There is a common scenario that customers want their app service being allocated inside private network and cannot be accessed by public network. Therefore, they usually enable private endpoint as well as configure Access Restriction to deny all the public traffic.
When the private endpoint is enabled and public traffic is denied to the web app, all the public traffic to this app is cut off. Since there is a range of IP addresses where agents are deployed, they have a public IP. Obviously, these agents are unable to reach web app.
As a solution, we can either allow the IP ranges list in the firewall or use self-hosted agents to deploy.
You may check below document for more information Microsoft-hosted-agents for Azure Pipelines
In below lab, we will demo 2 tests. One is what if we deploy code to a web app with private endpoint by Microsoft-agent and another one is how to deploy by a self-hosted agent.
Lab
Test1: deploy using Microsoft-hosted agent
Result: We will see Error: Failed to deploy web package to App Service. Ip Forbidden (CODE: 403) since web app is not accessible via internet.
Create a new pipeline
Here, I select GitHub in this demo
Deploy a Django app. So I choose the second one.
Select subscription and web app name
Save and run
Web app is private endpoint enabled which means the inbound traffic needs to be a private IP from the same subnet as web app or an IP that has permission to access this app service.
However, Microsoft-agent works over public network. It is deployed failed and the Error - Failed to deploy web package to App Service. Ip Forbidden (CODE: 403)
Test2: deploy using self-hosted agent on Linux VM (Ubuntu 20.04)
Result: it works fine. Deploy successfully.
Create Linux VM (Ubuntu 20.04) in the same VNET as web app.
In Azure Devops portal, Add agent pool
Then New Agent and choose operating system of your build machine. (Here, I choose Linux)
Get Personal Access Tokens
New token and grant permission to agent pools
Remember to record this token as it will not displayed again.
SSH into Linux VM and configure agent to connect Azure pipeline
Download and create agent
Configure agent settings
Sever URL:
Please refer to Deploy an Azure Pipelines agent on Linux - Azure Pipelines | Microsoft Learn
Run agent
Check from portal that agent is online
In order to get confused, we create a separated pipeline here.
Creation Steps are the same as previous steps:
New Pipeline -> GitHub -> Python to Linux Web App on Azure -> Select subscription -> Select web app name -> Save and run
Modify the yml file. Change pool to the one just created.
Then, run the pipeline again. We can see that it deployed successfully this time.
References
Deploy an Azure Pipelines agent on Linux - Azure Pipelines | Microsoft Learn