[Updated] New IP address ranges with Service Tags for Azure DevOps Services
Please see the Rollout Update section below for important information about brownout status and schedule change for East US 2 region.
Azure DevOps Services will support Service Tags by the end of CY2020. Azure Service Tags are a convenient way for customers to manage their networking configuration to allow traffic from specific Azure services. Once a Service Tag has been set up for Azure DevOps Services, customers can easily allow access by adding the tag name azuredevops to their NSGs or firewalls either through the portal or programmatically.
In preparation for this enhancement, our IP address space will be changing for outbound traffic from Azure DevOps Services to customers’ on-prem systems, effective October 5 2020. If you’re currently using firewall rules to allow traffic from Azure DevOps Services, please be sure to update these rules to account for our new IP ranges by that deadline. We will be conducting a brownout test from September 9, 2020 to September 15, 2020 as indicated below. Please note the change from originally announced date of September 8, 2020 to September 9, 2020. While most of the features will work, the below four scenarios will be impacted by the brownout test due to IP address range change. If you do not want any impact for these four scenarios during this period, please add the additional IP address ranges below for your region to your firewall rules as soon as possible.
The Service Tag does not apply to Microsoft Hosted Agents. Customers are still required to allow the entire geography for the Microsoft Hosted Agents. For inbound traffic from customers’ on-prem systems to Azure DevOps Services, customers can continue to follow the guidelines here.
To help you determine whether this change impacts your organization, we are building an Azure DevOps IP Check Tool. The IP Check Tool is used to validate inbound and outbound connectivity between Azure DevOps Services and customers’ on-prem systems. Please use this tool prior to the brownout and after to validate your connectivity.
For inbound testing from your on-prem system to Azure DevOps Services, please make sure that the browser running the test is connected to your target network. We will attempt to contact Azure DevOps Services and report any errors we see.
For outbound testing from Azure DevOps Services to your on-prem systems, please provide us with a REST URL you expect our services to call. We will attempt to call the URL from each of our service regions. Any HTTP status code between 200 and 499 will be considered a successful connection. All 5xx status codes will be reported as an error.
If you are having issues, please post an update on this open developer community item.
IP Address Changes
To react to the changes in our IPv4 address range, users should ensure dev.azure.com is open and update their allowed IPs to include the following IPv4 addresses (based on your region). You will also be able to use the service tag name azuredevops to allow all IP ranges below but the tag will not be available until November 2020. IPv6 is not supported at this time.
IP Address Ranges
|Region||IP address ranges|
Azure DevOps documentation will be updated with the new IP address ranges here. A complete list of Azure DevOps Services guidelines for configuring firewalls and proxy servers can be found in the Allow IP addresses and URLs to the allow list document.
Over the course of the next few weeks, we will conduct a series of brownout tests to identify organizations that may be impacted by these routing changes. We will conduct our first test on September 9, 2020 and complete by September 15, 2020. Please note the change from originally announced date of September 8, 2020 to September 9, 2020 and also note the change for East US 2 region to September 16,2020 at 07:00 EDT (11:00 UTC). See below for the brownout schedule. The brownout test will take 2 hours.
Azure DevOps Services started the network configuration change for the East US 2 region on September 9, 2020 at 10:00 EDT (14:00 UTC) and noticed a spike of customer impacting failures during one of the deployments. The spike lasted for 1 to 3 minutes for web traffic and customers may have noticed a message with “TF400898: An Internal Error Occurred” in their browser. The brownout in the East US 2 region was halted but we completed the brownout in the Central Canada region with success. We will continue with the brownout in the South India and West US 2 regions on September 10, 2020. We have updated the brownout schedule for the East US 2 region to September 16, 2020 at 07:00 EDT (11:00 UTC).
Brownouts in chronological order
|UTC Date Time||Region||Local Date Time|
|2020-09-09 19:00||canadacentral||2020-09-09 15:00 EDT|
|2020-09-10 11:00||indiasouth||2020-09-10 16:30 IST|
|2020-09-10 17:00||uswest2||2020-09-10 10:00 PDT|
|2020-09-11 12:00||uksouth||2020-09-11 13:00 BST|
|2020-09-11 18:00||brazilsouth||2020-09-11 15:00 BRT|
|2020-09-14 13:00||europewest||2020-09-14 15:00 CEST|
|2020-09-15 00:00||asiaeast||2020-09-15 08:00 HKT|
|2020-09-15 14:00||uscentral||2020-09-15 09:00 CDT|
|2020-09-15 22:00||australiaeast||2020-09-16 08:00 AEST|
|2020-09-16 11:00||useast2||2020-09-16 07:00 EDT|
In the event we are running these tests and use cases such as service hooks, data import, and pipelines are not working during this period of time, please navigate to the status page and check that there aren’t any ongoing incidents and update your IP address allow list. We are targeting November, 2020 to make Service Tags generally available for Azure DevOps.
If you experience any issues with accessing your Azure DevOps organization after updating your IP allow list, please post an update on this open developer community item.