Azure Service Tags and Dynamics 365 Business Central

Yesterday I gave a webcast detailing all the new features available in Dynamics 365 Business Central, and I also mentioned the possibility of managing traffic access restrictions to Dynamics 365 Business Central by using Azure Service Tags.

A service tag in Azure represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, minimizing the complexity of frequent updates to network security rules.

You can use service tags in place of specific IP addresses when you want to create security rules and routes and define network access controls on network security groups or Azure Firewall. By specifying the service tag name in the appropriate source or destination field of a security rule, you can allow or deny the traffic for the corresponding service.

Dynamics 365 Business Central now has its own service tag: Dynamics365BusinessCentral. If you query the Azure service tag details, it is currently defined as follows:

    {
      "name": "Dynamics365BusinessCentral",
      "id": "Dynamics365BusinessCentral",
      "properties": {
        "changeNumber": 5,
        "region": "",
        "regionId": 0,
        "platform": "Azure",
        "systemService": "Dynamics365BusinessCentral",
        "addressPrefixes": [
          "4.194.227.0/25",
          "20.18.6.128/25",
          "20.24.2.128/25",
          "20.26.17.128/26",
          "20.50.89.0/25",
          "20.50.89.128/26",
          "20.59.86.128/26",
          "20.74.198.64/26",
          "20.79.109.192/26",
          "20.87.86.128/27",
          "20.91.13.192/26",
          "20.91.148.0/26",
          "20.92.7.192/26",
          "20.98.151.128/26",
          "20.100.5.224/27",
          "20.100.20.128/27",
          "20.107.238.0/24",
          "20.111.5.192/26",
          "20.119.157.0/26",
          "20.125.165.64/26",
          "20.164.152.96/27",
          "20.170.168.0/25",
          "20.189.199.96/27",
          "20.192.158.32/27",
          "20.199.203.0/26",
          "20.200.161.160/27",
          "20.203.90.0/26",
          "20.204.194.96/27",
          "20.204.198.64/26",
          "20.205.54.128/25",
          "20.206.182.192/26",
          "20.208.145.192/26",
          "20.210.71.192/27",
          "20.213.196.64/26",
          "20.214.130.32/27",
          "20.218.186.160/27",
          "20.220.0.128/26",
          "20.220.5.128/27",
          "20.220.6.0/26",
          "20.223.66.176/28",
          "20.223.67.160/27",
          "20.223.69.0/25",
          "20.232.92.64/26",
          "20.233.132.0/25",
          "20.236.146.0/25",
          "40.80.97.192/26",
          "40.117.24.96/27",
          "51.116.79.192/26",
          "51.120.178.64/27",
          "51.120.180.224/27",
          "51.142.129.128/26",
          "51.142.131.128/26",
          "52.191.44.128/26",
          "52.236.190.0/24",
          "52.242.46.128/26",
          "68.218.121.0/26",
          "68.218.123.0/25",
          "68.219.173.128/25"
        ],
        "networkFeatures": [
          "NSG",
          "API"
        ]
      }
    }

Please don’t rely on these IP addresses in your applications, because they can change! Service tags exist precisely so that you never have to depend on specific IP addresses. Please never do that.

By using this tag it’s now possible to restrict traffic to/from Business Central using your network security groups and firewalls. You can use an Azure network security group to filter network traffic between Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.

To define a security rule for Dynamics 365 Business Central, in the Azure Portal select the network security group and create a new inbound or outbound rule, selecting Source = Service Tag and Source service tag = Dynamics365BusinessCentral:

Then you can define your rule.
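The same two steps done from Azure PowerShell (querying the tag definition and then adding a tag-based NSG rule), as an added example that is not part of the original post. It assumes the Az.Network module, an authenticated session, and the placeholder region, resource group and NSG names shown at the top.

```powershell
# Added example (not from the original post). Assumes Az.Network is installed,
# you are signed in (Connect-AzAccount) and the placeholder names are replaced.
$location      = 'westeurope'       # assumption: region used for the tag query
$resourceGroup = 'rg-erp-network'   # placeholder resource group
$nsgName       = 'nsg-erp-backend'  # placeholder network security group

# 1. Inspect the service tag definition; the JSON shown in the post is this data.
$tags  = Get-AzNetworkServiceTag -Location $location
$bcTag = $tags.Values | Where-Object { $_.Name -eq 'Dynamics365BusinessCentral' }
"Tag $($bcTag.Name): $($bcTag.Properties.AddressPrefixes.Count) prefixes, changeNumber $($bcTag.Properties.ChangeNumber)"

# 2. Allow inbound HTTPS only from Business Central, using the tag as the source
#    instead of hard-coding the address prefixes listed above.
$nsg = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $resourceGroup

$nsg | Add-AzNetworkSecurityRuleConfig `
    -Name 'Allow-BusinessCentral-Https' `
    -Description 'Inbound HTTPS from the Dynamics365BusinessCentral service tag' `
    -Access Allow `
    -Protocol Tcp `
    -Direction Inbound `
    -Priority 100 `
    -SourceAddressPrefix 'Dynamics365BusinessCentral' `
    -SourcePortRange '*' `
    -DestinationAddressPrefix 'VirtualNetwork' `
    -DestinationPortRange 443 | Out-Null

# 3. Explicitly deny all other inbound traffic from the Internet at a lower
#    priority, so only the tag-based rule admits external callers.
$nsg | Add-AzNetworkSecurityRuleConfig `
    -Name 'Deny-Internet-Inbound' `
    -Access Deny -Protocol '*' -Direction Inbound -Priority 4000 `
    -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '*' | Out-Null

# Commit both rules to the NSG.
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# Verify: the source of the allow rule must be the tag name, not an IP list.
(Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $resourceGroup).SecurityRules |
    Select-Object Name, Priority, Direction, Access, SourceAddressPrefix, DestinationPortRange |
    Format-Table -AutoSize
```

Because the tag is resolved by the platform, the rule keeps working when Microsoft changes the prefixes, which is exactly what a rule built from the IP list above would not do.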

This is a great addition for scenarios where you need to restrict traffic to your ERP or to external applications (for example, restricting traffic coming to Dynamics 365 Business Central to a specific set of IP addresses).

2 Comments

  1. Hi, can I use this in a scenario where I have a custom application on the customer's server (on-prem) which exposes an API to the Internet, but I would like to restrict it so that only Business Central can call this API? Is it possible using service tags?

    1. If you create an Azure Virtual Network for your on-prem network, yes, you can do that. Only traffic coming from that service tag can reach the network.
