With service tags, Microsoft defines a service and the address ranges it uses, so You no longer have to add those addresses to multiple rules by hand.
Table of Contents
What tags are currently supported?
Bear in mind that Microsoft adds new services monthly, and new tags with them.
Inbound tags
Outbound tags
In and Outbound
How to add tags?
Let’s say we have a scenario where we need to block all internet access but allow other services.
You can add rules directly from the virtual machine’s networking settings
Virtual machine networking
Or from Network Security Group (NSG)
From NSG Outbound rules
When You add a new Outbound rule, You will see Any, IP Addresses, Service tags and ASGs as the source and destination options
And under Destination service tags You will choose nothing less than Internet.
Set service to custom, destination ports to * and protocol Any with action Deny.
Now Your Internet access is broken but the Microsoft backbone still works. Next You could add any Service You want as an allow rule.
Let’s use as an example Azure Key Vault only in North Europe.
Now we have One deny and one Allow rule inside the NSG.
And You can see the same rules inside Your virtual machine’s networking view
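The same two rules built with Az.Network instead of the portal, as an added example that is not the post’s own code. It assumes Connect-AzAccount has already run and that the resource group exists; rg-demo and nsg-demo are placeholder names. The post does not state a port for the Key Vault allow rule, so this example narrows it to TCP 443, which is what Key Vault traffic uses.

```powershell
# Added example (not the post's own code): build the deny-Internet and
# allow-Key-Vault outbound rules with Az.Network.
# Assumes Connect-AzAccount has run; rg-demo and nsg-demo are placeholders.
$resourceGroup = 'rg-demo'
$location      = 'northeurope'
$nsgName       = 'nsg-demo'

# Allow rule first: the lower priority number is evaluated first, so Key Vault
# in North Europe is matched before the broad deny. Regional service tags use
# the <Service>.<Region> form.
$allowKeyVault = New-AzNetworkSecurityRuleConfig `
    -Name 'Allow-KeyVault-NorthEurope' `
    -Description 'Allow outbound HTTPS to Azure Key Vault in North Europe' `
    -Access Allow -Protocol Tcp -Direction Outbound -Priority 100 `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix 'AzureKeyVault.NorthEurope' -DestinationPortRange 443

# Deny rule: the Internet tag covers public address space outside the Azure
# backbone, matching the portal steps (service custom, ports *, protocol Any).
$denyInternet = New-AzNetworkSecurityRuleConfig `
    -Name 'Deny-Internet-Outbound' `
    -Description 'Block all outbound traffic to the Internet service tag' `
    -Access Deny -Protocol '*' -Direction Outbound -Priority 4000 `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix 'Internet' -DestinationPortRange '*'

$nsg = New-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $resourceGroup `
    -Location $location -SecurityRules $allowKeyVault, $denyInternet

# Review the result: effective order is by priority, not by the order supplied.
$nsg.SecurityRules | Sort-Object Priority |
    Select-Object Name, Priority, Direction, Access, DestinationAddressPrefix, DestinationPortRange
```

The NSG still has to be associated with a subnet or NIC before it takes effect. The custom deny at priority 4000 overrides the default AllowInternetOutBound rule (priority 65001), while the default VirtualNetwork and AzureLoadBalancer rules keep intra-VNet traffic working, which is why the Microsoft backbone stays reachable after the deny.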
Service tags for on-premises
You can obtain the current service tag and range information to include as part of your on-premises firewall configurations. This information is the current point-in-time list of the IP ranges that correspond to each service tag. You can obtain the information programmatically or via a JSON file download.
Use the Service Tag Discovery API
You can programmatically retrieve the current list of service tags together with IP address range details:
```powershell
# Fetch the current tag list (with address ranges) for the region,
# pick the Storage tag, and print its prefixes
$serviceTags = Get-AzNetworkServiceTag -Location northeurope
$storage = $serviceTags.Values | Where-Object { $_.Name -eq "Storage" }
$storage.Properties.AddressPrefixes
```
Discover service tags by using downloadable JSON files
You can download JSON files that contain the current list of service tags together with IP address range details. These lists are updated and published weekly. Locations for each cloud are:
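A worked example for both the Discovery API and the JSON download, added here and not part of the post: it pulls the prefixes for one tag into an on-premises firewall allow list and checks whether an address seen in firewall logs actually belongs to that tag before a rule is widened. The tag name AzureKeyVault.NorthEurope, the file name ServiceTags_Public.json and the address 203.0.113.10 are placeholders chosen for the example; the live-API path assumes Connect-AzAccount has run.

```powershell
# Added example (not the post's own code). Works on either data source:
#   (a) Get-AzNetworkServiceTag output (needs Connect-AzAccount), or
#   (b) the weekly JSON download, read with Get-Content | ConvertFrom-Json.
# PowerShell property lookup is case-insensitive, so .Values/.Name/.Properties
# resolve against the JSON's values/name/properties as well.
# Tag name, file name and IP address below are placeholders for illustration.

function Test-IpInPrefix {
    # True if $Ip lies inside the CIDR block $Prefix (IPv4 or IPv6).
    param([string]$Ip, [string]$Prefix)
    $network, $bits = $Prefix.Split('/')
    $ipAddr  = [System.Net.IPAddress]::Parse($Ip)
    $netAddr = [System.Net.IPAddress]::Parse($network)
    if ($ipAddr.AddressFamily -ne $netAddr.AddressFamily) { return $false }
    $ipBytes  = $ipAddr.GetAddressBytes()
    $netBytes = $netAddr.GetAddressBytes()
    $remaining = [int]$bits
    for ($i = 0; $i -lt $ipBytes.Length -and $remaining -gt 0; $i++) {
        # Full byte while 8+ bits remain, otherwise a partial high-order mask.
        $mask = if ($remaining -ge 8) { 0xFF } else { (0xFF -shl (8 - $remaining)) -band 0xFF }
        if (($ipBytes[$i] -band $mask) -ne ($netBytes[$i] -band $mask)) { return $false }
        $remaining -= 8
    }
    return $true
}

function Get-ServiceTagPrefixes {
    # Return the address prefixes published for one tag; -IPv4Only drops IPv6.
    param($TagData, [string]$TagName, [switch]$IPv4Only)
    $tag = $TagData.Values | Where-Object { $_.Name -eq $TagName }
    if (-not $tag) { throw "Service tag '$TagName' not found in the supplied data" }
    $prefixes = $tag.Properties.AddressPrefixes
    if ($IPv4Only) { $prefixes = $prefixes | Where-Object { $_ -notmatch ':' } }
    return $prefixes
}

function Test-IpInServiceTag {
    # True if $Ip falls inside any prefix published for $TagName.
    param($TagData, [string]$TagName, [string]$Ip)
    foreach ($p in (Get-ServiceTagPrefixes -TagData $TagData -TagName $TagName)) {
        if (Test-IpInPrefix -Ip $Ip -Prefix $p) { return $true }
    }
    return $false
}

# Data source: live API, or swap in the downloaded file (placeholder path).
$tags = Get-AzNetworkServiceTag -Location northeurope
# $tags = Get-Content '.\ServiceTags_Public.json' -Raw | ConvertFrom-Json

# IPv4 prefixes for the on-premises firewall allow list, one per line.
Get-ServiceTagPrefixes -TagData $tags -TagName 'AzureKeyVault.NorthEurope' -IPv4Only

# Confirm an address from the firewall logs really belongs to the tag
# before widening a rule (203.0.113.10 is a documentation-range placeholder).
Test-IpInServiceTag -TagData $tags -TagName 'AzureKeyVault.NorthEurope' -Ip '203.0.113.10'
```

Because the lists change weekly, the prefix export is worth scheduling rather than running once; re-running it and diffing the output is the simplest way to catch a range that was added to the tag but not yet to the on-premises firewall.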
Closure
That’s one way You can use Service tags; another way could be with Azure Firewall.
Short post but important stuff, hopefully it helps someone to solve a real life problem.
Keep on learning!