Service tags
Many Azure services are accessed via internet-facing endpoints. These endpoints can change over time, for example as new Azure regions are built. This makes it difficult to use NSG rules to control access to those services—it’s hard to identify the list of IP ranges to use, and even harder to keep the list up to date.
To address this problem, Azure provides service tags. These are platform-defined shortcuts that map to the IP ranges of various Azure services. The IP ranges associated with each service tag are updated automatically whenever the IP addresses used by the service change.
Service tags are used in NSG rules as a quick and reliable way of creating rules that control traffic to each service. Typically, they are used in outbound rules to control which other Azure services the VMs in a VNet can or cannot access.
Note that service tags control access to the service, not to a specific resource within that service. For example, a service tag might be used in an NSG rule allowing a VM to connect to Azure Storage. This rule cannot control which storage account the VM will use: every account the tag's address ranges serve is reachable, including accounts in other subscriptions or tenants, so a rule like this still leaves a data exfiltration path open if the VM is compromised.
Service tags are provided for more than 60 Azure services, and the list is growing. Here are some of the most commonly used service tags.
- VirtualNetwork Controls access to the virtual network address space where the NSG is assigned. It refers to the entire virtual network (not just the subnet), plus all connected virtual networks and any on-premises address space connected via site-to-site VPN or ExpressRoute. Note that the network address space of peered virtual networks is only included if the Allow Virtual Network Access property is set to Enabled.
- Internet Denotes the public internet address space. This includes the internet-facing Azure IP address ranges that are used for public IP addresses and Azure platform services.
- AzureCloud Denotes the Azure data center public IP space. This service tag can be scoped to a specific Azure region, such as by specifying AzureCloud.EastUS.
- AzureLoadBalancer Denotes the IPs from which Azure Load Balancer health probes originate. Traffic from these addresses should be allowed inbound for any load-balanced VMs; otherwise the probes fail and the VM is taken out of rotation. Note that this service tag cannot be used to control traffic coming through the Load Balancer from elsewhere. That traffic can be filtered using the originating source IP, which is not modified as it passes through the Azure Load Balancer.
- AzureTrafficManager Performs a similar role for Azure Traffic Manager. It is used to allow traffic from the source IP addresses of Traffic Manager health probes.
- Storage Represents the IP addresses used by the Azure Storage service. As with the AzureCloud service tag, the Storage service tag can be region scoped. For example, you can specify Storage.WestUS to allow access only to Storage accounts in the West US region.
- Sql Represents the IP addresses used by Azure SQL Database, Azure Database for MySQL, Azure Database for PostgreSQL, and Azure Synapse Analytics. This service tag can also be scoped to a specific region.
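The following NSG definition in Bicep puts the tags above to work. It is an added example, not code from the original text: the resource name, the West US location, and the ports (443 for HTTPS and Storage, 1433 for Sql) are assumptions. It allows load-balancer probes inbound, allows application traffic from the virtual network, allows outbound traffic only to Storage and Sql in the VM's own region, and denies everything else bound for the internet.

```bicep
// Added example, not from the original text. Names, location and ports are
// assumptions chosen for illustration.
param location string = 'westus'

resource appNsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-app-tier'
  location: location
  properties: {
    securityRules: [
      {
        // Health probes originate from the AzureLoadBalancer tag. Without this
        // rule the probes fail and the VM is removed from the backend pool.
        name: 'AllowLoadBalancerProbeInbound'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: '*'
          sourceAddressPrefix: 'AzureLoadBalancer'
          sourcePortRange: '*'
          destinationAddressPrefix: 'VirtualNetwork'
          destinationPortRange: '*'
        }
      }
      {
        // Client traffic arriving through the load balancer keeps its original
        // source IP, so it is matched by that source (here the VNet), not by
        // the AzureLoadBalancer tag.
        name: 'AllowHttpsFromVnetInbound'
        properties: {
          priority: 110
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: 'VirtualNetwork'
          sourcePortRange: '*'
          destinationAddressPrefix: 'VirtualNetwork'
          destinationPortRange: '443'
        }
      }
      {
        // Region-scoped tag: only Storage endpoints in West US, not every
        // region. Any account in the region is still reachable.
        name: 'AllowStorageWestUSOutbound'
        properties: {
          priority: 100
          direction: 'Outbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: 'VirtualNetwork'
          sourcePortRange: '*'
          destinationAddressPrefix: 'Storage.WestUS'
          destinationPortRange: '443'
        }
      }
      {
        name: 'AllowSqlWestUSOutbound'
        properties: {
          priority: 110
          direction: 'Outbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: 'VirtualNetwork'
          sourcePortRange: '*'
          destinationAddressPrefix: 'Sql.WestUS'
          destinationPortRange: '1433'
        }
      }
      {
        // The Internet tag includes Azure's own public ranges, so this deny must
        // carry a higher priority number (evaluated later) than the allows
        // above. It overrides the default AllowInternetOutBound rule (65001).
        name: 'DenyInternetOutbound'
        properties: {
          priority: 4000
          direction: 'Outbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: 'VirtualNetwork'
          sourcePortRange: '*'
          destinationAddressPrefix: 'Internet'
          destinationPortRange: '*'
        }
      }
    ]
  }
}
```

Two things to check after deploying a ruleset like this. First, rule order: because the Internet tag covers the Azure public address space, an outbound deny on Internet placed at a lower priority number than the Storage or Sql allows would block those services too. Second, scope: the Storage.WestUS rule limits the VM to the storage service in one region, but not to a particular account, so it reduces rather than removes the exfiltration path described above.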