Commit 2da6238

168.63.129.16 adding NSG details
There seems to be quite some confusion around this topic.
- "The following ports at least must be opened to allow communication with WireServer: 80, 443 and 32526." => does not clearly mention in which direction. Which is often desired information for people configuring firewalls.
- "It is allowed by the default network security group rule" => it's not that black and white as I tried to clarify in the information I tried to provide. Moreover there are multiple "default" rules. This statement does not explain which rule.
- Other article, but similar feedback: NSG and 168.63.129.16 can use some clarity: https://github.com/MicrosoftDocs/azure-docs/issues/41045
1 parent 43f028a commit 2da6238

1 file changed

+4
-3
lines changed

articles/virtual-network/what-is-ip-address-168-63-129-16.md

Lines changed: 4 additions & 3 deletions
@@ -31,10 +31,11 @@ IP address 168.63.129.16 is a virtual public IP address that is used to facilita
3131

3232
## Scope of IP address 168.63.129.16
3333

34-
The public IP address 168.63.129.16 is used in all regions and all national clouds. This special public IP address is owned by Microsoft and will not change. It is allowed by the default network security group rule. We recommend that you allow this IP address in any local firewall policies in both inbound and outbound directions. The communication between this special IP address and the resources is safe because only the internal Azure platform can source a message from this IP address. If this address is blocked, unexpected behavior can occur in a variety of scenarios.
35-
The following ports at least must be opened to allow communication with WireServer: 80, 443 and 32526.
34+
The public IP address 168.63.129.16 is used in all regions and all national clouds. This special public IP address is owned by Microsoft and will not change. We recommend that you allow this IP address in any local firewall policies in both inbound and outbound directions. The communication between this special IP address and the resources is safe because only the internal Azure platform can source a message from this IP address. If this address is blocked, unexpected behavior can occur in a variety of scenarios. 168.63.129.16 is a [virtual IP of the host node](https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#azure-platform-considerations) and as such it is not subject to user defined routes.
3635

37-
[Azure Load Balancer health probes](../load-balancer/load-balancer-custom-probe-overview.md) originates from this IP address. If you block this IP address, your probes will fail.
36+
- The VM Agent requires outbound communication over ports 80, 443, 32526 with WireServer (168.63.129.16). These should be open in the local firewall on the VM. The communication on these ports with 168.63.129.16 is not subject to the configured network security groups.
37+
- 168.63.129.16 can provide DNS services to the VM. If this is not desired, this traffic can be blocked in the local firewall on the VM. By default DNS communication is not subject to the configured network security groups unless specifically targeted leveraging the [AzurePlatformDNS](https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview#available-service-tags) service tag.
38+
- When the VM is part of a load balancer backend pool, [health probe](../load-balancer/load-balancer-custom-probe-overview.md) communication should be allowed to originate from 168.63.129.16. The default network security group configuration has a rule that allows this communication. This rule leverages the [AzureLoadBalancer](https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview#available-service-tags) service tag. If desired this traffic can be blocked by configuring the network security group however this will result in probes that fail.
3839

3940
In a non-virtual network scenario (Classic), the health probe is sourced from a private IP and 168.63.129.16 is not used.
4041
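
Review bot: The direction of traffic is still ambiguous in the rewritten paragraph at new line 34: it keeps the recommendation to allow 168.63.129.16 in local firewall policies "in both inbound and outbound directions", while the new bullet at line 36 states that the VM Agent requires outbound communication on ports 80, 443 and 32526. Since the commit message says the missing direction is the problem being fixed, state which traffic needs the inbound allowance (the health probe bullet at line 38 is the only one that describes traffic originating from this address), or reword the general recommendation so it does not contradict the bullets. The bullet at line 36 also says traffic on these ports "is not subject to the configured network security groups"; a link to the source for that statement, as was done for the DNS and load balancer bullets, would help readers who are writing firewall rules. Two style points: the three new links use absolute docs.microsoft.com/en-us URLs while the health probe link in the same hunk is relative (../load-balancer/...), so relative, locale-free links would be consistent; and "user defined routes" should be "user-defined routes", with commas added in "If desired, this traffic can be blocked by configuring the network security group; however, this will result in probes that fail."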
