Add documents how to allow connectivity to oryx-cdn.microsoft.io with NSG

[georgeOsdDev]

Feature Request

App Service has network dependency to oryx-cdn.microsoft.io.
https://github.com/microsoft/Oryx/blob/main/doc/hosts/appservice.md#network-dependencies

When using App Service with a Virtual Network or an App Service Environment, you will need to allow outbound access from the webapp to oryx-cdn.microsoft.io on port 443

This will be inconsistent if NSG have denyAll outbound rule to Internet. We need to change NSG to allow connect to access internet and use firewall to verify output connection.

Currently NSG does not support FQDN rule.
So it is happy if we can have ip address list of oryx-cdn.microsoft.io or ServiceTag which cover oryx-cdn.microsoft.io.

From nslookup command, we can see that oryx-cdn.microsoft.io was hosted by Azure FrontDoor and TrafficManager.
So I think IP address is not fixed. And serviceTag “AzureFrontDoor.Frontend” may cover range of IP addresses which used by oryx-cdn.microsoft.io.

$ nslookup oryx-cdn.microsoft.io
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
oryx-cdn.microsoft.io   canonical name = oryx-cdn.azureedge.net.
oryx-cdn.azureedge.net  canonical name = oryx-cdn.afd.azureedge.net.
oryx-cdn.afd.azureedge.net      canonical name = firstparty-azurefd-prod.trafficmanager.net.
firstparty-azurefd-prod.trafficmanager.net      canonical name = dual.part-0018.t-0009.t-msedge.net.
dual.part-0018.t-0009.t-msedge.net      canonical name = part-0018.t-0009.t-msedge.net.
Name:   part-0018.t-0009.t-msedge.net
Address: 13.107.246.46
Name:   part-0018.t-0009.t-msedge.net
Address: 13.107.213.46
Name:   part-0018.t-0009.t-msedge.net
Address: 2620:1ec:bdf::46
Name:   part-0018.t-0009.t-msedge.net
Address: 2620:1ec:46::46