Hello @AZLearner-5762 ,
By default, the basic infrastructure services' communication is not subject to the configured network security groups unless it is specifically targeted by leveraging the AzurePlatformDNS, AzurePlatformIMDS, or AzurePlatformLKM service tags. These platform tags are used for specific scenarios, and each deny rule has an independent result.
AzurePlatformDNS: The basic infrastructure (default) DNS service. You can use this tag to disable the default DNS.
AzurePlatformIMDS: Azure Instance Metadata Service (IMDS), which is a basic infrastructure service. You can use this tag to disable the default IMDS.
AzurePlatformLKM: Windows licensing or key management service. You can use this tag to disable the defaults for licensing.
NOTE: Be cautious when you use these tags. It is recommended that you perform testing before you use these tags.
So, yes, even if you lock down outbound traffic, this Azure platform traffic won't be affected unless you explicitly deny it with the respective service tags: AzurePlatformDNS, AzurePlatformIMDS, AzurePlatformLKM.
Please refer to: https://azure.microsoft.com/en-us/updates/network-security-group-improvements-now-available/
Hope this helps!
Kindly let us know if the above helps or you need further assistance on this issue.
Please don’t forget to "Accept the answer" wherever the information provided helps you, this can be beneficial to other community members.
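The evaluation behaviour the answer above describes, written out as an added example (not code from the answer or from Microsoft): a small model of NSG outbound evaluation in which traffic to a platform endpoint is considered only against rules that name the matching AzurePlatform* tag, while everything else goes through normal priority evaluation and the default outbound rules. The endpoint addresses (168.63.129.16 for DNS, 169.254.169.254 for IMDS, the two kms.core.windows.net addresses for LKM) are the documented ones; the VirtualNetwork/Internet handling is a deliberate simplification, and the rule names and sample addresses are constructed for the demonstration. The `to_arm_security_rule` helper renders a rule in the `securityRules` shape an NSG resource takes, so the tag-based deny can be copied into a template.

```python
"""Model of how an Azure NSG treats platform traffic (constructed example).

Rule of thumb being modelled: traffic to AzurePlatformDNS / AzurePlatformIMDS /
AzurePlatformLKM is exempt from ordinary NSG rules and is only affected by a
rule whose destination is that exact service tag. Everything else is evaluated
by priority, followed by the default outbound rules.
"""
import ipaddress
from dataclasses import dataclass

# Documented platform endpoints. Ports, for reference: DNS 53, IMDS 80, LKM 1688.
PLATFORM_TAGS = {
    "AzurePlatformDNS": ["168.63.129.16/32"],
    "AzurePlatformIMDS": ["169.254.169.254/32"],
    "AzurePlatformLKM": ["20.118.99.224/32", "40.83.235.53/32"],
}


@dataclass
class Rule:
    name: str
    priority: int
    access: str           # "Allow" or "Deny"
    destination: str      # CIDR, "*", VirtualNetwork/Internet, or a service tag
    dest_port: str = "*"  # single port number or "*"


# Azure's built-in outbound rules (priorities are the real defaults).
DEFAULT_OUTBOUND = [
    Rule("AllowVnetOutBound", 65000, "Allow", "VirtualNetwork"),
    Rule("AllowInternetOutBound", 65001, "Allow", "Internet"),
    Rule("DenyAllOutBound", 65500, "Deny", "*"),
]

# Assumed VNet address space, used only to resolve the VirtualNetwork tag here.
VNET = ipaddress.ip_network("10.0.0.0/8")


def platform_tag_for(dst_ip):
    """Return the AzurePlatform* tag covering dst_ip, or None for ordinary traffic."""
    ip = ipaddress.ip_address(dst_ip)
    for tag, cidrs in PLATFORM_TAGS.items():
        if any(ip in ipaddress.ip_network(c) for c in cidrs):
            return tag
    return None


def rule_matches(rule, dst_ip, dst_port):
    if rule.dest_port != "*" and int(rule.dest_port) != dst_port:
        return False
    if rule.destination == "*":
        return True
    if rule.destination in PLATFORM_TAGS:
        return platform_tag_for(dst_ip) == rule.destination
    if rule.destination in ("VirtualNetwork", "Internet"):
        in_vnet = ipaddress.ip_address(dst_ip) in VNET
        return in_vnet if rule.destination == "VirtualNetwork" else not in_vnet
    return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.destination)


def evaluate_outbound(rules, dst_ip, dst_port):
    """Return "Allow" or "Deny" for one outbound flow under the given custom rules."""
    tag = platform_tag_for(dst_ip)
    if tag:
        # Platform traffic: only rules naming this exact tag are considered;
        # a "*" deny or a CIDR deny on the same address does not apply.
        candidates = [r for r in rules if r.destination == tag]
        default = "Allow"
    else:
        candidates = rules + DEFAULT_OUTBOUND
        default = "Deny"
    for r in sorted(candidates, key=lambda r: r.priority):
        if rule_matches(r, dst_ip, dst_port):
            return r.access
    return default


def to_arm_security_rule(rule):
    """Render a Rule as a securityRules entry for a Microsoft.Network/networkSecurityGroups resource."""
    return {
        "name": rule.name,
        "properties": {
            "priority": rule.priority,
            "direction": "Outbound",
            "access": rule.access,
            "protocol": "*",
            "sourceAddressPrefix": "*",
            "sourcePortRange": "*",
            "destinationAddressPrefix": rule.destination,
            "destinationPortRange": rule.dest_port,
        },
    }


# Constructed rule sets used in the demonstration.
LOCKED_DOWN = [Rule("DenyAllOutboundCustom", 100, "Deny", "*")]
DENY_IMDS_CIDR = [Rule("DenyImdsByCidr", 100, "Deny", "169.254.169.254/32")]
DENY_IMDS_TAG = [Rule("DenyImdsByTag", 100, "Deny", "AzurePlatformIMDS", "80")]

if __name__ == "__main__":
    flows = [("93.184.216.34", 443), ("168.63.129.16", 53), ("169.254.169.254", 80)]
    for label, rules in [("locked down", LOCKED_DOWN), ("deny IMDS by CIDR", DENY_IMDS_CIDR),
                         ("deny IMDS by tag", DENY_IMDS_TAG)]:
        print(label, {f"{ip}:{port}": evaluate_outbound(rules, ip, port) for ip, port in flows})
    print(to_arm_security_rule(DENY_IMDS_TAG[0]))
```

Running it shows the three outcomes the answer describes: a blanket outbound deny blocks the Internet flow but leaves DNS and IMDS reachable, a CIDR deny on 169.254.169.254 changes nothing for IMDS, and only the AzurePlatformIMDS rule denies IMDS, while DNS and ordinary Internet traffic are untouched by it.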