If you configure a restricted NSG without the “Internet” service tag on Azure Stack, you need to consider 169.254.169.254 and 168.63.129.16. This entry summarizes my investigation of 169.254.169.254 and 168.63.129.16 on Azure Stack.
ASDK 1908 in @syuheiuda’s physical container
169.254.169.254 is the instance metadata service. A virtual machine needs to access 169.254.169.254 during the deployment process. If the NSG attached to the virtual machine blocks outbound traffic to 169.254.169.254, the deployment of this virtual machine times out and fails.
In Azure, an NSG permits traffic to 169.254.169.254 implicitly. But in Azure Stack, an NSG doesn’t allow traffic to 169.254.169.254 implicitly. You need to add “169.254.169.254” or “Internet” as an allowed destination in the NSG to permit the traffic to 169.254.169.254.
168.63.129.16 provides DHCP, DNS and other platform services in the VNet. 168.63.129.16 is also not permitted implicitly in an NSG. If the NSG blocks traffic to 168.63.129.16 and a virtual machine uses the default DNS server, the virtual machine can’t resolve FQDNs.
In Azure, 168.63.129.16 is included in the “VirtualNetwork” service tag. But in Azure Stack, 168.63.129.16 is not in “VirtualNetwork”. You need to add “168.63.129.16” or “Internet” as an allowed destination to permit the traffic to 168.63.129.16.
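As an added example (not part of the original post), a small Python check that evaluates an NSG's outbound rules against the two platform addresses using the Azure Stack semantics described above: no implicit allow for 169.254.169.254, and 168.63.129.16 outside the “VirtualNetwork” tag. The rule format, the VNet prefix and both rule sets are constructed assumptions, and only the destination field of each rule is evaluated.

```python
import ipaddress

# Platform addresses from the post; Azure Stack NSGs do not allow them implicitly.
IMDS = "169.254.169.254"      # instance metadata service
WIRESERVER = "168.63.129.16"  # DHCP, DNS and other platform services

def _dest_matches(dest, ip, vnet_prefixes):
    """Azure Stack semantics assumed: 'VirtualNetwork' covers only the VNet address
    space, 'Internet' covers everything outside it, '*' covers all, else a CIDR."""
    addr = ipaddress.ip_address(ip)
    in_vnet = any(addr in ipaddress.ip_network(p) for p in vnet_prefixes)
    if dest == "*":
        return True
    if dest == "VirtualNetwork":
        return in_vnet
    if dest == "Internet":
        return not in_vnet
    return addr in ipaddress.ip_network(dest, strict=False)

def outbound_verdict(rules, ip, vnet_prefixes):
    """First matching rule by priority (lowest number wins) decides; no match means Deny.
    Simplification: only the destination field is evaluated, not ports or protocol."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if _dest_matches(rule["destination"], ip, vnet_prefixes):
            return rule["access"]
    return "Deny"

def check_platform_access(rules, vnet_prefixes):
    """Report whether the NSG lets a VM reach both platform addresses."""
    return {ip: outbound_verdict(rules, ip, vnet_prefixes) for ip in (IMDS, WIRESERVER)}

VNET = ["10.0.0.0/16"]  # constructed sample VNet address space
# Constructed sample: a restricted NSG that denies everything not in the VNet,
# followed by the three default outbound rules.
RESTRICTED_RULES = [
    {"priority": 100,   "access": "Allow", "destination": "VirtualNetwork"},
    {"priority": 4000,  "access": "Deny",  "destination": "*"},
    {"priority": 65000, "access": "Allow", "destination": "VirtualNetwork"},
    {"priority": 65001, "access": "Allow", "destination": "Internet"},
    {"priority": 65500, "access": "Deny",  "destination": "*"},
]
# The same NSG with the two explicit allows the post recommends, placed before the deny.
FIXED_RULES = [
    {"priority": 110, "access": "Allow", "destination": IMDS + "/32"},
    {"priority": 120, "access": "Allow", "destination": WIRESERVER + "/32"},
] + RESTRICTED_RULES

if __name__ == "__main__":
    print("restricted:", check_platform_access(RESTRICTED_RULES, VNET))
    print("fixed:     ", check_platform_access(FIXED_RULES, VNET))
```

Running it shows the restricted NSG denying both addresses, which is the deployment-timeout and DNS-failure case above, and the fixed rule set allowing both.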