evgeny

Reputation: 1135

Azure DevOps IP addresses

I have an application running on a Web App that needs to communicate with an Azure DevOps Microsoft-hosted agent. I've set some IP restrictions to deny everything and am now in the process of whitelisting the agent's IPs. When I read this page, it refers to a weekly JSON that contains objects for everything I need (CIDRs per region). I've parsed the JSON and added them to my allow list; however, the agent's public IP address is not from the ranges mentioned in the JSON. The way I checked was by running a bash task on the agent to curl icanhazip.com. Does anyone know if the list is complete, or should I look somewhere else?

I.e., an example in my case:

I use this data (since my ADO org is in West Europe):

{
  "name": "AzureDevOps.WestEurope",
  "id": "AzureDevOps.WestEurope",
  "properties": {
    "changeNumber": 1,
    "region": "westeurope",
    "regionId": 18,
    "platform": "Azure",
    "systemService": "AzureDevOps",
    "addressPrefixes": [
      "40.74.28.0/23"
    ],
    "networkFeatures": null
  }
}

but the agent initiates the connection from the IP 20.238.71.171, which is not in any of the CIDRs provided by that JSON file (I checked all other regions with ADO).

Any thoughts / help?

Upvotes: 5

Views: 18789

Answers (3)

Thanos

Reputation: 1778

I know this is an old question, but since I ended up here I thought of sharing the code that I used, based on the proposed solution.

I used the Azure CLI az keyvault network-rule module to add and remove the public agent IP.

Sample of code:

- task: AzureCLI@2
  displayName: "Adding Virtual Agent Public Allowed IP Firewall list of KV."
  inputs:
    scriptType: "pscore"
    scriptLocation: "inlineScript"
    azureSubscription: $(azureSubscription)
    inlineScript: |
      # Ask an external echo service which public IP this agent egresses from.
      $agentHostPublicIp = (Invoke-WebRequest ifconfig.me/ip).Content.Trim()
      Write-Output "Public IP of agent to add: $agentHostPublicIp"
      # No --no-wait here: the next task needs the rule to be in place before it reads secrets.
      az keyvault network-rule add --name $(vg_vault_name) --ip-address $agentHostPublicIp --resource-group $(vg_resource_group_name)

- task: AzureKeyVault@2
  displayName: "Download from Azure Key Vault '$(vg_vault_name)' secrets."
  inputs:
    azureSubscription: $(azureSubscription)
    KeyVaultName: $(vg_vault_name)
    SecretsFilter: "*" # string. Required. Secrets filter. Default: *.
    RunAsPreJob: false

- task: AzureCLI@2
  displayName: "Removing Virtual Agent Public Allowed IP Firewall list of KV."
  condition: always() # Run this task, even if the previous one failed
  inputs:
    scriptType: "pscore"
    scriptLocation: "inlineScript"
    azureSubscription: $(azureSubscription)
    inlineScript: |
      # Look the IP up again rather than trusting a variable: the removal must work even if the add step failed half-way.
      $agentHostPublicIp = (Invoke-WebRequest ifconfig.me/ip).Content.Trim()
      Write-Output "Public IP of agent to remove: $agentHostPublicIp"
      az keyvault network-rule remove --name $(vg_vault_name) --ip-address $agentHostPublicIp --no-wait --resource-group $(vg_resource_group_name)

As a next step you can use whatever secrets you have pulled from the vault.

Sample from the official documentation: Use Azure Key Vault secrets in Azure Pipelines

This solution assumes that the user is using Azure Public Agents and not Hosted Agents. In case the user is using Hosted Agents, they simply need to add the public IP(s) of the Agent(s) once, with no need to remove them again.

Upvotes: 2

Max CHien

Reputation: 143

If you mean the MS-hosted agent: you should use the AzureCloud service tag.

The IP address ranges for the hosted agents are listed in the weekly file under AzureCloud.<region>, such as AzureCloud.westus for the West US region.

Docs: https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/hosted?view=azure-devops&tabs=yaml#networking

Upvotes: 1
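The check the question describes by hand (is the agent's IP inside any prefix of a given tag?) can be scripted against the weekly file. The following is an added example, not code from the question or the answers: it loads the file, reports every service tag whose prefixes contain an IP, and returns the allow list for one tag split by IP version. The embedded excerpt is constructed to look like the real file; the AzureDevOps.WestEurope entry is the one quoted in the question, while the AzureCloud.westeurope prefixes are invented for this example and chosen so that 20.238.71.171 falls inside one of them, and so that the AzureCloud tag is a superset of the AzureDevOps one, as it is in the real file.

```python
"""Which Azure service tag(s) contain a given IP?

Input is the weekly "Azure IP Ranges and Service Tags - Public Cloud" JSON
(https://www.microsoft.com/en-us/download/details.aspx?id=56519): a top-level
"values" array whose entries carry properties.addressPrefixes, exactly as in
the fragment quoted in the question.
"""
import ipaddress
import json
import sys

# Constructed excerpt in the shape of the weekly file (NOT real data except the
# AzureDevOps.WestEurope prefix quoted in the question).
SAMPLE_SERVICE_TAGS = json.dumps({
    "changeNumber": 1,
    "cloud": "Public",
    "values": [
        {"name": "AzureDevOps.WestEurope", "id": "AzureDevOps.WestEurope",
         "properties": {"region": "westeurope", "systemService": "AzureDevOps",
                        "addressPrefixes": ["40.74.28.0/23"]}},
        {"name": "AzureCloud.westeurope", "id": "AzureCloud.westeurope",
         "properties": {"region": "westeurope", "systemService": "",
                        # constructed: covers 20.238.71.171 and the AzureDevOps /23
                        "addressPrefixes": ["13.69.0.0/17", "20.238.64.0/19",
                                            "40.74.0.0/18", "2603:1020:200::/47"]}},
    ],
})


def tag_networks(doc):
    """Map each service tag name to its parsed IPv4/IPv6 networks."""
    nets = {}
    for entry in doc.get("values", []):
        prefixes = entry.get("properties", {}).get("addressPrefixes", [])
        nets[entry["name"]] = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return nets


def matching_tags(doc, ip):
    """Return (tag, prefix) pairs whose ranges contain ip, most specific prefix first."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for name, nets in tag_networks(doc).items():
        for net in nets:
            # ip_address/ip_network refuse cross-version containment checks, so filter first
            if addr.version == net.version and addr in net:
                hits.append((name, str(net)))
    # Longest prefix first: a service-specific tag sorts above the regional superset.
    hits.sort(key=lambda hit: -ipaddress.ip_network(hit[1]).prefixlen)
    return hits


def allow_list(doc, tag, version=4):
    """Prefixes of one tag for one IP version (access-restriction rules take one family at a time)."""
    return [str(net) for net in tag_networks(doc)[tag] if net.version == version]


def main(argv):
    if len(argv) != 3:
        print(f"usage: {argv[0]} ServiceTags_Public.json <ip>", file=sys.stderr)
        return 2
    path, ip = argv[1], argv[2]
    with open(path) as fh:
        doc = json.load(fh)
    hits = matching_tags(doc, ip)
    if not hits:
        print(f"{ip} is not inside any prefix in {path}")
        return 1
    for tag, prefix in hits:
        print(f"{ip} is in {tag} via {prefix}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 tagcheck.py ServiceTags_Public_<date>.json 20.238.71.171` against the downloaded file. Against the constructed excerpt, the agent IP from the question matches only AzureCloud.westeurope, and an address inside 40.74.28.0/23 matches both tags with the AzureDevOps one listed first, which is the point of the answer above: the hosted agents egress from the regional AzureCloud ranges, not from the AzureDevOps tag.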

silent

Reputation: 16148

You would need to whitelist ALL ranges from, for instance, Azure West Europe. Those are a lot of different IP ranges, as Azure DevOps hosted agents do not have a service tag.

Since this opens up your firewall to literally every VM running in West Europe, this is usually not really desired, as it is just a bit short of opening up your App to the entire world.

Hence, what people usually do is the following:

  1. First task in a build job: fetch the public IP address of the executing build agent, using something like ipify.org
  2. Use the AZ CLI to add this IP as a single-IP allow rule to your app
  3. Do your deployment etc
  4. Remove the IP rule again

Upvotes: 18
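The four steps above, written out for the asker's App Service Web App as an added example (this is not the answerer's code, and it is the Web App counterpart of the Key Vault pipeline in the other answer). It assumes a service connection variable named azureSubscription and pipeline variables webAppName and resourceGroup; the health URL in the middle step is a placeholder for whatever the job really needs to reach.

```yaml
# Added example: allow only this agent's egress IP for the duration of one job.
steps:
  - task: AzureCLI@2
    displayName: Allow this agent's public IP on the Web App
    inputs:
      azureSubscription: $(azureSubscription)
      scriptType: bash
      scriptLocation: inlineScript
      inlineScript: |
        set -euo pipefail
        agent_ip=$(curl -fsS https://api.ipify.org)
        echo "agent egress IP: $agent_ip"
        # One rule per run, named after the build, so parallel jobs on agents that
        # happen to share an IP never remove each other's rule.
        az webapp config access-restriction add \
          --resource-group "$(resourceGroup)" --name "$(webAppName)" \
          --rule-name "ado-agent-$(Build.BuildId)" --action Allow \
          --ip-address "$agent_ip/32" --priority 100
        # Add --scm-site as well if the job deploys through Kudu and the SCM site
        # has its own restriction list.

  - script: |
      # Placeholder for the real work: deployment, smoke test, integration tests.
      curl -fsS "https://$(webAppName).azurewebsites.net/"
    displayName: Deploy / call the app

  - task: AzureCLI@2
    displayName: Remove the agent IP rule
    condition: always()   # cleanup must run even when the step above fails
    inputs:
      azureSubscription: $(azureSubscription)
      scriptType: bash
      scriptLocation: inlineScript
      inlineScript: |
        az webapp config access-restriction remove \
          --resource-group "$(resourceGroup)" --name "$(webAppName)" \
          --rule-name "ado-agent-$(Build.BuildId)"
```

Removing by rule name rather than by IP is deliberate: hosted agents are recycled, so a second job can start from the same address while the first is still running, and a removal keyed on the IP would take the other job's rule with it. If a run is cancelled before the cleanup step, the rule stays behind; a scheduled job that deletes every rule named `ado-agent-*` older than a day is the usual backstop.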
