Apps on Azure Blog

How to deploy your Web App from Azure Pipeline with restricted access.

Raven_Zhang
Mar 18, 2022

More and more users now choose to integrate App Service with Azure DevOps to streamline the build and deployment process of their applications. The SCM site is the engine behind App Service deployment: a release pipeline in Azure DevOps deploys code to the SCM site of an app. In most scenarios the SCM site is reachable from the public internet, so securing access to it matters. We can enable access restrictions on the SCM site or set up another firewall solution to control incoming traffic to the site.

Here we will walk through how to identify and whitelist deployment traffic from Azure Pipelines to the SCM site using access restrictions. The same rules can be applied in other firewall solutions.

Identify IP ranges coming from the deployment traffic

Before we get into the topic, let us take a look at how Azure Pipelines deploys your code. Azure Pipelines uses agents to deploy your application. An agent is a VM or a container with the agent software installed that runs the pipeline jobs. There are three types of agents used by Azure Pipelines to build and deploy your code:

  • Microsoft-hosted agent
  • Self-hosted agents
  • VMSS agents

You may check what type of agents you are using for Azure pipelines in Azure DevOps >> Project settings >> Agent pools:

If the pipelines are using self-hosted agents or VMSS agents, the agents run on infrastructure you control, so you can look up their outbound IPs yourself.

If the pipelines use Microsoft-hosted agents (the Azure Pipelines agent pool) to deploy your code, which is the default scenario, note that the IP ranges used by Microsoft-hosted agents are subject to change because they are part of the Azure global network. Azure publishes a weekly JSON file listing the IP ranges of Azure datacenters, broken out by region. You can find the IP ranges used by the agents in the same region as your DevOps organization by looking through the JSON file for the entry named AzureCloud.<region>, such as AzureCloud.westus.

Because the IPs of Microsoft-hosted agents are part of the "AzureCloud" service tag, you can also identify them by retrieving the "AzureCloud" service tag for the region of your Azure DevOps organization with the following PowerShell cmdlets (for example, if your DevOps organization is in "westus"):

# Retrieve the service tags published for the region of your DevOps organization.
$serviceTags = Get-AzNetworkServiceTag -Location westus
# Pick the regional AzureCloud entry and list its address prefixes (CIDR notation).
$azureCloud = $serviceTags.Values | Where-Object { $_.Name -eq "AzureCloud.westus" }
$azureCloud.Properties.AddressPrefixes

Please note that the IPs of Azure Pipelines (Microsoft-hosted agents) are not part of the "AzureDevOps" service tag. The "AzureDevOps" service tag only includes the inbound IPs of the DevOps service, meaning those IPs are the destination addresses of network traffic going to Azure DevOps, not the source addresses of traffic coming from the agents.

Set access restriction rules based on the identified IP ranges

For self-hosted agents or VMSS agents, you may add allow rules for the outbound IPs of the agents to the SCM site.

For Microsoft-hosted agents, we can allow the traffic by whitelisting the "AzureCloud" service tag for the SCM site in the Azure Portal.

If you are using Microsoft-hosted agents and you don't want to allow every IP in the "AzureCloud" service tag to reach your web app (the tag covers all outbound IPs of Azure datacenters), you can instead specify the individual IP ranges in the access restriction rules or other firewall rules. As the list of IP ranges for your region is quite long, we can automate adding the access restriction rules with the following PowerShell cmdlets (for example, if your DevOps organization is in "westus"):

# Get all outbound IP ranges of Azure datacenters in your region.
$serviceTags = Get-AzNetworkServiceTag -Location westus
$azureCloud = $serviceTags.Values | Where-Object { $_.Name -eq "AzureCloud.westus" }
$addressPrefixes = $azureCloud.Properties.AddressPrefixes

# Add an allow rule on the SCM site for each retrieved IP range.
# Rule names must be unique, so a counter is appended to each name.
$i = 0
foreach ($address in $addressPrefixes) {
    $i++
    try {
        Add-AzWebAppAccessRestrictionRule -ResourceGroupName "ResourceGroup" -WebAppName "AppName" -TargetScmSite -Name "azure pipeline rule $i" -Priority 100 -Action Allow -IpAddress $address
    }
    catch {
        Write-Host "$address was not added successfully: $($_.Exception.Message)"
    }
}

As mentioned before, the IP ranges used by Microsoft-hosted agents are subject to change. You don't have to worry about this if you are using the "AzureCloud" service tag, but remember to update the rules regularly if exact IP ranges are specified in them.

To summarize, the IPs of Azure Pipelines (Microsoft-hosted agents) are not static. Either we include them in the broader "AzureCloud" service tag to save management overhead, or we update the IP ranges regularly for more granular protection.
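If you take the exact-IP-range route, the rules have to be refreshed whenever the published list changes. The following script is an added example, not part of the original post: it reconciles the SCM-site rules created by the script above with the current AzureCloud.<region> prefixes, removing rules for prefixes that are no longer published and adding rules for new ones. It assumes the Az.Network and Az.Websites cmdlets (Get-AzWebAppAccessRestrictionConfig, whose ScmSiteAccessRestrictions entries are assumed to expose RuleName and IpAddress, and Remove-AzWebAppAccessRestrictionRule), a signed-in Azure session, and placeholder resource names.

```powershell
# Added example (not from the original post). Assumes Connect-AzAccount has run and
# Az.Network / Az.Websites are installed; resource names are placeholders.
param(
    [string]$ResourceGroupName = "ResourceGroup",       # placeholder
    [string]$WebAppName        = "AppName",             # placeholder
    [string]$Region            = "westus",
    [string]$RulePrefix        = "azure pipeline rule"  # same prefix as the rules above
)

# 1. Current outbound prefixes of the region, taken from the AzureCloud service tag.
$serviceTags = Get-AzNetworkServiceTag -Location $Region
$regionTag   = $serviceTags.Values | Where-Object { $_.Name -eq "AzureCloud.$Region" }
$wanted      = @($regionTag.Properties.AddressPrefixes)

# 2. Rules previously created on the SCM site, recognised by their name prefix
#    (property names RuleName / IpAddress are an assumption about the config object).
$config   = Get-AzWebAppAccessRestrictionConfig -ResourceGroupName $ResourceGroupName -Name $WebAppName
$existing = @($config.ScmSiteAccessRestrictions | Where-Object { $_.RuleName -like "$RulePrefix*" })
$present  = @($existing | ForEach-Object { $_.IpAddress })

# 3. Remove rules whose prefix is no longer published, so the allow list does not grow stale.
foreach ($rule in $existing) {
    if ($wanted -notcontains $rule.IpAddress) {
        Remove-AzWebAppAccessRestrictionRule -ResourceGroupName $ResourceGroupName `
            -WebAppName $WebAppName -TargetScmSite -Name $rule.RuleName
        Write-Host "Removed stale rule $($rule.RuleName) ($($rule.IpAddress))"
    }
}

# 4. Add rules for newly published prefixes. Rule names must be unique, so derive each
#    name from the prefix itself (e.g. "azure pipeline rule 13.64.0.0-16").
foreach ($prefix in $wanted) {
    if ($present -notcontains $prefix) {
        $name = "$RulePrefix " + ($prefix -replace '/', '-')
        try {
            Add-AzWebAppAccessRestrictionRule -ResourceGroupName $ResourceGroupName `
                -WebAppName $WebAppName -TargetScmSite -Name $name -Priority 100 `
                -Action Allow -IpAddress $prefix
            Write-Host "Added rule for $prefix"
        }
        catch {
            Write-Warning "$prefix was not added: $($_.Exception.Message)"
        }
    }
}
```

Run it on a schedule (for example from a pipeline triggered weekly, matching the cadence of the published JSON) so the SCM allow list tracks the service tag without manual edits.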

Update on 3/26/2024

Right now, Microsoft-hosted agents are not able to use service tags. We'll need to follow the IP range allow listing method. 

Reference: https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/hosted?view=azure-devops&tabs=yaml#service-tags

For more information:

Azure Pipelines agents

Microsoft-hosted agents - Networking

Set up Azure App Service access restrictions

Virtual network service tags

Updated Mar 26, 2024
Version 2.0
  • matzter (Brass Contributor)

    Nice, I wasn't aware of the additional capabilities / data in the Service Tags. 
    Anyway, for our use case, to be even more granular and specific, we wrote a script to read the current public IP of the agent and add it to the firewall rules, and remove it after the deployment.

  • Derek_Wade (Copper Contributor)

    Raven_Zhang, you can retrieve the IP address of the Microsoft-hosted agent with the following line of PowerShell.

    $ip = (Invoke-WebRequest -uri "http://ifconfig.me/ip").Content

    Because each Azure Pipeline Job may end up on a different agent, and each agent will have a different IP address, it's important that all of the following items occur within the same Pipeline Job.

    1. Download build artifact
    2. Retrieve the IP address of the Microsoft-hosted agent
    3. Add the access restriction rule
    4. Deploy the build artifact to app service
    5. Remove the access restriction rule

    I recommend applying the always() condition for the step that removes the access restriction rule so that if something goes wrong and the deployment fails, the access restriction rule will still be removed.
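The per-job flow Derek_Wade outlines, written out as one PowerShell script (an added example, not code from the post or the commenter). It assumes an Azure-authenticated session such as the AzurePowerShell task provides, Az.Websites for Publish-AzWebApp (zip deploy through the SCM site), and placeholder resource and artifact names; the finally block is the script equivalent of putting condition: always() on the removal step.

```powershell
# Added example (not from the post or the comment). Assumes an Azure-authenticated
# session and Az.Websites; resource group, app and artifact path are placeholders.
param(
    [string]$ResourceGroupName = "ResourceGroup",  # placeholder
    [string]$WebAppName        = "AppName",        # placeholder
    [string]$ArchivePath       = "./drop/app.zip"  # placeholder: artifact downloaded earlier in this job
)

# 1. Public IP of the agent running this job (the lookup suggested in the comment).
$agentIp = (Invoke-WebRequest -Uri "https://ifconfig.me/ip" -UseBasicParsing).Content.Trim()
if ($agentIp -notmatch '^\d{1,3}(\.\d{1,3}){3}$') {
    throw "Unexpected agent IP value: '$agentIp'"
}

# 2. One rule per job. Azure Pipelines sets SYSTEM_JOBID; fall back to a GUID when the
#    script is run outside a pipeline, so parallel jobs never share a rule name.
$jobTag   = if ($env:SYSTEM_JOBID) { $env:SYSTEM_JOBID } else { [guid]::NewGuid().ToString() }
$ruleName = "agent-$jobTag"

try {
    # Allow only this agent's address (/32), only on the SCM site.
    Add-AzWebAppAccessRestrictionRule -ResourceGroupName $ResourceGroupName -WebAppName $WebAppName `
        -TargetScmSite -Name $ruleName -Priority 100 -Action Allow -IpAddress "$agentIp/32"
    Write-Host "Added temporary SCM rule $ruleName for $agentIp"

    # 3. Deploy the artifact through the SCM site (zip deploy).
    Publish-AzWebApp -ResourceGroupName $ResourceGroupName -Name $WebAppName -ArchivePath $ArchivePath -Force
}
finally {
    # 4. Always remove the temporary rule, even when the deployment throws
    #    (this is what condition: always() guarantees for a pipeline step).
    Remove-AzWebAppAccessRestrictionRule -ResourceGroupName $ResourceGroupName -WebAppName $WebAppName `
        -TargetScmSite -Name $ruleName
    Write-Host "Removed temporary SCM rule $ruleName"
}
```

Keep all four operations in the same pipeline job; a later job may land on a different agent with a different public IP, and the rule added here would not match it.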

  • rsinha296 (Copper Contributor)

    In my case the function app is running behind a Private Endpoint and I wanted to deploy code using AzDO. I was able to resolve this issue by running the Azure agents with an Azure virtual machine scale set.

    Things to take care of:
    1. Make sure to create the scale set in the same virtual network where your function app is running.
    2. Once the scale set is created, we will have to change the AzDO pipeline so that these agents can be picked.
    3. No need to add any firewall rules in the function app; we can disable the public network completely and it should work.

  • carlintveld (Brass Contributor)

    It would be great if Microsoft were providing a simple in-built method to connect Microsoft hosted pipelines to a private subnet. E.g. in order to deploy to ASE hosted app services you then just would be targeting the subnet of the ASE. Vpn tech has come this far today, it should be possible.

  • Good idea matzter! Your solution is more secure, especially when the deployment is not that frequent. I am very curious about how we can read the public IP of the agent with a script. :lol: