The Service Engine subnet should allow incoming TCP connections on port 7 from the IP address 168.63.129.16. This is used by Azure to probe the Service Engine health.

For more information, see Ports and Protocols used by NSX Advanced Load Balancer for Management communication.