Blog Post

Apps on Azure Blog
2 MIN READ

Deploy app service with private endpoint enabled via Azure DevOps

Emma_Yen's avatar
Emma_Yen
Brass Contributor
Apr 17, 2023

There is a common scenario that customers want their app service being allocated inside private network and cannot be accessed by public network. Therefore, they usually enable private endpoint as well as configure Access Restriction to deny all the public traffic.

 

When the private endpoint is enabled and public traffic is denied to the web app, all the public traffic to this app is cut off. Since there is a range of IP addresses where agents are deployed, they have a public IP. Obviously, these agents are unable to reach web app.

 

As a solution, we can either allow the IP ranges list in the firewall or use self-hosted agents to deploy.

You may check below document for more information Microsoft-hosted-agents for Azure Pipelines

 

In below lab, we will demo 2 tests. One is what if we deploy code to a web app with private endpoint by Microsoft-agent and another one is how to deploy by a self-hosted agent.

 

Lab

Test1: deploy using Microsoft-hosted agent

Result: We will see Error: Failed to deploy web package to App Service. Ip Forbidden (CODE: 403) since web app is not accessible via internet.

 

Create a new pipeline

 

Here, I select GitHub in this demo

 

Deploy a Django app. So I choose the second one.

 

Select subscription and web app name

 

Save and run

 

Web app is private endpoint enabled which means the inbound traffic needs to be a private IP from the same subnet as web app or an IP that has permission to access this app service.

However, Microsoft-agent works over public network. It is deployed failed and the Error - Failed to deploy web package to App Service. Ip Forbidden (CODE: 403)

 

Test2: deploy using self-hosted agent on Linux VM (Ubuntu 20.04)

Result: it works fine. Deploy successfully.

 

Create Linux VM (Ubuntu 20.04) in the same VNET as web app.

In Azure Devops portal, Add agent pool

 

Then New Agent and choose operating system of your build machine. (Here, I choose Linux)

 

Get Personal Access Tokens

 

 

New token and grant permission to agent pools

 

Remember to record this token as it will not displayed again.

 

SSH into Linux VM and configure agent to connect Azure pipeline

Download and create agent

 

Configure agent settings

Sever URL:

Please refer to Deploy an Azure Pipelines agent on Linux - Azure Pipelines | Microsoft Learn

 

Run agent

 

Check from portal that agent is online

 

In order to get confused, we create a separated pipeline here.

Creation Steps are the same as previous steps: 

New Pipeline -> GitHub -> Python to Linux Web App on Azure -> Select subscription -> Select web app name -> Save and run

 

Modify the yml file. Change pool to the one just created.

 

Then, run the pipeline again. We can see that it deployed successfully this time.

 

References

Deploy an Azure Pipelines agent on Linux - Azure Pipelines | Microsoft Learn

Microsoft-hosted-agents for Azure Pipelines

Updated Apr 17, 2023
Version 1.0
azure app service
devops

2 Comments

  • aizefler's avatar
    aizefler
    MCT
    Nov 06, 2024

    Excellent article, I have this scenario and I had already thought about this proposal, but I was hoping for another alternative to using the agents hosted by Azure DevOps. Congratulations for sharing!

  • Sebastian_Gauna's avatar
    Sebastian_Gauna
    Copper Contributor
    Aug 04, 2023

    Thanks for the article, my question is redundant since the article explains it but I can't believe it so... Really?? there's no other way to publish from Azure Devops Microsoft-Hosted Agents to a Private Endpoint other than allowing Azure Devops IPs?? 100% Certainty about this??