Blog Post

Windows IT Pro Blog
4 MIN READ

Changes coming to the Azure Update Delivery service tag

Dave_Roth's avatar
Dave_Roth
Icon for Microsoft rankMicrosoft
May 31, 2024
Azure Update Delivery service tag is being deprecated starting July 1, 2024. If your Azure Firewall is configured to receive Windows updates using this service tag, you'll need to migrate away from t...
Published May 31, 2024
Version 1.0
servicing and updates
hspinto's avatar
hspinto
Icon for Microsoft rankMicrosoft
Jun 07, 2024

Here's an Azure Resource Graph helper query that allows you to quickly identify NSG rules that are using those service tags:

 

resources
| where type == 'microsoft.network/networksecuritygroups'
| mv-expand nsgRule = properties.securityRules limit 400
| extend destinationAddressPrefix = tostring(nsgRule.properties.destinationAddressPrefix)
| where destinationAddressPrefix in ('AzureUpdateDelivery','AzureFrontDoor.FirstParty')
| where nsgRule.properties.access == 'Allow'
| where nsgRule.properties.direction == 'Outbound'
| extend ruleName = tostring(nsgRule.name)
| extend protocol = tostring(nsgRule.properties.protocol)
| extend destinationPortRange = iif(isnotempty(nsgRule.properties.destinationPortRange),tostring(nsgRule.properties.destinationPortRange),tostring(nsgRule.properties.destinationPortRanges))
| extend sourceAddressPrefix = iif(isnotempty(nsgRule.properties.sourceAddressPrefix),tostring(nsgRule.properties.sourceAddressPrefix),tostring(nsgRule.properties.sourceAddressPrefixes))
| extend subnets = tostring(properties.subnets)
| project destinationAddressPrefix, nsg=name, resourceGroup, subscriptionId, ruleName, protocol, destinationPortRange, sourceAddressPrefix, subnets