Use Azure NSG and Azure Service Tags to block internet and allow to Azure Portal
27 Feb 2023 Written by Ajo MathewMy Client got a requirement to block internet access inside a Subnet \ Vnet only using NSG and allow connection only to Azure Portal.
Client is using Azure Private Endpoints to enable private access to Azure Storage , Databricks and other services hence other resource access from within the VMs inside VM is working as expected.
The requirement from security team is to lock Azure Vnet & Subnet from internet and enable only direct Portal access.
Azure Documentation on Service Tags never mention about AzurePortal service tag but I was able to find it while checking outboud NSG rule.
With below combination of Azure Tags I managed to enable Azure Portal access and block internet.
Azure Service Tag combinations used with priority
- AzurePortal (400)
- AzureActiveDirectory (410)
- AzureTrafficManager (430)
- AzureFrontDoor.Frontend (440)
- AzureResourceManager (450)
With Priority 500 I have set up a rule to block all internet access from Virtual network
| Priority | Name | Port | Pritocol | Source | Destination | Action |
| 400 | AzurePortal | All | All | Virtualnetwork(Tag) | AzurePortal(tag) | Allow |
| 410 | AzureActiveDirectory | All | All | Virtualnetwork(Tag) | AzureActiveDirectory(tag) | Allow |
| 430 | AzureTrafficManager | All | All | Virtualnetwork(Tag) | AzureTrafficManager(tag) | Allow |
| 440 | AzureFrontDoor.Frontend | All | All | Virtualnetwork(Tag) | AzureFrontDoor.Frontend(tag) | Allow |
| 450 | AzureResourceManager | All | All | Virtualnetwork(Tag) | AzureResourceManager(tag) | Allow |
| 500 | Block Outbound internet | Any | Any | Virtualnetwork(Tag) | Internet (tag) | Deny |