A YAML list of [service tags](https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview#available-service-tags) that are allowed for egress in custom security groups. If this list is empty, no service tags are permitted.<br /><br />Applies to non-Guardrails managed Security Groups.<br /><br />Examples: ```   - VirtualNetwork   - Storage ``` 

Azure > Management Group

Azure > Subscription

Azure > Tenant

Turbot > Folder

Turbot

Turbot > IAM > Turbot Identity

Turbot > IAM > Unidentified Identity

Azure > Active Directory > Directory

Kubernetes > Cluster

GCP > Project

GitHub > Repository

AWS > Account

ServiceNow > Instance

Azure > Network Watcher > Network Watcher

Azure > SQL > Database

Azure > SQL > Elastic Pool

Azure > SQL > Managed Instance

Azure > SQL > Server

Azure > Relay > Namespace

Azure > Key Vault > Vault

Azure > Search Management > Search Service

Azure > Automation > Automation Account

Azure > Automation > Runbook

Azure > App Service > App Service Plan

Azure > App Service > Web App

Azure > Resource Group

Azure > SignalR Service > SignalR

Azure > DNS > Zone

Azure > DNS > Record Set

Azure > Storage > Storage Account

Azure > Monitor > Action Group

Azure > Monitor > Metric Alert

Azure > Application Insights > Application Insight

Azure > PostgreSQL > Flexible Server

Azure > PostgreSQL > Server

Azure > Network > Application Security Group

Azure > Network > Express Route Circuits

Azure > Network > Network Interface

Azure > Network > Network Security Group

Azure > Network > Private DNS Zones

Azure > Network > Private Endpoints

Azure > Network > Public IP Address

Azure > Network > Route Table

Azure > Network > Virtual Network

Azure > Network > Virtual Network Gateway

Azure > Network > Private Link Service

Azure > Load Balancer > Load Balancer

Azure > MySQL > Flexible Server

Azure > MySQL > Server [Deprecated]

Azure > Managed Identity > User Assigned Identity

Azure > API Management > API Management Service

Azure > Log Analytics > Log Analytics Workspace

Azure > Recovery Service > Vault

Azure > Synapse Analytics > SQL Pool

Azure > Synapse Analytics > Workspace

Azure > Compute > Availability Set

Azure > Compute > Disk

Azure > Compute > Disk Encryption Set

Azure > Compute > Image

Azure > Compute > Snapshot

Azure > Compute > Ssh Public Key

Azure > Compute > Virtual Machine

Azure > Compute > Virtual Machine Scale Set

Azure > Application Gateway Service > Application Gateway

Azure > Databricks > Workspace

Azure > Data Factory > Factory

Azure > Service Bus > Namespace

Azure > Cosmos DB > Database Account

Azure > Container Registry > Registry

Azure > SQL Virtual Machine Service > SQL Virtual Machine

Azure > AKS > Managed Cluster

Azure > Firewall > Firewall

GCP > BigQuery > Dataset

GCP > BigQuery > Table

GCP > Compute Engine > Disk

GCP > Compute Engine > Image

GCP > Compute Engine > Instance

GCP > Compute Engine > Region Disk

GCP > Compute Engine > Snapshot

GCP > Dataproc > Cluster

GCP > Dataproc > Job

GCP > Dataproc > Workflow Template

GCP > SQL > Instance

GCP > Dataplex > Lake

GCP > Dataplex > Task

GCP > Dataplex > Zone

GCP > Secret Manager > Secret

GCP > Network > Forwarding Rule

GCP > Network > Global Forwarding Rule

GCP > Network > VPN Tunnel

GCP > Bigtable > Instance

GCP > Spanner > Instance

GCP > Vertex AI > Endpoint

GCP > Memorystore > Instance

GCP > Pub/Sub > Snapshot

GCP > Pub/Sub > Subscription

GCP > Pub/Sub > Topic

GCP > Storage > Bucket

GCP > Composer > Environment

GCP > App Engine > Service

GCP > KMS > Crypto Key

GCP > Kubernetes Engine > Region Cluster

GCP > Kubernetes Engine > Zone Cluster

GCP > DNS > Managed Zone

AWS > Resource Access Manager > Resource Share

AWS > Elastic Beanstalk > Application

AWS > Elastic Beanstalk > Environment

AWS > AppStream > Image

AWS > AppStream > Fleet

AWS > AppStream > Image Builder

AWS > IAM > Access Analyzer

GCP > Folder

AWS > EC2 > Instance

AWS > Region

A YAML list of [service tags](https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview#available-service-tags) that are allowed for egress&#92;nin custom security groups. If this list is empty, no service tags are permitted.&#92;n&#92;nApplies to non-Guardrails managed Security Groups.&#92;n&#92;nExamples:&#92;n```&#92;n  - VirtualNetwork&#92;n  - Storage&#92;n```&#92;n

Azure > Network > Network Security Group > Ingress Rules > Approved

Azure > Network > Network Security Group > Ingress Rules > Approved > Service Tags

Schema Type	`array`
Default	`- '*'`

Policy: Azure > Network > Network Security Group > Ingress Rules > Approved > Service Tags

Targets

Primary Policy

Policy Specification

Category

In Your Workspace

Developers