I need to set up Network Security Group rules for my application so it can receive HTTPS requests from the Internet and write data into Table Storage and Azure SQL. Nothing else is allowed.
I know how to set up the HTTP inbound rule. But I could not figure out how to set up outbound rules for Table Storage and Azure SQL. Should I use ".table.core.windows.net" as the value of DestinationAddressPrefix?
You cannot use network security rules for Azure Storage Services because DestinationAddressPrefix is a network IP address in CIDR format and not a DNS prefix / suffix.
What you could do, but only in theory, and I would not recommend that, is to add your Azure Data Centre IP Address ranges to the Network Security Group. This would be the closest to what you are trying to achieve. But as I said, I would not recommend it (as you have to constantly update it and still have failures when this list is not updated).
If your primary concern is that your service shall not communicate with on-premises (in case you use VPN), you can add an explicit deny for your on-prem network.
If your concern is that your service could be the target of various attacks, then you could use a proper Web Application Firewall, like Barracuda - https://www.barracuda.com/programs/azure/application-security
As for Azure SQL Database, you can only limit access to your Azure SQL Database to "All azure services", but not "only mine azure service". And currently (again, as of 2015-06-12) there is no other way around.
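As an added example (not part of the original question or answer): a small Python check that rejects a DNS suffix as an address prefix and builds the outbound rule set the answer describes, one allow rule per CIDR range followed by a deny for all other Internet-bound traffic. The rule names, the port value, the helper functions and the sample ranges are assumptions made for illustration; the ranges are documentation placeholders, not real Azure data centre ranges.

```python
import ipaddress

# Non-CIDR values the field also accepts: the wildcard and the default tags.
SPECIAL_PREFIXES = {"*", "Internet", "VirtualNetwork", "AzureLoadBalancer"}

def is_valid_prefix(value):
    """True if value can be used as an NSG address prefix."""
    if value in SPECIAL_PREFIXES:
        return True
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:  # DNS names such as ".table.core.windows.net" end up here
        return False

def rule(name, priority, access, protocol, dest, port):
    """One outbound rule using the ARM securityRules property names."""
    return {"name": name, "properties": {
        "direction": "Outbound", "access": access, "priority": priority,
        "protocol": protocol, "sourceAddressPrefix": "*", "sourcePortRange": "*",
        "destinationAddressPrefix": dest, "destinationPortRange": port}}

def build_outbound_rules(ranges, port="443", first_priority=100):
    """Allow TCP to each CIDR range, then deny everything else to the Internet."""
    bad = [r for r in ranges if r in SPECIAL_PREFIXES or not is_valid_prefix(r)]
    if bad:
        raise ValueError(f"not a CIDR range: {bad}")
    if first_priority < 100 or first_priority + len(ranges) > 4096:
        raise ValueError("priorities must fit in 100..4095 (4096 is the deny rule)")
    rules = [rule(f"Allow-Out-{i}", first_priority + i, "Allow", "Tcp", r, port)
             for i, r in enumerate(ranges)]
    rules.append(rule("Deny-Out-Internet", 4096, "Deny", "*", "Internet", "*"))
    return rules

if __name__ == "__main__":
    # Constructed placeholder ranges (RFC 5737), not real Azure data centre ranges.
    sample = ["203.0.113.0/24", "198.51.100.0/25"]
    for r in build_outbound_rules(sample):
        p = r["properties"]
        print(p["priority"], p["access"], p["destinationAddressPrefix"])
    print(is_valid_prefix(".table.core.windows.net"))
```

The generated list is only as current as the ranges fed into it, which is the maintenance burden the answer warns about.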