Exam AZ-104 topic 6 question 32 discussion

You can use service tags to achieve network isolation and protect your Azure resources from the general Internet while accessing Azure services that have public endpoints. Create inbound/outbound network security group rules to deny traffic to/from Internet and allow traffic to/from AzureCloud or other available service tags of specific Azure services. https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview

C - "Azure portal" is in the list of Service tag.

Service Tag most appropriate but since it's the same as grouping of IP addresses, guess IP addresses can also be a valid answer, but service tag more appropriate.

C is correct

C is correct

It was in EXAM, thanks Examtopic.

B. IP Addresses To create a rule in NSG1 to prevent hosts on Subnet1 from connecting to the Azure portal while allowing them to connect to other internet hosts, you should set the Destination in the rule to IP Addresses. The Azure portal can be accessed via a specific set of IP addresses. By creating a rule in NSG1 that blocks traffic to these IP addresses, you can prevent hosts on Subnet1 from accessing the Azure portal while still allowing them to access other internet hosts. Option A, Application security group, is not relevant to this scenario as it is used to group multiple virtual machines and apply network security rules to them as a group. Option C, Service Tag, is also not relevant as it is used to define a set of IP address ranges for specific Azure services. Option D, Any, would allow traffic to any destination, which is not appropriate for this scenario as it would not prevent access to the Azure portal.

AzurePortal service tag can be added to NSG in the portal but is not listed in the documentation. Moreover, looks like it won't work as intended - https://learn.microsoft.com/en-us/answers/questions/1198445/what-azureportal-service-tag-mean "This tag is currently not supported by NSG i.e. although you can list it in the nsg rule but it will not have the desired effect which coincides with your observation above. If you wish to block access to Azure Portal from your VM you can do it via Azure Firewall. Azure Firewall offers FQDN filtering functionality" That means the goal can't be achieved by Service Tag. AzureCloud tag is "All datacenter public IP addresses.", not the portal

To all people here voting "Service Tags": what is the service tag for Azure portal ? I cannot find it in the docs...

A service tag represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, minimizing the complexity of frequent updates to network security rules. You can use service tags to define network access controls on network security groups, Azure Firewall, and user-defined routes. Use service tags in place of specific IP addresses when you create security rules and routes Reference Virtual network service tags https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview

service tag enables you to be very specific on the service you are bloking.

C correct

You can use service tags to achieve network isolation and protect your Azure resources from the general Internet while accessing Azure services that have public endpoints

You can use service tags to define network access controls on network security groups, Azure Firewall, and user-defined routes