Overview of Azure service tags
The simplest definition of an Azure service tag is the grouping of IP address space from a specific Azure service. This makes management flexible and scalable, as the address prefixes groups are created only by Microsoft and are automatically updated when services change or update, thus reducing the need to manually update your tenant’s network security rules.
Service tags can be utilized to create inbound and/or outbound NSG rules to allow or deny internet traffic and allow or deny Azure cloud traffic, traffic to other available Azure service tags, or to achieve network isolation by prohibiting internet access to your resources while still allowing access to Azure service public endpoints.
One of the best features of service tags is that these can also be limited to specific service regions, providing even greater control over and flexibility in your network configuration. Reviewing an existing NSG in the Azure tenant, as seen in the following...