Azure Service Tags are a way to simplify network security by grouping Azure resources together based on their location or functionality. This allows for more efficient access control and easier management.
With Azure Service Tags, you can quickly identify which resources are located in a specific region or are part of a particular service. This is especially useful for organizations with a large number of Azure resources.
By using Service Tags, you can create network security rules that apply to a group of resources at once, rather than having to create separate rules for each individual resource. This can save a lot of time and effort in the long run.
Azure Service Tags are automatically updated whenever a new resource is created or a resource is moved to a different region. This ensures that your network security rules remain accurate and up-to-date.
Discovery Options
You have two main options for discovering Azure service tags: using the Service Tag Discovery API or downloading JSON files. You can use the API to programmatically retrieve the current list of service tags together with IP address range details.
The API is accessible through REST, Azure PowerShell, and Azure CLI. For example, PowerShell cmdlets can be used to retrieve all the prefixes for the Storage service tag.
You must be authenticated and have a role with read permissions for your current subscription to use the API. It takes up to 4 weeks for new Service Tag data to propagate in the API results across all Azure regions.
Alternatively, you can download JSON files that contain the current list of service tags together with IP address range details. These lists are updated and published weekly for Azure Public, Azure US Government, Microsoft Azure operated by 21Vianet, and Azure Germany.
The IP address ranges in these files are in CIDR notation. You can detect updates from one publication to the next by noting increased changeNumber values in the JSON file.
Here are the locations for each cloud:
- Azure Public
- Azure US Government
- Microsoft Azure operated by 21Vianet
- Azure Germany
Understanding Service Tags
Service tags are a convenient way to manage access controls in Azure by grouping the IP ranges of specific Azure services. They can be used to define network security rules and apply those rules consistently across multiple Azure resources.
You can use service tags to allow network access to your Azure resources, such as Azure Storage or Azure SQL Database, by specifying the service tag instead of the IP ranges. This approach is more convenient and can be applied consistently across multiple resources.
Azure Service Tags are case-insensitive for operations, but tag values are case-sensitive. This means that you can update or retrieve a tag regardless of the casing, but the casing you provide will be preserved by the resource provider.
Some service tags, such as Storage, have regional scope, which means you can restrict the corresponding IP ranges to a specified region. For example, Storage.WestUS narrows the range to only the storage IP address ranges from the WestUS region.
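The discovery section above describes the weekly JSON files (CIDR prefixes, a changeNumber that increases on each publication) and this section describes regional scope (Storage versus Storage.WestUS). The following Python is an added example, not code from the page or from Microsoft, that ties both together: it parses two constructed publications shaped after the public ServiceTags JSON layout (top-level changeNumber, a values list with one entry per tag, each carrying its own changeNumber and addressPrefixes), selects a tag with or without a region suffix, and reports which tags changed between publications and which prefixes were added or removed. The sample documents, their prefixes (documentation ranges) and the changeNumber values are all constructed; the function names are this example's own.

```python
import ipaddress
import json

# Constructed sample of two weekly publications, shaped after the published
# ServiceTags JSON layout. Prefixes are documentation ranges, not real Azure
# addresses; the changeNumber values are made up for the example.
PUBLICATION_WEEK_1 = json.dumps({
    "changeNumber": 250,
    "cloud": "Public",
    "values": [
        {"name": "Storage", "id": "Storage",
         "properties": {"changeNumber": 40, "region": "",
                        "addressPrefixes": ["192.0.2.0/24", "198.51.100.0/25"]}},
        {"name": "Storage.WestUS", "id": "Storage.WestUS",
         "properties": {"changeNumber": 12, "region": "westus",
                        "addressPrefixes": ["192.0.2.0/24"]}},
    ],
})
PUBLICATION_WEEK_2 = json.dumps({
    "changeNumber": 251,
    "cloud": "Public",
    "values": [
        {"name": "Storage", "id": "Storage",
         "properties": {"changeNumber": 41, "region": "",
                        "addressPrefixes": ["192.0.2.0/24", "198.51.100.0/25", "203.0.113.0/26"]}},
        {"name": "Storage.WestUS", "id": "Storage.WestUS",
         "properties": {"changeNumber": 12, "region": "westus",
                        "addressPrefixes": ["192.0.2.0/24"]}},
    ],
})


def load_service_tags(text):
    """Parse a ServiceTags document into (file changeNumber, {tag: (changeNumber, [networks])}).

    Every prefix goes through ipaddress.ip_network so a malformed entry fails
    loudly instead of silently turning into an over-broad firewall rule."""
    doc = json.loads(text)
    tags = {}
    for entry in doc["values"]:
        props = entry["properties"]
        networks = [ipaddress.ip_network(p) for p in props["addressPrefixes"]]
        tags[entry["name"]] = (props["changeNumber"], networks)
    return doc["changeNumber"], tags


def prefixes_for(tags, service, region=None):
    """CIDR strings for a tag, optionally narrowed to a region:
    service='Storage', region='WestUS' selects the 'Storage.WestUS' entry."""
    name = f"{service}.{region}" if region else service
    _, networks = tags[name]
    return [str(n) for n in networks]


def changed_tags(old_text, new_text):
    """Compare two publications: did the file change at all, and which tags carry
    a higher per-tag changeNumber (with the prefixes added and removed)."""
    old_cn, old_tags = load_service_tags(old_text)
    new_cn, new_tags = load_service_tags(new_text)
    report = {"file_changed": new_cn > old_cn, "tags": {}}
    for name, (cn, networks) in new_tags.items():
        old_tag_cn, old_networks = old_tags.get(name, (None, []))
        if old_tag_cn is None or cn > old_tag_cn:
            report["tags"][name] = {
                "added": sorted(str(n) for n in set(networks) - set(old_networks)),
                "removed": sorted(str(n) for n in set(old_networks) - set(networks)),
            }
    return report


if __name__ == "__main__":
    _, tags = load_service_tags(PUBLICATION_WEEK_2)
    print("Storage:", prefixes_for(tags, "Storage"))
    print("Storage.WestUS:", prefixes_for(tags, "Storage", "WestUS"))
    print(json.dumps(changed_tags(PUBLICATION_WEEK_1, PUBLICATION_WEEK_2), indent=2))
```

Only the per-tag changeNumber decides whether a tag is reported; the file-level value tells you a new publication exists but not which entries moved, so an automation job should key its firewall refresh on the per-tag diff.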
Here's a brief overview of service tags supported in the classic deployment model:
Tag Usage and Recommendations
You can apply tags to your Azure resources, resource groups, and subscriptions, but not to management groups. This is a limitation of Azure's tagging system.
Tags support all cost-accruing services, which means you can use them to track costs associated with your Azure resources. To ensure that cost-accruing services are provisioned with a tag, use one of the tag policies.
Sensitive values should never be added to tags, as they could be exposed through various methods, including cost reports, commands that return existing tag definitions, deployment histories, exported templates, and monitoring logs. This is a crucial security consideration.
Tag names are case-insensitive for operations, but the resource provider might keep the casing you provide for the tag name. You'll see that casing in cost reports.
Tag values are case-sensitive, which means you should be careful when entering values for your tags. If you're not careful, you might end up with a mismatch between the value you expect and the value that's actually stored.
Here are some tag usage recommendations to keep in mind:
On-Premises
On-premises, you can obtain the current service tag and range information to include as part of your on-premises firewall configurations.
This information is the current point-in-time list of the IP ranges that correspond to each service tag.
You can obtain the information programmatically or via a JSON file download.
This means you can automate the process or simply download a file to get the necessary data.
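What an on-premises firewall actually needs from the downloaded range list is a set of rules and a way to check that traffic really lands inside those ranges. The Python below is an added example, not code from the page or from Microsoft: it takes a constructed prefix list standing in for a tag's addressPrefixes (documentation ranges, not real Azure addresses), collapses adjacent CIDRs to keep the rule count down, renders outbound allow rules in iptables/ip6tables syntax with the tag name in a comment so a later update can replace exactly those rules, and triages a few constructed egress log lines by whether their destination is covered. The log format and the function names are this example's own assumptions.

```python
import ipaddress

# Constructed stand-in for a service tag's addressPrefixes (documentation
# ranges, not real Azure addresses). The first two prefixes are adjacent on
# purpose so the collapse step has something to merge.
STORAGE_PREFIXES = ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.0/25", "2001:db8:10::/48"]

# Constructed egress log lines in the form '<src> -> <dst>:<port>'.
SAMPLE_LOG = [
    "10.0.0.5 -> 192.0.2.77:443",
    "10.0.0.5 -> 203.0.113.9:443",
    "10.0.0.7 -> 198.51.100.200:443",
]


def collapse(prefixes):
    """Merge adjacent or overlapping CIDRs so the firewall carries the fewest
    rules. IPv4 and IPv6 are collapsed separately; ipaddress refuses to mix them."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    v4 = ipaddress.collapse_addresses([n for n in nets if n.version == 4])
    v6 = ipaddress.collapse_addresses([n for n in nets if n.version == 6])
    return [str(n) for n in v4] + [str(n) for n in v6]


def egress_rules(tag, prefixes, port=443):
    """Render outbound allow rules in iptables/ip6tables syntax for one tag. Each
    rule carries the tag name in a comment so the next weekly update can replace
    exactly these rules instead of accumulating stale ones."""
    rules = []
    for cidr in collapse(prefixes):
        tool = "iptables" if ipaddress.ip_network(cidr).version == 4 else "ip6tables"
        rules.append(f'{tool} -A OUTPUT -d {cidr} -p tcp --dport {port} '
                     f'-m comment --comment "svc:{tag}" -j ACCEPT')
    return rules


def in_tag(address, prefixes):
    """True when the address lies inside any prefix of the tag."""
    ip = ipaddress.ip_address(address)
    return any(ip in n for n in map(ipaddress.ip_network, prefixes) if n.version == ip.version)


def triage(log_lines, prefixes):
    """Split egress log lines by whether the destination is covered by the tag,
    the check a reviewer runs to confirm an allow rule only reaches that service."""
    covered, uncovered = [], []
    for line in log_lines:
        dst = line.split("->", 1)[1].strip().rsplit(":", 1)[0]
        (covered if in_tag(dst, prefixes) else uncovered).append(line)
    return covered, uncovered


if __name__ == "__main__":
    print("\n".join(egress_rules("Storage", STORAGE_PREFIXES)))
    hit, miss = triage(SAMPLE_LOG, STORAGE_PREFIXES)
    print("covered:", hit)
    print("not covered:", miss)
```

Because the published list is a point-in-time snapshot, the comment marker is what lets a scheduled job delete and re-add only the rules for a tag whose prefixes changed; uncovered destinations in the triage output are the ones to investigate rather than widen the rule for.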
Unique Pagination
Unique pagination can cause some tools, such as the Azure portal, to show the same tag key twice.
This happens because the Unique Tags API limits the size of each response page it returns.
A tag with a large set of unique values forces the API to fetch the next page to retrieve the remaining values, and the tag key is shown again on that page to indicate that those values still belong to it.
Tools that concatenate pages without merging them therefore display the key more than once.
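The duplicated key is a client-side symptom, and the fix is to merge pages rather than concatenate them. The Python below is an added example, not code from the page or from Microsoft: two constructed pages shaped after the Tags List (tagNames) response (a value array of tagName entries with their values, plus nextLink when more follow) are walked via nextLink, first the naive way that yields the key twice and then merged into one mapping per key. The fetch_page stand-in, the page contents and the function names are this example's own assumptions.

```python
# Constructed pages shaped after the Tags - List (tagNames) response. Page 2
# begins with the same tagName that ended page 1, which is exactly the case
# that makes a naive consumer print the key twice.
PAGES = {
    "page-1": {
        "value": [
            {"tagName": "costCenter", "values": [{"tagValue": "fin"}, {"tagValue": "ops"}]},
            {"tagName": "env", "values": [{"tagValue": "prod"}]},
        ],
        "nextLink": "page-2",
    },
    "page-2": {
        "value": [
            {"tagName": "env", "values": [{"tagValue": "dev"}, {"tagValue": "staging"}]},
        ],
    },
}


def fetch_page(link):
    """Stand-in for the HTTP GET of one page (assumption: a real client would
    call the ARM endpoint with a bearer token and return the decoded JSON)."""
    return PAGES[link]


def iter_pages(first_link, fetch=fetch_page):
    """Follow nextLink until it is absent, refusing to loop on a repeated link."""
    link, seen = first_link, set()
    while link:
        if link in seen:
            raise RuntimeError(f"nextLink cycle at {link}")
        seen.add(link)
        page = fetch(link)
        yield page
        link = page.get("nextLink")


def naive_keys(first_link, fetch=fetch_page):
    """What a tool shows if it simply concatenates pages: 'env' appears twice."""
    return [entry["tagName"] for page in iter_pages(first_link, fetch) for entry in page["value"]]


def merged_tags(first_link, fetch=fetch_page):
    """Merge pages into one mapping so a key split across pages is reported once
    with the union of its values (duplicates collapsed, sorted for stable output)."""
    merged = {}
    for page in iter_pages(first_link, fetch):
        for entry in page["value"]:
            merged.setdefault(entry["tagName"], set()).update(v["tagValue"] for v in entry["values"])
    return {name: sorted(values) for name, values in merged.items()}


if __name__ == "__main__":
    print("naive:", naive_keys("page-1"))
    print("merged:", merged_tags("page-1"))
```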
Security and Access
To get the required access to tag resources, you can either have write access to the Microsoft.Resources/tags resource type or write access to the resource itself. The Tag Contributor role grants access to the former, while the Contributor role grants access to the latter.
The Tag Contributor role is a good option if you want to apply tags to subscriptions through the portal, but it can't apply tags to resources or resource groups through the portal. On the other hand, the Contributor role is a more general role that grants access to apply tags to any entity.
You can use the Virtual Machine Contributor role to apply tags to virtual machines specifically.
Required Access
To get the required access to tag resources, you can have write access to the Microsoft.Resources/tags resource type, which is granted by the Tag Contributor role.
The Tag Contributor role lets you apply tags to subscriptions through the portal, but you can't apply tags to resources or resource groups through the portal.
You can also have write access to the resource itself, granted by the Contributor role, which allows you to apply tags to any entity.
To apply tags to only one resource type, you can use the contributor role for that resource, such as the Virtual Machine Contributor for virtual machines.
There are two ways to get the required access to tag resources:
- Write access to the Microsoft.Resources/tags resource type (granted by the Tag Contributor role)
- Write access to the resource itself (granted by the Contributor role)
The Tag Contributor role supports all tag operations through Azure PowerShell and REST API, but it can't apply tags to resources or resource groups through the portal.
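Whether a role can tag something comes down to the two paths above: write on the Microsoft.Resources/tags type, or write on the resource itself. The Python below is an added example, not code from the page or from Microsoft, that evaluates that question the way Azure RBAC does, by matching an action against a role's Actions and NotActions with the '*' wildcard. The role definitions are constructed and abbreviated (they are not copies of the real built-in roles), and the function names are this example's own.

```python
import fnmatch

# Constructed, abbreviated role definitions shaped after Azure built-in roles.
# The action lists are assumptions for this example, not the real definitions.
ROLES = {
    "Tag Contributor": {
        "actions": ["Microsoft.Resources/tags/*", "Microsoft.Authorization/*/read"],
        "notActions": [],
    },
    "Contributor": {
        "actions": ["*"],
        "notActions": ["Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write"],
    },
    "Virtual Machine Contributor": {
        "actions": ["Microsoft.Compute/virtualMachines/*", "Microsoft.Network/networkInterfaces/read"],
        "notActions": [],
    },
    "Reader": {"actions": ["*/read"], "notActions": []},
}

TAG_WRITE = "Microsoft.Resources/tags/write"


def action_matches(pattern, action):
    """RBAC-style match: '*' spans any characters including '/', case-insensitive."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def role_allows(role_name, action):
    """Effective permission = some Actions pattern matches and no NotActions pattern does."""
    role = ROLES[role_name]
    allowed = any(action_matches(p, action) for p in role["actions"])
    denied = any(action_matches(p, action) for p in role["notActions"])
    return allowed and not denied


def can_tag(role_name, resource_write_action):
    """Tagging succeeds with either Microsoft.Resources/tags/write or write on the resource itself."""
    return role_allows(role_name, TAG_WRITE) or role_allows(role_name, resource_write_action)


def roles_that_can_tag(resource_write_action):
    """Which of the constructed roles could tag a resource whose write action is given."""
    return sorted(r for r in ROLES if can_tag(r, resource_write_action))


if __name__ == "__main__":
    for action in ("Microsoft.Compute/virtualMachines/write", "Microsoft.Storage/storageAccounts/write"):
        print(action, "->", roles_that_can_tag(action))
```

The NotActions check is what keeps Contributor's '*' from granting role-assignment writes; the same evaluation shows why Virtual Machine Contributor can tag a VM but not a storage account.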
Network Security Rule
Network security rules are designed to prevent unauthorized access to sensitive data and systems.
A well-configured firewall is crucial in implementing network security rules, as it can block incoming and outgoing traffic based on predetermined security rules.
Firewalls can be configured to allow or block specific types of traffic, such as HTTP, FTP, or SSH.
Network security rules can also be implemented using intrusion detection and prevention systems, which can detect and block malicious traffic.
Intrusion detection and prevention systems can be configured to monitor network traffic for signs of unauthorized access or malicious activity.
Regularly reviewing and updating network security rules is essential to ensure the continued security of the network.
Billing
You can use tags to group your billing data, making it easier to track costs for different organizations or runtime environments. This can be especially helpful if you're running multiple VMs for various clients.
For example, you can use tags to categorize costs by cost center or runtime environment, such as a production environment. The tags will appear in the Tags column for services that support them.
To retrieve information about tags, you can download the usage file available from the Azure portal. This will give you a detailed view of your billing data, including any tags that have been applied.
Frequently Asked Questions
What is the difference between service tag and service endpoint in Azure?
Service tags and service endpoints are two distinct Azure features: service tags allow or deny traffic to Azure resources, while service endpoints secure service resources to a virtual network. Understanding the difference between these two features is crucial for securing and managing your Azure resources effectively.