| ActionGroup | Action Group. | Inbound | No | No |
| ApiManagement | Management traffic for Azure API Management-dedicated deployments. Note: This tag represents the Azure API Management service endpoint for control plane per region. The tag enables customers to perform management operations on the APIs, Operations, Policies, NamedValues configured on the API Management service. | Inbound | Yes | Yes |
| ApplicationInsightsAvailability | Application Insights Availability. | Inbound | No | No |
| AppConfiguration | App Configuration. | Outbound | No | No |
| AppService | Azure App Service. This tag is recommended for outbound security rules to web apps and Function apps. Note: This tag doesn't include IP addresses assigned when using IP-based SSL (App-assigned address). | Outbound | Yes | Yes |
| AppServiceManagement | Management traffic for deployments dedicated to App Service Environment. | Both | No | Yes |
| AutonomousDevelopmentPlatform | Autonomous Development Platform | Both | Yes | No |
| AzureActiveDirectory | Azure Active Directory. | Outbound | No | Yes |
| AzureActiveDirectoryDomainServices | Management traffic for deployments dedicated to Azure Active Directory Domain Services. | Both | No | Yes |
| AzureAdvancedThreatProtection | Azure Advanced Threat Protection. | Outbound | No | No |
| AzureArcInfrastructure | Azure Arc-enabled servers, Azure Arc-enabled Kubernetes, and Guest Configuration traffic. Note: This tag has a dependency on the AzureActiveDirectory,AzureTrafficManager, and AzureResourceManager tags. | Outbound | No | Yes |
| AzureAttestation | Azure Attestation. | Outbound | No | Yes |
| AzureBackup | Azure Backup. Note: This tag has a dependency on the Storage and AzureActiveDirectory tags. | Outbound | No | Yes |
| AzureBotService | Azure Bot Service. | Outbound | No | No |
| AzureCloud | All datacenter public IP addresses. | Both | Yes | Yes |
| AzureCognitiveSearch | Azure Cognitive Search. This tag or the IP addresses covered by this tag can be used to grant indexers secure access to data sources. For more information about indexers, see indexer connection documentation. (Video) What is NSG Service Tag? What is Azure Service Tag? Note: The IP of the search service isn't included in the list of IP ranges for this service tag and also needs to be added to the IP firewall of data sources. | Inbound | No | No |
| AzureConnectors | This tag represents the IP addresses used for managed connectors that make inbound webhook callbacks to the Azure Logic Apps service and outbound calls to their respective services, for example, Azure Storage or Azure Event Hubs. | Both | Yes | Yes |
| AzureContainerAppsService | Azure Container Apps Service | Both | Yes | No |
| AzureContainerRegistry | Azure Container Registry. | Outbound | Yes | Yes |
| AzureCosmosDB | Azure Cosmos DB. | Outbound | Yes | Yes |
| AzureDatabricks | Azure Databricks. | Both | No | No |
| AzureDataExplorerManagement | Azure Data Explorer Management. | Inbound | No | No |
| AzureDataLake | Azure Data Lake Storage Gen1. | Outbound | No | Yes |
| AzureDeviceUpdate | Device Update for IoT Hub. | Both | No | Yes |
| AzureDevSpaces | Azure Dev Spaces. | Outbound | No | No |
| AzureDevOps | Azure DevOps. | Inbound | Yes | Yes |
| AzureDigitalTwins | Azure Digital Twins. Note: This tag or the IP addresses covered by this tag can be used to restrict access to endpoints configured for event routes. | Inbound | No | Yes |
| AzureEventGrid | Azure Event Grid. | Both | No | No |
AzureFrontDoor.Frontend
AzureFrontDoor.Backend
AzureFrontDoor.FirstParty | Azure Front Door. | Both | Yes | Yes |
| AzureHealthcareAPIs | The IP addresses covered by this tag can be used to restrict access to Azure Health Data Services. | Both | No | Yes |
| AzureInformationProtection | Azure Information Protection. Note: This tag has a dependency on the AzureActiveDirectory, AzureFrontDoor.Frontend and AzureFrontDoor.FirstParty tags. | Outbound | No | No |
| AzureIoTHub | Azure IoT Hub. | Outbound | Yes | No |
| AzureKeyVault | Azure Key Vault. Note: This tag has a dependency on the AzureActiveDirectory tag. | Outbound | Yes | Yes |
| AzureLoadBalancer | The Azure infrastructure load balancer. The tag translates to the virtual IP address of the host (168.63.129.16) where the Azure health probes originate. This only includes probe traffic, not real traffic to your backend resource. If you're not using Azure Load Balancer, you can override this rule. | Both | No | No |
| AzureLoadTestingInstanceManagement | This service tag is used for inbound connectivity from Azure Load Testing service to the load generation instances injected into your virtual network in the private load testing scenario. Note: This tag is intended to be used in Azure Firewall, NSG, UDR and all other gateways for inbound connectivity. (Video) Azure Service Tags | How to Use | No | Yes | |
| AzureMachineLearning | Azure Machine Learning. | Both | No | Yes |
| AzureMonitor | Log Analytics, Application Insights, AzMon, and custom metrics (GiG endpoints). Note: For Log Analytics, the Storage tag is also required. If Linux agents are used, GuestAndHybridManagement tag is also required. | Outbound | No | Yes |
| AzureOpenDatasets | Azure Open Datasets. Note: This tag has a dependency on the AzureFrontDoor.Frontend and Storage tag. | Outbound | No | No |
| AzurePlatformDNS | The basic infrastructure (default) DNS service. You can use this tag to disable the default DNS. Be cautious when you use this tag. We recommend that you read Azure platform considerations. We also recommend that you perform testing before you use this tag. | Outbound | No | No |
| AzurePlatformIMDS | Azure Instance Metadata Service (IMDS), which is a basic infrastructure service. You can use this tag to disable the default IMDS. Be cautious when you use this tag. We recommend that you read Azure platform considerations. We also recommend that you perform testing before you use this tag. | Outbound | No | No |
| AzurePlatformLKM | Windows licensing or key management service. You can use this tag to disable the defaults for licensing. Be cautious when you use this tag. We recommend that you read Azure platform considerations. We also recommend that you perform testing before you use this tag. (Video) Azure Service Tags for User-Defined Routes (UDR) | Outbound | No | No |
| AzureResourceManager | Azure Resource Manager. | Outbound | No | No |
| AzureSentinel | Microsoft Sentinel. | Inbound | Yes | Yes |
| AzureSignalR | Azure SignalR. | Outbound | No | No |
| AzureSiteRecovery | Azure Site Recovery. Note: This tag has a dependency on the AzureActiveDirectory, AzureKeyVault, EventHub,GuestAndHybridManagement and Storage tags. | Outbound | No | No |
| AzureSphere | This tag or the IP addresses covered by this tag can be used to restrict access to Azure Sphere Security Services. | Both | No | Yes |
| AzureStack | Azure Stack Bridge services. This tag represents the Azure Stack Bridge service endpoint per region. | Outbound | No | Yes |
| AzureTrafficManager | Azure Traffic Manager probe IP addresses. For more information on Traffic Manager probe IP addresses, see Azure Traffic Manager FAQ. | Inbound | No | Yes |
| AzureUpdateDelivery | For accessing Windows Updates. Note: This tag provides access to Windows Update metadata services. To successfully download updates, you must also enable the AzureFrontDoor.FirstParty service tag and configure outbound security rules with the protocol and port defined as follows: - AzureUpdateDelivery: TCP, port 443
- AzureFrontDoor.FirstParty: TCP, port 80
| Outbound | No | No |
| AzureWebPubSub | AzureWebPubSub | Both | Yes | No |
| BatchNodeManagement | Management traffic for deployments dedicated to Azure Batch. | Both | Yes | Yes |
| ChaosStudio | Azure Chaos Studio. Note: If you have enabled Application Insights integration on the Chaos Agent, the AzureMonitor tag is also required. | Both | Yes | No |
| CognitiveServicesManagement | The address ranges for traffic for Azure Cognitive Services. | Both | No | No |
| DataFactory | Azure Data Factory | Both | No | No |
| DataFactoryManagement | Management traffic for Azure Data Factory. | Outbound | No | No |
| Dynamics365ForMarketingEmail | The address ranges for the marketing email service of Dynamics 365. | Outbound | Yes | No |
| Dynamics365BusinessCentral | This tag or the IP addresses covered by this tag can be used to restrict access from/to the Dynamics 365 Business Central Services. | Both | No | Yes |
| EOPExternalPublishedIPs | This tag represents the IP addresses used for Security & Compliance Center PowerShell. Refer to the . | Both | No | Yes |
| EventHub | Azure Event Hubs. | Outbound | Yes | Yes |
| GatewayManager | Management traffic for deployments dedicated to Azure VPN Gateway and Application Gateway. | Inbound | No | No |
| GuestAndHybridManagement | Azure Automation and Guest Configuration. | Outbound | No | Yes |
| HDInsight | Azure HDInsight. | Inbound | Yes | No |
| Internet | The IP address space that's outside the virtual network and reachable by the public internet. The address range includes the Azure-owned public IP address space. (Video) Azure Virtual Network and PaaS Network Controls | Both | No | No |
| LogicApps | Logic Apps. | Both | No | No |
| LogicAppsManagement | Management traffic for Logic Apps. | Inbound | No | No |
| M365ManagementActivityApi | The Office 365 Management Activity API provides information about various user, admin, system, and policy actions and events from Office 365 and Azure Active Directory activity logs. Customers and partners can use this information to create new or enhance existing operations, security, and compliance-monitoring solutions for the enterprise. Note: This tag has a dependency on the AzureActiveDirectory tag. | Outbound | Yes | No |
| M365ManagementActivityApiWebhook | Notifications are sent to the configured webhook for a subscription as new content becomes available. | Inbound | Yes | No |
| MicrosoftAzureFluidRelay | This tag represents the IP addresses used for Azure Microsoft Fluid Relay Server. | Outbound | No | No |
| MicrosoftCloudAppSecurity | Microsoft Defender for Cloud Apps. | Outbound | No | No |
| MicrosoftContainerRegistry | Container registry for Microsoft container images. Note: This tag has a dependency on the AzureFrontDoor.FirstParty tag. | Outbound | Yes | Yes |
| MicrosoftDefenderForEndpoint | Microsoft Defender for Endpoint | Both | No | Yes |
| PowerBI | Power BI. | Both | No | No |
| PowerPlatformInfra | This tag represents the IP addresses used by the infrastructure to host Power Platform services. | Outbound | Yes | Yes |
| PowerPlatformPlex | This tag represents the IP addresses used by the infrastructure to host Power Platform extension execution on behalf of the customer. | Inbound | Yes | Yes |
| PowerQueryOnline | Power Query Online. | Both | No | No |
| ServiceBus | Azure Service Bus traffic that uses the Premium service tier. | Outbound | Yes | Yes |
| ServiceFabric | Azure Service Fabric. Note: This tag represents the Service Fabric service endpoint for control plane per region. This enables customers to perform management operations for their Service Fabric clusters from their VNET endpoint. (For example, https:// westus.servicefabric.azure.com). | Both | No | No |
| Sql | Azure SQL Database, Azure Database for MySQL, Azure Database for PostgreSQL, Azure Database for MariaDB, and Azure Synapse Analytics. Note: This tag represents the service, but not specific instances of the service. For example, the tag represents the Azure SQL Database service, but not a specific SQL database or server. This tag doesn't apply to SQL managed instance. | Outbound | Yes | Yes |
| SqlManagement | Management traffic for SQL-dedicated deployments. | Both | No | Yes |
| Storage | Azure Storage. Note: This tag represents the service, but not specific instances of the service. For example, the tag represents the Azure Storage service, but not a specific Azure Storage account. (Video) What is service tag and how to use it for NSG | Azure Training in Hindi | Outbound | Yes | Yes |
| StorageSyncService | Storage Sync Service. | Both | No | No |
| WindowsAdminCenter | Allow the Windows Admin Center backend service to communicate with customers' installation of Windows Admin Center. | Outbound | No | Yes |
| WindowsVirtualDesktop | Azure Virtual Desktop (formerly Windows Virtual Desktop). | Both | No | Yes |
| VirtualNetwork | The virtual network address space (all IP address ranges defined for the virtual network), all connected on-premises address spaces, peered virtual networks, virtual networks connected to a virtual network gateway, the virtual IP address of the host, and address prefixes used on user-defined routes. This tag might also contain default routes. | Both | No | No |