Pandurang Vadane

Reputation: 1

How can I connect an Azure DevOps Microsoft-hosted agent pool to an AWS Network Security Group (NSG) that blocks public IPs?

I am using the Microsoft-hosted agent pool to run an Azure pipeline. In the pipeline YAML, I have included a task (task: SSH@0) to connect to an AWS EC2 instance. However, the AWS Network Security Group is configured to block public IP addresses. I attempted to register the Azure DevOps public IPs in the AWS NSG, but this approach did not work.

I want to establish a connection between Azure Pipeline and an AWS EC2 instance by adding the Azure DevOps public IP range to the AWS Network Security Group, which currently blocks all public IPs (0.0.0.0/0).

  1. I’ve tried setting up a service connection between Azure DevOps and an AWS EC2 instance, but it didn’t work.

  2. I’ve also added the Azure IP Ranges and Service Tags for the public cloud to the AWS NSG inbound rules, but it didn’t help.

Upvotes: -1

Views: 225

Answers (1)

Miao Tian-MSFT

Reputation: 5557

You can refer to the following steps to dynamically add the agent IP to the AWS Network Security Group.

  1. Get the IP of the current agent and set it as a variable.
  2. Add the IP to the AWS Network Security Group with the AWSCLI task using the aws ec2 authorize-security-group-ingress command. Here is a sample of the command.
  3. Run the SSH task to connect to an AWS EC2 instance.
  4. Remove the IP from the AWS Network Security Group with the AWSCLI task using the aws ec2 revoke-security-group-ingress command. Here is a sample of the command.

Here is a possible sample YAML:

trigger:
- none

pool:
  vmImage: 'ubuntu-latest'

steps:
# Get the IP of the current agent and set it as a variable.
- task: PowerShell@2
  displayName: Get the IP of current agent
  inputs:
    targetType: 'inline'
    script: |
      # Use HTTPS: the returned address becomes a firewall rule, so it must not be alterable in transit.
      $IP = Invoke-RestMethod https://ipinfo.io/json | Select-Object -ExpandProperty ip
      $IP
      Write-Host "##vso[task.setvariable variable=IP]$IP"

# Open TCP/22 for this agent's address only (/32).
- task: AWSCLI@1
  displayName: 'Add IP to AWS Security Group'
  inputs:
    awsCredentials: 'your-service-connection'
    regionName: 'your-region'
    awsCommand: 'ec2'
    awsSubCommand: 'authorize-security-group-ingress'
    awsArguments: '--group-id your-security-group-id --protocol tcp --port 22 --cidr $(IP)/32'

# Connect to an AWS EC2 instance with the SSH task and do what you need to do.
- task: SSH@0
  inputs:
    sshEndpoint: 'your-ssh-endpoint'
    runOptions: 'commands'
    commands: 'your-commands'

# condition: always() makes the revoke run even when the SSH task fails,
# so a failed job does not leave port 22 open to the agent's IP.
- task: AWSCLI@1
  displayName: 'Remove IP from AWS Security Group'
  condition: always()
  inputs:
    awsCredentials: 'your-service-connection'
    regionName: 'your-region'
    awsCommand: 'ec2'
    awsSubCommand: 'revoke-security-group-ingress'
    awsArguments: '--group-id your-security-group-id --protocol tcp --port 22 --cidr $(IP)/32'

Upvotes: 0
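The same open / use / close sequence written as one shell step, added here as an example and not the answerer's code, covering the two things a practitioner would check before relying on this pattern: the revoke has to run even when the SSH command fails or the job is cancelled (as separate pipeline tasks, that needs condition: always() on the revoke task), and whatever the IP lookup returns has to be validated as exactly one IPv4 address before it is spliced into an AWS CLI argument. AWS_BIN, CURL_BIN, IP_LOOKUP_URL, SECURITY_GROUP_ID, EC2_HOST and REMOTE_COMMAND are names assumed for this example; AWS_BIN defaults to the real aws CLI and is overridable so the functions can be exercised with a stub and no AWS credentials.

```shell
#!/bin/sh
# Added example, not the answerer's code. Assumed names: AWS_BIN, CURL_BIN,
# IP_LOOKUP_URL, SECURITY_GROUP_ID, EC2_HOST, REMOTE_COMMAND.
set -eu

AWS_BIN="${AWS_BIN:-aws}"             # point at a stub to exercise without credentials
CURL_BIN="${CURL_BIN:-curl}"
IP_LOOKUP_URL="${IP_LOOKUP_URL:-https://ipinfo.io/ip}"   # HTTPS: the reply becomes a firewall rule

# Accept exactly one dotted-quad IPv4 address. An HTML error page, an IPv6
# address or an empty body all fail here instead of reaching the AWS CLI.
validate_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Turn a validated address into the /32 CIDR used for the ingress rule.
agent_cidr() {
    validate_ipv4 "$1" || { echo "refusing non-IPv4 agent address: '$1'" >&2; return 1; }
    printf '%s/32\n' "$1"
}

# Open TCP/22 on the security group for one CIDR, run the given command, then
# revoke the rule however the command ends. The revoke is an EXIT trap inside
# a subshell, so a non-zero exit, set -e, or a signal from a cancelled job all
# still close the port. The command's own exit status is passed through.
with_temp_ingress() {
    sg_id="$1"; cidr="$2"; shift 2
    (
        revoke_rule() {
            "$AWS_BIN" ec2 revoke-security-group-ingress --group-id "$sg_id" \
                --protocol tcp --port 22 --cidr "$cidr" >/dev/null || true
        }
        "$AWS_BIN" ec2 authorize-security-group-ingress --group-id "$sg_id" \
            --protocol tcp --port 22 --cidr "$cidr" >/dev/null
        trap revoke_rule EXIT
        "$@"
    )
}

# Stand-alone use inside a Bash@3 step: set SECURITY_GROUP_ID and EC2_HOST in
# the task environment. Nothing below runs when they are unset.
if [ -n "${SECURITY_GROUP_ID:-}" ] && [ -n "${EC2_HOST:-}" ]; then
    agent_ip="$("$CURL_BIN" -fsS "$IP_LOOKUP_URL")"
    # Assign first so a validation failure aborts the job under set -e
    # instead of passing an empty CIDR on.
    agent_cidr_value="$(agent_cidr "$agent_ip")"
    with_temp_ingress "$SECURITY_GROUP_ID" "$agent_cidr_value" \
        ssh "$EC2_HOST" "${REMOTE_COMMAND:-uname -a}"
fi
```

The subshell-plus-trap shape is what makes the cleanup reliable: the revoke is tied to the lifetime of the step rather than to the success of the command before it. If the steps stay as separate pipeline tasks instead, the task-level equivalent is condition: always() on the revoke task; without it, a failed SSH task ends the job with the agent's address still allowed on port 22.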
