HLT

Reputation: 607

StorageError: Forbidden - Azure DevOps

I am trying to deploy a NodeJS Application to a Function App via Azure DevOps but I am getting the following error on the deploy stage:

StorageError: Forbidden

My Storage Account is inside a Virtual Network (as is my function app) and has some firewall rules associated with it.

If I change the settings on my storage account to Public network access - Enabled from all networks then the Pipeline works. What IP addresses do I need to add to the storage account firewall to make this work?

Upvotes: 0

Views: 779

Answers (1)

Jane Ma-MSFT

Reputation: 5242

You can download the IP addresses of Microsoft-hosted agents from the weekly JSON file. Here is an example to get it using C# code. The Microsoft-hosted agents don't have constant IP addresses. This file is updated every week.

If you are using network security groups or Azure Firewall, you can use the service tag Azure.Cloud. This tag is used to allow all inbound traffic. However, we don't recommend this in most scenarios since this means allowing traffic from all Azure IPs, including those used by other Azure customers.

If you can add a network rule in a pipeline (for example, if you are using NSG, then you can use Azure CLI to create a network rule), you can use the following PowerShell script to get the current agent IP address, then add it to the network rule before deployment and remove this rule at the end of the pipeline:

$IP = Invoke-RestMethod https://ipinfo.io/json | Select-Object -ExpandProperty ip  # public IP of the current agent, fetched over HTTPS

Lastly, if you do not have to use a Microsoft-hosted agent, it is also a good choice to use an Azure virtual machine scale set agent or a self-hosted agent that is in the same virtual network as your storage account.

Upvotes: 1
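
The add-rule, deploy, remove-rule sequence described in the answer, applied to the storage account firewall from the question. This is an added example, not code from the original answer. It assumes the script runs in a pipeline step where the Azure CLI is already signed in; the resource names, the `$Deploy` script block and the 30-second wait are placeholders and assumptions.

```powershell
# Added example: resource names below are placeholders, not values from the question.
param(
    [string]$ResourceGroup  = '<resource-group>',
    [string]$StorageAccount = '<storage-account>',
    [scriptblock]$Deploy    = { Write-Host 'deployment step goes here' }
)

$ErrorActionPreference = 'Stop'

# Ask an external service for the agent's current public IP (same service as the answer, over HTTPS).
$ip = Invoke-RestMethod -Uri 'https://ipinfo.io/json' | Select-Object -ExpandProperty ip

# The value comes from a third party and is about to become a firewall rule,
# so accept it only if it is a single IPv4 address in canonical dotted form.
$parsed = $null
if (-not [System.Net.IPAddress]::TryParse($ip, [ref]$parsed) -or
    $parsed.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork -or
    $parsed.ToString() -ne $ip) {
    throw "Unexpected value for agent IP: '$ip'"
}
$agentIp = $parsed.ToString()

$ruleAdded = $false
try {
    # Temporarily allow this agent through the storage account firewall.
    az storage account network-rule add `
        --resource-group $ResourceGroup --account-name $StorageAccount `
        --ip-address $agentIp --output none
    if ($LASTEXITCODE -ne 0) { throw 'Failed to add storage firewall rule' }
    $ruleAdded = $true

    # Assumption: allow a short delay for the new rule to take effect.
    Start-Sleep -Seconds 30

    & $Deploy
}
finally {
    # Always remove the temporary rule, even when the deployment fails,
    # so the agent's address does not stay on the allow list.
    if ($ruleAdded) {
        az storage account network-rule remove `
            --resource-group $ResourceGroup --account-name $StorageAccount `
            --ip-address $agentIp --output none
    }
}
```

Storage account IP rules do not apply to requests that originate in the same Azure region as the storage account, so this only helps when the agent runs in a different region.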
