Azure DevOps Services now supports Azure Service Tags!
What problems did customers face without Service Tags?
In the past, IP addresses changed when new Azure DevOps systems were added or migrated. Customers were unaware of the IP changes and had to update their on-prem firewalls or Azure NSGs manually.
What are Service Tags?
Service Tags are a convenient way for customers to manage their networking configuration to allow traffic from specific Azure services. Now that a service tag has been set up for Azure DevOps Services, customers can allow access by adding the tag name AzureDevOps to their NSGs or firewalls programmatically using PowerShell and the CLI. The portal will be supported at a later date. Customers may also use the service tag for on-prem firewalls via a JSON file download.
Azure Service Tags are supported only for inbound connections from Azure DevOps to customers' on-prem networks. Outbound connections from customers' networks to Azure DevOps are not supported. Customers are still required to allow the Azure Front Door (AFD) IPs provided in the doc for outbound connections. The inbound connection applies to the following documented scenarios:
- Azure DevOps Services connecting to endpoints for Service Hooks
- Azure DevOps Services connecting to customer-controlled SQL Azure VMs for Data Import
- Azure Pipelines connecting to on-prem source code repositories such as GitHub Enterprise or BitBucket Server
- Azure DevOps Services Audit Streaming connecting to on-prem or cloud-based Splunk
The Service Tag does not apply to Microsoft Hosted Agents. Customers are still required to allow the entire geography for the Microsoft Hosted Agents. If allowing the entire geography is a concern, we recommend using the Azure Virtual Machine Scale Set Agents. The Scale Set Agents are a form of self-hosted agents that can be autoscaled to meet your demands.
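The following Python example is added here and is not from the original post or from Microsoft. It reads the AzureDevOps entry from a Service Tags JSON download, compares it with the entries currently on an on-prem firewall, and checks whether an inbound source address belongs to the tag. The embedded JSON is a constructed sample using documentation address ranges, its field layout (`values[].name`, `properties.addressPrefixes`) is assumed to match the downloaded file, and the function names are hypothetical.

```python
import ipaddress
import json

# Constructed sample. Layout (values[].name, properties.addressPrefixes) is
# assumed to match the Service Tags JSON download; the prefixes are
# documentation ranges, not real Azure DevOps addresses.
SAMPLE_TAGS_JSON = """
{"changeNumber": 2, "cloud": "Public", "values": [
  {"name": "AzureDevOps", "id": "AzureDevOps",
   "properties": {"systemService": "AzureDevOps", "addressPrefixes":
     ["192.0.2.0/24", "203.0.113.0/25", "2001:db8:10::/48"]}},
  {"name": "Storage", "id": "Storage",
   "properties": {"systemService": "AzureStorage", "addressPrefixes":
     ["198.51.100.0/24"]}}
]}
"""

def tag_prefixes(json_text, tag="AzureDevOps"):
    """Parse the file and return the tag's prefixes as ip_network objects."""
    for entry in json.loads(json_text).get("values", []):
        if entry.get("name") == tag:
            prefixes = entry["properties"]["addressPrefixes"]
            return {ipaddress.ip_network(p) for p in prefixes}
    raise KeyError(f"service tag {tag!r} not found")

def diff_allowlist(deployed, published):
    """Return (to_add, to_remove) as sorted CIDR strings."""
    current = {ipaddress.ip_network(p) for p in deployed}
    to_add = sorted(str(n) for n in published - current)
    to_remove = sorted(str(n) for n in current - published)
    return to_add, to_remove

def is_from_tag(source_ip, published):
    """True if an inbound source address is inside a published prefix."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in n for n in published if n.version == addr.version)

if __name__ == "__main__":
    published = tag_prefixes(SAMPLE_TAGS_JSON)
    # Hypothetical allowlist currently on the on-prem firewall; the second
    # entry is stale and should be removed, not left open.
    deployed = ["192.0.2.0/24", "198.51.100.0/24"]
    to_add, to_remove = diff_allowlist(deployed, published)
    print("add:", to_add)
    print("remove:", to_remove)
    print("203.0.113.200 allowed:", is_from_tag("203.0.113.200", published))
```

Running the comparison each time a new file is downloaded surfaces both newly published prefixes and stale entries that would otherwise stay open on the firewall.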
AzureDevOps doesn’t appear in the list of available Service Tags for editing NSG inbound policy. Does something have to happen to enable it?
There is no support from the portal at this time, as per the above. Are you trying CLI / PS?
How about connecting library groups from Azure DevOps to a Key Vault? This was also included in the backlog item for this, but nothing is mentioned.
How does one set up outbound NSGs to allow connections to Azure DevOps Services in the case of self-hosted agents?