25 May 2020

Block port 53 (DNS) in an Azure Network Security Group

At times, you may want to block all outgoing traffic from a VNet in Azure. You configure a Network Security Group (NSG) with a Deny All outgoing policy. Upon testing (because you always test...right?), you find that DNS and the Windows Licensing Key Management Service are still able to traverse the NSG.

What's up with that!?

There's actually also a third service (the Azure Instance Metadata Service) that can do the same, and according to Microsoft:

"Basic infrastructure services like DHCP, DNS, IMDS, and health monitoring are provided through the virtualized host IP addresses 168.63.129.16 and 169.254.169.254. These IP addresses belong to Microsoft and are the only virtualized IP addresses used in all regions for this purpose. Effective security rules and effective routes will not include these platform rules."

However, the news is not all bad. The same article states that:

"To override this basic infrastructure communication, you can create a security rule to deny traffic by using the following service tags on your Network Security Group rules: AzurePlatformDNS, AzurePlatformIMDS, AzurePlatformLKM."

So there you have it, now you can REALLY block all outgoing traffic from your VNet. Oh wait...there still isn't one for DHCP. 🤷‍♂️
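To make the point concrete, here is an added example (my own code, not from Microsoft's docs or the original post) that builds the three outbound deny rules in ARM `securityRules` shape and then checks an NSG's rule list to report which platform services a "Deny All" alone still leaves open. The starting priority of 4000 and the simplified evaluation model (only a rule that names the tag counts, lowest priority number wins) are assumptions.

```python
# Added example, not from the original post. Rule dicts follow the ARM schema for
# Microsoft.Network/networkSecurityGroups securityRules (the same shape "az network
# nsg show" prints); tag names are the three from the Microsoft docs quoted above.
PLATFORM_TAGS = {"DNS": "AzurePlatformDNS", "IMDS": "AzurePlatformIMDS", "LKM": "AzurePlatformLKM"}


def platform_deny_rules(start_priority=4000):
    """One Deny/Outbound rule per platform service tag, consecutive priorities.

    A DenyAll rule with destination '*' does not cover these services; the tag
    has to be named explicitly in destinationAddressPrefix.
    """
    rules = []
    for offset, tag in enumerate(PLATFORM_TAGS.values()):
        rules.append({
            "name": f"Deny-{tag}",
            "properties": {
                "priority": start_priority + offset,
                "direction": "Outbound",
                "access": "Deny",
                "protocol": "*",
                "sourceAddressPrefix": "*",
                "sourcePortRange": "*",
                "destinationAddressPrefix": tag,
                "destinationPortRange": "*",
            },
        })
    return rules


def unblocked_platform_services(rules):
    """Platform services an NSG's securityRules list still lets out.

    Simplified model (assumption): only a rule whose destination names the tag
    counts, since the platform bypasses wildcard destinations; the lowest
    priority number wins. DHCP is always listed because no tag exists for it.
    """
    ordered = sorted(rules, key=lambda r: r["properties"]["priority"])
    still_open = ["DHCP"]
    for service, tag in PLATFORM_TAGS.items():
        decision = "Allow"  # nothing names the tag: platform traffic flows
        for rule in ordered:
            p = rule["properties"]
            dests = p.get("destinationAddressPrefixes") or [p.get("destinationAddressPrefix")]
            if p["direction"] == "Outbound" and tag in dests:
                decision = p["access"]
                break
        if decision == "Allow":
            still_open.append(service)
    return still_open
```

Feed `unblocked_platform_services` the `securityRules` array from `az network nsg show -o json` to confirm, before and after adding the tag rules, which services can still leave the VNet.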

A word of warning: these services provide key support to your Azure workloads (DNS resolution, Windows activation, and instance metadata for VM extensions and managed identity), so proceed with caution.

References

https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview#available-service-tags
https://docs.microsoft.com/en-gb/azure/virtual-network/security-overview#azure-platform-considerations
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service