Virtual network service tags
A service tag represents a group of IP address prefixes from a given Azure service. It helps to minimize complexity of frequent updates on network security rules. You can use service tags to define network access controls on Network Security Groups or Azure Firewall. You can use service tags in place of specific IP addresses when creating security rules. By specifying the service tag name (e.g., ApiManagement) in the appropriate source or destination field of a rule, you can allow or deny the traffic for the corresponding service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change.
Available service tags
The following table includes all of the service tags available to be used in Network Security Groups rules.
The columns indicate whether the tag is:
- Suitable for rules covering inbound or outbound traffic
- Support regional scope
- Usable in Azure Firewall rules
By default, service tags reflect the ranges for the entire cloud. Some service tags also allow more finer-grain control by restricting the corresponding IP ranges to a specified region. For example while the service tag Storage represents Azure Storage for the entire cloud, Storage.WestUS narrows that to only the storage IP address ranges from the WestUS region. The descriptions of each Service tag below indicates whether they support such regional scope.
|Tag||Purpose||Can use Inbound or Outbound?||Can be Regional?||Can use with Azure Firewall?|
|ApiManagement||Management traffic for APIM dedicated deployments.||Both||No||Yes|
|AppService||App Service service. This tag is recommended for outbound security rules to WebApp frontends.||Outbound||Yes||Yes|
|AppServiceManagement||Management traffic for App Service Environment dedicated deployments.||Both||No||Yes|
|AzureActiveDirectory||Azure Active Directory service.||Outbound||No||Yes|
|AzureActiveDirectoryDomainServices||Management traffic for Azure Active Directory Domain Services dedicated deployments.||Both||No||Yes|
|AzureBackup||Azure Backup service.
Note: This tag has a dependency on the Storage and AzureActiveDirectory tags.
|AzureCloud||All datacenter public IP addresses.||Outbound||Yes||Yes|
|AzureConnectors||Logic Apps connectors for probe/backend connections.||Inbound||Yes||Yes|
|AzureContainerRegistry||Azure Container Registry service.||Outbound||Yes||Yes|
|AzureCosmosDB||Azure Cosmos Database service.||Outbound||Yes||Yes|
|AzureDataLake||Azure Data Lake service.||Outbound||No||Yes|
|AzureKeyVault||Azure KeyVault service.
Note: This tag has a dependency on the AzureActiveDirectory tag.
|AzureLoadBalancer||Azure's infrastructure load balancer. The tag translates to the Virtual IP address of the host (188.8.131.52) where Azure's health probes originate. If you are not using the Azure load balancer, you can override this rule.||Both||No||No|
|AzureMachineLearning||Azure Machine Learning service.||Outbound||No||Yes|
|AzureMonitor||Log Analytics, App Insights, AzMon, and custom metrics (GiG endpoints).
Note: For Log Analytics, this tag has dependency on the Storage tag.
|AzurePlatformDNS||The basic infrastructure (default) DNS service.
You can use this tag to disable the default DNS. Please exercise caution in using this tag. Reading Azure platform considerations is recommended. Testing is recommended before using this tag.
|AzurePlatformIMDS||IMDS, which is a basic infrastructure service.
You can use this tag to disable the default IMDS. Please exercise caution in using this tag. Reading Azure platform considerations is recommended. Testing is recommended before using this tag.
|AzurePlatformLKM||Windows licensing or key management service.
You can use this tag to disable the defaults for licensing. Please exercise caution in using this tag. Reading Azure platform considerations is recommended. Testing is recommended before using this tag.
|AzureTrafficManaged||Azure Traffic Manager probe IP addresses.
More information on Traffic Manager probe IP addresses can be found in the Azure Traffic Manager FAQ.
|BatchNodeManagement||Management traffic for Azure Batch dedicated deployments.||Both||No||Yes|
|CognitiveServicesManagement||The address ranges for traffic for Cognitive Services||Outbound||No||No|
|Dynamics365ForMarketingEmail||The address ranges for the marketing email service of Dynamics 365.||Outbound||Yes||No|
|EventHub||Azure EventHub service.||Outbound||Yes||Yes|
|GatewayManager||Management traffic for VPN/App Gateways dedicated deployments.||Inbound||No||No|
|Internet||The IP address space that is outside the virtual network and reachable by the public Internet.
The address range includes the Azure owned public IP address space.
|MicrosoftContainerRegistry||Microsoft Container Registry service.||Outbound||Yes||Yes|
|ServiceBus||Azure Service Bus service using the Premium service tier.||Outbound||Yes||Yes|
|ServiceFabric||Service Fabric service.||Outbound||No||No|
|Sql||Azure SQL Database, Azure Database for MySQL, Azure Database for PostgreSQL, and Azure SQL Data Warehouse services.
Note: This tag represents the service, but not specific instances of the service. For example, the tag represents the Azure SQL Database service, but not a specific SQL database or server.
|SqlManagement||Management traffic for SQL dedicated deployments.||Both||No||Yes|
|Storage||Azure Storage service.
Note: The tag represents the service, but not specific instances of the service. For example, the tag represents the Azure Storage service, but not a specific Azure Storage account.
|VirtualNetwork||The virtual network address space (all IP address ranges defined for the virtual network), all connected on-premises address spaces, peered virtual networks, or virtual network connected to a virtual network gateway, the virtual IP address of the host and address prefixes used on user-defined routes. Be aware that this tag may also contain default routes.||Both||No||No|
When working in the Classic (pre-Azure Resource Manager) environment, a select set of the above tags are supported. These use an alternative spelling:
|Classic spelling||Equivalent Resource Manager tag|
Service tags of Azure services denotes the address prefixes from the specific cloud being used. e.g. the underlying IP ranges corresponding to the Sql tag value will differ between the Azure Public cloud and the Azure China cloud.
If you implement a virtual network service endpoint for a service, such as Azure Storage or Azure SQL Database, Azure adds a route to a virtual network subnet for the service. The address prefixes in the route are the same address prefixes, or CIDR ranges, as the corresponding service tag.
Service tags in on-premises
You can obtain the current service tag and range information to include as part of your on-premises firewall configurations. This information is the current point-in-time list of the IP ranges corresponding to each service tag. The information can be obtained programmatically or via JSON file download as follows.
Service tag Discovery API (Public Preview)
You can programmatically retrieve the current list of service tags with IP address range details:
While in Public Preview, the Discovery API may return information that is not as current as the JSON downloads (below).
Discover service tags using downloadable JSON files
You can download JSON files containing the current list of service tags with IP address range details. These are updated and published weekly. Locations for each cloud are:
A subset of this information has previously been published in XML files for Azure Public, Azure China and Azure Germany. These XML downloads will be deprecated by June 30, 2020 and will no longer be available after that date. Please migrate to using the Discovery API or JSON file downloads as described above.
- You can detect updates from one publishing to the next via increased changeNumber values within the JSON file. Each subsection (e.g. Storage.WestUS) has its own changeNumber that is incremented as changes occur. The top level of the file's changeNumber is incremented when any of the subsections has changed.
- For examples of how to parse the service tag information (e.g. get all address ranges for Storage in WestUS), please refer to the Service Tag Discovery API PowerShell documentation.
- Learn how to Create a network security group.