More and more users now choose to integrate App Service with Azure DevOps to streamline the build and deployment process of their applications. The SCM site is the engine behind App Service deployment: the release pipeline in Azure DevOps deploys code to the SCM site of an app. In most scenarios the SCM site is reachable from the public internet, so securing access to it matters. You can enable access restrictions on the SCM site or set up another firewall solution to control incoming traffic.
Here we walk through how to identify and allow-list deployment traffic from Azure Pipelines to the SCM site with access restrictions. The same rules apply when you configure them in other firewall solutions.
Identify IP ranges coming from the deployment traffic
Before we get into the topic, let us look at how Azure Pipelines deploys your code. Azure Pipelines uses agents to deploy your application. An agent is a VM or a container with the agent software installed that runs the pipeline jobs. There are three types of agents Azure Pipelines can use to build and deploy your code:
- Microsoft-hosted agent
- Self-hosted agents
- VMSS agents
You can check which type of agents your pipelines use in Azure DevOps >> Project settings >> Agent pools.
If the pipelines use self-hosted agents or VMSS agents, you control the agent infrastructure and can determine the outbound IPs of the agents yourself.
If the pipelines use Microsoft-hosted agents (in the Azure Pipelines agent pool) to deploy your code, which is the default scenario, note that the IP ranges used by Microsoft-hosted agents are subject to change because they are part of the Azure global network. Azure publishes a weekly JSON file listing the IP ranges of Azure datacenters, broken out by region. You can find the IP ranges used by agents in the same region as your DevOps organization by looking up the entry named AzureCloud.<region> in that JSON file, for example AzureCloud.westus.
Because the IPs of Microsoft-hosted agents are part of the "AzureCloud" service tag, you can also identify them by retrieving the "AzureCloud" service tag for the region of your Azure DevOps organization with the following PowerShell cmdlets (for example, if your DevOps organization is in "westus"):
$serviceTags = Get-AzNetworkServiceTag -Location westus
$azureCloud = $serviceTags.Values | Where-Object { $_.Name -eq "AzureCloud.westus" }
$azureCloud.Properties.AddressPrefixes
Please note that the IPs of Azure Pipelines (Microsoft-hosted agents) are not part of the "AzureDevOps" service tag. The "AzureDevOps" service tag only includes the inbound IPs of the DevOps service, meaning those IPs are the destination addresses of network traffic, not the sources of deployment traffic.
Set access restriction rules based on the identified IP ranges
For self-hosted agents or VMSS agents, add allow rules for the outbound IPs of the agents to the SCM site.
For Microsoft-hosted agents, you can allow the traffic by allow-listing the "AzureCloud" service tag for the SCM site in the Azure Portal.
If you use Microsoft-hosted agents but do not want to allow every IP in the "AzureCloud" service tag (which covers all outbound IPs of Azure datacenters) to reach your web app, you can specify the individual IP ranges in the access restriction rules or other firewall rules. Because the list of IP ranges for a region is long, you can automate adding the access restriction rules with the following PowerShell cmdlets (for example, if your DevOps organization is in "westus"):
# Get all outbound IP ranges of Azure datacenters in your region.
$serviceTags = Get-AzNetworkServiceTag -Location westus
$azureCloud = $serviceTags.Values | Where-Object { $_.Name -eq "AzureCloud.westus" }
$addressPrefixes = $azureCloud.Properties.AddressPrefixes

# Add an allow rule on the SCM site for each retrieved IP range.
foreach ($address in $addressPrefixes) {
    try {
        Add-AzWebAppAccessRestrictionRule -ResourceGroupName "ResourceGroup" -WebAppName "AppName" -TargetScmSite -Name "azure pipeline rule" -Priority 100 -Action Allow -IpAddress $address
    }
    catch {
        # Report the failing range and the reason so it can be retried or investigated.
        Write-Host "$address was not added successfully: $($_.Exception.Message)"
    }
}
As mentioned before, the IP ranges used by Microsoft-hosted agents are subject to change. You do not have to track them if you use the "AzureCloud" service tag, but if the rules specify exact IP ranges, remember to update them regularly.
To summarize, the IPs of Azure Pipelines (Microsoft-hosted agents) are not static: either include them in the broader scope of the "AzureCloud" service tag to reduce management overhead, or update the explicit IP ranges regularly for more granular protection.
Update on 3/26/2024
Right now, Microsoft-hosted agents are not able to use service tags. We'll need to follow the IP range allow-listing method.
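Since the explicit IP ranges have to be refreshed from the weekly JSON file, the following added Python example (not code from the original article) reads an AzureCloud.<region> entry from a file in that format, computes the delta against the rules already on the SCM site so only changed ranges are pushed, and checks whether a given source address, such as one from a blocked-request log, falls inside the allowed ranges. The embedded JSON sample is constructed in the shape of the published file; its prefixes are illustrative, not real Azure ranges.

```python
import ipaddress
import json

# Constructed sample in the shape of the weekly Azure IP-ranges ("Service Tags")
# JSON: values[].name and values[].properties.addressPrefixes. Real files hold
# hundreds of prefixes per region; these addresses are illustrative only.
SAMPLE_JSON = json.dumps({"changeNumber": 1, "cloud": "Public", "values": [
    {"name": "AzureCloud.westus", "properties": {"region": "westus",
     "addressPrefixes": ["13.64.0.0/16", "40.112.128.0/17", "2603:1030:a00::/47"]}},
    {"name": "AzureCloud.eastus", "properties": {"region": "eastus",
     "addressPrefixes": ["20.42.0.0/17"]}}]})

# App Service documents a per-site cap on access restriction rules (512 at the
# time of writing); re-check the current limit before relying on this number.
MAX_RULES = 512


def region_prefixes(service_tags_json: str, region: str) -> set[str]:
    """Return the AzureCloud.<region> address prefixes from a Service Tags file."""
    wanted = f"AzureCloud.{region}"
    for entry in json.loads(service_tags_json)["values"]:
        if entry["name"] == wanted:
            return set(entry["properties"]["addressPrefixes"])
    raise KeyError(f"{wanted} not present in this file")


def plan_rule_updates(current_rules: set[str], prefixes: set[str]) -> tuple[set[str], set[str]]:
    """Diff the rules already on the SCM site against this week's prefixes.

    Returns (prefixes to add, stale rules to remove) so only the delta is
    pushed instead of re-adding every range on each run."""
    if len(prefixes) > MAX_RULES:
        raise ValueError(f"{len(prefixes)} prefixes exceed the {MAX_RULES}-rule limit")
    return prefixes - current_rules, current_rules - prefixes


def source_is_allowed(source_ip: str, prefixes: set[str]) -> bool:
    """Check whether a source address (e.g. one from a blocked-request log on
    the SCM site) falls inside any allowed prefix. An IPv4 address is never a
    member of an IPv6 network and vice versa, so both families can share one list."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(p, strict=False) for p in prefixes)
```

With the downloaded file, pass `open(path, encoding="utf-8").read()` to `region_prefixes` and feed the returned set to `plan_rule_updates` together with the IpAddress values of the rules currently on the SCM site.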
For more information:
Microsoft-hosted agents - Networking
Set up Azure App Service access restrictions