Service tags work for all SKUs, however can only be used for VNET integration in the premium SKU

EldertGrootenboer · web-flow · commit 5db3eda9fcc4 · 2025-04-15T15:11:16.000-07:00
diff --git a/articles/service-bus-messaging/network-security.md b/articles/service-bus-messaging/network-security.md
@@ -23,11 +23,11 @@ You can use service tags to define network access controls on [network security
 
 | Service tag | Purpose | Can use inbound or outbound? | Can be regional? | Can use with Azure Firewall? |
 | --- | -------- |:---:|:---:|:---:|:---:|:---:|:---:|:---:|
-| **ServiceBus** | Azure Service Bus traffic that uses the Premium service tier. | Outbound | Yes | Yes |
+| **ServiceBus** | Azure Service Bus traffic. | Outbound | Yes | Yes |
 
 
 > [!NOTE]
-> You can use service tags only for **premium** namespaces. If you are using a **standard** namespace, use the FQDN of the namespace instead, in the form of <contoso.servicebus.windows.net>. Alternatively you can use the IP address that you see when you run the following command: `nslookup <host name for the namespace>`, however this is not recommended or supported, and you will need to keep track of changes to the IP addresses. 
+> Service Bus service tags include the IP addresses of namespaces on all SKUs, however, using service tags with private or service endpoints for Service Bus is only supported on **premium** namespaces. If you are using a **standard** namespace, use the FQDN of the namespace instead, in the form of <contoso.servicebus.windows.net>. Alternatively you can use the IP address that you see when you run the following command: `nslookup <host name for the namespace>`, however this is not recommended or supported, and you will need to keep track of changes to the IP addresses. 
 
 ## IP firewall 
 By default, Service Bus namespaces are accessible from internet as long as the request comes with valid authentication and authorization. With IP firewall, you can restrict it further to only a set of IPv4 addresses or IPv4 address ranges in [CIDR (Classless Inter-Domain Routing)](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) notation.
diff --git a/articles/service-bus-messaging/service-bus-premium-messaging.md b/articles/service-bus-messaging/service-bus-premium-messaging.md
@@ -114,6 +114,7 @@ You can also enable support for large message for existing queues (or topics), b
 ## Network security
 The following network security features are available only in the premium tier. For details, see [Network security](network-security.md).
 
+- [Service tags](network-security.md#service-tags)
 - [Network service endpoints](network-security.md#network-service-endpoints)
 - [Private endpoints](network-security.md#private-endpoints)
 
diff --git a/articles/virtual-network/service-tags-overview.md b/articles/virtual-network/service-tags-overview.md
@@ -116,7 +116,7 @@ By default, service tags reflect the ranges for the entire cloud. Some service t
 | **[PowerQueryOnline](/data-integration/gateway/service-gateway-communication)** | Power Query Online. | Both | No | Yes |
 | **Scuba** | Data connectors for Microsoft security products (Sentinel, Defender, etc.). | Inbound | No | No|
 | **[SerialConsole](/troubleshoot/azure/virtual-machines/linux/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled)** | Limit access to boot diagnostics storage accounts from only Serial Console service tag | Inbound | No | Yes |
-| **ServiceBus** | Azure Service Bus traffic on all SKUs. | Outbound | Yes | Yes |
+| **ServiceBus** | Azure Service Bus traffic. | Outbound | Yes | Yes |
 | **[ServiceFabric](/azure/service-fabric/how-to-managed-cluster-networking#bring-your-own-virtual-network)** | Azure Service Fabric.<br/><br/>**Note**: This tag represents the Service Fabric service endpoint for control plane per region. This enables customers to perform management operations for their Service Fabric clusters from their VNET endpoint. (For example, https:// westus.servicefabric.azure.com). | Both | No | Yes |
 | **Sql** | Azure SQL Database, Azure Database for MySQL Single Server, Azure Database for PostgreSQL Single Server, Azure Database for MariaDB, and Azure Synapse Analytics.<br/><br/>**Note**: This tag represents the service, but not specific instances of the service. For example, the tag represents the Azure SQL Database service, but not a specific SQL database or server. This tag doesn't apply to SQL managed instance. | Outbound | Yes | Yes |
 | **SqlManagement** | Management traffic for SQL-dedicated deployments. | Both | No | Yes |
