Alternate method to resolve the VirtualNetwork service tag

Question

Alternate method to resolve the VirtualNetwork service tag

Shaked Eyal 86

Hello,

We are attempting to dynamically resolve the Virtual Network Service Tag in the Network Security Group rules.

We desire to comprehend the IP addresses that this service tag encompasses for each Virtual Network within our subscription.

We have identified the option to obtain this information via the Network Watch - Effective Security Rule API.

Is there an alternative method to acquire this information? Are there any REST APIs or a series of APIs that we could utilize to collect this data?

Not all of our clients are willing to enable the Network Watcher solely for this purpose.

Praveen Bandaru 850 Reputation points Microsoft External Staff

2025-03-05T17:23:33.82+00:00
Hello Shaked Eyal

Greetings!
You can use service tags to define network access controls on network security groups, Azure Firewall, and user-defined routes. Use service tags in place of specific IP addresses when you create security rules and routes. By specifying the service tag name, such as ApiManagement, in the appropriate source or destination field of a security rule, you can allow or deny the traffic for the corresponding service. By specifying the service tag name in the address prefix of a route, you can route traffic intended for any of the prefixes encapsulated by the service tag to a desired next hop type.

Check the below document for more understanding:

Azure service tags overview | Microsoft Learn

https://learn.microsoft.com/en-us/azure/virtual-network/vnet-integration-for-azure-services?utm_source=chatgpt.com

Could you please confirm if you have an existing virtual network service tag in your NSG? Also, let me know what error you are facing with the service tag.

If you want to allow the service tag, kindly check the screenshot below.

Please let me know if you are trying to allow or deny the service tag in your VNET.

Please confirm if you would like to block the service using service Tag?

Also please confirm if you have existing NSG rule for service tag

Hope the above answer helps! Please let us know do you have any further queries.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Shaked Eyal 86 Reputation points

2025-03-06T07:53:08.27+00:00

Hi, thank you for the comment.
That's not exactly what I mean.
We are trying to understand what exactly the IPs the VirtualNetwork service tag has in each VNET and NSG.
For example, in the attached rule, I marked the service tag in the default rule that each NSG has, and we want to know what exactly the addresses this service tag contains in each VNET and NSG?
Shaked Eyal 86 Reputation points

2025-03-06T08:36:47.7266667+00:00

Hi, thank you for the quick reply.
That is not what I am looking for.
For example, in the NSG, we have the default inbound rule

. We are trying to understand what IP address, ranges, and subnets are included in the VirtualNetwork service tag.

shideh kolahdooz 5

Hi

You have several alternative methods to retrieve the IP addresses included in the VirtualNetwork service tag without enabling Network Watcher:

Service Tags REST API:

Use the Service Tags API directly:

GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Network/locations/{location}/serviceTags?api-version=2023-05-01

This returns all service tags including VirtualNetwork and their associated IP address prefixes

Azure CLI:

      az network list-service-tags --location eastus

- Filter the output for VirtualNetwork entries with jq:

```
az network list-service-tags --location eastus | jq '.values[] | select(.name=="VirtualNetwork")'
```

**PowerShell**:

```
$serviceTags = Get-AzNetworkServiceTag -Location eastus

$virtualNetworkTag = $serviceTags.Values | Where-Object { $_.Name -eq "VirtualNetwork" } $virtualNetworkTag.Properties.AddressPrefixes ```

     **ARM Template Deployment** (with "what-if" mode):
     
        - Create a simple template that references the service tag
        
           - Run in what-if mode to see the evaluated values without deploying
           
           **Virtual Network REST API**:
           
              - Query each VNet directly to get its address spaces:
              
                 - `GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}?api-version=2023-05-01`
                 
                 **Resource Graph Explorer**:
                 
                    - Query for VNet address ranges across your subscription:
                    
                    ```
                    Resources

| where type == 'microsoft.network/virtualnetworks' | project name, addressSpace = properties.addressSpace.addressPrefixes ```

Each method provides the IP address ranges that make up the VirtualNetwork service tag without requiring Network Watcher to be enabled.

Shaked Eyal 86 Reputation points

2025-03-06T09:07:36.0466667+00:00
I have tried the GET serviceTags API but I am getting an empty result:

GET https://management.azure.com/subscriptions/d3d3ff27-93fa-41aa-93a2-84d311c7582e/providers/Microsoft.Network/locations/eastus/serviceTags?api-version=2024-05-01

But the response I am getting is:

{ "value": [], "nextLink": "" }

I chose eastus because I have NSG there.
Do I need to have a VM running like the effective security rule tool?
Shaked Eyal 86 Reputation points

2025-03-09T08:23:05.7933333+00:00

Thanks for the comments.
I got my answer

Accepted answer

0 additional answers

Your answer

Praveen Bandaru 850 Reputation points Microsoft External Staff

2025-03-05T17:23:33.82+00:00

Hello Shaked Eyal

Greetings!
You can use service tags to define network access controls on network security groups, Azure Firewall, and user-defined routes. Use service tags in place of specific IP addresses when you create security rules and routes. By specifying the service tag name, such as ApiManagement, in the appropriate source or destination field of a security rule, you can allow or deny the traffic for the corresponding service. By specifying the service tag name in the address prefix of a route, you can route traffic intended for any of the prefixes encapsulated by the service tag to a desired next hop type.

Check the below document for more understanding:

Azure service tags overview | Microsoft Learn

https://learn.microsoft.com/en-us/azure/virtual-network/vnet-integration-for-azure-services?utm_source=chatgpt.com

Could you please confirm if you have an existing virtual network service tag in your NSG? Also, let me know what error you are facing with the service tag.

If you want to allow the service tag, kindly check the screenshot below.

Please let me know if you are trying to allow or deny the service tag in your VNET.

Please confirm if you would like to block the service using service Tag?

Also please confirm if you have existing NSG rule for service tag

Hope the above answer helps! Please let us know do you have any further queries.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Shaked Eyal 86 Reputation points

2025-03-06T07:53:08.27+00:00

Hi, thank you for the comment.
That's not exactly what I mean.
We are trying to understand what exactly the IPs the VirtualNetwork service tag has in each VNET and NSG.
For example, in the attached rule, I marked the service tag in the default rule that each NSG has, and we want to know what exactly the addresses this service tag contains in each VNET and NSG?
Shaked Eyal 86 Reputation points

2025-03-06T08:36:47.7266667+00:00

Hi, thank you for the quick reply.
That is not what I am looking for.
For example, in the NSG, we have the default inbound rule

. We are trying to understand what IP address, ranges, and subnets are included in the VirtualNetwork service tag.
shideh kolahdooz 5 Reputation points

2025-03-06T08:41:41.1866667+00:00

Hi

You have several alternative methods to retrieve the IP addresses included in the VirtualNetwork service tag without enabling Network Watcher:

Service Tags REST API:

Use the Service Tags API directly: GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Network/locations/{location}/serviceTags?api-version=2023-05-01

This returns all service tags including VirtualNetwork and their associated IP address prefixes

Azure CLI:
az network list-service-tags --location eastus

- Filter the output for VirtualNetwork entries with jq: ``` az network list-service-tags --location eastus | jq '.values[] | select(.name=="VirtualNetwork")' ``` **PowerShell**: ``` $serviceTags = Get-AzNetworkServiceTag -Location eastus

$virtualNetworkTag = $serviceTags.Values | Where-Object { $_.Name -eq "VirtualNetwork" } $virtualNetworkTag.Properties.AddressPrefixes ```

**ARM Template Deployment** (with "what-if" mode): - Create a simple template that references the service tag - Run in what-if mode to see the evaluated values without deploying **Virtual Network REST API**: - Query each VNet directly to get its address spaces: - `GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}?api-version=2023-05-01` **Resource Graph Explorer**: - Query for VNet address ranges across your subscription: ``` Resources

| where type == 'microsoft.network/virtualnetworks' | project name, addressSpace = properties.addressSpace.addressPrefixes ```

Each method provides the IP address ranges that make up the VirtualNetwork service tag without requiring Network Watcher to be enabled.
Shaked Eyal 86 Reputation points

2025-03-06T09:07:36.0466667+00:00

I have tried the GET serviceTags API but I am getting an empty result:

GET https://management.azure.com/subscriptions/d3d3ff27-93fa-41aa-93a2-84d311c7582e/providers/Microsoft.Network/locations/eastus/serviceTags?api-version=2024-05-01

But the response I am getting is:

{ "value": [], "nextLink": "" }

I chose eastus because I have NSG there.
Do I need to have a VM running like the effective security rule tool?
Shaked Eyal 86 Reputation points

2025-03-09T08:23:05.7933333+00:00

Thanks for the comments.
I got my answer

Answer 1

Praveen Bandaru 850 Microsoft External Staff

Hello Shaked Eyal

Greetings!

In an inbound NSG rule, the source virtual network service tag includes peered VNET IP ranges, while the destination virtual network service tag includes current VNET IP ranges.

For an outbound NSG rule, the source virtual network service tag includes current VNET IP ranges, and the destination virtual network service tag includes peered VNET IP ranges.

And also check the below link to find the IP ranges for service tag:

Azure IP Ranges and Service Tags

Regarding your API management to fetch the IP ranges, please check the link below for more information:

https://learn.microsoft.com/en-us/answers/questions/105211/api-to-get-azure-ip-ranges-and-service-tags

Hope the above answer helps! Please let us know do you have any further queries.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Praveen Bandaru 850 Reputation points Microsoft External Staff

2025-03-11T04:22:14.1733333+00:00

Hello Shaked Eyal

Greetings!
Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Share via

Alternate method to resolve the VirtualNetwork service tag

0 additional answers

Your answer