You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/virtual-network/service-tags-overview.md
+9-2Lines changed: 9 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -18,7 +18,7 @@ ms.reviewer: kumud
18
18
# Virtual network service tags
19
19
<aname="network-service-tags"></a>
20
20
21
-
A service tag represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, minimizing the complexity of frequent updates to network securitiy rules.
21
+
A service tag represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, minimizing the complexity of frequent updates to network security rules.
22
22
23
23
You can use service tags to define network access controls on [network security groups](https://docs.microsoft.com/azure/virtual-network/security-overview#security-rules) or [Azure Firewall](https://docs.microsoft.com/azure/firewall/service-tags). Use service tags in place of specific IP addresses when you create security rules. By specifying the service tag name (for example, **ApiManagement**) in the appropriate *source* or *destination* field of a rule, you can allow or deny the traffic for the corresponding service.
24
24
@@ -42,13 +42,18 @@ By default, service tags reflect the ranges for the entire cloud. Some service t
42
42
|**AppServiceManagement**| Management traffic for deployments dedicated to App Service Environment. | Both | No | Yes |
43
43
|**AzureActiveDirectory**| Azure Active Directory. | Outbound | No | Yes |
44
44
|**AzureActiveDirectoryDomainServices**| Management traffic for deployments dedicated to Azure Active Directory Domain Services. | Both | No | Yes |
45
+
|**AzureAdvancedThreatProtection**| Azure Advanced Threat Protection. | Outbound | No | No |
45
46
|**AzureBackup**|Azure Backup.<br/><br/>*Note:* This tag has a dependency on the **Storage** and **AzureActiveDirectory** tags. | Outbound | No | Yes |
47
+
|**AzureBotService**| Azure Bot Service. | Outbound | No | No |
46
48
|**AzureCloud**| All [datacenter public IP addresses](https://www.microsoft.com/download/details.aspx?id=41653). | Outbound | Yes | Yes |
49
+
|**AzureCognitiveSearch**| Azure Cognitive Search (if using indexers with a skillset). | Both | No | No |
|**AzureDatabricks**| Azure Databricks. | Both | No | No |
54
+
|**AzureDataExplorerManagement**| Azure Data Explorer Management. | Inbound | No | No |
50
55
|**AzureDataLake**| Azure Data Lake. | Outbound | No | Yes |
51
-
|**AzureHDInsight**| Azure HDInsight. | Inbound|Yes| No |
56
+
|**AzureEventGrid**| Azure Event Grid. <br/><br/>*Note:* This tag covers Azure Event Grid endpoints in US South Central, US East, US East 2, US West 2, and US Central only. | Both|No| No |
52
57
|**AzureIoTHub**| Azure IoT Hub. | Outbound | No | No |
53
58
|**AzureKeyVault**| Azure Key Vault.<br/><br/>*Note:* This tag has a dependency on the **AzureActiveDirectory** tag. | Outbound | Yes | Yes |
54
59
|**AzureLoadBalancer**| The Azure infrastructure load balancer. The tag translates to the [virtual IP address of the host](security-overview.md#azure-platform-considerations) (168.63.129.16) where the Azure health probes originate. If you're not using Azure Load Balancer, you can override this rule. | Both | No | No |
@@ -57,12 +62,14 @@ By default, service tags reflect the ranges for the entire cloud. Some service t
57
62
|**AzurePlatformDNS**| The basic infrastructure (default) DNS service.<br/><br>You can use this tag to disable the default DNS. Be cautious when you use this tag. We recommend that you read [Azure platform considerations](https://docs.microsoft.com/azure/virtual-network/security-overview#azure-platform-considerations). We also recommend that you perform testing before you use this tag. | Outbound | No | No |
58
63
|**AzurePlatformIMDS**| Azure Instance Metadata Service (IMDS), which is a basic infrastructure service.<br/><br/>You can use this tag to disable the default IMDS. Be cautious when you use this tag. We recommend that you read [Azure platform considerations](https://docs.microsoft.com/azure/virtual-network/security-overview#azure-platform-considerations). We also recommend that you perform testing before you use this tag. | Outbound | No | No |
59
64
|**AzurePlatformLKM**| Windows licensing or key management service.<br/><br/>You can use this tag to disable the defaults for licensing. Be cautious when you use this tag. We recommend that you read [Azure platform considerations](https://docs.microsoft.com/azure/virtual-network/security-overview#azure-platform-considerations). We also recommend that you perform testing before you use this tag. | Outbound | No | No |
65
+
|**AzureResourceManager**| Azure Resource Manager. | Outbound | No | No |
60
66
|**AzureTrafficManager**| Azure Traffic Manager probe IP addresses.<br/><br/>For more information on Traffic Manager probe IP addresses, see [Azure Traffic Manager FAQ](https://docs.microsoft.com/azure/traffic-manager/traffic-manager-faqs). | Inbound | No | Yes |
61
67
|**BatchNodeManagement**| Management traffic for deployments dedicated to Azure Batch. | Both | No | Yes |
62
68
|**CognitiveServicesManagement**| The address ranges for traffic for Azure Cognitive Services. | Outbound | No | No |
63
69
|**Dynamics365ForMarketingEmail**| The address ranges for the marketing email service of Dynamics 365. | Outbound | Yes | No |
|**GatewayManager**| Management traffic for deployments dedicated to Azure VPN Gateway and Application Gateway. | Inbound | No | No |
72
+
|**HDInsight**| Azure HDInsight. | Inbound | Yes | No |
66
73
|**Internet**| The IP address space that's outside the virtual network and reachable by the public internet.<br/><br/>The address range includes the [Azure-owned public IP address space](https://www.microsoft.com/download/details.aspx?id=41653). | Both | No | No |
0 commit comments