Raven_Zhang, you can retrieve the IP address of the Microsoft-hosted agent with the following line of PowerShell.
$ip = (Invoke-WebRequest -uri "http://ifconfig.me/ip").Content
Because each Azure Pipeline Job may end up on a different agent, and each agent will have a different IP address, it's important that all of the following items occur within the same Pipeline Job.
- Download build artifact
- Retrieve the IP address of the Microsoft-hosted agent
- Add the access restriction rule
- Deploy the build artifact to app service
- Remove the access restriction rule
I recommend applying the https://learn.microsoft.com/en-us/azure/devops/pipelines/process/conditions condition for the step that removes the access restriction rule so that if something goes wrong and the deployment fails, the access restriction rule will still be removed.