If you configure a restricted NSG on Azure Stack that does not allow the “Internet” service tag, you need to account for two addresses: 169.254.169.254 and 168.63.129.16. This post summarizes my investigation of 169.254.169.254 and 168.63.129.16 on Azure Stack.
ASDK 1908 in @syuheiuda’s physical container
169.254.169.254 is the instance metadata service (IMDS). A virtual machine must reach 169.254.169.254 during the deployment process. If the NSG attached to the virtual machine blocks outbound traffic to 169.254.169.254, the deployment times out and fails.
In Azure, an NSG permits traffic to 169.254.169.254 implicitly. In Azure Stack, an NSG does not allow traffic to 169.254.169.254 implicitly. You need to add “169.254.169.254” or the “Internet” service tag as an allowed destination in the NSG so that traffic to 169.254.169.254 is permitted.
168.63.129.16 provides DHCP, DNS and other platform services inside the VNet. 168.63.129.16 is also not permitted implicitly by an NSG on Azure Stack. If the NSG blocks traffic to 168.63.129.16 and a virtual machine uses the default DNS server, the virtual machine cannot resolve FQDNs.
In Azure, 168.63.129.16 is included in the “VirtualNetwork” service tag. In Azure Stack, 168.63.129.16 is not part of “VirtualNetwork”. You need to add “168.63.129.16” or “Internet” to the NSG to allow traffic to 168.63.129.16.
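The following is an added example, not code from the original post: it builds a restricted outbound NSG on Azure Stack with AzureRM cmdlets (the module family in use on ASDK 1908), placing explicit allow rules for 169.254.169.254 and 168.63.129.16 ahead of a deny rule for the “Internet” tag. The resource group, NSG name and location are placeholder assumptions; the IMDS rule assumes HTTP on TCP port 80, which is how the metadata endpoint is served.

```powershell
# Added example (not the post's own code). Assumed placeholder values:
$rgName   = "rg-example"      # assumption: your resource group
$location = "local"           # assumption: ASDK region name; adjust for your stamp
$nsgName  = "nsg-restricted"  # assumption: NSG name

# 1. Instance metadata service: provisioning times out if this is blocked.
#    IMDS is plain HTTP, so TCP/80 is sufficient.
$allowImds = New-AzureRmNetworkSecurityRuleConfig -Name "Allow-IMDS-Out" `
    -Description "Instance metadata service" -Access Allow -Protocol Tcp `
    -Direction Outbound -Priority 100 -SourceAddressPrefix "*" -SourcePortRange "*" `
    -DestinationAddressPrefix "169.254.169.254" -DestinationPortRange 80

# 2. Platform address for DHCP, DNS and related services. It carries several
#    protocols, so protocol and port are left open for this single host.
$allowPlatform = New-AzureRmNetworkSecurityRuleConfig -Name "Allow-Platform-Out" `
    -Description "DHCP, DNS and platform services" -Access Allow -Protocol "*" `
    -Direction Outbound -Priority 110 -SourceAddressPrefix "*" -SourcePortRange "*" `
    -DestinationAddressPrefix "168.63.129.16" -DestinationPortRange "*"

# 3. The VNet itself. On Azure Stack this tag does NOT include 168.63.129.16,
#    which is why rule 2 is needed separately.
$allowVnet = New-AzureRmNetworkSecurityRuleConfig -Name "Allow-VNet-Out" `
    -Description "Intra-VNet traffic" -Access Allow -Protocol "*" `
    -Direction Outbound -Priority 120 -SourceAddressPrefix "*" -SourcePortRange "*" `
    -DestinationAddressPrefix "VirtualNetwork" -DestinationPortRange "*"

# 4. Deny everything else destined for the Internet tag. NSG rules are evaluated
#    in ascending priority order and the first match wins, so the explicit
#    allows above take effect before this deny.
$denyInternet = New-AzureRmNetworkSecurityRuleConfig -Name "Deny-Internet-Out" `
    -Description "Block general outbound Internet" -Access Deny -Protocol "*" `
    -Direction Outbound -Priority 4000 -SourceAddressPrefix "*" -SourcePortRange "*" `
    -DestinationAddressPrefix "Internet" -DestinationPortRange "*"

$nsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName $rgName -Location $location `
    -Name $nsgName -SecurityRules $allowImds, $allowPlatform, $allowVnet, $denyInternet

# Check: list the outbound rules in the order the platform will evaluate them.
$nsg.SecurityRules | Where-Object { $_.Direction -eq "Outbound" } |
    Sort-Object Priority |
    Format-Table Name, Priority, Access, Protocol, DestinationAddressPrefix, DestinationPortRange
```

Attach the resulting NSG to the subnet or NIC before deploying the VM; if the two allow rules are missing, the symptoms are exactly those described above (deployment timeout, failed name resolution).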