Azure DevOps Whitelisting
Please create service tag for Azure DevOps Hosted Build Agents. I have been told that to allow hosted agent access through NSG - to my ASE's, I need to whitelist ALL external Azure IPs.. This is unaccesptable from a Security standpoint. Please address immediately
Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature
This is important! Please start working on it!
Uladzislau Dadzimau commented
This is highly important feature (not from the Justin's response though).
Justin Chung commented
Azure DevOps is working on elastic self-hosted agent pools where Azure Pipelines can dynamically provision VMs in a customer's subscription. This will have some of the benefits of hosted agents in that Azure Pipelines will manage the lifecycle of these machines. However, since they are in the customer's subscription, they will have more control on the types of machines, images, and networking. We are targeting 2H CY2020 for this. More details at https://github.com/microsoft/azure-pipelines-agent/blob/master/docs/design/byos.md
Dibyendu Dawn commented
This is absolute required when we have lock-down environment. Specially in healthcare industry we have such security requirements where we need to lock-down all the storage account, other internal service endpoints (service fabric, AKS, event hub, service bus etc) etc internally to only our org IP range. This way azure hosted agents are not able to communicate with azure resources. Currently only 2 option are there: regularly ingest the whole geography data-center IPs or self-hosted devops agents. We need better solution for this. As both the solution are inconvenience for us. Updating MS published new IP ranges to hundred of our project specific resources not possible every week. Also we need different OS version for azure self hosted VM agents as we have both Linux + different versions of windows containers. Maintaining this agents, lock down all security aspect, patching etc again required lot of effort.
Константин Мохов commented
6 month, any updates?
Any update on the release of Service Tags for Azure DevOps Hosted agents?