Block internet access but allow windows update to an Azure VM

Should there be a requirement to block general internet access out an Azure virtual machine but you still require the virtual machine to apply windows updates / security patches the following network security groups are required to be applied to the VM.

The following Service tags applied to the NSG:

AzureUpdateDelivery – port 443

AzureFrontDoor.FirstParty – port 80

Block internet to Any