing. Please add my name to the request.
Micha Wets commented
Do you have an update on this? This is really blocking us in Automatic Updating deployments.
Jethro Van Eetvelde commented
Is there any date for this? Without this it's basically impossible to implement Update Management in an environment using outbound NSG rules...
Dave Bakker commented
How is this not built-in from day 1?
Christopher Goff commented
Any updates on this? Still isn't in the Service Tag Destinations....
Marco Houben (VanRoey) commented
This would be very useful
Pradeep Chirakkal (CSV) commented
Adding my name too. Yes, we need this ASAP.
Adding my name too. I've got a few projects in small environments and will use the Azure patch management service. Need to block outbound internet to comply. I hope they create an NSG tag for this.
@Anavi N [MSFT], This is not even a nice-to-have, it is essential in today's compliance-driven world. When can we expect this to be delivered?
Jerrell Peters commented
Adding my name to this too. Currently have a case open with Microsoft where they said they are working on this, with no ETA still.
This will never be implemented :))
Schubert Rodrigues commented
Has there been any update to this? It would be nice if we can just block all and add only the update services.
Jeff Miles commented
Prompting again because this is really holding us back from implementing simple IaaS within Azure - so many hurdles to go through to support this!
Please add this service tag to NSGs and Azure Firewall.
Ruben Rico commented
This would be very useful