FQDN tags overview
An FQDN tag represents a group of fully qualified domain names (FQDNs) associated with well known Azure services. You can use an FQDN tag in application rules to allow the required outbound network traffic through your firewall.
For example, to manually allow Windows Update network traffic through your firewall, you need to create multiple application rules per the Azure documentation. Using FQDN tags, you can create an application rule, include the Windows Updates tag, and now network traffic to Microsoft Windows Update endpoints can flow through your firewall.
You can't create your own FQDN tags, nor can you specify which FQDNs are included within a tag. Azure manages the FQDNs encompassed by the FQDN tag, and updates the tag as FQDNs change.
The following table shows the current FQDN tags you can use. Azure maintains these tags and you can expect additional tags to be added periodically.
Current FQDN tags
| FQDN tag | Description |
|---|---|
| Windows Update | Allow outbound access to Microsoft Update as described in How to Configure a Firewall for Software Updates. |
| Windows Diagnostics | Allow outbound access to all Windows Diagnostics endpoints. |
| Microsoft Active Protection Service (MAPS) | Allow outbound access to MAPS. |
| App Service Environment (ASE) | Allows outbound access to ASE platform traffic. This tag doesn't cover customer-specific Storage and SQL endpoints created by ASE. These should be enabled via Service Endpoints or added manually. For more information about integrating Azure Firewall with ASE, see Locking down an App Service Environment. |
| Azure Backup | Allows outbound access to the Azure Backup services. |
| Azure HDInsight | Allows outbound access for HDInsight platform traffic. This tag doesn't cover customer-specific Storage or SQL traffic from HDInsight. Enable these using Service Endpoints or add them manually. |
| Azure Kubernetes Service (AKS) | Allows outbound access to AKS. For more information, see Use Azure Firewall to protect Azure Kubernetes Service (AKS) Deployments. |
Note
When selecting FQDN Tag in an application rule, the protocol:port field must be set to https.
Next steps
To learn how to deploy an Azure Firewall, see Tutorial: Deploy and configure Azure Firewall using the Azure portal.