How can we improve Azure Networking?

← Networking

Azure DevOps Whitelisting

Please create service tag for Azure DevOps Hosted Build Agents. I have been told that to allow hosted agent access through NSG - to my ASE's, I need to whitelist ALL external Azure IPs.. This is unaccesptable from a Security standpoint. Please address immediately

https://developercommunity.visualstudio.com/idea/467755/static-ip-address-for-azure-devops.html?childToView=571222#comment-571222

530 votes
Vote
Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
You have left! (?) (thinking…)
Michael Redondo shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →
triaged  ·  Adminazurecxpuservoice (Product Manager, Microsoft Azure) responded  · 

Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

9 comments

Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Justin Chung commented  ·   ·  Flag as inappropriate

    Azure DevOps is working on elastic self-hosted agent pools where Azure Pipelines can dynamically provision VMs in a customer's subscription. This will have some of the benefits of hosted agents in that Azure Pipelines will manage the lifecycle of these machines. However, since they are in the customer's subscription, they will have more control on the types of machines, images, and networking. We are targeting 2H CY2020 for this. More details at https://github.com/microsoft/azure-pipelines-agent/blob/master/docs/design/byos.md

  • Dibyendu Dawn commented  ·   ·  Flag as inappropriate

    This is absolute required when we have lock-down environment. Specially in healthcare industry we have such security requirements where we need to lock-down all the storage account, other internal service endpoints (service fabric, AKS, event hub, service bus etc) etc internally to only our org IP range. This way azure hosted agents are not able to communicate with azure resources. Currently only 2 option are there: regularly ingest the whole geography data-center IPs or self-hosted devops agents. We need better solution for this. As both the solution are inconvenience for us. Updating MS published new IP ranges to hundred of our project specific resources not possible every week. Also we need different OS version for azure self hosted VM agents as we have both Linux + different versions of windows containers. Maintaining this agents, lock down all security aspect, patching etc again required lot of effort.

  • Daniel commented  ·   ·  Flag as inappropriate

    Any update on the release of Service Tags for Azure DevOps Hosted agents?

Networking: IP addresses

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice