If you configure a restricted NSG without the “Internet” service tag on Azure Stack, you need to take 169.254.169.254 and 168.63.129.16 into account. This entry summarizes my investigation of 169.254.169.254 and 168.63.129.16 on Azure Stack.
ASDK 1908 in @syuheiuda’s physical container
169.254.169.254 is the instance metadata service. A virtual machine needs to reach 169.254.169.254 during the deployment process. If the NSG attached to the virtual machine blocks outbound traffic to 169.254.169.254, the deployment of that virtual machine times out and fails.
In Azure, an NSG permits traffic to 169.254.169.254 implicitly. In Azure Stack, an NSG does not allow traffic to 169.254.169.254 implicitly. You need to add “169.254.169.254” or “Internet” to the NSG to allow the traffic to 169.254.169.254.
168.63.129.16 provides DHCP, DNS and other platform services in the VNet. 168.63.129.16 is also not permitted implicitly by an NSG. If the NSG blocks traffic to 168.63.129.16 and a virtual machine uses the default DNS server, that virtual machine can’t resolve FQDNs.
In Azure, 168.63.129.16 is part of the “VirtualNetwork” service tag. In Azure Stack, 168.63.129.16 is not part of “VirtualNetwork”. You need to add “168.63.129.16” or “Internet” to the NSG to allow the traffic to 168.63.129.16.
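To make the difference between the two platforms concrete, here is an added example (not from the original post or from Microsoft) that simulates how an NSG's outbound rules are evaluated for the two platform addresses. It models only the behaviours described above: first match by priority wins, Azure permits 169.254.169.254 implicitly, and only Azure folds 168.63.129.16 into the “VirtualNetwork” tag. The rule sets, the VNet prefix 10.0.0.0/16 and the rule names are constructed for the demonstration; the simplified treatment of the “Internet” tag as “everything outside the VNet” is an assumption.

```python
"""Simulate NSG outbound evaluation for the two platform addresses a VM needs:
169.254.169.254 (instance metadata) and 168.63.129.16 (DHCP/DNS).
Constructed example; it models only the behaviours described in the post."""
import ipaddress
from dataclasses import dataclass

IMDS = ipaddress.ip_address("169.254.169.254")
WIRESERVER = ipaddress.ip_address("168.63.129.16")   # DHCP/DNS endpoint in the VNet


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int          # lower number = evaluated first
    access: str            # "Allow" or "Deny"
    destination: str       # CIDR/IP, "*", or the tags "Internet"/"VirtualNetwork"


# The default outbound rules every NSG carries (priorities 65000-65500).
DEFAULT_OUTBOUND = [
    Rule("AllowVnetOutBound", 65000, "Allow", "VirtualNetwork"),
    Rule("AllowInternetOutBound", 65001, "Allow", "Internet"),
    Rule("DenyAllOutBound", 65500, "Deny", "*"),
]


def destination_matches(dest, ip, platform, vnet):
    """Does rule destination `dest` cover address `ip` on the given platform?"""
    if dest == "*":
        return True
    if dest == "Internet":
        return ip not in vnet          # assumption: everything outside the VNet space
    if dest == "VirtualNetwork":
        if ip in vnet:
            return True
        # Only Azure folds 168.63.129.16 into the VirtualNetwork tag; Azure Stack does not.
        return platform == "azure" and ip == WIRESERVER
    return ip in ipaddress.ip_network(dest, strict=False)


def outbound_allowed(rules, ip, platform, vnet_prefix="10.0.0.0/16"):
    """First matching rule by priority wins; platform quirks are applied first."""
    if platform not in ("azure", "azurestack"):
        raise ValueError("platform must be 'azure' or 'azurestack'")
    vnet = ipaddress.ip_network(vnet_prefix)
    if platform == "azure" and ip == IMDS:
        return True                    # Azure permits IMDS regardless of NSG rules
    for rule in sorted(list(rules) + DEFAULT_OUTBOUND, key=lambda r: r.priority):
        if destination_matches(rule.destination, ip, platform, vnet):
            return rule.access == "Allow"
    return False                       # not reached: DenyAllOutBound always matches


def platform_reachability(rules, platform):
    """Report whether a VM behind `rules` can reach both platform addresses."""
    return {
        "imds": outbound_allowed(rules, IMDS, platform),
        "dhcp_dns": outbound_allowed(rules, WIRESERVER, platform),
    }


# Constructed "restricted" NSG: VNet-only egress, everything else denied.
RESTRICTED = [
    Rule("AllowVnetOnly", 100, "Allow", "VirtualNetwork"),
    Rule("DenyEverythingElse", 4096, "Deny", "*"),
]

# Same NSG plus the explicit /32 allows the post recommends for Azure Stack.
# Their priorities must be numerically lower than the deny rule's (4096).
RESTRICTED_FIXED = RESTRICTED + [
    Rule("AllowIMDS", 110, "Allow", "169.254.169.254/32"),
    Rule("AllowDhcpDns", 120, "Allow", "168.63.129.16/32"),
]

# The post's other option: allow the "Internet" tag ahead of the deny rule.
WITH_INTERNET_TAG = [
    Rule("AllowInternetEgress", 100, "Allow", "Internet"),
    Rule("DenyEverythingElse", 4096, "Deny", "*"),
]

if __name__ == "__main__":
    for label, rules in (("restricted", RESTRICTED), ("fixed", RESTRICTED_FIXED),
                         ("internet-tag", WITH_INTERNET_TAG)):
        for platform in ("azure", "azurestack"):
            print(f"{label:12s} {platform:10s} {platform_reachability(rules, platform)}")
```

Running it shows the restricted rule set reaching both addresses on Azure but neither on Azure Stack, while either of the two corrected rule sets restores both. The point to check in a real NSG is the same one the simulation encodes: the allow rules for the two addresses must sit at a lower priority number than the deny rule that restricts egress, or they never match.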