I have a couple of questions about service tags:
https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview
If I want a quick way to allow all outbound traffic to Azure services such as Storage Account, Key Vault, Recovery services vault, Azure SQL, etc., will adding an outbound rule with destination = service tag and destination service tag = "AzureCloud" be sufficient? That is, the link says AzureCloud includes "All datacenter public IP addresses", so it seems to me it's a catch-all tag to ensure outbound traffic to other Azure services is not blocked? If so, are there any risks in using this?
There is a service tag "sql", but when I try to add an outbound rule, it shows there are many other sql.[regions] service tags as well. Does "sql" include all "sql.[regions]"?
Thank you.