Add a Network Security Group tag for Windows Update
I'd like to be able to block all outbound traffic on my NSG but still allow Windows Update to work. This is difficult to do as Windows Update depends on quite a few DNS names, and the IP addresses of these apparently change often.
If I could specify an "Allow" rule for a service tag called "WindowsUpdate" or similar, with a higher priority than my "DenyAll" rule, this would achieve this.
Thanks for your feedback, we are working on this.
- Anavi N [MSFT]
Jeremy Brun commented
Please provide a status on this?
Adrien Uwin commented
Until today the service tag is still not implemented. Can you please give us a roadmap?
I'm trying to utilize Azure properly as a production environment but this is, honestly, laughable. I've seen requests for this going back to 2017! How can this not be available already? Every step forward I take in Azure feels like I simultaneously take 10 steps backwards. Awful.
This is a MUST for any customer who wants to secure his outbound communications while allowing Azure management update feature. Please implement the service tag with high priority.
Any updates on this?
Ryen Tang commented
Any chance if we may know when it is happening? I have also logged a feature request of having RHUI NSG Service Tag too. https://feedback.azure.com/forums/217313-networking/suggestions/39860926-service-tags-for-windows-updates-wu-and-redhat-u
John Slattery commented
Not having this service tag severely limits the ability to use NSGs alone for limiting outbound traffic.
Any update available? It's still not on the published roadmap. Having to use WSUS to patch Azure servers is a nightmare.
Ralph Hardy commented
We really need a WindowsUpdate service tag created for this purpose. This is a must-have when securing networks. With Crypto running rampant this is required. I hate having to disable an internet block just to enable Windows Update.
I got connected to Windows Update and was able to download updates through Windows Services (blocking internet incoming).
The solution was making a new Outbound NSG rule opening ports 443 and 80, Source: Any, Destination: Any (ONLY OUTBOUND).
Why is this still not there? It's a very basic requirement and I'm wondering how all the people are doing updates without this option. It could be a decision to move away from Azure.
I noticed updates are deployed without configuration on Windows Virtual Servers in Azure (at least on Windows Server 2019).
And if you need to configure it, you can use 'Manage Updates' at the Operations level of the Virtual Machine. This should make installation possible, without changing the NSG.
Kent R commented
This is a much-needed feature.
MS Cloud without a "WindowsUpdate" service tag reduces the use cases to the internet-facing ones, and the synergy of an MS solution is missing. Please add my name to the request.
Micha Wets commented
Do you have an update on this? This is really blocking us in Automatic Updating deployments.
Jethro Van Eetvelde commented
Is there any date for this? Without this it's basically impossible to implement Update Management in an environment using outbound NSG rules...
Dave Bakker commented
How is this not built-in from day 1?
Christopher Goff commented
Any updates on this? Still isn't in the Service Tag Destinations....
Marco Houben (VanRoey) commented
This would be very useful
Pradeep Chirakkal (CSV) commented
Adding my name too. Yes, we need this ASAP.