Azure RM Network Security Tags: what can they be?

On this documentation page here regarding Network Security Rules, it says:

destination_address_prefix (Optional) CIDR or destination IP range or * to match any IP. Tags such as ‘VirtualNetwork’, ‘AzureLoadBalancer’ and ‘Internet’ can also be used. Besides, it also supports all available Service Tags like ‘Sql.WestEurope‘, ‘Storage.EastUS‘, etc. You can list the available service tags with the cli: shell az network list-service-tags --location westcentralus . For further information please see Azure CLI - az network list-service-tags. This is required if destination_address_prefixes is not specified.

It is unclear to me what tags are available that are not part of the az network list-service-tags list. For instance, Internet is not part of the list, nor is AzureLoadBalancer or VirtualNetwork. These are all of the examples given that are not part of the az network list-service-tags command. But what other options are there??

Specifically in my case, I wanted to know if I could say Subnet, to specify anything in the subnet where I place the network security group. But I think it would be helpful to everyone if the list of tags beyond those available from az network list-service-tags were provided.

To be clear, I want to know what tags can be used beyond service tags. Eg, the documentation gives a few examples. But are there others? Are these examples just a subset of acceptable non-service tags? Or the entire set? The documentation is unclear.