FQDN tags overview

An FQDN tag represents a group of fully qualified domain names (FQDNs) associated with well known Microsoft services. You can use an FQDN tag in application rules to allow the required outbound network traffic through your firewall.

For example, to manually allow Windows Update network traffic through your firewall, you need to create multiple application rules per the Microsoft documentation. Using FQDN tags, you can create an application rule, include the Windows Updates tag, and now network traffic to Microsoft Windows Update endpoints can flow through your firewall.

You can't create your own FQDN tags, nor can you specify which FQDNs are included within a tag. Microsoft manages the FQDNs encompassed by the FQDN tag, and updates the tag as FQDNs change.

The following table shows the current FQDN tags you can use. Microsoft maintains these tags and you can expect additional tags to be added periodically.

FQDN tag Description
Windows Update Allow outbound access to Microsoft Update as described in How to Configure a Firewall for Software Updates.
Windows Diagnostics Allow outbound access to all Windows Diagnostics endpoints.
Microsoft Active Protection Service (MAPS) Allow outbound access to MAPS.
App Service Environment (ASE) Allows outbound access to ASE platform traffic. This tag doesn’t cover customer-specific Storage and SQL endpoints created by ASE. These should be enabled via Service Endpoints or added manually.

For more information about integrating Azure Firewall with ASE, see Locking down an App Service Environment.
Azure Backup Allows outbound access to the Azure Backup services.

Note

When selecting FQDN Tag in an application rule, the protocol:port field must be set to https.

Next steps

To learn how to deploy an Azure Firewall, see Tutorial: Deploy and configure Azure Firewall using the Azure portal.