Azure Update Delivery will be deprecated, and Azure Firewall will be impacted

Do you know about future changes to the Azure Update Delivery service tag? If you use Azure Firewall to handle Windows updates, there is significant news that you should be aware of. From July 1st, 2024, the Azure Update Delivery service tag will no longer exist, according to the official blog post published by the Redmond-based tech giant last week.

This signifies that if your setup depends on this service tag for receiving Windows updates, now is an ideal time to alter course and employ Azure Firewall application rules. Let us delve deeper into what this implies and how you can shift seamlessly without interruption.

Using Azure Firewall service tags has helped make firewall configurations easier to handle. These tags are like groups containing IP addresses and ranges linked with certain Azure resources; they automatically update whenever a change occurs.

This feature proves very handy when ensuring Windows devices can connect securely to Microsoft Windows Update services without constantly adjusting the firewall rules. For instance, the AzureUpdateDelivery service tag has allowed devices to scan for updates like operating system enhancements and driver and application patches by recognizing IP addresses used by Microsoft’s scanning services.

But change is happening. The method of content downloads is changing, too. Downloads are now more often coming from reliable third-party Content Delivery Networks (CDNs), which don’t have service tags, and this might interrupt the update process at a stage when content gets downloaded.

The answer is to stop using service tags such as AzureUpdateDelivery and AzureFrontDoor.FirstParty, and start using Azure Firewall application rules with Fully Qualified Domain Name (FQDN) filtering.

It is time to take action if you have explicitly used these service tags in your Azure Firewall rules. You should review your Azure Firewall policy network rules to verify their usage and begin planning the migration.

For affected individuals, the action suggested involves establishing Azure Firewall application rules set for the Windows Update FQDN tag.

This method ensures that your firewall recognizes precisely which hosts are reliable to scan and get update content from, maintaining security without needing you to manually update IP addresses.

But what if I’m using my own firewall or proxy services? Don’t worry; Microsoft assists with setting up these services to work well with Windows Update services.

For people who like to limit updates only inside the network boundary, there is another option called Windows Server Update Services (WSUS). This lets devices search and get updates without touching the internet at all.

The deprecation date is near, so it’s necessary to start moving forward with these new methods. The reason for this change isn’t merely to keep pace; it’s about guaranteeing that your environment stays safe and current.

In other news, Microsoft also released the capabilities of the Azure Web Application Firewall (WAF) and Azure Firewall into the Copilot for Security last month in a public preview.