Azure / Azure-Proactive-Resiliency-Library-v2

Azure Proactive Resiliency Library v2 (APRL) - Source for Azure WAF reliability guidance and associated ARG queries
https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/
MIT License

💡 Feature Request - Recommendations for deprecation of AzureUpdateDelivery service tag #193

Open tksh164 opened 1 month ago

tksh164 commented 1 month ago

Describe the solution you'd like

The Azure Update Delivery service tag is being deprecated. So, we should detect whether customers are using that service tag.

The above deprecation will affect the following resources at least:

Describe alternatives you've considered

n/a

Additional context

n/a

kzk839 commented 1 month ago

I created these KQLs to find resources which use the AzureUpdateDelivery or AzureFrontDoor.FirstParty tags. However, rules in Azure Firewall policy could not be searched in KQL.

for NSGs

// Network security groups: one row per security rule whose single-value prefix is one of the deprecated tags.
// Note: rules that put the tag in the array fields sourceAddressPrefixes / destinationAddressPrefixes are not matched here.
resources
| where type =~ "Microsoft.Network/NetworkSecurityGroups"
| mv-expand rule = properties.securityRules
| extend source = rule.properties.sourceAddressPrefix
| extend destination = rule.properties.destinationAddressPrefix
| extend ruleName = rule.name
| where source == "AzureUpdateDelivery" or destination == "AzureUpdateDelivery" or source == "AzureFrontDoor.FirstParty" or destination == "AzureFrontDoor.FirstParty"
| project id, name, location, resourceGroup, subscriptionId, ruleName, source, destination

for Route Tables

// Route tables: one row per user-defined route whose address prefix is a service tag that is being deprecated.
resources
| where type =~ "Microsoft.Network/routetables"
| mv-expand route = properties.routes
| extend routeName = route.name
| extend addressPrefix = route.properties.addressPrefix
| where addressPrefix == "AzureUpdateDelivery" or addressPrefix == "AzureFrontDoor.FirstParty"
| project id, name, location, resourceGroup, subscriptionId, routeName, addressPrefix

for Azure Firewall (classic rules)

// Azure Firewall with classic rules: expand every network rule and match the tag inside the address arrays.
// `contains` works on the dynamic arrays because KQL compares their string form, case-insensitively.
// Note: natRuleCollections also carry sourceAddresses / destinationAddresses and are not covered here;
// firewalls attached to a Firewall Policy keep their rules in the policy, not on this resource.
resources
| where type =~ "Microsoft.Network/AzureFirewalls"
| mv-expand nwRules = properties.networkRuleCollections
| mv-expand nwRule = nwRules.properties.rules
| extend ruleName = nwRule.name
| extend sourceAddresses = nwRule.sourceAddresses
| extend destinationAddresses = nwRule.destinationAddresses
| where sourceAddresses contains "AzureUpdateDelivery" or destinationAddresses contains "AzureUpdateDelivery" or sourceAddresses contains "AzureFrontDoor.FirstParty" or destinationAddresses contains "AzureFrontDoor.FirstParty"
| project id, name, location, resourceGroup, subscriptionId, ruleName, sourceAddresses, destinationAddresses
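The Azure Firewall Policy gap noted above can be closed outside of Resource Graph by exporting each policy's rule collection groups and scanning the JSON. The script below is an added example, not code from this issue or from the APRL project; it assumes the input has the shape returned by `az network firewall policy rule-collection-group list` and runs here against a constructed sample.

```python
import json

# Service tags this issue is about (AzureUpdateDelivery is being deprecated).
DEPRECATED_TAGS = {"AzureUpdateDelivery", "AzureFrontDoor.FirstParty"}

# Rule fields in Firewall Policy network and NAT rules that can hold a service tag.
ADDRESS_FIELDS = ("sourceAddresses", "destinationAddresses")


def find_deprecated_tag_rules(rule_collection_groups):
    """Return (group, collection, rule, field, tag) for every rule that references
    a deprecated tag. Matching is case-insensitive so a tag typed in another case
    is not missed; application rules have no address fields and are skipped."""
    wanted = {t.lower(): t for t in DEPRECATED_TAGS}
    hits = []
    for group in rule_collection_groups:
        for coll in group.get("properties", {}).get("ruleCollections", []):
            for rule in coll.get("rules", []):
                for field in ADDRESS_FIELDS:
                    for addr in rule.get(field) or []:
                        tag = wanted.get(str(addr).lower())
                        if tag:
                            hits.append((group["name"], coll["name"], rule["name"], field, tag))
    return hits


# Constructed sample (assumed shape of the `az` rule-collection-group list output).
SAMPLE = json.loads("""
[{"name": "rcg-prod", "properties": {"priority": 100, "ruleCollections": [
   {"ruleCollectionType": "FirewallPolicyFilterRuleCollection", "name": "allow-updates",
    "priority": 100, "action": {"type": "Allow"}, "rules": [
      {"ruleType": "NetworkRule", "name": "wu-out", "ipProtocols": ["TCP"],
       "sourceAddresses": ["10.0.0.0/24"], "destinationAddresses": ["azureupdatedelivery"],
       "destinationPorts": ["443"]},
      {"ruleType": "NetworkRule", "name": "dns-out", "ipProtocols": ["UDP"],
       "sourceAddresses": ["10.0.0.0/24"], "destinationAddresses": ["168.63.129.16"],
       "destinationPorts": ["53"]}]},
   {"ruleCollectionType": "FirewallPolicyNatRuleCollection", "name": "dnat", "priority": 200,
    "action": {"type": "Dnat"}, "rules": [
      {"ruleType": "NatRule", "name": "afd-in", "ipProtocols": ["TCP"],
       "sourceAddresses": ["AzureFrontDoor.FirstParty"], "destinationAddresses": ["203.0.113.10"],
       "destinationPorts": ["443"], "translatedAddress": "10.0.1.4", "translatedPort": "443"}]}]}}]
""")

if __name__ == "__main__":
    for hit in find_deprecated_tag_rules(SAMPLE):
        print("group %s / collection %s / rule %s: %s references %s" % hit)
```

To use it against a real policy, pipe the JSON from `az network firewall policy rule-collection-group list --policy-name <policy> --resource-group <rg>` into `json.load` in place of SAMPLE.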