FQDN tags overview
An FQDN tag represents a group of fully qualified domain names (FQDNs) associated with well-known Azure services. You can use an FQDN tag in an application rule to allow the outbound network traffic those services require through your firewall, without listing each FQDN yourself.
For example, to allow Windows Update network traffic manually, you would need to create multiple application rules covering the endpoints listed in the Azure documentation. With FQDN tags, you create one application rule that includes the WindowsUpdate tag, and network traffic to the Microsoft Windows Update endpoints can then flow through your firewall.
You can't create your own FQDN tags, nor can you specify which FQDNs are included within a tag. Azure manages the FQDNs encompassed by an FQDN tag and updates the tag as FQDNs change. Because the set of destinations behind a tag is outside your control, scope the source addresses on rules that use FQDN tags as narrowly as the workload allows.
The following table shows the current FQDN tags you can use. Azure maintains these tags and you can expect more tags to be added periodically.
Current FQDN tags
| FQDN tag | Description |
|---|---|
| WindowsUpdate | Allows outbound access to Microsoft Update as described in How to Configure a Firewall for Software Updates. |
| WindowsDiagnostics | Allows outbound access to all Windows Diagnostics endpoints. |
| MicrosoftActiveProtectionService (MAPS) | Allows outbound access to MAPS. |
| AppServiceEnvironment (ASE) | Allows outbound access to ASE platform traffic. This tag doesn't cover the customer-specific Storage and SQL endpoints created by ASE; enable those via Service Endpoints or add them manually as target FQDNs. For more information about integrating Azure Firewall with ASE, see Locking down an App Service Environment. |
| AzureBackup | Allows outbound access to the Azure Backup services. |
| AzureHDInsight | Allows outbound access for HDInsight platform traffic. This tag doesn't cover customer-specific Storage or SQL traffic from HDInsight; enable those via Service Endpoints or add them manually as target FQDNs. |
| AzureKubernetesService (AKS) | Allows outbound access to AKS. For more information, see Use Azure Firewall to protect Azure Kubernetes Service (AKS) Deployments. |
Note
When you select an FQDN tag in an application rule, the protocol:port field must be set to https.
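The following Az PowerShell script is an added example and is not part of the original article. It builds one application rule collection that uses two FQDN tags from the table above, and a second rule that adds a customer-specific Storage endpoint of the kind the AppServiceEnvironment and AzureHDInsight tags do not cover. The resource group, firewall name, source range, and storage account host name are placeholders. The FqdnTag parameter set of New-AzFirewallApplicationRule takes no -Protocol argument, so the https requirement from the note above is applied by the service; the target-FQDN rule has to state protocol:port explicitly.

```powershell
# Added example, not from the original page. Requires the Az.Network module
# and an authenticated session (Connect-AzAccount).

# Assumed names; replace with your own.
$rgName  = 'rg-hub'
$fwName  = 'fw-hub'
# Assumed source range: only the subnet that needs platform access.
$sources = @('10.0.1.0/24')

# Rule 1: platform traffic via FQDN tags. No -Protocol here; the FqdnTag
# parameter set does not accept one, and the service allows https only.
$tagRule = New-AzFirewallApplicationRule `
    -Name 'AllowWindowsUpdateAndDiagnostics' `
    -SourceAddress $sources `
    -FqdnTag 'WindowsUpdate', 'WindowsDiagnostics'

# Rule 2: a customer-specific Storage endpoint that the ASE/HDInsight tags
# do not include. The host name is a placeholder. Protocol:port is explicit.
$storageRule = New-AzFirewallApplicationRule `
    -Name 'AllowAseStorage' `
    -SourceAddress $sources `
    -TargetFqdn 'contosoasestorage.blob.core.windows.net' `
    -Protocol 'https:443'

# One collection, one priority, one action for both rules.
$collection = New-AzFirewallApplicationRuleCollection `
    -Name 'Platform-Outbound' `
    -Priority 200 `
    -ActionType Allow `
    -Rule $tagRule, $storageRule

# Attach the collection to the existing firewall and push the change.
$fw = Get-AzFirewall -Name $fwName -ResourceGroupName $rgName
$fw.AddApplicationRuleCollection($collection)
Set-AzFirewall -AzureFirewall $fw

# Check: the deployed rule should carry the tag names, not an expanded FQDN
# list. The tag is a reference that Azure resolves and updates on its side.
(Get-AzFirewall -Name $fwName -ResourceGroupName $rgName).ApplicationRuleCollections |
    Where-Object Name -eq 'Platform-Outbound' |
    Select-Object -ExpandProperty Rules |
    Select-Object Name, SourceAddresses, FqdnTags, TargetFqdns
```

The final query is the check a reviewer wants after the deployment: FqdnTags shows the tag names and TargetFqdns shows only the endpoints you added by hand. Because the FQDNs behind a tag can change without any change to your rule, the source address list is the part of the rule you do control; keep it to the subnets that need the access.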
Next steps
To learn how to deploy an Azure Firewall, see Tutorial: Deploy and configure Azure Firewall using the Azure portal.