Virtual network service tags
A service tag represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, minimizing the complexity of frequent updates to network security rules.
You can use service tags to define network access controls on network security groups or Azure Firewall. Use service tags in place of specific IP addresses when you create security rules. By specifying the service tag name, such as ApiManagement, in the appropriate source or destination field of a rule, you can allow or deny the traffic for the corresponding service.
As of March 2021, you can also use Service Tags in place of explicit IP ranges in user defined routes. This feature is currently in Public Preview.
You can use service tags to achieve network isolation and protect your Azure resources from the general Internet while accessing Azure services that have public endpoints. Create inbound/outbound network security group rules to deny traffic to/from Internet and allow traffic to/from AzureCloud or other available service tags of specific Azure services.
Available service tags
The following table includes all the service tags available for use in network security group rules.
The columns indicate whether the tag:
- Is suitable for rules that cover inbound or outbound traffic.
- Supports regional scope.
- Is usable in Azure Firewall rules.
By default, service tags reflect the ranges for the entire cloud. Some service tags also allow more granular control by restricting the corresponding IP ranges to a specified region. For example, the service tag Storage represents Azure Storage for the entire cloud, but Storage.WestUS narrows the range to only the storage IP address ranges from the WestUS region. The following table indicates whether each service tag supports such regional scope. Note that the direction listed for each tag is a recommendation. For example, the AzureCloud tag may be used to allow inbound traffic. However, we don't recommend this in most scenarios, since it means allowing traffic from all Azure IPs, including those used by other Azure customers.
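The isolation pattern described above (deny Internet, allow only the service tags you need), the regional narrowing of a tag, and the caveat about allowing AzureCloud inbound can all be seen in a small model of NSG rule evaluation. This is an added example, not Microsoft code or a real NSG engine: the prefixes behind each tag are constructed from RFC 5737 documentation ranges, the load-balancer probe address is a placeholder, and only the default rule names and priorities are Azure's own.

```python
"""Model of NSG rule evaluation with service tags.

Added example, not Microsoft code. Tag prefixes below are CONSTRUCTED from
RFC 5737 documentation ranges, not real Azure ranges; real ranges come from
the Service Tag Discovery API or the weekly JSON files.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed prefix map (hypothetical values). Storage is the union of its
# regional sub-tags; AzureCloud is wider still, because it covers every Azure
# public IP, including other customers' VMs (here 203.0.113.0/24).
TAG_PREFIXES: Dict[str, List[str]] = {
    "VirtualNetwork": ["10.0.0.0/16"],            # our VNet address space
    "Storage.WestUS": ["192.0.2.0/24"],
    "Storage.EastUS": ["198.51.100.0/24"],
    "Storage": ["192.0.2.0/24", "198.51.100.0/24"],
    "AzureCloud": ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"],
    "AzureLoadBalancer": ["203.0.113.250/32"],    # placeholder probe VIP
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # lower number wins; custom rules use 100-4096
    direction: str       # "Inbound" or "Outbound"
    access: str          # "Allow" or "Deny"
    source: str          # service tag, CIDR, or "*"
    destination: str
    dest_port: str = "*" # "*", "443" or "1024-65535"


# Azure's built-in default rules (real names and priorities); they are
# evaluated after any custom rule because of their high priority numbers.
DEFAULT_RULES: List[Rule] = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "VirtualNetwork", "VirtualNetwork"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "VirtualNetwork", "VirtualNetwork"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "Internet"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*"),
]


def _in_any(ip, prefixes: List[str]) -> bool:
    return any(ip in ipaddress.ip_network(p) for p in prefixes)


def address_matches(spec: str, ip_text: str) -> bool:
    """Does a rule's source/destination field cover this IP?"""
    if spec == "*":
        return True
    ip = ipaddress.ip_address(ip_text)
    if spec == "Internet":
        # Everything outside the VNet, Azure-owned public space included,
        # which is why Storage prefixes also count as "Internet".
        return not _in_any(ip, TAG_PREFIXES["VirtualNetwork"])
    if spec in TAG_PREFIXES:
        return _in_any(ip, TAG_PREFIXES[spec])
    return _in_any(ip, [spec])  # literal CIDR or single address


def port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def evaluate(custom: List[Rule], direction: str, src: str, dst: str, port: int) -> Tuple[str, str]:
    """Return (access, rule name) of the first matching rule in priority order."""
    for rule in sorted(custom + DEFAULT_RULES, key=lambda r: r.priority):
        if rule.direction != direction:
            continue
        if (address_matches(rule.source, src) and address_matches(rule.destination, dst)
                and port_matches(rule.dest_port, port)):
            return rule.access, rule.name
    return "Deny", "(no rule)"  # unreachable while the default rules are present


# The isolation pattern: allow only the regional storage tag, deny Internet,
# and keep load-balancer probes (outside the VNet, hence "Internet" in this
# model) ahead of the inbound deny.
ISOLATION_RULES: List[Rule] = [
    Rule("AllowStorageWestUSOut", 100, "Outbound", "Allow", "VirtualNetwork", "Storage.WestUS", "443"),
    Rule("DenyInternetOut", 200, "Outbound", "Deny", "*", "Internet"),
    Rule("AllowProbesIn", 90, "Inbound", "Allow", "AzureLoadBalancer", "*"),
    Rule("DenyInternetIn", 100, "Inbound", "Deny", "Internet", "*"),
]

# The pattern the text advises against: an inbound allow from AzureCloud.
BROAD_INBOUND: List[Rule] = [Rule("AllowAzureCloudIn", 100, "Inbound", "Allow", "AzureCloud", "*")]

if __name__ == "__main__":
    for args in [("Outbound", "10.0.1.4", "192.0.2.10", 443),     # Storage.WestUS: allowed
                 ("Outbound", "10.0.1.4", "198.51.100.10", 443),  # Storage.EastUS: denied
                 ("Inbound", "203.0.113.250", "10.0.1.4", 80)]:   # probe VIP: allowed
        print(args, "->", evaluate(ISOLATION_RULES, *args))
    print("AzureCloud inbound admits another tenant's VM:",
          evaluate(BROAD_INBOUND, "Inbound", "203.0.113.77", "10.0.1.4", 22))
```

The second flow shows the regional scope at work: an address in the constructed Storage.EastUS range is not covered by Storage.WestUS, so the only rule left to match it is the Internet deny. The last line shows why an AzureCloud inbound allow is so broad: any address in the cloud's public space, including another customer's VM, passes it.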
| Tag | Purpose | Can use inbound or outbound? | Can be regional? | Can use with Azure Firewall? |
|---|---|---|---|---|
| ApiManagement | Management traffic for Azure API Management-dedicated deployments.<br/>Note: This tag represents the Azure API Management service endpoint for control plane per region. This enables customers to perform management operations on the APIs, Operations, Policies, NamedValues configured on the API Management service. | | | |
| ApplicationInsightsAvailability | Application Insights Availability. | Inbound | No | No |
| AppService | Azure App Service. This tag is recommended for outbound security rules to web apps and Function apps. | Outbound | Yes | Yes |
| AppServiceManagement | Management traffic for deployments dedicated to App Service Environment. | Both | No | Yes |
| AzureActiveDirectory | Azure Active Directory. | Outbound | No | Yes |
| AzureActiveDirectoryDomainServices | Management traffic for deployments dedicated to Azure Active Directory Domain Services. | Both | No | Yes |
| AzureAdvancedThreatProtection | Azure Advanced Threat Protection. | Outbound | No | No |
| AzureArcInfrastructure | Azure Arc enabled servers, Azure Arc enabled Kubernetes, and Guest Configuration traffic.<br/>Note: This tag has a dependency on the AzureActiveDirectory, AzureTrafficManager, and AzureResourceManager tags. This tag is not currently configurable via Azure Portal. | | | |
| | Note: This tag is not currently configurable via Azure Portal. | | | |
| | Note: This tag has a dependency on the Storage and AzureActiveDirectory tags. | | | |
| AzureBotService | Azure Bot Service. | Outbound | No | No |
| AzureCloud | All datacenter public IP addresses. | Outbound | Yes | Yes |
| AzureCognitiveSearch | Azure Cognitive Search.<br/>This tag or the IP addresses covered by this tag can be used to grant indexers secure access to data sources. Refer to the indexer connection documentation for more details.<br/>Note: The IP of the search service is not included in the list of IP ranges for this service tag and also needs to be added to the IP firewall of data sources. | | | |
| AzureConnectors | This tag represents the IP addresses used for managed connectors that make inbound webhook callbacks to the Azure Logic Apps service and outbound calls to their respective services, for example, Azure Storage or Azure Event Hubs. | Inbound / Outbound | Yes | Yes |
| AzureContainerRegistry | Azure Container Registry. | Outbound | Yes | Yes |
| AzureCosmosDB | Azure Cosmos DB. | Outbound | Yes | Yes |
| AzureDataExplorerManagement | Azure Data Explorer Management. | Inbound | No | No |
| AzureDataLake | Azure Data Lake Storage Gen1. | Outbound | No | Yes |
| AzureDevSpaces | Azure Dev Spaces. | Outbound | No | No |
| AzureDevOps | Azure DevOps.<br/>Note: This tag is not currently configurable via Azure Portal. | | | |
| AzureDigitalTwins | Azure Digital Twins.<br/>Note: This tag or the IP addresses covered by this tag can be used to restrict access to endpoints configured for event routes. This tag is not currently configurable via Azure Portal. | | | |
| AzureEventGrid | Azure Event Grid. | Both | No | No |
| | Azure Front Door. | Both | No | No |
| AzureInformationProtection | Azure Information Protection.<br/>Note: This tag has a dependency on the AzureActiveDirectory, AzureFrontDoor.Frontend and AzureFrontDoor.FirstParty tags. | | | |
| AzureIoTHub | Azure IoT Hub. | Outbound | No | No |
| AzureKeyVault | Azure Key Vault.<br/>Note: This tag has a dependency on the AzureActiveDirectory tag. | | | |
| AzureLoadBalancer | The Azure infrastructure load balancer. The tag translates to the virtual IP address of the host (22.214.171.124) where the Azure health probes originate. This only includes probe traffic, not real traffic to your backend resource. If you're not using Azure Load Balancer, you can override this rule. | Both | No | No |
| AzureMachineLearning | Azure Machine Learning. | Both | No | Yes |
| AzureMonitor | Log Analytics, Application Insights, AzMon, and custom metrics (GiG endpoints).<br/>Note: For Log Analytics, the Storage tag is also required. If Linux agents are used, the GuestAndHybridManagement tag is also required. | | | |
| AzureOpenDatasets | Azure Open Datasets.<br/>Note: This tag has a dependency on the AzureFrontDoor.Frontend and Storage tags. | | | |
| AzurePlatformDNS | The basic infrastructure (default) DNS service.<br/>You can use this tag to disable the default DNS. Be cautious when you use this tag. We recommend that you read Azure platform considerations. We also recommend that you perform testing before you use this tag. | | | |
| AzurePlatformIMDS | Azure Instance Metadata Service (IMDS), which is a basic infrastructure service.<br/>You can use this tag to disable the default IMDS. Be cautious when you use this tag. We recommend that you read Azure platform considerations. We also recommend that you perform testing before you use this tag. | | | |
| AzurePlatformLKM | Windows licensing or key management service.<br/>You can use this tag to disable the defaults for licensing. Be cautious when you use this tag. We recommend that you read Azure platform considerations. We also recommend that you perform testing before you use this tag. | | | |
| AzureResourceManager | Azure Resource Manager. | Outbound | No | No |
| AzureSiteRecovery | Azure Site Recovery.<br/>Note: This tag has a dependency on the AzureActiveDirectory, AzureKeyVault, EventHub, GuestAndHybridManagement and Storage tags. | | | |
| AzureTrafficManager | Azure Traffic Manager probe IP addresses.<br/>For more information on Traffic Manager probe IP addresses, see Azure Traffic Manager FAQ. | | | |
| BatchNodeManagement | Management traffic for deployments dedicated to Azure Batch. | Both | No | Yes |
| CognitiveServicesManagement | The address ranges for traffic for Azure Cognitive Services. | Both | No | No |
| DataFactory | Azure Data Factory. | Both | No | No |
| DataFactoryManagement | Management traffic for Azure Data Factory. | Outbound | No | No |
| Dynamics365ForMarketingEmail | The address ranges for the marketing email service of Dynamics 365. | Outbound | Yes | No |
| EOPExternalPublishedIPs | This tag represents the IP addresses used for Security & Compliance Center PowerShell. Refer to Connect to Security & Compliance Center PowerShell using the EXO V2 module for more details.<br/>Note: This tag is not currently configurable via Azure Portal. | | | |
| EventHub | Azure Event Hubs. | Outbound | Yes | Yes |
| GatewayManager | Management traffic for deployments dedicated to Azure VPN Gateway and Application Gateway. | Inbound | No | No |
| GuestAndHybridManagement | Azure Automation and Guest Configuration. | Outbound | No | Yes |
| Internet | The IP address space that's outside the virtual network and reachable by the public internet.<br/>The address range includes the Azure-owned public IP address space. | | | |
| LogicAppsManagement | Management traffic for Logic Apps. | Inbound | No | No |
| MicrosoftCloudAppSecurity | Microsoft Cloud App Security. | Outbound | No | No |
| MicrosoftContainerRegistry | Container registry for Microsoft container images.<br/>Note: This tag has a dependency on the AzureFrontDoor.FirstParty tag. | | | |
| PowerBI | Power BI.<br/>Note: This tag is not currently configurable via Azure Portal. | Both | No | No |
| PowerQueryOnline | Power Query Online. | Both | No | No |
| ServiceBus | Azure Service Bus traffic that uses the Premium service tier. | Outbound | Yes | Yes |
| ServiceFabric | Azure Service Fabric.<br/>Note: This tag represents the Service Fabric service endpoint for control plane per region. This enables customers to perform management operations for their Service Fabric clusters from their VNET (endpoint e.g. https://westus.servicefabric.azure.com). | | | |
| Sql | Azure SQL Database, Azure Database for MySQL, Azure Database for PostgreSQL, and Azure Synapse Analytics.<br/>Note: This tag represents the service, but not specific instances of the service. For example, the tag represents the Azure SQL Database service, but not a specific SQL database or server. This tag does not apply to SQL managed instance. | | | |
| SqlManagement | Management traffic for SQL-dedicated deployments. | Both | No | Yes |
| | Note: This tag represents the service, but not specific instances of the service. For example, the tag represents the Azure Storage service, but not a specific Azure Storage account. | | | |
| StorageSyncService | Storage Sync Service. | Both | No | No |
| WindowsVirtualDesktop | Windows Virtual Desktop. | Both | No | Yes |
| VirtualNetwork | The virtual network address space (all IP address ranges defined for the virtual network), all connected on-premises address spaces, peered virtual networks, virtual networks connected to a virtual network gateway, the virtual IP address of the host, and address prefixes used on user-defined routes. This tag might also contain default routes. | Both | No | No |
In the classic deployment model (before Azure Resource Manager), a subset of the tags listed in the previous table is supported. These tags are spelled differently:
| Classic spelling | Equivalent Resource Manager tag |
|---|---|
Service tags of Azure services denote the address prefixes from the specific cloud being used. For example, the underlying IP ranges that correspond to the Sql tag value on the Azure Public cloud will be different from the underlying ranges on the Azure China cloud.
If you implement a virtual network service endpoint for a service, such as Azure Storage or Azure SQL Database, Azure adds a route to a virtual network subnet for the service. The address prefixes in the route are the same address prefixes, or CIDR ranges, as those of the corresponding service tag.
Service tags on-premises
You can obtain the current service tag and range information to include as part of your on-premises firewall configurations. This information is the current point-in-time list of the IP ranges that correspond to each service tag. You can obtain the information programmatically or via a JSON file download, as described in the following sections.
Use the Service Tag Discovery API (public preview)
You can programmatically retrieve the current list of service tags together with IP address range details:
It takes up to 4 weeks for new service tag data to propagate in the API results. The change number in the response metadata will be incremented when this happens. There may be temporary differences in results when different location values are specified. When using the results to create NSG rules, you should set the location parameter to match the NSG's region.
The API data will represent those tags which can be used with NSG rules, a subset of the tags currently in the downloadable JSON file. While in public preview, we do not guarantee that the data will remain the same from one update to the next.
Discover service tags by using downloadable JSON files
You can download JSON files that contain the current list of service tags together with IP address range details. These lists are updated and published weekly. Locations for each cloud are:
The IP address ranges in these files are in CIDR notation.
A subset of this information has been published in XML files for Azure Public, Azure China, and Azure Germany. These XML downloads will be deprecated by June 30, 2020 and will no longer be available after that date. You should migrate to using the Discovery API or JSON file downloads as described in the previous sections.
- You can detect updates from one publication to the next by noting increased changeNumber values in the JSON file. Each subsection (for example, Storage.WestUS) has its own changeNumber that's incremented as changes occur. The top level of the file's changeNumber is incremented when any of the subsections is changed.
- For examples of how to parse the service tag information (for example, get all address ranges for Storage in WestUS), see the Service Tag Discovery API PowerShell documentation.
- When new IP addresses are added to service tags, they will not be used in Azure for at least one week. This gives you time to update any systems that might need to track the IP addresses associated with service tags.
- Learn how to create a network security group.
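The changeNumber bookkeeping described in the bullets above, and the "get all address ranges for Storage in WestUS" lookup, can be done with a short parser over the downloadable JSON. This is an added example, not Microsoft's PowerShell sample or any Microsoft code: the two publications are constructed to mirror the file's layout (a top-level changeNumber and a values array whose entries carry their own properties.changeNumber and addressPrefixes), and every prefix is an RFC 5737 or RFC 3849 documentation range rather than a real Azure range.

```python
"""Work with two weekly service tag JSON publications (added example, not Microsoft code).

Both documents are CONSTRUCTED: the layout mirrors the downloadable file,
the prefixes are documentation ranges, not real Azure ranges.
"""
import ipaddress
import json
from typing import Dict, List, Set, Tuple

OLD_PUBLICATION = json.loads("""{
  "changeNumber": 140, "cloud": "Public",
  "values": [
    {"name": "Storage.WestUS", "id": "Storage.WestUS",
     "properties": {"changeNumber": 9, "region": "westus", "systemService": "AzureStorage",
                    "addressPrefixes": ["192.0.2.0/25", "2001:db8:1::/48"]}},
    {"name": "Storage.EastUS", "id": "Storage.EastUS",
     "properties": {"changeNumber": 12, "region": "eastus", "systemService": "AzureStorage",
                    "addressPrefixes": ["198.51.100.0/24"]}},
    {"name": "Sql.WestUS", "id": "Sql.WestUS",
     "properties": {"changeNumber": 4, "region": "westus", "systemService": "AzureSQL",
                    "addressPrefixes": ["203.0.113.0/26"]}}
  ]}""")

# Next week's file: Storage.WestUS gained a prefix, so its own changeNumber and
# the top-level changeNumber both moved; the other tags are untouched.
NEW_PUBLICATION = json.loads("""{
  "changeNumber": 141, "cloud": "Public",
  "values": [
    {"name": "Storage.WestUS", "id": "Storage.WestUS",
     "properties": {"changeNumber": 10, "region": "westus", "systemService": "AzureStorage",
                    "addressPrefixes": ["192.0.2.0/25", "192.0.2.128/25", "2001:db8:1::/48"]}},
    {"name": "Storage.EastUS", "id": "Storage.EastUS",
     "properties": {"changeNumber": 12, "region": "eastus", "systemService": "AzureStorage",
                    "addressPrefixes": ["198.51.100.0/24"]}},
    {"name": "Sql.WestUS", "id": "Sql.WestUS",
     "properties": {"changeNumber": 4, "region": "westus", "systemService": "AzureSQL",
                    "addressPrefixes": ["203.0.113.0/26"]}}
  ]}""")


def _by_name(publication: dict) -> Dict[str, dict]:
    """Index the values array by tag name for direct lookup."""
    return {v["name"]: v["properties"] for v in publication["values"]}


def prefixes_for(publication: dict, tag: str) -> List[str]:
    """All CIDR ranges behind one tag, e.g. every Storage prefix in WestUS."""
    return list(_by_name(publication)[tag]["addressPrefixes"])


def changed_tags(old: dict, new: dict) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Tags whose changeNumber increased, mapped to (added, removed) prefixes.

    If the top-level changeNumber did not increase, nothing changed and the
    per-tag walk is skipped entirely.
    """
    if new["changeNumber"] <= old["changeNumber"]:
        return {}
    old_tags, new_tags, diff = _by_name(old), _by_name(new), {}
    for name, props in new_tags.items():
        before = old_tags.get(name, {"changeNumber": -1, "addressPrefixes": []})
        if props["changeNumber"] > before["changeNumber"]:
            was, now = set(before["addressPrefixes"]), set(props["addressPrefixes"])
            diff[name] = (now - was, was - now)
    return diff


def tags_covering(publication: dict, ip_text: str) -> List[str]:
    """Which tags' ranges contain this address (handy when triaging a log line)."""
    ip = ipaddress.ip_address(ip_text)
    return sorted(name for name, props in _by_name(publication).items()
                  if any(ip in ipaddress.ip_network(p) for p in props["addressPrefixes"]))


if __name__ == "__main__":
    # Added prefixes carry no traffic for at least a week after publication, so
    # they can be pushed to an on-premises firewall ahead of time; removals
    # deserve a review before anything is pruned.
    for tag, (added, removed) in changed_tags(OLD_PUBLICATION, NEW_PUBLICATION).items():
        print(f"{tag}: +{sorted(added)} -{sorted(removed)}")
    print("192.0.2.200 belongs to", tags_covering(NEW_PUBLICATION, "192.0.2.200"))
```

Comparing the top-level changeNumber first is what lets a weekly job skip the per-tag walk on weeks with no change; the per-tag changeNumber then localises the diff to the sections that actually moved, which is the same two-level scheme the bullets describe.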